The ERM Initiative at North Carolina State University, led by Mark Beasley, has published a report on the state of risk management.
2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities (PDF) is the sixth of these reports (the first one I saw was in 2010 — and, frankly and sadly, not much has changed).
The report is based on a survey of chief financial officers or equivalent who are members of the American Institute of Certified Public Accountants' Business and Industry group. This is interesting, as it represents the views of people who, in many cases, have executive responsibility for the risk management system.
It is important to note that, as far as I can tell, the authors set a very low standard for a "mature" or "complete" risk management system. They don't share whether they provided the respondents with any guidance on what constitutes such a system, but reading in between the lines, it is limited to a periodic assessment and review of a limited list of risks at the enterprise level together with some level of integration with the strategy-setting process. The authors don't talk about whether the management of risk is embedded into every organizational process (as both COSO ERM and ISO 31000:2009 dictate).
But, even with this low standard, most organizations — even large ones — fail.
Here are some key observations:
- "Results from all six years of our surveys continue to find that the approach to risk oversight [i.e., the management of risk — the authors are not talking about board oversight] in many organizations continues to be ad hoc and informal, with little recognized need for strengthened approaches to tracking and monitoring key risk exposures, especially emerging risks related to strategy. Even the large organizations, public companies, and financial services organizations admit that their risk management oversight processes are less than mature."
- "There may be opportunities to better connect risk oversight and strategic planning efforts. Four of 10 sample firms (41 percent) admitted that they were "not at all" or "minimally" satisfied with the nature and extent of reporting of key risk indicators to senior executives regarding top risk exposures."
- Across all respondents:
  - 45 percent have "no enterprisewide risk management in place" or are exploring putting one in place.
  - 30 percent have only a partial process, addressing some but not all risk areas.
  - 25 percent have what they call a "complete formal" enterprisewide risk management process in place.
- Across public companies (the numbers are about the same when you look at companies with revenue greater than US$1 billion):
  - 15 percent have nothing to speak of.
  - 37 percent have a partial process.
  - 48 percent believe their process is complete and formal (given the very low standard).
- The story is even worse when you look at the maturity of the risk management system. The authors use a five-level model. Across all respondents:
  - 19 percent are very immature.
  - 23 percent are developing.
  - 35 percent are evolving.
  - 19 percent are mature.
  - 4 percent are robust.
- Across financial services, which you would expect to have the highest level of maturity (public and large companies are not much different from these numbers):
  - 6 percent are very immature.
  - 20 percent are developing.
  - 40 percent are evolving.
  - 25 percent are mature.
  - 9 percent are robust.
- Only 5 percent (extensively) and 15 percent (mostly) had positive answers to the question "To what extent do you believe the organization's risk management process is a proprietary strategic tool that provides unique competitive advantage?"
- Only about half of large, public, or financial services companies maintained a "risk inventory" at the enterprise level.
- Respondents only updated their identification and assessment of risks to the achievement of objectives occasionally — even though they recognize the dynamic nature of the business environment and risk:
  - Not at all — 33 percent.
  - Annually — 34 percent.
  - Semi-annually — 10 percent.
  - Quarterly — 15 percent.
  - Monthly, weekly, or daily — 8 percent.
- Just 34 percent answered "mostly" to the question "Existing risk exposures are considered when evaluating possible new strategic initiatives," while just half that percentage have the same level of discussion of risk when it comes to board consideration of strategies.
This is very sad and reflects, in my opinion, a failure to link the consideration of risk with excellence in decision-making and performance.
It also reflects the continuing misperception, reflected in and to some extent caused by the advice and consulting services of some of the firms that provide risk management guidance, that risk management is "mature" or "complete" when a) risks (and they only consider situations or events that have a potential adverse effect) are reviewed periodically, and b) are considered when strategies are developed.
As I have said and will continue to say, the management of risk is an integral and essential element in decision-making at all levels across the organization.
Risk management is not about avoiding failure; it is about achieving success.
By the way, I have reason to believe that the COSO ERM update project recognizes this as an issue, and we should expect considerable change when the draft update is exposed for public comment.
Also, as a word to all internal auditors, please do not fall into the trap of auditing risk management and evaluating its effectiveness based on compliance with the company's policy and such. It should be evaluated based on whether it is making a positive contribution to the development and execution of strategies and the making of informed, intelligent decisions — all part of how an organization optimizes its ability to succeed.
I welcome your comments.