Some ERM practices going stagnant, survey indicates

By Neil Amato

A majority of senior finance executives say that risk management is not an important strategic tool at their organizations, and most have not articulated their risk appetite in pursuit of objectives, according to a new survey.

Additionally, fewer than half of respondents believe that existing risk exposures are considered when evaluating new strategic initiatives. That’s according to a survey of 1,093 CFO-level members of the AICPA’s business and industry group.

Just 25% of companies have a formal enterprise risk management (ERM) process in place, according to the survey, which was conducted by the ERM Initiative at North Carolina State University.

Companies are not as likely now, compared with a few years ago, to appoint a chief risk officer, one of several examples where ERM practices appear to have gone stagnant. In 2012, 38% of respondents said their companies had chief risk officers. In the most recent survey, conducted last fall, that number had fallen to 32%. The percentage is still higher than the first edition of the survey in 2009, when 18% of respondents said their companies had a chief risk officer.

Five takeaways

The survey’s authors offered several takeaways from the survey. Among them:

  • There appears to be a disconnect between the recognition of risk and the decision to invest more in structured risk oversight. Rapid changes are catching organizations off guard because few have robust ERM processes in place.
  • Executives indicate that they are receiving increased calls for greater engagement in risk oversight, but those pressures do not appear to be leading to significant year-over-year change in risk-management approaches.
  • About one-third of organizations update their understanding of risks annually, and an additional 24% update that understanding twice or four times a year. Also, nearly half have no formal updating process. “Given the nature of the ever-changing business environment, key stakeholders may wonder if the frequency of risk updates is sufficient,” the report said.
  • Most organizations do not provide any guidelines or scales by which management can assess risk probability or impact. The process used to prioritize risks is mostly ad hoc and “subject to the biases of an individual’s personal risk tolerances.”
  • While most view the risk landscape as increasing in complexity over time, the majority of organizations have provided no formal training or guidance on risk management for employees.

Regulatory changes and increased regulatory scrutiny was ranked as the top risk on the minds of board members and executives in a separate ERM Initiative survey, which was conducted by consulting firm Protiviti. Behind regulatory issues on the list were growth-restricting economic conditions and cyber-threats.

Neil Amato is a JofA senior editor.
