Five barriers restricting risk management progress

BY NEIL AMATO

Organizations continue to be aware of the risks in their midst, yet barriers remain for implementing enterprise risk management (ERM) initiatives.

More than half (57%) of companies acknowledge that the volume and complexity of risks has increased “mostly” or “extensively” in the past five years, but the number of mature ERM programs appears to be leveling off, according to a survey conducted by the ERM Initiative at North Carolina State University for the AICPA.

Companies are “seeing a more complex risk world, but they’re not yet investing at any higher levels in strengthening their risk oversight in a general sense,” said Mark Beasley, CPA, Ph.D., a professor at North Carolina State University and one of the survey’s authors.

About 15% of the 446 senior executives surveyed believe that their organizations’ risk management processes are “mostly” or “extensively” a proprietary strategic tool that provides competitive advantage. That’s down about a percentage point from the previous year’s survey

The top five barriers to ERM progress listed in the survey were:

  • Competing priorities, chosen by 51% of respondents.
  • Insufficient resources, 43%.
  • Lack of perceived value, 41%.
  • Perception ERM adds bureaucracy, 33%.
  • Lack of board or senior executive ERM leadership, 30%.


Beasley said barriers such as lack of perceived value keep cropping up in the survey because companies haven’t linked ERM with strategy.

“When you think about risk and return, companies have to take risk to generate more profit, so it’s surprising they’re not seeing the connection of ERM when thinking about the strategy of the business,” he said. “We see that a lot. Organizations start the conversation about known risks to their operations, or known risks related to compliance or regulation, versus starting the conversation with strategy. ‘What are the risks to how we make money? What are the risks to the things that drive our value?’ They should position ERM from that perspective.”

About 25% of companies have a mature ERM process in place, although larger organizations and public companies have a much higher rate. The larger companies (56%) and the public ones (52%) help drive up the average, which is weighed down by not-for-profits, which rarely have a mature ERM process in place (13%).

There is less board pressure on not-for-profits to institute ERM practices, but there is plenty of risk discussion at larger companies. Boards of directors are asking for more senior executive involvement in risk oversight at 87% of large companies—those with revenue of $1 billion or more—and 78% of public ones. The most frequently cited factors for increasing executive involvement are regulatory demands, emerging corporate governance requirements, and a desire to better anticipate unexpected risk events.

Since 2009, the first year of the survey, companies seem to have become more attuned to risk in several ways: 31% had a designated chief risk officer in 2013, compared with 18% who had one in 2009. Also, 22% had a management-level risk committee in 2009; 43% had one last year. That trend is led by large organizations, public companies, and financial services firms: about two-thirds of such entities surveyed had internal ERM committees last year.

Neil Amato ( namato@aicpa.org ) is a JofA senior editor.

SPONSORED REPORT

Tax reform complicates year-end tax planning

Get your clients ready for tax season with these year-end tax planning strategies, which address how to make the most of recent tax law changes, such as the new deduction for qualified business income and the cap on the deductibility of state and local taxes.

VIDEO

What RPA is and how it works

Robotic process automation is like an Excel macro that can work on multiple applications, says Danielle Supkis Cheek, CPA. RPA can complete routine, repetitive tasks such as data entry, freeing up employee time from lower-level chores.