The Woeful State of Enterprise Risk Management
My thanks go to Professors Mark Beasley and Bruce Branson of North Carolina State University’s Poole College of Management (the Enterprise Risk Management Initiative).
They recently published 2022 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices – 13th Edition.
I believe this is their best edition and thank them for the detail it includes.
The information has value, but it is very important to understand that the survey on which the report is based was sent only to current members of the AICPA (in other words, CPAs). What they have to say is likely to be very different from what a CEO, COO, or other business executive would say. It is also likely to be different from what a board member would say.
Data was collected during the first few months of 2022 through an online survey instrument sent to members of the AICPA’s Business and Industry group who serve in chief financial officer or equivalent senior executive positions. In total, we received 560 fully completed surveys.
A variety of executives participated in our survey, with 21% of respondents having the title of chief financial officer (CFO), 18% serving as chief risk officer (CRO), 6% as controller, and 8% leading internal audit, with the remainder representing numerous other executive positions.
The respondents represent a broad range of industries. Consistent with our prior year survey, the four most common industries responding to this year’s survey were finance, insurance, and real estate (27%), followed by not-for-profit (28%), services (21%), and manufacturing (10%). The mix of industries is generally consistent with the mix in our previous reports.
The respondents represent a variety of sizes of organizations. As shown in the table on the next page, 47% of organizations have revenues $100 million or lower while 30% have revenues over $1 billion. So, there is nice variation in organization size in our sample. Almost all (89%) of the organizations are based in the United States.
My intuition says that they are more likely to be positive about ERM at their organization, as well as being more risk averse than other executives in operating management positions.
Their introductory statements are solid, and I am pleased to see them recognize the need to take risks and exploit opportunities. (The emphasis below is mine.)
Many business leaders and other key stakeholders are realizing the benefits of increased investment in how they proactively manage potentially emerging risks. This is done by strengthening their organizations’ processes surrounding the identification, assessment, management, and monitoring of those risks most likely to impact – both positively and negatively – the entity’s strategic success. They are recognizing the increasing complexities and real-time challenges of navigating emerging risks as they seek to achieve key strategic goals and objectives.
Many organizations are recognizing the need to enhance the formalization and robustness of their risk governance processes. Boards and C-suite executives of these organizations have embraced the concept of enterprise risk management (ERM), which is designed to provide an organization’s leadership a top-down, strategic perspective of risks on the horizon so that those risks can be managed proactively to increase the likelihood the organization will achieve its core objectives.
However, even these CPAs are saying that current risk management practices are failing to deliver.
The professors ask: “To what extent do you believe the organization’s risk management process is a proprietary strategic tool that provides unique competitive advantage?”
- Not at all – 37%
- Minimally – 26%
- Somewhat – 25%
- Mostly – 9%
- Extensively – 3%
That’s pretty awful!
This is what they say about the “Strategic Value of Risk Management” (with my highlights):
- Less than 20% of organizations believe their risk management processes provide strategic advantage. This is surprising given most leaders understand that risk and return are inseparable [Marks: it’s not much more than 3% and not close to 20% according to their own numbers.]
- Organizations continue to struggle to integrate their risk management and strategic planning
- Except for financial services organizations, most organizations are not emphasizing the consideration of risk exposures when management evaluates different possible strategic initiatives or when making capital allocations.
- Most organizations do not formally articulate tolerances for risk taking as part of their strategic planning activities.
- There is noticeable room for improving ERM processes to help manage risks impacting reputation and brand.
- There are opportunities to reposition an entity’s risk management process to ensure risk insights generated are focused on the most important strategic issues.
The say this about the “Overall State of Risk Management Maturity”:
- While progress has been made in implementing complete ERM processes, more than two-thirds of organizations surveyed still cannot claim they have “complete ERM in place.” [Marks: and those that do are not saying that their ‘complete ERM’ is effective!]
- Large organizations and public companies are more likely than other organizations to report a complete ERM process.
- The level of robustness and maturity of risk management oversight remained relatively steady with the prior year; however, fewer than half of respondents describe their organizations’ approach to risk management as “mature” or “robust.”
- Just over one-half of the public companies surveyed do not describe their risk management processes as robust or mature. Non-profit organizations are less likely to have structured risk management processes relative to other organizations.
They also point out that “Many organizations are concluding that their approaches to business continuity planning and crisis management are not at the level of preparedness desired, with almost three-fourths indicating significant changes in those processes will occur”.
