Executives are aware that the risks businesses face have increased and become more complex in the past five years, but most companies aren’t fully equipped to manage the rapid changes, according to research released by the Enterprise Risk Management Initiative at North Carolina State University’s Poole College of Management and the Association of International Certified Professional Accountants.
About 60% of the 586 CFOs, finance professionals, and other executives who participated in the global survey said that enterprise risks have become more numerous and more interconnected. Many respondents reported actual events, or operational surprises, in the past five years – 71% in Africa and the Middle East; 53% in Europe and the UK; 46% in Asia, Australia, and New Zealand; and 32% in the US. But less than one in three said their companies have robust enterprise risk oversight.
Companies in Asia, Australia, and New Zealand appeared the most prepared, the survey suggests. Thirty per cent of respondents in the region said they have complete ERM processes in place, and 23% described risk management oversight as mature.
“This region has historically been a leader in risk management best practices, suggesting a business culture there that is in tune with the benefits of improved risk management thinking,” said Mark S. Beasley, CPA, a professor of enterprise risk management, the ERM Initiative’s director, and a co-author of the study.
Enterprise risk oversight was least robust in Europe and the UK, where 21% of respondents said they had complete ERM processes in place or described risk management oversight as mature. In the US and in Africa and the Middle East, about one-quarter of the respondents reported they are fully prepared.
Businesses’ risk management efforts have improved in the past decade. Seven years ago, 16% of US respondents and 39% of respondents from outside the US called their ERM oversight robust. Still, considering the rising potential for harm as well as business opportunities, most companies could benefit from strengthening their ERM approach, Beasley and co-author Bruce C. Branson said.
“Implementation of an ERM process can provide a framework for an enhanced understanding of the risk environment the entity is facing and hopefully an opportunity to identify emerging risks before they have the potential to significantly impact the entity,” said Branson, a professor of accounting and the associate director of the ERM Initiative.
The survey identified three main barriers to improving companies’ ERM approach:
- About half of the respondents believe they do not have sufficient resources to ensure their ERM processes work well, especially those in Europe and the UK (52%) and in Africa and the Middle East (53%).
- Other, competing business priorities restrict improvement of ERM processes, particularly in the US (46%) and Europe and the UK (45%).
- ERM processes are perceived as unneeded bureaucracy and lacking in value, especially in the Africa and Middle East region (47% and 41%, respectively).
“Many see risk management as a compliance or bureaucratic initiative that isn’t focused on adding value,” Beasley said. “They forget the fundamental relationship of risk and return, which is demonstrated in their failure to integrate their risk management efforts with their strategic management efforts.”
About half of respondents said they consider risk exposures when they evaluate possible new strategic initiatives. One likely reason is a lack of useful data, the survey found. About one-quarter of the companies participating in the survey do not maintain inventories of their key risk exposures.
The survey results suggest that lack of leadership may be another hurdle, especially in Europe and the UK where only 42% of participating companies had a management risk committee (64% in Asia, Australia, and New Zealand; 56% in the US; 53% in Africa and the Middle East).
Also, fewer than half of the companies participating in the survey have a formal policy statement regarding their enterprise-wide approach to risk management, except in Asia, Australia, and New Zealand (57%). And in most regions, risk management activities are used only rarely to determine compensation for management performance (20% in Asia, Australia, and New Zealand; 15% in Europe and the UK; and 13% in the US).
In Africa and the Middle East, a region that respondents perceived as most risky, 29% of participating companies tied performance-based compensation to risk management.
Educating business leaders more about ERM and helping them to communicate what they learn might be beneficial, Beasley and Branson suggested.
Most companies (80% or more) have not focused on providing executives formal training or guidance on risk management in the past two years, the survey found.
To better manage the rapidly changing enterprise risks, Beasley and Branson offered executives five tips:
- Be willing to admit that you may be facing a lot of unknown issues and understand that enterprise risk management is an evolutionary process that will yield more insight as it is refined and tailored to a specific organisation.
- Ask your peers to identify the top five strategic initiatives and the top five to ten risks likely to derail them. Ask them to bring their lists to an executive meeting and engage them in a conversation. Determine whether there is a consistent and coherent understanding amongst them that managing top risk exposures can lead to opportunities that create value.
- Identify the key assumptions in senior executives’ business models and challenge how confident they are that their assumptions are reasonable and will not change.
- Recognise that enterprise risk management does not require significant new resources.
- Assess the company’s overall culture and how it might affect risk management. Determine to what extent individuals understand the processes they should use to escalate risk issues to the top and to what extent they are willing to deploy ERM.
—Sabine Vollmer (Sabine.Vollmer@aicpa-cima.com) is a CGMA Magazine senior editor.