Formalized, comprehensive approaches to enterprise risk management are not terribly baked into corporate practices, according to a recent study by the accounting profession.
A survey of 474 senior finance executives in the business and industry group of the American Institute of Certified Public Accountants found only 31 percent who said their organizations have a complete ERM process in place. Still, that’s an increase of 22 percent from 2009, when only 9 percent reported they operate in a complete ERM environment.
The AICPA conducted the study in coordination with North Carolina State University’s ERM Initiative. It found only 22 percent of participants who said their organization’s ERM practices could be described as “mature” or “robust.” The results also suggest corporate directors may not be happy with the current state of affairs, as 68 percent indicated boards want senior executives to increase management involvement in risk management.
Mark Beasley, ERM professor at NC State and director of the ERM initiative, says senior executives and boards of directors increasingly are realizing that change is occurring faster than their ability to manage risk using traditional approaches. “While many are increasing the robustness of their processes for identifying, assessing, and managing emerging risks that may ultimately impact their core business model and strategic objectives, a number of organizations may not discover that need until they face a major risk event,” he said in a statement.
The study also identified a “disconnect” between corporate strategies and risks. The study says less than 20 percent of organizations see their risk management processes as providing any kind of strategic advantage. A little less than one-third said their boards discuss risk exposures in the context of the organization’s strategic plan.
That’s one of the points driven home in the recently revised ERM framework issued by COSO, or the Committee of Sponsoring Organizations of the Treadway Commission. COSO rewrote the framework in part to draw a tighter link between an organization’s strategic objectives and performance and its approach to risk management.
Other key findings in the study include:
A growing number of organizations are appointing chief risk officers, with 63 percent of public companies establishing and filling such a position.
Two-thirds of participants said their organization does not include explicit components of risk management activities in executive compensation plans.
Nearly half said risk was measured in ways other than through ERM. Some reported barriers such as competing priorities, insufficient resources, and lack of perceived value.