Despite consensus that risk is a big deal—something companies should be managing aggressively—recent academic data suggests public companies in particular have a long way to go to deal with risk effectively.

A recent study out of North Carolina State University shows almost 60 percent of nearly 1,100 companies surveyed through the American Institute of Certified Public Accountants say they are facing a greater volume and complexity of risks than they were five years ago. A slightly higher percentage says they were caught off guard by some operational surprise in the same timeframe.

The total population includes private and not-for-profit companies, but only about one-third of larger companies, public companies, or financial services organizations within the sample said they would describe their enterprise risk management process as “mature” or “robust.” Less than half of the larger companies or financial services firms reported that their boards extensively review top risk exposures when considering their strategic plans.

The findings suggest a disconnect between the widely held view that today’s business environment is risky and the extent to which organizations have actually moved to manage that risk. “I see it as a little bit of overconfidence on the part of management,” says Mark Beasley, an ERM professor at NC State. “We are seeing a little bit of a leveling off. There was some initial investment in ERM in 2009 and 2010, but the last few years it has been flat.”

NC State also produced a survey result in connection with Protiviti that shows another disconnect. When asked what kinds of risks are most significant to their organizations, responses were all over the map. Board members and executive management focused their attention on economic conditions, political factors, global financial markets, and an ability to obtain sufficient capital and meet growth objectives under those conditions. Fair enough.

Operational leaders, however—those who run the finance, audit, risk, and other functional areas—focus more on operational risks: hiring the right talent, managing cyber-threats, and beating competitor performance. They also worry that risks won’t be identified in a timely way and escalated to the right level in the organization so the risk can be addressed in connection with the company’s strategy.

In tandem, the separate survey results suggest companies may have work to do to better address risk, and to assure everyone agrees upon what the most important risks to address are. “I wonder if there is a lack of understanding of the views of risk across the management team,” Beasley says. “The presumption may be that we are more on the same page than we really are.”

The findings on ERM maturity are disappointing to Scott Mitchell, chairman of the Open Compliance & Ethics Group. “One wonders what’s wrong with ERM and why ERM hasn’t matured as quickly as quality management or strategic management,” he says. “Obviously OCEG’s point of view is the possibility that ERM is too myopic in its focus. A lot of ERM programs struggle to integrate with performance, and that’s why they struggle.”

Divergent Views, or Splitting Hairs?

The suggestion that boards and senior management may have a different view of risk compared with functional leaders isn’t as much of a concern to Mitchell. “You have different departments or different units that have different priorities,” he says. “That’s the point of running a business.”

Jim DeLoach, managing director at Protiviti, says the findings imply that some companies might need to review the basics of their risk assessment processes. Companies go about assessment in different ways, and those differences can shape the results. “You want to have different perspectives that are captured, integrated, and assimilated,” he says. “In that way, you come up with the organization’s best collective view of its risk profile. That’s not easy.”

Beasley points out that one key finding of the studies is concern that corporate culture might not adequately encourage key risks to be elevated to the right levels in a timely manner so they can be addressed. “I’ve heard some say in certain cultures, if I elevate a risk, I could be incriminating myself as an ineffective manager,” he says. “So are you comfortable you have the right process to assure risks are being elevated among multiple players in the C-suite team?”

Also crucial, says Brian Schwartz, U.S. GRC leader for PwC, is assuring a well-defined risk appetite. “Risk appetite will tell the company how many and which types of risks should be taken on based on pursuing their business objectives,” he says. “A lot of companies build elaborate risk assessment programs before they’ve defined appetite. It’s like building a bridge without knowing how wide the river is.” On the plus side, he says, he sees chief risk officers increasingly stepping back and asking what they can do to make the ERM process more relevant to the organization.

For Mike Kearney, national managing partner for strategic risk services at Deloitte, the recent data provide a wake-up call to companies to spend more time considering how key risks affect strategy. “There’s just not enough time spent talking about it,” he says. “There’s not enough time really getting beneath what the risks are and what they mean to the longevity of the organization and the strategy chosen.” Too often, he says, companies view the ERM program as a standalone function with an annual assessment process. “It’s not necessarily baked into the business management process as much as it could be.”

Norman Marks, a retired internal auditor turned governance activist, says risk programs fail to operate effectively for any number of reasons: not being recognized by the board as contributing to success, not being embraced by functional managers throughout the organization, and not being aligned with the strategy of the organization. Companies can move further along the ERM maturity curve by assuring their risk is aligned with strategy and managed at acceptable levels, he says. “We’ve got to move away from periodic reviews of risk to risk being an integral part of how we run the business,” he says.