In an environment where risks are growing—and growing in complexity—few companies are fully considering risk in their business strategies.
The percentage of companies adopting enterprisewide risk oversight has almost tripled in three years but remains small; implementation has yet to take place in more than three out of four organizations, a recent survey done for the AICPA shows.
Fewer companies still have integrated enterprise risk management (ERM) into their overall business strategy. Just 15% of CFOs and senior executives surveyed believe “mostly” or “extensively” that their organization’s risk management process is a proprietary strategic tool that provides a unique competitive advantage.
Almost half (49%) of the organizations in the survey fail to meaningfully consider existing risk exposures when evaluating new strategic initiatives. And just 35% have “mostly” or “extensively” articulated the organization’s appetite or tolerance for risks in their strategic planning.
The survey of 618 U.S. executives was conducted for the AICPA’s Business, Industry and Government team by North Carolina State University’s ERM Initiative. Mark Beasley, CPA, Ph.D., a professor of enterprise risk management who directs the ERM Initiative at the university, said that, at many organizations, the paths of risk management and strategy seldom cross.
“What they’ve forgotten is the fundamental relationship of risk and return,” Beasley said. “They’re hand in glove.”
Protect the “crown jewels”
Beasley recommends that businesses implementing an ERM process start from a strategic perspective. He said a senior executive team should begin risk management by listing the “crown jewels” of their organization—the products or services that generate the most revenue. Then they must determine the biggest risks to those crown jewels, and adjust their strategy accordingly.
“If that’s all I did, I would be way ahead of a lot of companies,” Beasley said.
Instead, he said, many companies begin a risk management implementation by focusing on the risks themselves. They start by listing the things that keep them awake at night, or by creating a list of risks to each element of their enterprise—legal risks, supply chain risks, technology risks, etc.
They end up with a list of perhaps hundreds of risks that seem impossible to manage, and they do not know what to do about them. The importance of specific risks becomes more apparent, Beasley said, when the crown jewels are taken into account first.
Yet the first step for a company, he said, is to make the commitment to start an enterprisewide risk management program. He said companies often spend a lot of time debating whether to start ERM without making a decision. But the percentage of businesses using comprehensive risk oversight is increasing.
About one-quarter (23%) of organizations reported that they have complete ERM processes in place. That’s up from 9% that reported complete ERM implementation in 2009. In 2012, 47% of organizations with more than $1 billion in revenue and 46% of public companies surveyed reported having complete ERM processes in place. This represents a significant increase in just a year. In 2011, 32% of organizations with more than $1 billion in revenue and 24% of public companies reported having complete, formal ERM processes in place.
These processes are helping organizations face an increasingly dangerous business environment. Sixty-two percent of respondents said the volume and complexity of risks have increased “extensively” or “mostly” in the past five years. More than two-thirds (68%) said they were caught off guard by an operational surprise “somewhat” to “extensively” in the past five years.
New risks, growing awareness
Beasley said the uncertain economic environment, cybersecurity concerns, increased regulation, and political uncertainty play roles in the greater volume and complexity of risks.
Despite the environment, 39% of the organizations surveyed do not have enterprisewide risk management in place and do not have plans to implement ERM. Beasley said that does not mean most other businesses are not conscious of risk management. But many executives say they are managing risks in an ad hoc or informal fashion, and Beasley said that can lead to trouble.
“I think people are placing confidence in that kind of [informal risk management] when maybe it’s not warranted or could be overstated,” he said.
Although the percentage of ERM implementers remains low, Beasley is encouraged by their increasing numbers. But much work remains to be done, especially with regard to connecting ERM to strategy.
Beasley has talked to bank executives whose overriding objective for ERM implementation is to satisfy regulators’ demands. He advises them to think more strategically.
“Unfortunately, they’re just doing something to get the regulator off their back,” Beasley said. “And what we’re trying to do is say, ‘OK, you can do that. But you may also find some real advantage to this, in running your business.’ That’s where there’s a huge opportunity still out there, to help people see that strategic advantage.”
—Ken Tysiac (firstname.lastname@example.org) is a JofA senior editor.