Risk management progressing but patchy, study finds

Executives see an increasingly challenging web of risks but say efforts to beef up risk-management efforts remain mixed, with boards wanting to see greater involvement from management, according to new research.

Almost 70 percent of respondents polled by North Carolina State University and the American Institute of CPAs (AICPA) at large organizations, public companies and financial services firms feel the volume and complexities of risks have increased over the past five years. Less than half that figure – and only 25 percent of all respondents – describe their risk management processes as mature or robust.

AICPA and the university’s Enterprise Risk Management (ERM) Initiative collected responses from 432 CFOs and other senior executives in a range of industries.

‘What this study reveals is that there is a huge disconnect between corporate challenges and how organizations are responding to them,’ says Mark Beasley, co-author of the report and director of the ERM Initiative.

This may arise from the fact that only 25 percent of respondents feel they have effectively integrated risk management into their strategic planning, the report suggests. Just 30 percent of respondents indicate that top risk exposures facing the company are discussed extensively by the board of directors when they talk about the organization’s strategic plan.

‘Despite the higher percentages of boards that discuss risk exposures in the context of strategic planning for the largest organizations and public companies, the fact that more than half of those organizations are not having these kinds of discussions suggests there is still room for marked improvement in how risk-oversight efforts and strategic planning are integrated,’ the authors write in the report.

‘This report tells us that there is a significant need for [ERM] given the complexity of the risks businesses are facing – and that boards of directors are calling for it,’ says Ash Noah, vice president of chartered global management accountant external relations at AICPA. Under a third (28 percent) of respondents say their organizations have complete ERM processes in place, though this is up 19 percent points from 2009.


CROs
At the same time, the research suggests that boards – particularly at the largest organizations, public companies and financial services firms – have strong expectations for improving risk oversight: 67 percent of all respondents report that their board members are calling for increased senior executive involvement in risk oversight.

One sign of a beefed-up management role is the growing number of companies with chief risk officers (CROs) or equivalent senior risk executive. Forty-two percent of respondents say their organizations had that type of position last year, up from 32 percent the year before and 18 percent in 2009. Large organizations, public companies and financial services firms are more likely than other types of organizations to have a CRO or equivalent, with more than half doing so.

Creating such roles can be driven by a number of factors, such as the company experiencing a crisis or having a sense that it could handle risk management better without increasing the amount spent on it, according to Michael Kearney, partner with Deloitte Risk and Financial Advisory (CorporateSecretary.com, 3/15).  

CROs most commonly – 51 percent of the time – report to the CEO or president. At 21 percent of the firms with a CRO position, the individual reports formally to the board of directors or its audit committee, while an additional 15 percent report to the CFO.

Similarly, 58 percent of respondents had a risk committee last year, compared with 45 percent in 2015, 45 percent in 2014 and 22 percent in 2009. Almost two thirds (61 percent) of all the companies polled give the board of directors or one of its committees a formal report at least annually describing the organization’s top risk exposures. In 2009 the researchers found that only 26 percent of companies provided that kind of information to the board at least annually.