The state of risk oversight: Why both structure and agility matter

Hosted by Neil Amato

Risk management came to the forefront for many organizations during the Great Recession. Now, in the midst of the Great Resignation and other highly disruptive events, risk management continues to be vital.

An annual report on the state of risk oversight takes a closer look into where organizations stand and what they can learn about their own gaps. Mark Beasley, CPA, Ph.D., a professor at North Carolina State University and director of the school's ERM Initiative, explains more in the latest episode of the Journal of Accountancy podcast.


What you'll learn from this episode:

  • An overview of the risk management survey's history.
  • How respondents are classified and why that matters to Beasley.
  • How things have changed in the past 10 years related to organizations' thoughts on the risk environment.
  • What organizations have learned about their risk management gaps from the past 2½ years.
  • The value of having structure but also being nimble when it comes to ERM.

Read the edited transcript:

To comment on this episode or to suggest an idea for another episode, contact Neil Amato at


Neil Amato: Welcome to the Journal of Accountancy podcast. This is your host, Neil Amato. This episode focuses on ERM, or enterprise risk management. Organizations' risk readiness has been severely tested the past few years, and an annual report on the state of risk oversight paints a picture of how things stand on the ERM front. I am speaking in this segment with Mark Beasley, a CPA who is KPMG Professor of Accounting at North Carolina State University's Poole College of Management. He is also the director of the school's ERM Initiative and a repeat guest on our show. You'll hear that conversation after this word from our sponsor.

Amato: Mark, thank you very much for being on the podcast. Glad to have you back.

Mark Beasley: Thank you. It's great to be back.

Amato: Now we're talking about an ERM survey that N.C. State and the AICPA have been working on, I guess, together for more than a decade now. It's on the state of risk management. Tell me first what some of the background of the survey is and what are some of the things that maybe you're seeing that are key takeaways for you in this new edition of the survey.

Beasley: From a background perspective, as you mentioned, we have been doing it for over a decade. In fact, this year's report is our 13th annual study. The focus of the study is really trying to get a sense from business leaders. This would be people in the C-suite management-level positions that are responding to get a sense for what they're doing in their organizations, to manage the complex web of risk for their organization. The focus is on the state of risk oversight practices and processes within these organizations.

Beasley: We're just trying to get a sense for, as you mentioned, the risk management, which particularly in the last 2½ years has just become more and more of a priority. What are you doing? What does that look like? How do you think it's working for you? It's all about trying to get insights on that.

Amato: Now it's more than 550 respondents overall. Can you break down a little bit about where those respondents are working, what organizations they represent?

Beasley: Yes, definitely. So you're correct. We have 560 respondents that went through. It's a fairly lengthy survey and they stuck with it through that and we're very pleased with that. What that allows us to do then is to analyze it not only for the full sample. Throughout the entire report, we're talking about the results for the 560 organizations that are represented there. But then we break it down. One of the ways we break it down is, well, let's look at the really larger entities, just large, it could be a for-profit, it could be a government, could be a nonprofit, which basically is defined with revenues greater than a billion dollars.

We have 152 what we call large entities, then we have 129 of those that are publicly traded companies, so we're obviously interested, OK, what does a publicly traded company look like compared to the full sample? We also look at the financial services industry, knowing that risk management has a different feel in some of those, particularly in banking and insurance, so we carve out the financial services entities, which is 151 of the 560. The last group that we analyze are nonprofit organizations, which would include state and local governments, as well as nonprofits, that make up 156. Throughout the report we are saying "Here's the full group." But then when you look at each of those subgroups, how might they look differently?

And I should also add multi-industry. We've got a wide range of industries reported. I think our largest is in the 20% range of the full sample, but a pretty broad category that is a part of that group. We're able to look at it multiple ways.

Amato: One question you ask is about the volume and complexity of risks that organizations face. When you see it on a bar chart over 10 years, it's not a dramatic increase from 10 years ago, but it is an increase. I think that's fair to say since 2011, for example, when you look back 10 years, the volume and complexity of risks for organizations does seem to be growing, correct?

Beasley: You're correct. This is what we would refer to as a perception question. We were asking, how does it feel to you and your leadership team about the volume and complexity of risks that you're facing relative to what you can recall that it felt like five years earlier? That's the benchmark we're saying when you think about five years ago, how does it feel now? To your point, 65% of our full sample said the volume and complexity of risk is increasing what we would call mostly to extensively.

If you think about a five-point scale, these would be people that said it's at the four or five level. Naturally, now in hindsight, when we look back, we see definitely it ticked up in 2020 with COVID. That's where we saw a big bump, and it's holding steady with that. I think people still realize we're still in a complex world, and there are so many other things besides COVID that drive that. We've got a lot going on in the world today.

I think the COVID experience has helped them realize, have an eye on it, I guess is a better way to say it. But I do think it's interesting if you go back to say a decade earlier, 2011, it was at 55%. I think it's interesting to highlight that because, even then, we felt like it's a risky world. I think most business leaders are like, the world is changing rapidly and literally overnight things happen and I got to be ready.

Amato: Right. One thing I want to ask actually is about the dates that you were gathering responses. Because, obviously, people knew about COVID before, but was the crisis in Ukraine even underway when the response period was open? I don't know.

Beasley: That's a great question. The respondents participated in this in January, February, March of this year. Yes, for the most part, it was beginning to occur. If you think, the invasion in Ukraine was, this is where my memory is not good, but mid- to late February?

