4 ways to better handle enterprise risk oversight

Please note: This item is from our archives and was published in 2015. It is provided for historical reference. The content may be out of date and links may no longer function.

Many organisations have begun to strengthen their processes to handle emerging enterprise risks, but only about one-third have in place fully structured, mature enterprise risk management oversight, according to surveys that focus on small to midsize enterprises.

More than 1,300 executives from the US, Europe, Asia, Australia, Africa, and the Middle East were polled. About one-third said their organisation had complete, formal ERM oversight in place. Just 24% of the respondents in the US said their organisation had complete ERM oversight in place.

The research, conducted by the ERM Initiative at North Carolina State University for the American Institute of CPAs (AICPA) and the Chartered Institute of Management Accountants (CIMA), suggests that many companies have work to do to manage enterprise risks that 60% of respondents perceived as having increased in the past five years.

“It’s on the radar of business leaders around the world,” said Mark Beasley, CPA, Deloitte professor of enterprise risk management and the director of NCSU’s ERM Initiative. “Some organisations are making progress, but there’s a lot of room for improvement.”

Fully structured enterprise risk oversight involves employees throughout the organisation, senior executives, and board members who are focused and accountable, as well as processes that regularly update the organisation’s risks. Ideally, senior leadership and the board use the ERM data gathered across an organisation to detect threats to the business’ long-term viability and to pinpoint strategic opportunities.

ERM’s sweet spot is generating insights that can be used to inform strategy, which is a benefit most organisations have yet to reap, Beasley said. Forty per cent or fewer respondents said their organisations are satisfied with the reporting of information about top risk exposures to senior management. Fewer than 30% viewed their risk-management process as providing a competitive advantage.

While organisations still struggle to use ERM data beyond regulatory compliance, they have increased vigilance to identify risks in the past five years. When compared with a similar survey that NCSU’s ERM Initiative conducted for the AICPA and CIMA in 2010, the current survey shows that more organisations maintain and update risk inventories on a formal basis today.

In 2015, one-third of US respondents said risk inventories or registers are maintained by all business functions and at the enterprise level (37% in Asia and Australia, 40% in Africa and the Middle East, and 49% in Europe). In 2010, 22% of US respondents and 38% of respondents globally (those outside the US) said their organisation did.

Organisations have also improved risk assessment in the past five years. In 2015, 41% of US respondents said their organisation had a standardised process to identify key risks (58% in Africa and the Middle East, 60% in Asia and Australia, and 69% in Europe), compared with 29% of US respondents and 51% of respondents globally in 2010. More organisations worldwide also used processes to assess risk probabilities and impact.

But the 2015 survey showed barriers to effective enterprise risk oversight remain, including concerns about insufficient resources (42% in Europe, 41% in the US, 40% in Asia and Australia, and 39% in Africa) and the perception of ERM as unneeded bureaucracy (28% in the US and Europe, 26% in Asia and Australia, and 14% in Africa).

Based on research and responses from organisations, NCSU’s ERM Initiative listed four recommendations to help organisations worldwide improve the effectiveness of their enterprise-wide risk oversight:

  • Assess the efficacy of the organisation’s current enterprise risk management approach in light of the changing risk environment and share the results with the board of directors and senior executives.
  • Determine to what extent critical risks may remain undetected if each business function manages specific types of risk in a silo approach with little co-ordination among silos.
  • Consider enterprise risk management an important input to the strategic planning process, not just a way to comply with regulations and prevent losses.
  • Appoint a risk-management leader with explicit responsibility to help develop structured processes related to risk and co-ordinate the organisation’s risk thinking.

Related CGMA Magazine content:

“How to Pick a Successful Risk Leader”: Corporate boards should look for an executive risk leader with these particular qualities to help them oversee and govern an increasing number of unfamiliar and complex risks that threaten the business.

“Why Risk-Management Leaders Generate Higher Profits”: Executives and corporate directors believe business uncertainties and threats are increasing, a PwC survey suggests. The survey results explain how improved risk-management programmes can lead to better financial performance.

“Five Barriers Restricting Risk-Management Progress”: Only about 15% of companies see a strong link between their enterprise risk management (ERM) processes and their business strategy, according to a 2014 survey.

Sabine Vollmer (svollmer@aicpa.org) is a CGMA Magazine senior editor.
