What is the state of risk management?

Professors Mark Beasley and Bruce Branson of the North Carolina State University’s Poole College of Management have shared with us for 14 years the results of their surveys of risk management practices.

Their latest report, 2023 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, is based on the responses of 454 people. 21% are CFOs, 12% are CROs, 10% lead the internal audit function, and 7% have the title of Controller. 25% are from small organizations with annual revenues of $10 million or less. 130 (32%) are with companies of $1 billion or more in revenue, and 121 (30%) are at not-for-profit organizations.

While I would like to think otherwise, I don’t expect small companies to make significant investments in specialist risk management staff or systems. Instead, they rely on operating management to understand risks and opportunities facing the organization and make related informed and intelligent decisions.

Before reviewing the results of the survey, it is useful to consider the questions that Mark and Bruce have posed to the respondents. (They are in Appendix B.)

  • Every question is focused on potential events or situations that might have a negative effect on the business. None are about understanding and considering positive events or situations: opportunities.
  • There are no questions about whether risk management provides the information necessary for informed and intelligent business decisions, taking the right level of the right risks for success every day.
  • There are no questions about seeing the big picture, where all the risks and opportunities are identified and considered together.
  • There are no questions about how risks and opportunities might affect the achievement of objectives, even though risk is defined (explicitly by ISO and implicitly by COSO) as the effect on the achievement of objectives.
  • While there are suggested questions (although not in the survey) about the consideration of risk in strategic decision-making, the need for it in tactical decision-making is absent. Risk is taken every day, not monthly, quarterly, or (heaven forbid) annually.

So the bar they have set for assessing the maturity of risk management practices is very low.

I have asked them what they consider “mature” risk management, and have suggested talking about it, but they have not responded to my outreach. I have also searched their online library for related articles and only found one – which I was pleased to see referenced a piece I wrote for the IIA’s magazine a dozen years ago! You can find my risk management maturity model in Risk Management for Success.

Even this low bar is not being achieved according to the study:

  • While two-thirds of respondents describe the volume and complexity of risks as higher than prior levels, less than one-third describe their risk management processes as mature or robust. That suggests a disconnect between risk management capabilities and needs.
    • Just 10% of the largest organizations described their risk management as “robust”, and only 7% of those in financial services did so.
    • 2% described their risk management as providing a competitive advantage.
  • Many leaders believe risk management is a distraction. The “tone at the top” may not be sufficiently embracing the value and relevance of risk management in the context of the organization’s strategic success. Many tend to view risk management as bureaucratic and non-value adding.
  • While executives appreciate the reality that risk and return are interconnected, most respondents do not view their organization’s risk management efforts as providing strategic insight.
  • Most organizations report risks to the board on an annual rather than a quarterly or more frequent basis, despite the ever-changing nature of the global risk environment. Only one-quarter of respondents believe risk information generated by the organization’s ERM process is formally discussed by the full board of directors when it discusses the strategic plan. Rich insights about the interconnected nature of risks and their impact on the strategy of the organization should be a primary and regular input to overall board discussions and governance.

What does this mean?

Even at a low bar, where the only management is of adverse risks rather than the achievement of objectives considering all sources of risk (and opportunity), executives are not seeing the value to them and to the organization of risk management – the way they see it practiced. They are not investing, and risk management is immature.

My guess is that those who have more robust systems and processes are being forced to invest in risk management by their regulators. There will be exceptions, of course, but there are clearly few of them.

I call again for academics (including Bruce and Mark), consultants, and leading practitioners to recognize that traditional risk management (focusing on avoiding failure) is not only the path to that very failure but will never be recognized by executives as contributing to success.

For example, the recent publication of the Chartered Professional Accountants in Canada, Risk oversight: A framework for identifying, understanding and addressing risk, also discusses only the oversight of adverse events and situations.

If leaders don’t see the value of risk management in helping them make the right decisions for success, they won’t invest in it. I repeat this from the NC State report:

Many leaders believe risk management is a distraction. The “tone at the top” may not be sufficiently embracing the value and relevance of risk management in the context of the organization’s strategic success. Many tend to view risk management as bureaucratic and non-value adding.

Surveys like this and guidance from others should be changed to assess and promote true risk management maturity, not failure management. We need to work together to change the expectations for effective risk management.

I welcome your thoughts.

By the way, I now have a YouTube channel with a bunch of videos that you may enjoy.

  1. July 17, 2023 at 9:13 AM

    The NC State ERM initiative is notorious for RM1 and is truly an embarrassment to the global risk community. They have been steering the respondents in the wrong direction for a decade now. I see 2 conclusions: a) the survey is not worth our attention since it is flawed by design and the results are meaningless in the RM2 world, b) execs don’t see value in RM1 (the ERM the way NC see it), which is no surprise to anyone.

  2. July 17, 2023 at 11:10 PM

    Too many are still hanging on to the dead horses of risk management:
    1. 3 Lines of Defense
    2. Risk registers
    3. Heatmaps
    4. CRSAs
    5. RAG ratings

  3. brucemccuaig1
    July 18, 2023 at 4:47 AM

    Ironically, while the survey has all the flaws you and others have described, the NCS ERM round tables attract some of the most progressive practitioners and innovative practices I have ever encountered. I attended many of these conferences while working for SAP. I can tell you they were not buying ( or generally using) RM1 software. If you want to drive change in risk management practices, this is an audience that needs to be addressed.

    • July 18, 2023 at 4:49 AM

      Are you sure about this? I have seen most NCS ERM interviews and publications and I see no evidence whatsoever of RM2; in fact every guest was very much RM1 (I give them the benefit of the doubt, because they were answering RM1 questions).

      • brucemccuaig1
        July 18, 2023 at 5:19 AM

        It’s been several years since I attended the conference. There were certainly RM1 presentations, but the presenters and practitioners recognized and were frustrated by its limitations. I saw many extremely interesting and creative case studies that went far beyond conventional practices and clearly headed in the direction of RM2. I don’t believe NCS teaches or promotes RM2 and may not even recognize it. But the most progressive practitioners who attended the conferences I attended were searching for what we now call RM2 and were making progress. (I’m not sure I fully appreciated RM2 at the time.) I’ve attended a lot of conferences and listened, or tried hard to listen, to “risk management” presentations. These were by far the most interesting, innovative and stimulating, and the practitioners who can drive RM2 attend.

  4. John J Brown
    July 25, 2023 at 3:44 AM

    Discouraging to see so many organizations consider ERM to be an annual exercise with an end goal of displaying a list of risks, some going a little further by documenting actions to reduce the level of risk. Many C-suite executives like to see risks reduced over time, sort of a burn-down rate of risk — this is not reality. ERM’s focus should be to dynamically identify ever-changing risks and provide this risk intelligence (i.e. uncertainties) to decision-makers. As Norman stresses, risk has potential positive outcomes as well as negative.
