Enterprise risk management: More critical than ever

The fast-moving, global reach of the coronavirus has illustrated that a forward-looking approach to risk management is more important than ever. While no one could have predicted the nature, severity, or timing of the virus, it’s clear that organisations should include such risk scenarios in future strategic discussions.

An annual survey of US finance executives, taken before the virus had traveled around the world, measured the maturity of enterprise risk management (ERM) programmes at a variety of organisations, including large, publicly traded companies; not-for-profit entities; and financial-services companies.

The survey is conducted jointly by the ERM Initiative at North Carolina State University and the AICPA. It gathered responses in fall 2019, mainly in October and November. The first confirmed US case of the coronavirus was announced on 21 January.

While concerns about risk, even before the virus outbreak, have not subsided, fewer finance executives were finding strategic value in their risk management processes. In 2016, 20% of respondents said they believed that risk management mostly or extensively provides strategic value. In the most recent survey, the number was 17% — a small drop, but still the third consecutive year of one-percentage-point declines.

Formal risk identification and assessment activities are far more common at public companies and larger organisations, according to the survey. In the full survey sample, 39% of organisations have either a minimal process or no formal process for identifying or assessing emerging strategic, market, or industry risks — up from 32% a year ago.

“About half of the respondent organisations engage in formal risk identification and risk assessment processes,” said Mark Beasley, CPA, the KPMG Professor of Accounting at N.C. State University and the ERM Initiative’s director. “Hopefully more business leaders will see the value in engaging in those processes in the future so that they can be in a more proactive versus reactive risk management posture when the next big risk event emerges.”

Other findings from the survey:

  • The perception of risk has remained relatively steady since 2013 in the survey. The percentage saying that the volume and complexity of risks had increased mostly or extensively in the past five years has hovered between 57% and 60%. In the most recent survey, 59% felt that way.
  • The top three risks were leadership and talent needs, economic conditions, and innovation that could potentially disrupt core business models.
  • Thirty per cent of organisations have mature ERM processes in place. This is down one percentage point from the previous two years but up from 25% in 2014 and 9% in 2009, the first year of the survey.

The survey report acknowledges that even the most mature ERM processes could not prevent an event such as the coronavirus outbreak: “It is our hope that more organisations will take the necessary steps to honestly evaluate the robustness of how … leaders think about potential risks across their enterprise and that they will take the actions necessary to put them in a stronger position for the next unfolding event.”

For more news and reporting on the coronavirus and how management accountants can handle challenges related to the outbreak, visit FM’s coronavirus resources page.

Neil Amato ( is an FM magazine senior editor.