Why risk management failures are not limited to banking

Overconfidence, a resistance to talking about risk, and a dislike of the word “no” are some reasons that businesses fail to invest in risk management leadership.
IMAGE BY WHYFRAMESTUDIO/GETTY IMAGES

The precipitous developments surrounding the failures of Silicon Valley Bank and Signature Bank in 2023 along with the sudden bailouts of First Republic and Credit Suisse were remarkable. All are fresh reminders that as organisations engage in strategies to pursue higher returns, they are also taking on greater potential risks.

It is also striking to note that the chief risk officer position at Silicon Valley Bank remained unfilled for most of 2022.

A dedicated risk management leader would have been tasked with providing a coordinated, explicitly focused plan on how the bank should navigate the myriad risks emerging in today’s highly complex, rapidly changing global economy.

The risk management landscape

Unfortunately, problems with enterprise-wide risk management are not isolated to Silicon Valley Bank and others making headlines.

Each year North Carolina State University in the US partners with AICPA & CIMA to survey executives across the globe on the state of enterprise risk management practices. According to the 2023 Global State of Enterprise Risk Oversight: Managing the Rapidly Evolving Risk Landscape report, 68% of the 983 global respondents representing a variety of types of organisations said that the volume and complexities of risks have increased “mostly” to “extensively” in the past five years, with respondents in Africa and the Middle East and in Asia and Australasia indicating even higher levels of 78% and 81%, respectively.

However, only 31% of the respondents assess the overall maturity of their organisation’s risk management as “mature” or “robust”, with no region of the world rating risk management maturity higher than 38%. Why the disconnect?

In our work through the Enterprise Risk Management Initiative at NC State University, we frequently observe boards and senior executives who are relatively uninterested in enhancing their organisation’s approach to risk management. We often hear from individuals who serve in chief risk officer roles expressing a sense of frustration as they struggle to get the CEO’s attention on risk issues. There are many more organisations that have yet to even consider the need for having a risk management champion at a senior executive level.

Excuses often heard for not investing in risk management

There are reasons that organisations fail to invest in risk management leadership. Here are a few we frequently observe:

Overconfidence. The CEO and board think they don’t need to invest more in risk management given that “we talk about risk all the time”, even though those discussions are often ad hoc, side conversations.

In fact, our research found that less than 40% of executives responding to the 2023 survey said that key risks are communicated to senior executives as part of ad hoc discussions at management meetings, and only 26% said this happens as part of a scheduled agenda discussion about risks (with the highest level reported at 30% for organisations in Europe and the UK).

This unstructured approach is not robust enough to identify all the complex, interconnected risks in today’s rapidly changing environment.

Resistance to conversations about risks. It’s human nature for many to want to focus on the positives in life, particularly in cultures that reward optimism over pessimism. Unfortunately, some C-suite executives resist engaging in discussions explicitly focused on risks because they see those as focusing on negatives, not positives.

Naturally, individuals prefer talking about all the great things that the organisation can accomplish. Focusing on risks that might impede those great things is less exciting and rewarding. So those conversations aren’t welcomed and don’t occur. In fact, our research finds that 18% of executives surveyed globally “do not see the benefits exceeding the costs”, or they believe there are “too many other pressing needs” to carve out time to discuss emerging risks.

Competing vs. complementary view of risk management. Each year as part of our research for our global report, we ask executives to identify common barriers preventing their organisations from enhancing risk management processes.

The most frequently cited barrier is a view that risk management is a distraction from competing priorities that add value to the organisation (38% of the global sample cited this reason for lack of risk management investment).

Unfortunately, these executives fail to recognise that risk management isn’t a competing priority but rather a complementary endeavour. Risk and strategy are two sides of the same coin. On one side is what the organisation is trying to do strategically, while the other side reflects risks that might impact (positively and negatively) the success of that strategy. A complementary view sees the strategic advantage of thinking and planning proactively, before a risk emerges.

