Despite the constant drumbeat on the need for companies to improve and formalize risk management systems, most are still way behind, a new report finds.
A study released this week by the American Institute of CPAs (AICPA) and North Carolina State University’s Enterprise Risk Management Initiative finds that while companies have made progress on advancing risk management systems, even those at large companies lack basic structures, such as an executive-level risk management committee, a chief risk officer, or complete enterprise risk management (ERM) processes.
Perhaps most concerning is that the survey of 445 chief financial officers, controllers, chief audit executives, and other senior executives found that a scant 23 percent rated their organization’s overall risk management oversight as “mature” or “robust.” And only one-in-five respondents view their risk management processes as providing important strategic advantage. Just 31 percent can say they have complete ERM processes in place.
“While most executives perceive that uncertainties in the business environment are leading to more complex risk challenges for their organizations, few executives describe their organization’s approach to risk management as mature or robust,” says Mark Beasley, a professor at NC State’s Poole College of Management, and co-author of the study titled, “2019 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.”
The report’s authors were even more emphatic in the report text: “It is discouraging not to see more organizations making more rapid advances in developing robust, systematic processes to oversee an entity’s most significant risk exposures,” they wrote.
It’s not that companies aren’t feeling the pressure to better manage risk. Nearly 60 percent agreed that the volume and complexity of corporate risks have changed extensively over the last five years, and not for the better. Moreover, boards and other stakeholders are demanding greater accountability on risk management. According to the survey, 59 percent say external parties (regulators, shareholders, and others) are putting pressure on senior executives for more extensive information about risks, and 65 percent of boards are calling for “somewhat” to “extensively” increased management involvement in risk oversight. Strong risk management practices are becoming an expected best practice, yet companies have been slow to react. “I’m surprised that management is not responding to the board request in more significant ways,” says Beasley.
Backsliding?
The results are even more surprising when compared to prior years. In many areas of risk management companies have not advanced the ball down the risk management field very much or have even given up some gains. Among public companies, for example, 48 percent have complete ERM processes, the same as did when the survey was conducted in 2014, and less than the 51 percent of respondents who said they had full ERM capabilities in place last year. For the current survey, 34 percent of public company executives describe their risk management oversight as “mature” or “robust.” That’s actually lower than the 39 percent who described it that way in 2014 and the lowest in five years.
“In this environment of unprecedented levels of risk, CFOs must take the lead and guide their organizations to approach, evaluate, and mitigate risk in a very systematic way,” says Ash Noah, managing director of CGMA learning, education and development at AICPA.
What’s the Holdup?
So why are companies moving so slow to adopt advanced risk management practices? According to the survey, the top barrier to improving risk management is that more than half of respondents (51 percent) thought risks were managed in other ways than ERM.
“What is interesting about that is the fact that the rest of our study highlights a number of basic risk management practices that are not that mature. So, it begs the question: ‘What are those other ways of managing risks?’ It may be that management has a false sense of security as to the robustness of their risk management processes,” says Beasley.
Other barriers to enhancing risk management oversight include: competing priorities (49 percent), insufficient resources (46 percent), and the perception that ERM adds bureaucracy (29 percent). “The most commonly cited barrier is the perception that they have other more important competing priorities relative to the priority of managing risks,” says Beasley. “That suggests that they fail to realize the relationship of ‘risk and return.’ That is, managing risks should compliment efforts to pursue returns by helping to proactively anticipate risks that may impede strategic efforts to generate returns. In our view, ERM should be viewed complimentary rather than competing with key priorities,” he says. As for cost, Beasley adds that most ERM adopters find that it does not require significant investment.
Another problem is that companies have not provided the proper training, tools, and leadership to get better risk management infrastructure off the ground. Well over half (60 percent) said their organizations have not provided, or only minimally provided, training and guidance on risk management in the past two years for senior executives or key business unit leaders. One in four said lack of board or senior executive leadership was a barrier to enhanced risk oversight.
Some Bright Spots
The news isn’t all bad. On some fronts, companies have made some progress. As low as the 31 percent adoption of ERM figure is, it’s still up from just 9 percent who had full ERM programs in 2009. And there’s been a steady increase in the number of companies that are adding a chief risk officer to the C-suite. This year half of respondents said their companies had designated an individual to serve as CRO or an equivalent position, up from 32 percent that had a CRO in 2015 and 18 percent who did in 2009.
Moreover, larger companies and those in highly regulated industries, such as finance, are moving to put a more formalized process in place for identifying and assessing risks. According the survey, the majority of the large organizations (78 percent) and public companies (76 percent) have a standardized process or template for identifying and assessing risks, while 71 percent of the financial services organizations have those kinds of procedures in place.
The most encouraging result in the survey, says Beasley, is that “things are trending towards more risk management maturity over time.”
As complexity, disruption, and advanced technologies continue to obscure the risk picture, companies will need more advanced structures to bring it back into focus. Those that don’t get going soon will only find risks—and their related opportunities—harder and harder to see. 
Joseph McCafferty is Editor & Publisher of Internal Audit 360°
One Reply to “Report: Companies Lag on Improving Risk Management”