Nine years ago, just 9% of companies claimed to have a complete enterprise risk management (ERM) process. Today a larger percentage of companies (31%) describe their ERM processes as complete.
While there has been progress, there’s still some work to do for many companies, according to an annual survey released Tuesday by North Carolina State University and the AICPA. The survey polled 474 finance executives in business and industry, mainly from North American companies.
One example of concern: Enterprise risk management continues to be viewed more as a compliance exercise than one that produces strategic value, according to Mark Beasley, CPA, the director of N.C. State’s ERM Initiative. That’s despite growing concern about the complexity of the risk environment and a reprioritization of the top risks on the minds of finance decision-makers. The level of worry about risks has risen in three of the past four years in the survey
Companies are struggling to create mature ERM practices despite the perception that the volume and complexity of risk was increasing mostly or extensively — a view held by 60% of respondents.
Twenty-two percent rate their organization’s risk management oversight as mature or robust.
Meanwhile, there’s more evidence revealing a disconnect in the way companies are prioritizing risk: About half of companies provide written reports to senior executives at least annually to communicate about risks, and that percentage jumps to 82% for public companies.
“They’re providing written reports, but [the reports are] based on a fairly immature process,” Beasley said.
More companies are paying attention to ERM, the data show, but they are not necessarily structured in the way they plan to respond to risk events on the horizon. Thirty-one percent say they have a complete ERM process in place, compared with 28% last year and 23% in 2012.
Additionally, a growing number of companies have appointed a chief risk officer or equivalent, and more organizations have a management-level risk committee than in the past: 59% in the current survey, compared with 30% in 2010.
So, ERM has gradually gotten more important, even if it remains somewhat informal. “Companies are putting their telescope on it, but it’s been gradual,” Beasley said.
Rapid changes to business
Another survey shows that specific risks faced by companies are changing. The top risk for several years in a survey N.C. State conducted with consulting firm Protiviti was related to economic conditions. In the most recent version, released in December, economic conditions fell to eighth on a list of concerns, and regulation — regularly a top worry of finance executives — fell to fourth.
The top risk in the Protiviti survey was potential business disruption from rapid innovation.
“They’re afraid they’ll be totally blindsided by some competitor, and it may not be an existing competitor,” Beasley said. “It may be something that happens out of the blue.”
The updated Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework could help nudge companies in the right direction, Beasley said. That framework, released in September, specifically mentions a tie-in between risk and strategy.
One call to action in the N.C. State-AICPA survey is to find ways to connect risk management and strategic planning. Beasley said companies have pockets of sophisticated risk management in place — such as airlines for compliance with air-traffic rules, or banks for loan defaults — but a large segment of organizations in the survey still have a long way to go in making their ERM process holistic.
“They are embracing that they need to be doing more on risk management,” Beasley said. “But as far having detailed processes and building out their risk infrastructure, it’s happening slowly.”
— Neil Amato (Neil.Amato@aicpa-cima.com) is a JofA senior editor.