Few companies strategically using risk management

Nearly half of senior leaders in a long-running risk management report said their organizations consider existing risk exposures when evaluating possible new strategic initiatives, yet only 11% definitively labeled their risk management process as a strategic tool that delivers a competitive advantage.

Only about one-third (32%) of the 273 CFOs and senior finance leaders surveyed in the 16th edition of The State of Risk Oversight report rated their organization’s overall risk oversight as “mature” or “robust,” even as 61% acknowledged that the volume and complexity of risks have notably changed over the past five years.

“Organizations with a robust, enterprise-wide and strategically focused approach to managing risks increase the odds that these risks can be managed proactively so that key strategic initiatives stay on track,” Mark Beasley, CPA, Ph.D., director of the ERM Initiative at North Carolina State University, said in a news release.

Beasley and fellow N.C. State accounting professor Bruce Branson, Ph.D., the associate director of the ERM Initiative, co-wrote the annual report in conjunction with the AICPA.

“There has been a slow, steady embrace of ERM as a formal risk management practice over the past 16 years of our study,” Beasley said. “However, the study finds that the majority of organizations of all types and sizes continue to completely overlook or are making slow progress in advancing their ERM processes.”

Only 35% of leaders said their organizations have complete formal enterprise risk management (ERM) processes in place, down from 37% a year ago. Though 63% of organizations with annual revenue above $1 billion report having complete ERM processes, just 24% of smaller organizations reported the same.

Only 29% of leaders across all organizations saw a lack of perceived value as a notable barrier to implementation of effective ERM processes. Competing priorities and insufficient resources (41% each) are seen more often as barriers.

“In today’s business landscape, defined by uncertainty, disruption, innovation, and constant change, organizations must move beyond reactive risk management and embrace a proactive, enterprise-wide approach,” said Tom Hood, CPA/CITP, CGMA, the AICPA and CIMA’s executive vice president–Business Growth & Engagement. “The pace of change demands resilience not just as a concept, but as a capability embedded throughout the organization.”

Nearly half (45%) of organizations represented in the report have a chief risk officer or senior risk executive equivalent on staff.

The report includes calls for action to help executives and boards identify actions to enhance the strategic value of risk oversight. These questions are a sample of issues leaders can consider as they evaluate their approach to risk:

• What are management’s perceptions about the current approach to risk management?
• Is there consensus about the most significant enterprise risks?
• How is the output from risk management used in strategic planning?
• Does management have access to robust key risk indicators?
• Is the organization sufficiently prepared to manage a significant risk event?

— To comment on this article or to suggest an idea for another article, contact Bryan Strickland at Bryan.Strickland@aicpa-cima.com.