The gaps that remain in risk initiatives

Public companies and large private organisations are making the biggest strides in installing holistic risk management. But their risk management practices still have gaps.

Fifty-one per cent of public companies and 51% of large private companies have complete formal enterprise risk management (ERM) programmes in place, according to the American Institute of CPAs and North Carolina State University, which on Wednesday released data culled from 441 finance executives in business and industry.

The 2016 percentages represent a large increase when compared with previous results in the survey, which began in 2009. In 2011, 32% of large organisations, defined as those with annual revenues greater than $1 billion, had a complete ERM process in place, and just 24% of public companies did.

Mark Beasley, CPA, a professor of enterprise risk management and director of North Carolina State University’s ERM Initiative, said the percentages for public companies began to tick upward about 2010 in response to the US Securities and Exchange Commission issuing new rules regarding disclosures of a board’s role in risk oversight.

In the current survey, 25% of organisations have a complete, formal ERM function, the same percentage as each of the previous two surveys but up from 9% in 2009 and 15% in 2011. Not-for-profits lag behind other categories, with 17% in this year’s survey having complete ERM processes, compared with 10% in 2011.

Plenty of companies say risk management is important, and a rising number have taken steps to make it a priority, through naming a chief risk officer, creating board committees that focus specifically on risk, or other strategies. But a high percentage of organisations stop short of saying they’re finished with ERM initiatives.

“The entities are still working to see what’s best for them,” Beasley said. “They’re thinking more about risk management, but they’re reluctant to describe it as complete or enterprise-wide. They’re hesitant to put a stake in the ground and say, ‘We’ve got this thing figured out.’ ”

Risk, whether in the form of economic uncertainty, cyber-threats, or ever-changing technology, is not going away. In fact, 57% of respondents believe risks tied to doing business have changed extensively or mostly in the past five years.

But some view risk as an issue that doesn’t deserve an enterprise-wide response, and others aren’t seeing value in formal ERM.

Forty-six per cent cite insufficient resources as a barrier to ERM progress, 44% list competing priorities, and 34% cite a lack of perceived value.

Some companies have not yet implemented ERM programmes. Among respondents from those organisations:

  • 47% said risk is managed in other ways besides ERM.
  • 31% said there were no requests to change the organisation’s risk management approach.
  • An additional 31% said there were more pressing needs.
  • 23% said they had no one to lead an ERM programme.
  • 17% said they did not see benefits exceeding costs.

Those attitudes show why risk is not often linked with strategy: 56% said risk management was either “not at all” or “minimally” a proprietary strategic tool in their organisation.

Related CGMA Magazine content:

Why Multinationals Should Prepare Better for Key Risks”: Risk management is abundant at large multinationals, but efforts to anticipate key risks show significant gaps, according to a global Deloitte survey. Find out how to better prepare for the worst.

How to Gather Risk Intelligence”: Risk management requires constant assessment of internal and external information. Here’s how it’s done at Siemens Wind Power in Denmark.

Neil Amato ( is a CGMA Magazine senior editor.