Why ‘complete ERM’ is a myth

Risk oversight has grown in importance among all types of organisations this decade, but some of the gains can be attributed to public companies responding to US Securities and Exchange Commission (SEC) rules related to risk disclosures.

Even entities not subject to SEC oversight have started to take a broader approach to enterprise risk management (ERM), according to an annual survey released Tuesday.

Five years ago, nearly one-third of not-for-profit organisations had no enterprise-wide process in place for managing risk. Compare that to the 2017 version of The Current State of Enterprise Risk Oversight, an annual survey by North Carolina State University’s ERM Initiative, which showed that 17% of not-for-profits had no enterprise-wide process.

Part of that change is in response to a faster-moving business environment – more risks are flying at organisations, and with more speed than in the past. Smaller organisations, such as not-for-profits, are potentially more vulnerable to certain risks, such as occupational fraud, if they lack strong internal controls.

Another reason private organisations are paying more attention to risk is that more of their board members are bringing public company experience.

“Not-for-profits have gotten more savvy over the years in terms of the need to have effective board involvement,” said Jim DeLoach, CPA, a managing director at Protiviti. “A good percentage of the men and women who serve on not-for-profit boards also serve on public boards. They’re bringing that best practice to create some focus in the boardrooms on the risks that really matter.”

Overall, companies seem to be closer than in the past to having a robust risk management programme in place. Five years ago, 23.4% of executives said their companies had complete and formal ERM processes in place. That rose to 28% in the current survey, including 49% of large companies, defined as those with annual revenues greater than $1 billion.

Whereas just 11.9% of not-for-profits in 2012 said their ERM process was complete and formal, now 19% say that is the case.

DeLoach said organisations of all types have learned, since the 2008 financial crisis, about the importance of a formal risk programme.

“The learning experience that has occurred over this period is that the risk oversight process can’t be scatter-brained in looking at all the risks,” he said. “It’s got to be focused.”

But some companies, DeLoach said, must adjust their focus. They tend to think of ERM implementation as a project with a defined start and stop.

“Complete ERM? There is no such thing,” DeLoach said. “It’s not a [case of] check the box and you’re done, you’re complete, and you don’t have to worry about it anymore. Your risk environment is constantly changing and evolving, and part of the discipline of ERM is to ensure that your risk management capabilities are being constantly upgraded as your business environment changes.”

Competing priorities remain the biggest barrier to progress in ERM efforts, with 45% of respondents listing that concern as a barrier or significant barrier. That’s followed by insufficient resources (44%), lack of perceived value (37%), perception that ERM adds bureaucracy (28%), and a lack of board or senior executive ERM leadership (27%).

Those five barriers were the same as in 2012, and in the same order.

Related CGMA Magazine content:

“The Gaps That Remain in Risk Initiatives”: Insufficient resources and a perceived lack of value are among the obstacles for some companies in full implementation of enterprise risk management programmes.

“6 Barriers Limiting Boards’ Strategic Oversight”: A lack of time devoted to strategy, insufficient or inadequate information, and pressure to produce short-term results are among the factors hindering boards of directors, according to a 2016 survey report.

Neil Amato is a CGMA Magazine senior editor.