The barriers to enhanced risk oversight
Major trends emerge in 10 years of surveys.
By several measures, enterprise risk management (ERM) is better understood and more valued today than it was a decade ago. Yet, robust risk management remains elusive for many entities.
The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, an annual survey of business leaders by North Carolina State University and the AICPA, is now 10 years old, so several trends can be analyzed. The most recent survey drew responses from nearly 450 CFOs or equivalent senior executives in business and industry in the United States.
In general, larger companies and publicly traded ones have a more formal risk function. But much work remains to be done.
Here are several key themes from the report:
The management of risks is not getting easier. Nearly 60% said the volume and complexity of risks have increased mostly or extensively over the past five years. As new risks emerge, and as digital-born competitors rise quickly, organizations admit they are sometimes caught off-guard.
External stakeholders seek more engagement in risk management from senior executives. Even a majority of not-for-profit organization respondents (57%) said that external parties were applying pressure on senior executives for more information about risks. In larger companies, that number was 75%, and it was 59% for the full sample.
More risk information is prepared for executives and board members, but the reporting process remains informal. While 35% say their risk oversight processes are systematic and repeatable with regular board-level reporting of top risk exposures, the rest have ad hoc, siloed, or unstructured processes for board reporting.
Strategies are needed to circumvent barriers that inhibit risk management progress. The report identified several key impediments to strengthening the organizational approach to risk oversight. The following were the most common responses:
"Risks are monitored in other ways besides ERM," 51%
"Too many pressing needs," 34%
"No requests to change our risk management approach," 33%
"No one to lead the effort," 26%
"Do not see benefits exceeding costs," 22%