
The world is a risky place in which to operate a business. Considering COVID-19 variants, cyber threats, supply chain interruptions, climate change, and other challenges such as the Great Resignation, the war in Ukraine and increasing flooding, fires and natural catastrophes, the complexity of emerging risks over the past three years has prompted many organizations to invest more in risk management. But are your board and management teams following the best practices they need in risk management? To help you assess, we have created a summary from “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices” (prepared by the American CPA and NCU in 2022). Our synopsis focuses on 20 key actions we believe your organization should follow when adopting, implementing or even starting formalized risk management. Review our brief synopsis to rate your organization’s performance.
The formal report is a collaboration of the American Institute of Certified Public Accountants (AICPA) and the ERM Initiative in the Poole College of Management at North Carolina State University (NCU). While this study was conducted with US businesses, similar studies in Canada have yielded comparable results in the past, hence we consider this study important for review by Canadian and American organizations alike. The report highlights findings from 560 respondents, comprising: 152 large organizations (those with revenues greater than $1 billion); 129 publicly traded companies; 151 financial services entities; 156 not-for-profit organizations. The results are shown for each category.
Some of the results are disappointing: only 33% have formal ERM in place (higher for bigger firms). However, only 9% of businesses had formal ERM programs in 2009, so progress is underway.
- Is the volume and complexity of risk increasing since last year?
- KEY INSIGHT: 65% of respondents answered “yes”.
- Senior leaders call for enhanced risk management
- KEY INSIGHT: Overwhelmingly, there is a strong indication that senior management are looking for new ways to enhance the organization’s approaches to risk management.
- CEOs looking for increased senior executive involvement in risk oversight
- KEY INSIGHT: CEOs are calling on other senior executives to increase their level of engagement in ERM, especially those in large organizations or public companies.
- Do boards seek more executive engagement in risk management?
- KEY INSIGHT: Overall, 62% of boards expect more senior executive involvement in ERM; this number increases to 74% for boards of public and large organizations.
- Percentage with complete ERM programs in place
- KEY INSIGHT: 15% of the respondents have no enterprise-wide risk management process in place; not-for-profits lag others; large, public, and financial services organizations are active adopters; 33% have formal ERM in place (higher for bigger firms).
- Level of risk management maturity
- KEY INSIGHT: While public companies have more robust risk management oversight processes, half of the public companies would not describe their processes that way. Less than 50% rate their programs as “mature and robust”.
- Integration of risks with strategic planning
- KEY INSIGHT: Only half of most organizations, with the exception of financial services entities, are significantly emphasizing the consideration of risk exposures when management evaluates different possible strategic initiatives.
- Education and awareness of ERM
- KEY INSIGHT: Most organizations (58%) have not provided, or have only minimally provided, training and guidance on risk management in the past two years for senior executives or key business unit leaders.
- Incentives to engage in risk management
- KEY INSIGHT: While this practice is gaining traction, most organizations have not yet incorporated risk management incentives and accountabilities into management’s performance compensation plans.
- Designation of a chief risk officer
- KEY INSIGHT: Pinpointing an executive to lead the risk management process is becoming more common relative to a decade ago; however, still less than one-half of the surveyed organizations are doing so.
- Lines of reporting for risk leaders
- KEY INSIGHT: There is a mixture of lines of reporting across different risk champions. Financial services organizations and not-for-profit organizations are more likely to have the risk champion reporting formally to the chief executive officer or president; the chief financial officer (CFO) is also often the position overseeing the risk champion’s work.
- Management-level risk committees
- KEY INSIGHT: A majority of organizations have a management-level risk committee or equivalent, as has been the case since 2016, and such committees meet quarterly or monthly.
- Frequency of risk identification updates
- KEY INSIGHT: While there is substantial variation as to whether organizations go through an update process at all, when they do update their risk inventories it is generally done annually, although a noticeable percentage of organizations update their risk inventories quarterly.
- Use of KRIs (key risk indicators)
- KEY INSIGHT: There appears to be an opportunity for most organizations to improve the nature and type of key risk indicators included in their management dashboard systems. Across the full sample, only 32% report that they are “mostly satisfied” or “very satisfied” with their organization’s KRIs.
- Delegation of risk oversight
- KEY INSIGHT: Most board committees responsible for risk oversight explicitly describe that responsibility in the committee’s charter.
- Board subcommittee with primary oversight responsibility
- KEY INSIGHT: The audit committee is most often the recipient of the designated responsibility, while financial services firms have the highest percentage usage of a designated risk committee.
- Risk oversight responsibility explicitly described in the designated committee’s charter
- KEY INSIGHT: Most board committees responsible for risk oversight explicitly describe that responsibility in the committee’s charter.
- Formal enterprise risk management policy statement
- KEY INSIGHT: The presence of a formal ERM policy is mixed across organizations, with fewer than half having such a statement. Financial and public companies are more likely to have an ERM policy.
- Dedicated board meetings to discuss top risks
- KEY INSIGHT: Most boards set aside a specific meeting to discuss the aggregate report of top risk exposures facing the organization, especially public companies.
- Formal reporting of top risks to the board annually
- KEY INSIGHT: Management reporting to the board is common, with more than half of organizations reporting at least annually to the board.
Footnotes
- North Carolina State University in partnership with the American Institute of Certified Public Accountants (AICPA), June 2022. The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. https://erm.ncsu.edu/library/article/2022-risk-oversight-report-erm-ncstate-lp