Distaste for the word “no”. From our early childhood onwards, most of us don’t like to be told “no”, and we often go out of our way to avoid having someone tell us we can’t do something we think makes good sense. The word “no” is something senior leaders sometimes don’t like to hear, particularly from someone subordinate in position and authority. That is despite knowing that, in some cases, the “messenger” recognises perils that leaders may lack the insight to see.

Risk management isn’t getting easier

The world we now live in is weighted with complex drivers of uncertainty that can trigger difficult and interconnected risks at any point in time. Just consider a few: geopolitical changes; trade policies; emerging technologies and artificial intelligence (AI); cyber threats; supply chain challenges; environmental, social, and governance (ESG) developments; terrorism; disruptive innovations; regulatory changes; and talent wars. None of these are easy to manage and track, but they are real and can occur at times you least expect. And, when they do, they can trigger multiple risks simultaneously.

In fact, 55% of our survey respondents admit that their organisation has “mostly” to “extensively” experienced a significant unanticipated operational surprise in the last five years, with those in Europe and the UK and in Asia and Australasia reporting even higher levels at 62% and 59%, respectively. Those surprises may reveal a symptom of ineffective risk management capabilities.

Pause and reflect on your risk management approach

Our extensive research and our work directly with a variety of entities show that many organisations have a long way to go to create risk management capabilities and infrastructures matching the realities of the risk environment in which we live.

Let’s not assume the banking crisis was limited to a few rogue bankers. Rather, let’s use this as an opportunity to make an honest and objective assessment of whether our organisations are similarly limited in their embrace of risk management as an important strategy and governance tool.

The 2023 global survey includes a number of diagnostic questions that executives and boards can use to facilitate conversations about the effectiveness of their organisation’s risk management processes. (See the sidebar, “10 Questions that Facilitate Risk Conversations”.)

These questions may help identify opportunities for enhancing how their organisation approaches consideration of risks in the context of their business model and strategic plan. The questions can be used to help outline next steps organisations can take to enhance the strategic value of their risk management efforts.


10 questions that facilitate risk conversations

Business leaders can use these considerations to evaluate their organisation’s preparedness for managing the rapidly evolving risk landscape:

  1. How rapidly are uncertainties in the global business environment changing in complexity and volume, and is your organisation’s approach to risk management at a level of robustness necessary to manage those changing realities?
  2. To what extent is your organisation’s risk management process providing valuable insights for board and senior management’s strategic decision-making? Are risk insights from the risk management process a valued input to strategic planning?
  3. What types of risks dominate board and management discussions? Is the focus mostly on “already known” operational, compliance, and financial risk challenges or are those discussions prompting management to consider new and emerging risk challenges on the horizon, particularly those that may emerge from outside the organisation?
  4. To what extent are risks identified by the risk management process mapped to how they might impact the organisation’s core business model and strategic plan on both a short-term and long-term perspective?
  5. How is the organisation’s culture affecting risk taking and risk management across the organisation? Is risk management perceived to be an important, value-adding management tool or is it viewed as a “check-the-box” or compliance activity?
  6. To what extent is there clarity among the board and senior management about the top risks for the organisation?
  7. Has management explicitly identified an “owner” for each of the organisation’s top risks, and what accountabilities are in place to ensure risk owners are sufficiently overseeing their assigned risk areas?
  8. To what extent do all members of the executive team and board have a rich understanding of the root-cause drivers of the organisation’s top risks and how the entity is responding to those risks to prevent the root cause from occurring and minimise the impact should the risk occur?
  9. To what extent does management’s dashboard of key performance metrics also include relevant key risk indicators to help them keep an eye on emerging risk trends?
  10. What risk information do the board and senior management need but not currently have? And what improvements to the organisation’s risk management process are most essential?

Mark S. Beasley, CPA, Ph.D., is the Alan T. Dixon Distinguished Professor of Accounting and Director of the Enterprise Risk Management Initiative at North Carolina State University’s Poole College of Management in the US. The ERM Initiative (www.erm.ncsu.edu) provides thought leadership to help business leaders navigate enterprise-wide risks from a strategic and governance perspective. To comment on this article or to suggest an idea for another article, contact Oliver Rowe at Oliver.Rowe@aicpa-cima.com.