Amato: It was late February, yes, that's correct.

Beasley: Yeah. I think we have a mix, to be honest. I think some of our respondents would have responded before that event. We've been hearing rumblings, but then I think it was in late February. That group after that particularly, yes.

Amato: Clearly, with inflation, the outlook has changed a lot just since the first quarter of this year. There's a lot going on always.

Beasley: There's a lot going on. You're exactly right.

Amato: One thing that you do is not just report the numbers; you are giving these organizations who read the survey some suggestions for how they can better assess their risk readiness. I guess you want them to ask themselves a series of questions. Do you want to talk about some of those questions and how they can help the organizations enhance their risk management efforts?

Beasley: I'm glad you're highlighting this because, obviously, our report has several purposes, but our main purpose is just to give people some data. What are other organizations doing? What are they doing? We lay out all kinds of different pieces of risk oversight process and say, OK, here's how many have a chief risk officer, here is how many report annually to the board.

You get a sense for benchmarking, but a big part of our goal with this is to really provide thought leadership to get people to think and evaluate and self-assess. Are we where we need to be in light of the volume and complexity of risks that we obviously are facing? Is our risk management at the level of maturity that we really need to get there?

We're not dictating any level at all. We're saying, just think about this, and to help that thinking then, we organize our findings in different topical areas, which are all hyperlinked. But as an introduction to each of those areas, we have a series of questions just to prompt thinking.

We phrase them as, "We suggest these questions to assess your organization's risk readiness." For example, we have a category on the overall strategic value of risk management because we've got to take risks to make money. Risk and strategy go together.

We have questions like, to what extent is the information generated by your organization's risk management process highly valued by your senior leadership team and the board for strategic decision-making? Just gets you thinking about that.

Another question in that section is, how connected are your entity's risk management processes to strategic planning, resource allocation like budgeting decisions and that kind of thing? It's just some things to think about, food for thought, but it's on a number of different topics.

It's loaded with those thought questions just to prompt some thinking. Quite frankly, these can easily be used in the executive team of management or even at a board as a discussion guide. Let's talk about some of these and see what we think.

Amato: What do you think organizations learned about their own gaps in ERM from the past 2½ years?

Beasley: I think they learned that the lack of a structured risk management process — that's loosely defined — but some kind of structure put them behind during the COVID initial days, particularly. Let me rephrase it a different way. From entities that we've talked to a lot in our ERM Initiative work, those that had a more advanced approach to risk oversight.

They had processes involved. They had an annual cadence of thinking about risks. They tried to connect it to strategy. They had a leader of the process to advise business leaders to think about the risks. They had a management-level risk committee, and they were regularly reporting risk information to the board.

They already had a structure to tap into immediately in March of 2020. Others that didn't have that, it was a question of where risk management was. Yeah, I've had many, many executives say to me, Mark, we manage risk all the time. We talk about risk, but it's very ad hoc, very unstructured. There's no defined leader and there's no defined process. By the way, we haven't talked about risk management organization, so the rest of the leadership team doesn't know we do this. They were scrambling just to pull together: What do we do? How do we do it? Whereas those that had a process could hit the ground running.

I think a lot of organizations realized, oh, there's value in risk management. There's some real important lessons there. I think that some other lessons though, even those that had a more formalized structure to the process, they learned as well.

I think a lot of what they learned is there's tremendous value if we can have a little bit of — while we want some structure, we also want to be nimble because things change fast. One of the things that we heard is, if I can get people together talking about risk from multiple lenses across the enterprise, we're going to go a long way. That's going to help us a lot.

What we've seen in the last several years is a significantly increasing percentage of organizations that have what we call a management-level risk committee. These are management-level risk committees representing people from all across the enterprise who get together pretty regularly thinking about and talking about risk. I think they've realized, wow, that transparency and conversation has been hugely beneficial and is really helping more people understand some of the challenges.

Amato: I'd say on the topic of being nimble and on the topic also of getting together and talking about risk, that's what the ERM Initiative has done. I would guess you had to go virtual with some of the meetings that you've had as in-person summits, but you're still getting those people together and talking about risk. That's the goal of the ERM Initiative, I guess.

Beasley: You're absolutely correct. We were affected just like everyone. Initially, like everyone, we're like, oh my, what are we going to do here? But it's also turned into a huge opportunity. We moved a lot of our events and training to a virtual platform, which then tremendously increased participation.

We've had many programs sold out because there's so much demand and we have to cap it at some point. But we have found that people are very hungry to learn from each other: How can we improve our process? Which is part of what we're trying to do with this report is really just help.

Then some of the training also to help, because I think people are still learning how to do this well. Businesses have managed risk for centuries. If they survived a period of time, they must be managing risk. But I think what they're realizing is the way I'm managing risks now should not look like it did in 1990.

The world is so different, and we need to advance our thinking. I think a lot of organizations are doing that, but I would say the concept of ERM is still in an early stage of maturity, as a paradigm, as a way to think about running a business. People are still in a major learning curve of how do we do this well.

It's been around in the U.S. 20-ish years. That sounds like a long time until you compare it to accounting disciplines, which are over 100 years. Accounting had a lot more time to mature. I think ERM's got to catch up there.

Amato: Again, that was CPA Mark Beasley, a professor of accounting at North Carolina State University in their Poole College of Management. We will post a link to the survey report in the show notes for this episode. Thank you for listening to the Journal of Accountancy podcast.