The COVID-19 pandemic reshuffled everyone’s priorities. For businesses, simple operations became difficult or disappeared altogether, and employees who fretted about a long commute or too many meetings suddenly had to deal with a host of outside issues — assuming they still had a job.
Enterprise risk management (ERM) practices also were re-examined, although for some organisations, ERM remains a work in progress. The 2021 State of Risk Oversight: An Overview of ERM Practices, the 12th edition of a survey report by the ERM Initiative at North Carolina State University and the AICPA, showed that competing priorities and insufficient resources still hamper risk management. The survey from fall 2020 included responses from 420 US business and industry members in finance leadership roles.
Mark Beasley, CPA, KPMG Professor of Accounting at NC State and director of the ERM Initiative, said that the pandemic reminded organisations how fast and impactful risks can be.
“There’s been a greater awareness that risk is something to think more proactively about, because when the risk event is big, it can have an unbelievable impact,” Beasley said. “Also, it’s led to a realisation that, as we manage risks …, now we can turn that into opportunity.”
The report provides questions that leaders can use to bolster their risk management processes. After each of these questions in the report is a series of other considerations:
What are management’s perceptions about the organisation’s current approach to risk management? The survey shows that 35% of respondents believe their organisation has “complete” ERM in place. That’s an increase from previous surveys, but an equal percentage label their ERM as “partial”, and 23% either have no enterprise-wide process in place or are still investigating the ERM concept.
Is there consensus amongst management about the top enterprise-wide risks? Leaders “may find themselves chasing after the wrong risks or … creating risks for other parts of the organisation” if they fail to stay in contact about emerging risk issues, the report said. One potential link to a lack of consensus could be that organisations lack a structured process for identifying and reporting top risk exposures to their board. For example, 19% said that risks were tracked “by individual silos”, and 13% said there was no structured process for identification and reporting of risk exposures.
How is output from the ERM process used in strategic planning? With risk can come opportunity, but a majority of organisations aren’t matching up risk discussions with strategy ones. For instance, just 33% said their organisation mostly or extensively had articulated risk tolerance in the context of strategic planning, and 32% said risk exposure was mostly or extensively considered when making capital allocations.
Does management have access to robust key risk indicators? According to the survey, 30% of respondents say they are mostly satisfied or very satisfied with their organisation’s key risk indicators. “Most organisations have a tremendous amount of [KPIs] to help them monitor the performance of the business,” the report said, noting that KPIs tend to focus on internal factors.
Is the entity sufficiently prepared to manage a significant risk event? “The worst time for an organisation to discover a lack of risk management preparedness is during the risk event itself,” the report said. For many entities, that happened in 2020. The survey showed that 67% of respondents thought that the volume and complexity of risks had increased mostly or extensively. That percentage is the highest in the history of the survey — higher than the aftermath of the 2008 financial crisis.
Other findings from the survey:
- 47% said their organisations had designated a chief risk officer or senior executive equivalent. That’s down from 2017 and 2018 (48% and 50%), but up from 2019, when 42% said they had designated someone to oversee risk.
- Each type of entity in the survey (large organisation, public company, financial services entity, not-for-profit) had a year-over-year increase in saying they had a management-level risk committee. Public companies (86%) are well ahead of not-for-profits (59%) in having such committees.
- More organisations are delivering risk information to boards — 64% said they provided a formal report of top risk exposures to the board at least annually, up from 57% in 2019 and the highest percentage in the history of the survey. In 2010, for example, 32% provided a formal report of top risks to their board.
— Neil Amato (Neil.Amato@aicpa-cima.com) is an FM magazine senior editor.