According to a survey by thePoole College of Management at North Carolina State University, over one-fourth (26.6 percent) of all respondents to a recent survey on enterprise risk oversight have no enterprise-wide risk management (ERM) process in place.
The survey, entitled “Current State of Enterprise Risk Oversight” by Mark Beasley, Deloitte professor of ERM and director of the ERM Initiative at Poole College of Management, was released in July 2012 in conjunction with the American Institute of Certified Public Accountants (AICPA). Data was collected during April and May 2012.
The goal was to obtain a deeper understanding of the current state of enterprise risk oversight among entities of all types and sizes and to see how they are responding to the rapidly evolving risk landscape.
“This year we observed a notable increase in the percentage of organizations that report increased maturity of their enterprise-wide risk oversight processes, with large organizations, public companies, and financial services organizations significantly more mature than other organizations in their enterprise-risk oversight processes,” says Beasley. “Despite improvements, significant opportunities remain for organizations to strengthen underlying processes for identifying and assessing key risks, especially as it relates to integrating risk oversight efforts with strategic planning activities.”
The survey says…
Important findings in the survey include:
- About two-thirds of the respondents reported the volume and complexity of risks have changed “extensively” or “mostly” in the last five years
- Over two-thirds (68.1%) admit they were caught off guard by an operational surprise in the last five years
- There is a significant increase in the percentage of organizations that claim to have a “complete formal enterprise-risk management process in place,” jumping from 8.8 percent in 2009 to 23.4 percent in 2012
- Despite this, about one-quarter of all organizations in the survey have no ERM processes in place—highly surprising considering that two-thirds of organizations describe their risk culture as “strongly risk averse” or “risk averse”
- Almost two-thirds of organizations experience “somewhat” to “extensive” pressure from external parties to provide more information about risks
- Although the percentage of organizations embracing ERM is on the rise, the level of risk management sophistication is still fairly immature for most respondents
- Even large organizations, public companies, and financial services organizations have room for improvement, with less than 40 percent claiming to have “mature” or “robust” risk management systems in place
- Less than half the organizations have a formal policy statement regarding their enterprise-wide risk management approach
- Although more organizations are maintaining inventories of risks at the enterprise level, almost three-quarters do not provide explicit guidelines or measures to business unit leaders on how to assess probability and impact of risks
- Just under half (43.3 percent) either have no structured process for identifying and reporting risk exposures to the board, or they track risks by silos with minimal reporting of aggregate risk exposures to the board
- The majority of organizations (62.6 percent) communicate key risks on an ad-hoc basis at management meetings; only one-third explicitly schedule agenda time to discuss key risks at management meetings
And another thing:
There is also a definite need for integrating risk oversight and strategic planning. Over one-third of the respondents undertake no formal assessments of emerging strategic, market, or industry risks. “For those that do attempt to assess strategic risks, most do so in a predominantly qualitative manner or by using a blend of qualitative and quantitative techniques,” says Beasley. “About half the organizations fail to meaningfully consider existing risk exposures when evaluating new strategic initiatives.”
Perhaps most shocking result of the survey are the reasons given for the lack of ERM preparation, the most common being the belief that “risks are monitored in other ways besides ERM.” Also about one-third noted there were “too many pressing needs” and that “no requests to change our risk management approach” were received.
Hopefully you dodged those bullets above and emerged like Ironman—if not, however, you may want to overhaul ERM strategy so you’ll be able to handle the next “operational surprise” with ease.
To read the full report, visit http://www.poole.ncsu.edu/erm/index.php/research/nc-state-erm-research.