Why the disconnect? Risks are everywhere; risk management is not
A survey report that focuses on enterprise risk management (ERM) and offers tools for risk practitioners is the focus of this episode of the JofA podcast.
The 14th edition of The State of Risk Oversight, a report produced jointly by the AICPA & CIMA, together as the Association of International Certified Professional Accountants, and the ERM Initiative at North Carolina State University, shows that the volume and complexity of risks continue to be prominent on the radar of leaders at U.S. organizations of all types and sizes. However, complete and formal ERM processes are just as common now as five years ago, after the survey showed nearly a decade of increased interest in ERM.
Mark Beasley, CPA, Ph.D., a professor at N.C. State and director of the school’s ERM Initiative, analyzes the disconnect, explains why a post-pandemic sigh of relief is not a good sign for risk managers, and shares some of the questions that organizations can ask themselves to improve their ERM practices.
What you’ll learn from this episode:
- An overview of the annual survey, and why interest in establishing complete and formal risk management appears to have leveled off.
- Beasley says there’s a “false sense of security” related to risk management.
- Why defining an organization’s crown jewels is a key first step in risk management.
- The obstacles that inhibit some organizations’ risk management efforts.
- Questions related to risk management that can be part of your next company strategy meeting.
Play the episode below or read the edited transcript:
To comment on this episode or to suggest an idea for another episode, contact Neil Amato at Neil.Amato@aicpa-cima.com.
Transcript
Neil Amato: Welcome back to the Journal of Accountancy podcast. This is your host, Neil Amato. This episode focuses on ERM or enterprise risk management. There’s an annual report on the state of risk oversight that we’re going to discuss and it paints a picture of how things stand on the ERM front.
I’m speaking for this segment with Mark Beasley, a CPA who is Alan T. Dickson Distinguished Professor of Accounting at North Carolina State University’s Poole College of Management. He is also the director of the school’s ERM Initiative and a repeat guest on our show. You’ll hear that conversation right after this word from our sponsor.
It’s the 14th year of this survey and I guess first maybe for listeners who might not know, who are the people responding to it? What are their levels and their roles in companies?
Mark Beasley: The primary audience would be those in an executive position because we’re trying to get a sense for the enterprise view of how they think about risks so we want a senior leader in the organization. We work in partnership with the AICPA, then through our ERM initiative, to target people that are very knowledgeable about how their organizations approach risk management. Naturally, because of the AICPA, we have a lot of people in financial reporting kinds of roles.
A huge majority of our survey participants are CFOs, controllers, treasurers, but we’ll have others outside of that. But over 50% would be in those financial accounting leadership roles within their organizations. This particular study is focused mostly on U.S. companies for the most part, as well as government, non-profit. It’s meant to be all kinds of organizations, not just a certain industry segment. It’s not just public companies. It’s all kinds of organizations.
Amato: That’s a good summary. In the first decade or so of this survey, the percentage of organizations that labeled their ERM as complete and formal increased from 9% in 2009 to 31% in 2018. Since then, in the last five years, there’s not really been an increase. Why is that?
Beasley: That’s a great question, and you’re right. It’s leveled off at roughly a third, 33-ish percent, around there, depending on the year. That is surprising to us. When you look at the world that we’re in today, and in that five-year period that you highlighted, remember, we had a pandemic.
We’ve had a lot of other issues occurring. It is an interesting observation to see the leveling off for the full sample. Now if you look at public companies, just to be transparent, you get into roughly two-thirds. But even two-thirds, in my view for publicly traded companies, why isn’t it 100%?
Amato: Is there a disconnect between that number leveling off and yet volume and complexity of risks remains a true concern for all segments of the survey respondents?
Beasley: That’s part of the puzzle to us, because we do start out the survey by just getting a sense for how they perceive the environment in which they’re operating, the issues they’re dealing with day-to-day. What does it feel like? It’s a perception question.
We’re just saying, how do you perceive the volume and complexity of risk today to say five years ago? Sixty-five percent of the full sample would say the volume and complexity has increased “mostly” to “extensively” in the last five years. On a scale of 1 to 5, 65% are picking 4 or 5. If you go to public companies, it gets even higher: 77%. They’re admitting it is a risky environment out there, which should be no surprise when we look at it. They also tell us — 78% of the sample tells us — their organizations actually had to deal with a significant operational surprise.
What they’re basically telling us is we’ve actually had risk events that we didn’t anticipate. When you then ask, well, tell us about the maturity of how you view your organization’s risk management process, whatever that looks like in your organization, how would you describe it? Only 29% would describe their risk management approach as “mature” or “robust.” If it’s a public company, it’s 48%. I see that as a disconnect because they’re telling us, in 65% of the cases, the volume and complexity is much higher — 78% of us have actually had a surprise, but only 29% would have mature or robust.
There’s a disconnect here. Personally, I think there’s a little bit of denial and overconfidence on the leadership team and boards of how they think they’re managing risk. There needs to be some kind of reconciliation there that I don’t know that they’re having an honest evaluation of that disconnect.
Amato: I was talking to a CFO leader about a different topic and he was talking about a CFO survey and said CFOs who had made it through the pandemic and their companies were still solvent and maybe even thriving, they maybe were confident because they made it through.
Do you sense any of that? We’ve gotten through this pandemic and it was tough and things are still not good, but is there maybe even a sigh of relief? I don’t know if I’m trying to read too much into it.
