The State of Risk Oversight in 2017

Less than half of the respondents surveyed describe risk management processes as "mature" or "robust."

The percentage of organizations with relatively mature risk management processes increased over recent years, although the majority of organizations still do not believe their processes reflect a “complete” or robust ERM process. While progress is being made, there is still room for significant improvement in risk oversight for many organizations, according to a recently released study, 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.

NC State’s ERM Initiative, in partnership with the American Institute of CPAs, has just released its 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. Based on survey responses from 432 business executives spanning a number of industries, types and sizes of organizations, the report provides detailed insights about the state of maturity of their organization’s current enterprise risk management (ERM) practices. This is the eighth year that we have conducted similar research in partnership with the AICPA.

See also: The Current State of Risk Management

This report provides extensive data about the state of maturity of various aspects of an organization’s ERM process. Not only do we provide data about the full sample, but we also separately report findings for the largest sized organizations (revenues > $1B), publicly traded companies, financial services organizations, and not-for-profit organizations. Here is a brief overview of some of the key findings.

Risk Environment is Complex

Most respondents believe the risks they face are complex and numerous
  • About 70% of large organizations, public companies, and financial services entities perceive the volume and complexities of risks have increased "mostly" or "extensively" in the past 5 years
  • That trend has been consistent over the past several years, suggesting the overall risk environment continues to be challenging to manage for all types of organizations
  • Most organizations have dealt with significant operational surprises in the past 5 years

Risk Management Processes Less Advanced

Less than half of the respondents describe risk management processes as "mature" or "robust"
  • 25% of the full sample describe their risk management processes as "mature" or "robust", with large organizations, public companies, and financial services entities having more mature processes (but less than 50% of those are "mature" or "robust")
  • The majority of organizations do not believe their processes reflect "complete" or formal enterprise-wide risk management

Opportunities Exist to Integrate Risk Management and Strategic Planning

Most organizations are struggling to integrate risk management with strategic planning
  • Only about one-quarter of the respondents describe their ERM processes as an important strategic tool with no real differences in that assessment across types of organizations
  • 34% of the full sample do no formal assessments of emerging strategic, market, or industry risks
  • If an entity considers strategic risks, that mostly involves qualitative assessments of risk exposures

Organizations are Strengthening Risk Leadership

More organizations are establishing management-level risk committees
  • 58% of the full sample has a management-level risk committee, up from 45% last year
  • Management-level risk committees are more likely for larger organizations, public companies and financial services organizations (around 80%) - an increase of about 10 percentage points over last year
  • We also saw an increase in the designation of individuals who serve as chief risk officer or equivalent

Calls for Increased Senior Management Involvement

A strong majority of boards are asking for increased senior executive involvement in risk oversight ("somewhat", "mostly", or "extensively")
  • 67% of the boards for the full sample are calling for more involvement, with even higher percentages of boards asking for greater management involvement in risk oversight at large organizations, public companies, and financial services entities
  • This trend is consistent with prior years, suggesting boards continue to be interested in strengthening risk oversight

See also: 4 Steps to Integrate Risk Management

Future of ERM

As organizations peer into the future, the challenge question for the board of directors, senior executives, and other key stakeholders is “how confident are we in our organization’s ability to effectively identify and navigate the unfolding uncertainties surrounding our current business model and new strategic initiatives?” Based on key findings in this report, what opportunities exist to enhance the organization’s risk management thinking so that both sides of the risk and return relationship are sufficiently and effectively managed?

This year’s report highlights many other specific findings about various aspects of an effective enterprise-wide risk management process. In addition to providing findings for the overall sample, the report separately highlights key findings for public companies, the largest organizations, financial services organizations, and not-for-profit entities. You can download the full 8th edition here.

Mark Beasley

Mark S. Beasley, CPA, Ph.D., is the Deloitte professor of enterprise risk management and director of the ERM initiative at NC State University. He specializes in the study of enterprise risk management, corporate governance, financial statement fraud and the financial reporting process. He completed over seven years of service as a board member of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and has served on other national-level task forces related to risk management issues.
