Risk oversight has grown in importance among all types of organizations this decade, but some of the gains can be attributed to public companies responding to the SEC’s rules related to risk disclosures.
Even entities not subject to SEC oversight have started to take a broader approach to enterprise risk management (ERM), according to an annual survey released Tuesday.
Five years ago, nearly one-third of not-for-profit organizations had no enterprisewide process in place for managing risk. Compare that to the 2017 version of The Current State of Enterprise Risk Oversight, an annual survey by North Carolina State University’s ERM Initiative, which showed that 17% of not-for-profits had no enterprisewide process.
Part of that change is in response to a faster-moving business environment—more risks are flying at organizations, and with more speed than in the past. Smaller organizations, such as not-for-profits, are potentially more vulnerable to certain risks, such as occupational fraud, if they lack strong internal controls.
Another reason private organizations are paying more attention to risk is that more of their board members are bringing public company experience.
“Not-for-profits have gotten more savvy over the years in terms of the need to have effective board involvement,” said Jim DeLoach, CPA, a managing director at Protiviti. “A good percentage of the men and women who serve on not-for-profit boards also serve on public boards. They’re bringing that best practice to create some focus in the boardrooms on the risks that really matter.”
Overall, companies seem to be closer than in the past to having a robust risk management program in place. Five years ago, 23.4% of executives said their companies had complete and formal ERM processes in place. That rose to 28% in the current survey, including 49% of large companies, defined as those with annual revenues greater than $1 billion.
Whereas just 11.9% of not-for-profits in 2012 said their ERM process was complete and formal, now 19% say that is the case.
DeLoach said organizations of all types have learned, since the 2008 financial crisis, about the importance of a formal risk program.
“The learning experience that has occurred over this period is that the risk oversight process can’t be scatter-brained in looking at all the risks,” he said. “It’s got to be focused.”
But some companies, DeLoach said, must adjust their focus. They tend to think of ERM implementation as a project with a defined start and stop.
“Complete ERM? There is no such thing,” DeLoach said. “It’s not a [case of] check the box and you’re done, you’re complete, and you don’t have to worry about it anymore. Your risk environment is constantly changing and evolving, and part of the discipline of ERM is to ensure that your risk management capabilities are being constantly upgraded as your business environment changes.”
Competing priorities remain the biggest barrier to progress in ERM efforts, with 45% of respondents listing that concern as a barrier or significant barrier. That’s followed by insufficient resources (44%), lack of perceived value (37%), perception that ERM adds bureaucracy (28%), and a lack of board or senior executive ERM leadership (27%).
Those five barriers were the same as in 2012, and in the same order.
—Neil Amato (Neil.Amato@aicpa-cima.com) is a JofA senior editor.