The catastrophic meltdown of financial markets that began in September 2008 resulted in a full range of challenges—both old and new—for organizations worldwide. Similar to other periods of adversity and uncertainty, it prompted organizations to re-evaluate their policies, processes and procedures from a renewed perspective, and implement change wherever it was needed. One function that continues to undergo particularly close scrutiny is enterprise risk management (ERM).
The Need for New Thinking About ERM
In recognition of risk management’s elevated position on the leadership agenda, we conducted a statistical survey sponsored by the AICPA and completed by members who are CFOs or hold other senior management positions.
The survey examined the factors that influence ERM, the status quo of ERM, and the interactions between various types of risks, such as strategic risk, operational risk, financial risk and hazard risk, and a standard set of interacting organizational resources, such as personnel and structure, processes and plans, facilities and operational assets, customers and suppliers, and external resources. Risk classes and sets of resources were then identified.
The survey had two major objectives: (1) To test whether these interactions are important to organizations and managers, and (2) to investigate the perception of CFOs as to how, or how well, organizations are addressing these interactions. The survey results are presented here, along with a key set of managerial insights based on our observations.
Areas for Improvement
Positive changes in risk management have occurred over the past few years. It has become part of the organizational culture for a majority of survey respondents. However, the existence of serious weaknesses in ERM within the organizations surveyed revealed that additional strides are necessary. Consider the following survey findings:
Only 41% of respondents said their organizations had a suitable incentive system for top management to actively engage in enterprise risk management. This finding points to the most serious weakness in ERM among the organizations surveyed. To remedy this, organizations must create direct incentives for top managers to engage in ERM. Unfortunately, aligning incentives with risk management, through education, core values, culture and other means, remains a major organizational challenge.
Half of the respondents believed that the knowledge infrastructure, such as appropriate expertise and risk-reporting tools, that is in effect in their organizations needed substantial improvement. This indicates a lack of good models and tools, a lack of implementations of such models and tools, or a lack of data to support risk analyses. These tools include both reporting tools and analysis tools. Such tools should be available in computerized form, through enterprise resource planning (ERP) systems or the like.
Approximately 50% of survey participants said that risk professionals were not highly engaged in strategic risk management, nor did they seem to have a major role in other risk categories (operational, financial and hazard risk). These findings indicate that organizations may not be using the input from risk professionals efficiently. They also indicate that in most organizations risk management activities are not accorded the importance given to top revenue-generating activities. Also, it may be that risk professionals need to adopt a broader view as to the applicability of their area of expertise. Again, the incentives are likely not present to motivate the use of risk experts and ERM at a level high enough to allow for proper considerations of the impact or the risk. Also, only 39% of respondents would recommend their overall ERM practices to their colleagues, which suggests a lack of confidence in their own ERM practices.
Only 56% of respondents said that their available risk management resources were being used to create optimal value for the organization. This implies that there is potential for creating more value for the organization with the existing level of resources. Resources typically include broad classes of firm-specific assets such as personnel, processes, facilities, customers and suppliers, as well as external stakeholders and regulators. One approach to this issue would be for CPAs to create industry best practices and communication tools that demonstrate how similarly situated organizations are making optimal use of their risk-management resources and delivering top value in the process.
According to the survey, 59% of respondents did not believe their organization had appropriate incentives to encourage top management to actively engage in ERM. This issue has become more pronounced since the global financial crisis because of stronger financial constraints and a focus on cost cutting. In addition, events outside of the financial sector have brought this problem to the attention of the general public and to regulators.
Designing a structure that incentivizes leaders to manage risk effectively and efficiently will be the greatest challenge for any organization, whether in the financial sector, in offshore oil drilling, or anywhere in between. The reason for this is that ERM remains a complex, multifaceted, and strategic activity that requires unprecedented levels of coordination and control, as well as long-term perspectives.
Major events, such as the recent economic crisis and failures in the financial system, might just refocus attention on ERM, and lead to either internal organizational changes or regulatory changes that will clearly incentivize good risk management practices, and hopefully elevate good ERM practice to a new level.
The Dodd-Frank Wall Street Reform and Consumer Protection Act may also incentivize organizations to improve ERM practices to reduce future systemic failure. However, the act only addresses risks that are obvious to regulators, and is not in any way a panacea for ERM.
To adequately manage risk, organizations must create the proper incentives for ERM. These incentives must be institutionalized and aligned with the actual ERM practices in the organization. Organizations must also make efficient use of, and properly engage, their risk professionals across organizational activities.
Finally, both tools and information related to ERM must be improved, and made accessible through commonly used ERP systems.
The catastrophic meltdown of financial markets that began in September 2008 resulted in close scrutiny of enterprise risk management (ERM).
The authors conducted a statistical survey that examined the factors that influence ERM, the status quo of ERM, and the interactions between various types of risks. The survey results are presented here, along with a key set of managerial insights based on their observations.
Areas for improvement identified by the survey included: (1) Only 41% of respondents thought their organizations had a suitable incentive system for top management to actively engage in enterprise risk management; (2) half of the respondents believed that the knowledge infrastructure, such as appropriate expertise and risk-reporting tools, that was in effect in their organizations needed substantial improvement; (3) approximately 50% responded that risk professionals were not highly engaged in strategic risk management nor did they seem to have a major role in other risk categories (operational, financial and hazard risk); and (4) only 56% of respondents believed that their available risk management resources were being used to create optimal value for the organization.
Barry Mishra (firstname.lastname@example.org) and Erik Rolland (email@example.com) are professors in the Department of Accounting and Information Systems at the A. Gary Anderson Graduate School of Management, University of California–Riverside.
About the Survey
The survey, A Strategic Framework for Enterprise Risk Management & Identification, was conducted by the research faculty at the A. Gary Anderson Graduate School of Management, University of California–Riverside. It was performed as part of the Management Accounting Research Grant series sponsored by the AICPA.
Data was collected between April 2 and May 12, 2009, through an online survey instrument electronically sent to AICPA members in business, industry and government who serve in CFO or equivalent positions. The study received 227 partially or fully completed surveys. Questions addressed factors related to enterprise risk management within participants’ organizations, organizational resources and the risk types their organizations are facing.
To learn more about A Strategic Framework for Enterprise Risk Management & Identification, or to receive a copy of the survey, please contact the authors at the e-mail addresses provided above.