September 14, 2017
The State of Risk Oversight in 2017
by Mark Beasley, Bruce Branson and Bonnie Hancock
Less than half of the respondents surveyed describe risk management processes as "mature" or "robust."
The percentage of organizations with relatively mature risk management processes increased over recent years, although the majority of organizations still do not believe their processes reflect a “complete” or robust ERM process. While progress is being made, there is still room for significant improvement in risk oversight for many organizations, according to a recently released study, 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.
NC State’s ERM Initiative, in partnership with the American Institute of CPAs, has just released its 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. Based on survey responses from 432 business executives spanning a number of industries, types and sizes of organizations, the report provides detailed insights about the state of maturity of their organization’s current enterprise risk management (ERM) practices. This is the eighth year that we have conducted similar research in partnership with the AICPA.
This report provides extensive data about the maturity of various aspects of an organization’s ERM process. Not only do we provide data about the full sample, but we also separately report findings for the largest organizations (revenues > $1B), publicly traded companies, financial services organizations, and not-for-profit organizations.
Here is a brief overview of some of the key findings.
Risk Environment is Complex
Most respondents believe the risks they face are complex and numerous
- About 70% of large organizations, public companies, and financial services entities perceive that the volume and complexity of risks have increased “mostly” or “extensively” in the past 5 years
- That trend has been consistent over the past several years, suggesting the overall risk environment continues to be challenging to manage for all types of organizations
- Most organizations have dealt with significant operational surprises in the past 5 years
Risk Management Processes Less Advanced
Less than half of the respondents describe risk management processes as “mature” or “robust”
- 25% of the full sample describe their risk management processes as “mature” or “robust”, with large organizations, public companies, and financial services entities having more mature processes (but less than 50% of those are “mature” or “robust”)
- The majority of organizations do not believe their processes reflect “complete” or formal enterprise-wide risk management
Opportunities Exist to Integrate Risk Management and Strategic Planning
Most organizations are struggling to integrate risk management with strategic planning
- Only about one-quarter of the respondents describe their ERM processes as an important strategic tool with no real differences in that assessment across types of organizations
- 34% of the full sample do no formal assessments of emerging strategic, market, or industry risks
- If an entity considers strategic risks, that mostly involves qualitative assessments of risk exposures
Organizations are Strengthening Risk Leadership
More organizations are establishing management-level risk committees
- 58% of the full sample has a management-level risk committee, up from 45% last year
- Management-level risk committees are more likely for larger organizations, public companies and financial services organizations (around 80%) – an increase of about 10 percentage points over last year
- We also saw an increase in the designation of individuals who serve as chief risk officer or equivalent
Calls for Increased Senior Management Involvement
A strong majority of boards are asking for increased senior executive involvement in risk oversight (“somewhat”, “mostly”, or “extensively”)
- 67% of the boards for the full sample are calling for more involvement, with even higher percentages of boards asking for greater management involvement in risk oversight at large organizations, public companies, and financial services entities
- This trend is consistent with prior years, suggesting boards continue to be interested in strengthening risk oversight
Future of ERM
As organizations peer into the future, the challenge question for the board of directors, senior executives, and other key stakeholders is “how confident are we in our organization’s ability to effectively identify and navigate the unfolding uncertainties surrounding our current business model and new strategic initiatives?” Based on key findings in this report, what opportunities exist to enhance the organization’s risk management thinking so that both sides of the risk and return relationship are sufficiently and effectively managed?
This year’s report highlights many other specific findings about various aspects of an effective enterprise-wide risk management process. In addition to providing findings for the overall sample, the report separately highlights key findings for public companies, the largest organizations, financial services organizations, and not-for-profit entities.
You can download the full 8th edition here.