Organizations continue to be aware of the risks in their midst, yet barriers remain for implementing enterprise risk management (ERM) initiatives.
More than half (57%) of companies acknowledge that the volume and complexity of risks has increased “mostly” or “extensively” in the past five years, but the number of mature ERM programs appears to be leveling off, according to a survey conducted by the ERM Initiative at North Carolina State University for the AICPA.
Companies are “seeing a more complex risk world, but they’re not yet investing at any higher levels in strengthening their risk oversight in a general sense,” said Mark Beasley, CPA, Ph.D., a professor at North Carolina State University and one of the survey’s authors.
About 15% of the 446 senior executives surveyed believe that their organizations’ risk management processes are “mostly” or “extensively” a proprietary strategic tool that provides competitive advantage. That’s down about a percentage point from the previous year’s survey
The top five barriers to ERM progress listed in the survey were:
- Competing priorities, chosen by 51% of respondents.
- Insufficient resources, 43%.
- Lack of perceived value, 41%.
- Perception ERM adds bureaucracy, 33%.
- Lack of board or senior executive ERM leadership, 30%.
Beasley said barriers such as lack of perceived value keep cropping up in the survey because companies haven’t linked ERM with strategy.
“When you think about risk and return, companies have to take risk to generate more profit, so it’s surprising they’re not seeing the connection of ERM when thinking about the strategy of the business,” he said. “We see that a lot. Organizations start the conversation about known risks to their operations, or known risks related to compliance or regulation, versus starting the conversation with strategy. ‘What are the risks to how we make money? What are the risks to the things that drive our value?’ They should position ERM from that perspective.”
About 25% of companies have a mature ERM process in place, although larger organizations and public companies have a much higher rate. The larger companies (56%) and the public ones (52%) help drive up the average, which is weighed down by not-for-profits, which rarely have a mature ERM process in place (13%).
There is less board pressure on not-for-profits to institute ERM practices, but there is plenty of risk discussion at larger companies. Boards of directors are asking for more senior executive involvement in risk oversight at 87% of large companies—those with revenue of $1 billion or more—and 78% of public ones. The most frequently cited factors for increasing executive involvement are regulatory demands, emerging corporate governance requirements, and a desire to better anticipate unexpected risk events.
Since 2009, the first year of the survey, companies seem to have become more attuned to risk in several ways: 31% had a designated chief risk officer in 2013, compared with 18% who had one in 2009. Also, 22% had a management-level risk committee in 2009; 43% had one last year. That trend is led by large organizations, public companies, and financial services firms: about two-thirds of such entities surveyed had internal ERM committees last year.
—Neil Amato (firstname.lastname@example.org) is a JofA senior editor.