The 2019 State of Risk Oversight
Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
In another article, I discussed the results of the risk survey conducted annually by the World Economic Forum. The survey respondents are considered the economic elite. The responses provide an indication of the concerns of the movers and shakers of business. Consequently, the questions asked, and the risk concerns expressed are more policy oriented.
For instance, the top five risk concerns based on total score, impact and likelihood are: 1. Failure of Climate-change mitigation and adaptation, 2. Extreme weather events, 3. Natural disasters, 4. Cyber-attacks and 5. Biodiversity. Except for Cyber-attacks, the concerns are over risks that are beyond the ability of one or even a group of organizations to significantly impact. Mitigation will require government action.
In that piece, I noted that Cyber-attack was rated among the top five risks for several years in a row. This indicates that management was having trouble managing this risk. But, to more clearly show the difficulty organizations are having with risk management, another annual risk assessment survey needs to be examined. That survey is the “State of Risk Oversight” conducted by North Carolina State University. This article discusses the 2019 survey results.
The 2019 survey was conducted in association with the American Institute of Certified Public Accountants (AICPA). The population surveyed came from the AICPA list of Business and Industry group chief financial officers or equivalent senior executives. Approximately 445 completed surveys were received. In terms of organization size and institutional emphasis the respondents were from:
142 large organizations (revenue over $1 billion)
126 publicly traded companies
119 financial service companies
The survey respondents cover a broad range of economic activity and organizational size.
The report notes that the ability to manage the multiple risks the organization faces is becoming harder. It states: “The rapid pace of innovation, the rise of social media and demands for greater transparency and accountability, government shutdowns, economic uncertainty in Europe, volatility in equity markets, record low unemployment, cyber breaches, terrorism, significant natural disasters, among numerous other issues represent examples of challenges executives and boards face in navigating an organization’s risk landscape.”
Not surprisingly, there is overlap between the risks identified in the World Economic Forum survey, such as Cyber-attacks, terrorism, and natural disasters, and those included in the Risk Oversight survey. Further, the frequency and types of risks are increasing. This in turn means that risk mitigation is becoming more complex.
Seventeen percent of the Risk Oversight respondents indicate that the volume and complexity of risks have increased over the past five years. Forty-two percent indicate that the volume and complexity have mostly increased. Another 32% indicate the complexity has increased somewhat over the last five years.
In short, 91% of the respondents see the number of risks and their complexity as increasing. Moreover, 68% indicate that they have recently experienced an operational surprise caused by a risk that they did not anticipate.
With this recognition one would expect that risk management would be a top priority. However, the responses indicate that only 23% describe their risk management process as mature or robust. Further, only 31% have a complete Enterprise Risk Management (ERM) process in place. Forty-six percent have a risk management policy statement. Forty-nine percent have a risk inventory at the enterprise level and 40% have guidelines for assessing risk probabilities and impact.
The responses indicate that even at the basic procedural level, less than half of the organizations have policies and procedures in place. Less than half of those have a mature ERM process.
Impediments to ERM Implementation
Those organizations that have implemented an ERM process indicate that one impediment is the belief that the benefits of risk management do not exceed the cost. Another problem is that there are multiple and more pressing needs. Thus, ERM implementation is low on the to-do list. In addition, less than 20% of the organizations view ERM as providing an important strategic value.
With the overwhelming belief among respondents that ERM has little or no value to the organization, the 23% that have a robust ERM might seem to represent an anomaly, as opposed to leaders. But a review of the sources of pressure for ERM adoption indicates the 23% are not only leaders, but models.
External Pressure to Implement ERM
The pressure to implement ERM comes primarily from external stakeholders. For large companies ($1 billion plus) 75% indicate pressure. For public companies and financial services firms, the percentages are 75% and 73% respectively. For not-for-profits, 57% report pressure to adopt ERM.
Thus, while respondents are slow to adopt ERM, there is considerable pressure from various sources for them to do so. Table 1 shows the sources of this pressure.
Table 1. Percent of respondents

| Factors “mostly” or “extensively” leading to senior management focus on risk management | Full Sample | Largest Organizations | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Unanticipated risk events | 32% | 36% | 40% | 32% | 32% |
| Emerging Best Practice expectation | 38% | 33% | 37% | 41% | 41% |
| Emerging Corporate Governance requirement | 29% | 32% | 37% | 39% | 19% |
| Board of director requests | 32% | 37% | 44% | 32% | 39% |
| Unanticipated risk event affecting competitors | 15% | 43% | 18% | 13% | 10% |
The breakdown shows that Financial Services companies are under considerable pressure from regulators to implement ERM. For this sector, Emerging Best Practice and Emerging Corporate Governance requirements are the second and third factors applying the most pressure. For public companies, Regulator demand and Board of director requests are the two most important factors, while Unanticipated risk events are a close third. Emerging Best Practice and Emerging Corporate Governance requirements are tied for fourth. For not-for-profit organizations, the top three factors pushing ERM’s adoption are Emerging Best Practice expectation, Board of director requests and Unanticipated risk events.
The World Economic Forum risk survey shows that the business elite are aware of the multiple risks their organizations face. The North Carolina State University 2019 State of Risk Oversight survey shows overlap between the acknowledged risks. It also shows that the private sector is having problems implementing ERM.
The survey respondents indicate that only 31% have fully engaged ERM. This is despite the fact that 91% recognize that the number and complexity of the risks are increasing. One impediment is the belief that the benefits of risk management do not exceed the cost. Another problem is that there are multiple and pressing organizational needs. Thus, ERM implementation is low on the list. In addition, less than 20% of the organizations view ERM as providing an important strategic value.
Despite the difficulties in implementing ERM, pressures to adopt ERM are increasing. For public companies the main pressures for adoption are Regulator demand, Board of director requests and Unanticipated risk events. Interestingly, for the largest organizations a key push is Unanticipated risk events affecting competitors. This shows that there is a recognition that the environment is full of risks and the global environment is volatile. For not-for-profit organizations the main push is Emerging Best Practice expectations.
In summary, the survey results indicate that the private sector recognizes that it faces multiple risks. There is, however, a disconnect between recognizing that risks exist and implementing ERM. The adoption of ERM is still in the early stages. This is partly the result of multiple organizational pressures and the belief that ERM is not cost effective. However, the pressures for adoption are multiple. They are also to some extent administrative. This means that ultimately, because they come from regulators and the board of directors, the impediments and concerns will be overcome. ERM will end up a standard practice.
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has worked for federal, state and local government. He has over ten years’ supervisory and managerial experience in both the public and private sectors. He has consulted on economic, quality and workforce development issues for state and local governments. He is the principal at JK Consulting. He has authored numerous articles on quality in government and risk analysis. firstname.lastname@example.org