Risk management processes within businesses continue to be relatively immature and ad hoc despite increased volume and complexity of risks, according to a study published by N.C. State University’s ERM Initiative in partnership with AICPA’s Business, Industry, & Government Team.
The second annual study, 2010 Report on the Current State of Enterprise Risk Oversight: 2nd Edition , also found that almost 70% of the executives surveyed noted that management does not routinely report the entity’s top risk exposures to the board of directors. About half (48%) of all respondents said they were “Not at All Satisfied” or were “Minimally” satisfied with the nature and extent of reporting to senior executives of key risk indicators.
More companies delegated senior management leadership over risk oversight than in 2009. Twenty-three percent said they created a chief risk officer position, up from 17.8% in 2009, and 30% have an internal risk committee that formally discusses enterprise level risks, up from 22% noted in the 2009 report.
The study is based on a survey conducted in December 2009 of 330 senior financial executives. A majority of those responding (64.9%) were CFOs, 18.2% were controllers. Other respondents included the head of internal audit (1.7%), treasurer (1.3%), and chief risk officer (.9%), with the remainder representing numerous other executive positions.
A broad range of industries was represented by the respondents. The most common industry was finance, insurance, and real estate (24.6%), followed by not-for-profit (19.3%), manufacturing (18.4%), services (15.8%) and construction (6.1%).