Beasley: I’m glad you asked that because I’ve heard that. That’s usually used as a reasoning for — I don’t think we need to really invest more in risk management, look how we performed. I always go back to them and say, OK, let’s think about that. You just dealt with a risk issue that 100% of other organizations had to deal with. You were not alone. We were all in it together.
There’s a huge amount of patience, tolerance. We were all dealing with the same issue. The second thing is we also had significant government support, material dollars thrown at the problem that we all benefited from or a lot of organizations, I should say, benefited from. So I think there’s a false sense of security because the next big risk event that that CFO could face may be a risk event that only affects his organization and there’s no government funding. Let’s see how you do then in that scenario.
That’s where the over-confidence, I think, is coming in — that they are forgetting a massive amount of support financially, as well as just emotional with people tolerating. As a consumer, I knew my services were going to be bumpy. In fact, when I went to restaurants, I usually tipped a lot more just to say thank you for trying. It wasn’t great service, but it was great service in the context. That’s the kind of response I would give to someone that might be thinking about how they look at risk management in the context of their success over the last few years.
Amato: The organizations that do risk management well have been able to link it to strategy. One, I’m wondering if you can talk some about that. Then also I’d like to ask, for those that don’t do it well, what are some of the obstacles?
Beasley: That’s a great question. I’m glad you asked because early on you asked: Why is risk management not advancing like we think? I think you’ve hit on a major driver, and that is the lack of seeing the strategic value in risk management.
So, to answer your first question, or the first part of your question, when we see organizations doing it well, how are they doing it? They’re starting with strategy as the starting point. They’re saying, OK, what drives value today for our organization? We like to talk about them in our training as, what are your crown jewels? Those are things that already generate value today. Naturally, I want to keep them as a jewel. They’re starting with here are my crown jewels, then they’re saying, what are the risks that can emerge that could threaten that jewel, that could devalue the jewel. So they’re starting with a strategic lens to then go find the risk.
Then they’re also starting with the strategic plan, which will be not a jewel yet, but what they want to be a crown jewel in five years or whatever the horizon is for strategy planning. They’re saying, OK, we’ve got this strategy that we’re going to try to deploy over the next three to five years, what could make it not successful? They’re starting with that strategic lens and they’re asking simple questions. They can be as simple as: When you think about the strategic success of our organization, what could emerge from outside the walls of the organization as well as inside the organization that could derail our success? It’s all starting with a strategic lens.
To then get into your second question, those organizations that are struggling, why are they struggling? I think they skip the strategy focus and they start with: What keeps you up at night? That’s going to tend to lead people toward what risks they already know about. Because if they know about it, that’s what’s going to keep them up. But good risk management is really trying to tease out what is it I don’t know that later on I don’t want to say I should have known that.
ERM is all about trying to tease out what I don’t know that I should. I think a lot of people make the mistake because they skip the strategy connection and they go in and just start. They already think about what is already known and that tends to be mostly internal risks — operational, a compliance risk, or financial reporting risks. Those are internal and they’re probably already fairly well-managed. What’s likely to derail their success strategically, the data shows from several studies, it’s likely to be coming from an external source. I think a lot of times their risk management is only looking inward.
Amato: I didn’t mention this at the top of the show at the intro, but this survey is out and live. We will post a link to it in the show notes for this episode. This is again a U.S.-focused survey, but there’s also a global version of the survey and that’s coming out – what’s the timeline for that?
Beasley: That will be coming out in the fall, I would say October, where we will be releasing the global study, which is largely focused on some of the same general, it is focused on some of the same general issues about the process. But we’re able to look at how that risk management maturity and process differs as you look at different geographic regions around the world.
Amato: Great. Now, I know there’s a lot of other ways we could go with this, but what else that I didn’t ask you about but maybe I should have? What else would you like to say about this survey?
Beasley: I know a lot of times people that are leading the risk management function in an organization are really looking for some of the basic benchmarking data like how many entities have a chief risk officer? How many have a management-level risk committee? How many have probability and impact scales? How often are you reporting to the board and how many risks do you tend to report? All that data is in the report. People that are looking for process benchmarking to get a sense for what do I look like compared to others, they’ll find that in there.
What I want to really draw attention to is where a real contribution of the study is in the calls to action. Throughout the report, it’s divided into different sections. We’ve got drivers of risk management, overall state of maturity, the strategic value, the impact of culture, subcategories. Each section begins with questions to ponder. As you think about the culture, how does our culture impact risk management?
Well, we’ve got some questions for you to think about. In the back of the report however, we’ve got a whole host, I think it’s over 50 different questions organized by different areas, questions to consider. For example, we have questions to consider in regard to how is the output from risk management used in strategic planning. We’ve got five or six questions. You can easily take into your next executive committee meeting and just say, let’s just talk these through. It will prompt a conversation that might lead to some self-discovery of, well, there’s some things we could do to really improve.
We end the report on the positive side of we’re providing a tool. Lots of questions that you can literally cut and paste, take into a management meeting and say, we need to have a 30-minute conversation. Let’s just talk through these questions. And you can’t cover all 50 in one 30-minute session, but you might pick a category and work your way through it if you’re really trying to get people to honestly evaluate how effective is our risk management approach and is there room for improvement.
Amato: Thanks again to Mark Beasley for being on the podcast and sharing his insights. This is Neil Amato with the Journal of Accountancy. Thank you for listening.