By several measures, enterprise risk management (ERM) is better understood and more valued today than it was 10 years ago. Yet, robust risk management remains elusive for many entities.
The State of Risk Oversight, an annual survey of business leaders by North Carolina State University and the AICPA, is now 10 years old, so several trends can be analyzed. The most recent survey drew responses from nearly 450 CFOs or equivalent senior executives in business and industry in the United States. The data come from industries of all sizes — 16% of respondents' organizations had annual revenue of less than $10 million, and 14% had annual revenue greater than $10 billion.
In general, larger companies and publicly traded ones have a more formal risk function. But much work remains to be done.
"While there is some indication that management efforts related to enterprise-wide risk oversight are increasing over time, there continues to be noticeable room for improving how organizations identify, manage, and keep their eyes on risks that may emerge and significantly impact their ability to achieve strategic goals," the report said.
Here are several key themes from the report that organizations should consider when designing, strengthening, or elevating the importance of ERM practices:
- The management of risks is not getting easier. Nearly 60% said the volume and complexity of risks have increased mostly or extensively over the past five years. As new risks emerge, and as digital-born competitors rise quickly, organizations admit they are sometimes caught off-guard by today's fast-moving business environment, changing regulations, and political challenges. Ten years ago, just as the Great Recession was ending, the percentage was similar (62%).
- External stakeholders seek more engagement in risk management from senior executives. This trend goes beyond the very real scenario where activist investors push for changes to a public company's board of directors or its strategy, as happened last week to Bed Bath & Beyond. An investor group nominated new directors for the U.S. retail chain, called out the company for "excessive executive compensation" and "repeatedly failed execution and strategy", and pointed out lengthy board tenures. According to the report, even a majority of not-for-profit organization respondents (57%) said that external parties were applying pressure on senior executives for more information about risks. In larger companies, that number was 75%, and it was 59% for the full sample.
- More risk information is prepared for executives and board members, but the reporting process remains informal. While 35% say their risk oversight processes are systematic and repeatable with regular board-level reporting of top risk exposures, the rest have ad hoc, siloed, or unstructured processes for board reporting.
- Strategies are needed to circumvent barriers that inhibit risk management progress. The report identified several key impediments to strengthening the organizational approach to risk oversight. The most common responses:
  - "risks are monitored in other ways besides ERM", 51%
  - "too many pressing needs", 34%
  - "no requests to change our risk management approach", 33%
  - "no one to lead the effort", 26%
  - "do not see benefits exceeding costs", 22%
The nature of the barriers to ERM success, the report says, has changed little over the past 10 years. But the nature and velocity of risks have changed. For instance, Airbnb began in the summer of 2008, and Uber was founded in March 2009. Those businesses are now entrenched, and competitors looking to disrupt other sectors are sprouting every day. It's why large companies (52%) and public companies (50%) are more concerned than others about innovations that might disrupt the organization's core business model.
It's also why risk management must be better integrated with strategy. Just 40% of current respondents said that existing risk exposures were considered mostly or extensively when evaluating possible new strategic initiatives, compared with 48% in 2009. Even in that survey report, there was a warning for companies related to strategy and risk, from a 2008 speech by Federal Reserve governor Randall S. Kroszner:
"Boards of directors and senior management, who bear the responsibility to set strategy and develop and maintain risk management practices, must not only address current difficulties, but must also establish a framework for the inevitable uncertainty that lies ahead."
— Neil Amato (Neil.Amato@aicpa-cima.com) is a JofA senior editor.