The 2019 edition of “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices” was released in April by North Carolina State University’s ERM Initiative, in partnership with the American Institute of CPAs.
Based on survey responses from 445 business executives, the report provides detailed insights about the state of maturity of current enterprise risk management (ERM) practices.
In this post, we highlight seven key risk management trends from the report that you should be aware of.
1) The Volume and Complexity of Risks Are Increasing
Be prepared to face a business landscape where the management of risks is more difficult. For 59% of respondents in the report, the volume and complexity of risks have increased “extensively” or “mostly” over the past five years.
The number jumps to 66% for large organizations (revenues greater than $1 billion) and 67% for public companies.
Respondents are especially concerned about their ability to manage leadership and talent needs, innovations that might disrupt their business model, the impact of the economy, and shifts in consumer and social demographics.
Since the management of risks is becoming more complex, be sure to have the right software tools to simplify tasks and bring as much automation as possible.
2) Many Organizations Are Experiencing “Operational Surprises”
According to the report, about 9% of respondents have been affected by an operational surprise “extensively” in the last five years, while 24% of respondents said they have been “mostly” affected. Another 35% of respondents answered “somewhat” to the question.
This means that 68% of organizations have experienced an operational surprise in the last 5 years due to a risk they did not adequately anticipate. The number is 69% for large organizations, and it jumps to 75% for public companies.
The report says that the high volume and growing complexity of risks are translating into unexpected operational issues. Effective risk management is needed to better anticipate events that could result in unexpected operational surprises.
3) The Approach to Risk Management Needs to be More Mature and Robust
Ironically, even though organizations acknowledge that the volume and complexity of risks are increasing, and that they still face unexpected operational surprises, only a few of them describe their risk management processes as mature and robust.
Only 23% of respondents (34% for large organizations and public companies) describe their risk management processes as “mature” or “robust”.
There is clearly a disconnect between: 1) the growing realization that risk management is getting more complex, and 2) the preparedness of the organization to face increasing risks and operational issues. But this can also translate into an opportunity to improve risk awareness and implement the right processes and technologies to increase the maturity of risk management practices.
4) There is Great External Pressure to Provide Information About Risks
Respondents were asked to describe the extent to which external factors (e.g. investors, ratings agencies, regulatory agencies, emerging best practices) are creating pressures on senior executives to provide more information about risks affecting their organizations.
For 10% of respondents, external parties are applying pressure “extensively”, while 21% said that external parties are “mostly” applying pressure. Another 28% reported that external parties are “somewhat” applying pressure.
Thus 59% of organizations are reporting some level of pressure from external parties to be more transparent about risk exposures. The number jumps to 75% for large organizations and public companies.
Increasingly, having mature and robust risk management processes in place is also about meeting stakeholder expectations more successfully.
5) Stronger Integration Between Risk Management and Strategic Planning is Needed
Risk management is not just about:
- Identifying risks.
- Maintaining a risk register.
- Determining the likelihood of adverse events.
Risk management is first and foremost about making sure that company objectives are achieved by anticipating potential obstacles and measuring the effect of uncertainty on objectives. In other words, risk management is about better management.
However, according to the report, most organizations struggle to integrate risk management with strategic planning. For example, only 40% of respondents say that existing risk exposures are considered “extensively” or “mostly” when evaluating possible new strategic initiatives.
A better understanding of risks should be a valuable input to the strategic planning process so that organizations can design goals and initiatives with these risks in mind, the report says.
To determine if you’re connecting risk management with strategic planning, consider these questions:
- Is your current risk management process focused too much on operational or compliance issues?
- Are the top risks identified by your risk management process mapped to your most important strategic initiatives?
6) Key Risks Should Be Updated More Frequently
As mentioned above, risk management is about making sure that corporate objectives are achieved, and determining the effects of uncertainty, positive or negative, on objectives.
Striving to meet objectives is not an exercise that takes place only once a year. It is a continuous and ongoing process. Does it make sense to update risks only annually or even semi-annually? If risks are linked to objectives, then the answer is ‘no’.
However, the report reveals that organizations are not updating their risk inventories as often as they should. Respondents were asked whether they go through a dedicated process to update their key risk inventories, and the frequency of updates. Among all respondents, 23% answered they don’t have such a process, 45% answered that they update risk inventories annually, and 9% answered semi-annually.
This means that 77% of respondents are not updating their key risks as often as they should. The number is 76% for large organizations and 64% for public companies.
7) The Reporting of Key Risk Indicators Has to be Improved
The report reveals that there is room for improvement in the nature of risk information being reported. Organizations appear to be struggling to find effective measures to monitor top risk exposures.
Only 28% of respondents were “very satisfied” or “mostly satisfied” with the reporting of key risk indicators (KRIs). The number is the same for large organizations, and 31% for public companies. There is clearly dissatisfaction with the reporting of KRIs.
Survey results also find that only a small percentage of organizations have a robust set of metrics included in management dashboards to help them monitor changing risks. Most organizations have plenty of key performance indicators (KPIs), but KPIs look at the past and only focus on internal things, the report says.
While the reporting of KRIs needs to improve, there is nevertheless some hope. The growing use of data analytics may provide opportunities to strengthen management dashboards by including more information that helps track potential risks in the future, the report says.
Check out the full report to learn more about these seven insights and the state of risk oversight, and to get an overview of enterprise risk management practices.