A new report issued today by the American Institute of CPAs (AICPA) and North Carolina State University’s Enterprise Risk Management (ERM) Initiative states that 65 percent of senior finance leaders agree that the volume and complexity of corporate risks have changed ‘mostly’ or ‘extensively’ over the last five years. Rapidly changing events, including the war in Ukraine, ongoing talent crisis, soaring inflation, lingering supply-chain disruptions, ransomware threats and a host of other risk triggers are leading to significant disruptions impacting an organization’s business model. Despite these complexities of risks, only a third (33 percent) say their organizations have complete enterprise risk management (ERM) processes in place, and just over a quarter (29 percent) rate their organization’s overall risk management oversight as ‘mature’ or ‘robust’.
The 2022 State of Risk Oversight: An Overview of Enterprise Risk Management Practices includes insights from a survey of 560 US CFOs and senior finance leaders conducted in winter 2022. The survey measured finance-related executives’ assessments of the level of maturity in their organization’s proactive management of these risks through adoption of enterprise risk management processes.
“Our study finds that few executives perceive their risk management processes as providing important strategic value,” according to Mark Beasley, KPMG Professor of Accounting and Director of the ERM Initiative at NC State. “This is despite the reality that risk and return are interrelated – organizations must take risks in the pursuit of strategic objectives. It is our hope that the ongoing uncertainties and rapidly changing business environment will convince more executives of the strategic importance of having rich insights about risks facing the organization as they make key strategic decisions.”
The survey indicated that adoption of enterprise risk management processes in the US is on the rise. Over the last 13 years, the percentage of organizations that claim to have complete ERM processes in place has increased 24 points, from 9 percent to 33 percent, but that still suggests a majority of entities do not. Given the ongoing experience in navigating the multitude of risks experienced over recent years, more organizations will likely want to focus their efforts in strengthening their entity’s approach to managing the interconnected nature of risks to their business models.
Additional key findings from the survey include:
- Most executives do not believe their organization’s risk management processes provide strategic advantage (63 percent state no or minimal advantage), with less than half (45 percent) positioning risk management to pinpoint emerging strategic risks.
- A majority of boards of directors are calling for more senior executive involvement in risk oversight, with three-quarters (74 percent) signaling there will be significant changes to their existing business continuity and crisis management planning.
While providing extensive data points about the state of risk oversight practices that organizations can use to benchmark their efforts, the report also offers a list of questions that executives and boards can use to assess their organization’s risk readiness and to help pinpoint tactical next steps for strengthening risk management processes. The questions cover nine areas including:
- Drivers for enhanced risk management
- Overall state of risk management maturity
- Strategic value of risk management
- Impact of culture on risk management
- Assignment of risk management leadership
- Risk identification and risk assessment processes
- Risk monitoring processes
- Board risk oversight structure
- Board reporting and monitoring.
The report also includes a number of calls for action to help executives and boards identify actions they can take to enhance the strategic value of their risk oversight.
Read the report (PDF).