Public companies and large private organizations are making the biggest strides in implementing holistic risk management. But their risk management practices still have gaps.
Fifty-one percent of public companies and 51% of large private companies have complete formal enterprise risk management (ERM) programs in place, according to the AICPA and North Carolina State University, which on Wednesday released data culled from 441 finance executives in business and industry.
The 2016 percentages represent a large increase when compared with previous results in the survey, which began in 2009. In 2011, 32% of large organizations, defined as those with annual revenues greater than $1 billion, had a complete ERM process in place, and just 24% of public companies did.
Mark Beasley, CPA, a professor of enterprise risk management and director of North Carolina State University’s ERM Initiative, said the percentages for public companies began to tick upward about 2010 in response to the SEC issuing new rules regarding disclosures of a board’s role in risk oversight.
In the current survey, 25% of organizations have a complete, formal ERM function, the same percentage as each of the previous two surveys but up from 9% in 2009 and 15% in 2011. Not-for-profits lag behind other categories, with 17% in this year’s survey having complete ERM processes, compared with 10% in 2011.
Plenty of companies say risk management is important, and a rising number have taken steps to make it a priority, through naming a chief risk officer, creating board committees that focus specifically on risk, or other strategies. But a high percentage of organizations stop short of saying they’re finished with ERM initiatives.
“The entities are still working to see what’s best for them,” Beasley said. “They’re thinking more about risk management, but they’re reluctant to describe it as complete or enterprise-wide. They’re hesitant to put a stake in the ground and say, ‘We’ve got this thing figured out.’ ”
Risk, whether in the form of economic uncertainty, cyberthreats, or ever-changing technology, is not going away. In fact, 57% of respondents believe risks tied to doing business have changed extensively or mostly in the past five years.
But some view risk as an issue that doesn’t deserve an enterprise-wide response, and others aren’t seeing value in formal ERM.
Forty-six percent cite insufficient resources as a barrier to ERM progress, 44% list competing priorities, and 34% cite a lack of perceived value.
Some companies have not yet implemented ERM programs. Among respondents from those organizations:
- 47% said risk is managed in other ways besides ERM.
- 31% said there were no requests to change the organization’s risk management approach.
- An additional 31% said there were more pressing needs.
- 23% said they had no one to lead an ERM program.
- 17% said they did not see benefits exceeding costs.
Those attitudes show why risk is not often linked with strategy: 56% said risk management was either “not at all” or “minimally” a proprietary strategic tool in their organization.
—Neil Amato (firstname.lastname@example.org) is a JofA senior editor.