The percentage of organizations with relatively mature risk management processes increased over recent years, although the majority of organizations still do not believe their processes reflect a “complete” or robust ERM process. While progress is being made, there is still room for significant improvement in risk oversight for many organizations, according to a recently released study, 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices
NC State’s ERM Initiative, in partnership with the American Institute of CPAs, has just released its 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. Based on survey responses from 432 business executives spanning a number of industries, types and sizes of organizations, the report provides detailed insights about the state of maturity of their organization’s current enterprise risk management (ERM) practices. This is the eighth year that we have conducted similar research in partnership with the AICPA.
See also: The Current State of Risk Management
This report provides extensive data about the state of maturity about various aspects of an organization’s ERM process. Not only do we provide data about the full sample, but we also separately report findings for the largest sized organizations (revenues > $1B), publicly traded companies, financial services organizations, and not-for-profit organizations.
Here is a brief overview of some of the key findings.
Risk Environment is Complex
Most respondents believe the risks they face are complex and numerous
- About 70% of large organizations, public companies, and financial services entities perceive the volume and complexities of risks have increased "mostly" or "extensively" in the past 5 years
- That trend has been consistent over the past several years, suggesting the overall risk environment continues to be challenging to manage for all types of organizations
- Most organizations have dealt with significant operational surprises in past 5 years
- 25% of full sample describes their risk management processes as "mature" or "robust", with large organizations, public companies, and financial services entities having more mature processes (but less than 50% of those are "mature" or "robust")
- The majority of organizations do not believe their processes reflect "complete" or formal enterprise-wide risk management
- Only about one-quarter of the respondents describe their ERM processes as an important strategic tool with no real differences in that assessment across types of organizations
- 34% of the full sample do no formal assessments of emerging strategic, market, or industry risks
- If an entity considers strategic risks, that mostly involves qualitative assessments of risk exposures
- 58% of the full sample has a management-level risk committee, up from 45% last year
- Management-level risk committees are more likely for larger organizations, public companies and financial services organizations (around 80%) - an increase of about 10 percentage points over last year
- We also saw an increase in the designation of individuals who serve as chief risk officer or equivalent
- 67% of the boards for the full sample are calling for more involvement, with even higher percentages of boards asking for greater management involvement in risk oversight at large organizations, public companies, and financial services entities
- This trend is consistent with prior years, suggesting boards continue to be interested in strengthening risk oversight
