More than half (65%) of senior finance leaders agree that the volume and complexity of corporate risks have changed “mostly” or “extensively” over the last five years, according to a new report issued by the American Institute of CPAs (AICPA) and North Carolina State University’s Enterprise Risk Management (ERM). Rapidly changing events, including the war in Ukraine, ongoing talent crisis, soaring inflation, lingering supply-chain disruptions, ransomware threats and a host of other risk triggers are leading to significant disruptions impacting an organization’s business model. Despite these complexities of risks, only a third (33%) say their organizations have complete ERM processes in place, and just over a quarter (29%) rate their organization’s overall risk management oversight as “mature” or “robust.”
The 2022 State of Risk Oversight: An Overview of Enterprise Risk Management Practices includes insights from a survey of 560 U.S. CFOs and senior finance leaders conducted in winter 2022. The survey measured finance-related executives’ assessments of the level of maturity in their organization’s proactive management of these risks through adoption of enterprise risk management (ERM) processes.
The report found indication that adoption of ERM processes in the U.S. is on the rise. Over the last 13 years, the percentage of organizations that claim to have complete ERM processes in place has increased 24 points, from 9% to 33%, but that still suggests a majority of entities do not. Given the ongoing experience in navigating the multitude of risks experienced over recent years, more organizations will likely want to focus their efforts in strengthening their entity’s approach to managing the interconnected nature of risks to their business models.
Additional key findings from the report include:
- Most executives do not believe their organization’s risk management processes provide strategic advantage (63% state no or minimal advantage), with less than half (45%) positioning risk management to pinpoint emerging strategic risks.
- A majority of boards of directors are calling for more senior executive involvement in risk oversight, with three-fourths (74%) signaling there will be significant changes to their existing continuity and crisis management planning.
While providing data points about the state of risk oversight practices that organizations can use to benchmark their efforts, the report also offers a list of questions that executives and boards can use to assess their organization’s risk readiness and to help pinpoint tactical next steps for strengthening risk management processes. The questions cover nine areas including:
- Drivers for enhanced risk management
- Overall state of risk management maturity
- Strategic value of risk management
- Impact of culture on risk management
- Assignment of risk management leadership
- Risk identification and risk assessment processes
- Risk monitoring processes
- Board risk oversight structure
- Board reporting and monitoring
“While predictable and unpredictable global disruptions continue to create new and exacerbate ongoing risk triggers, this research reinforces that enterprise risk management needs to be amplified in the list of priorities for CFOs,” said Ash Noah, CPA, CGMA, Vice President & Managing Director Learning Education & Development at the Association of International Certified Professional Accountants. “Value in the business is much more than the balance sheet these days, and along with providing protection for the business, embracing ERM especially at a time when organizations must pay close attention to ESG risks, supports the creation of value and the long-term viability and sustainability of the business.”
The report also includes a number of calls for action to help executives and boards identify actions they can take to enhance the strategic value of their risk oversight. The full report can be found on both the AICPA and NC State websites.