The report has a number of important tables. I have highlighted a few points.
| Description of the State of ERM Currently in Place | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
| No enterprise-wide management process in place | 15% | 2% | 2% | 6% | 14% |
| Currently investigating concept of enterprise-wide risk management, but have made no decisions yet | 10% | 3% | 2% | 6% | 10% |
| No formal enterprise-wide risk management process in place, but have plans to implement one | 8% | 3% | 4% | 4% | 10% |
| Partial enterprise-wide risk management process in place (i.e., some, but not all, risk areas addressed) | 34% | 36% | 35% | 36% | 38% |
| Complete formal enterprise-wide risk management process in place | 33%
|
56% | 57% | 48% | 28% |
Many are reporting that they have a “complete and formal” ERM process in place, but at the same time they are not saying that it is delivering the value it should. They are also saying it is not robust (see the next table).
I believe that these people don’t understand the need for ERM to inform both strategic and tactical decision-making. They are satisfied with they have (a list of risks, which is often quite short and only occasionally updated according to the survey), even if it fails to help the organization achieve its objectives.
| What is the level of maturity of your organization’s risk management oversight? | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
| Very Immature | 13% | 3% | 5% | 5% | 15% |
| Developing | 22% | 14% | 11% | 17% | 29% |
| Evolving | 35% | 39% | 39% | 43% | 33% |
| Mature | 25% | 36% | 37% | 29% | 20% |
| Robust | 5% | 8% | 8% | 6% | 3% |
If only a handful of the CPAs in a firm see ERM as “robust”, and 18% of them are CROs, what would the heads of manufacturing, sales, and marketing have to say?
| Description of the Current Stage of ERM Implementation | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
| Our process is systematic, robust, and repeatable with regular reporting of top risk exposures to the board. | 39% | 70% | 70% | 52% | 35% |
| Our process is mostly informal and unstructured, with ad hoc reporting of aggregate risk exposures to the board. | 28% | 16% | 11% | 28% | 31% |
| We mostly track risks by individual silos of risks, with minimal reporting of top risk exposures to the board. | 18% | 13% | 17% | 12% | 17% |
| There is no structured process for identifying and reporting top risk exposures to the board. | 15% | 1% | 2% | 8% | 17% |
So 70% of large organizations and public companies report at the highest level in the table above, but they don’t say the same in the next table.
| Extent to which the organization’s ERM process formally identifies, assesses and responds to emerging strategic, market, or industry risks: | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
| Extensively | 14% | 22% | 26% | 19% | 9% |
| Mostly | 31% | 41% | 42% | 37% | 27% |
| Somewhat | 27% | 28% | 23% | 21% | 33% |
| Minimally | 14% | 7% | 7% | 17% | 11% |
| Not at all | 14% | 2% | 2% | 6% | 20% |
The next two tables demonstrate what I have believed for a while. Top executives don’t see the value of ERM as it is practiced at their organization (or believe it will be practiced if additional resources are provided).
| Percentage of respondents indicating that each of the following “Mostly” to “Extensively” is impeding risk management progress | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
| Risks are monitored in other ways besides ERM | 29% | 28% | 18% | 30% | 24% |
| Too many pressing needs | 16% | 27% | 26% | 19% | 19% |
| No requests to change our risk management approach | 19% | 17% | 23% | 12% | 21% |
| Do not see benefits exceeding costs | 13% | 17% | 12% | 15% | 12% |
| No one to lead effort | 12% | 9% | 12% | 7% | 16% |
| Would overcomplicate what can be best done ad hoc | 11% | 8% | 9% | 17% | 8% |
| Percentage of respondents who describe each of the following as being a “barrier” or “significant barrier” to effective ERM | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
| Competing priorities | 44% | 35% | 36% | 47% | 50% |
| Insufficient resources | 43% | 41% | 40% | 43% | 52% |
| Lack of perceived value | 28% | 31% | 27% | 25% | 29% |
| Perception ERM adds bureaucracy | 24% | 25% | 23% | 21% | 26% |
| Lack of board or senior executive ERM leadership | 21% | 18% | 19% | 16% | 22% |
| Legal or regulatory barriers | 6% | 3% | 4% | 6% | 6% |
As the authors say:
Some of the overall reluctance to embrace ERM across an organization may be due to a lack of understanding and knowledge of what an enterprise-wide risk management process actually entails relative to traditional approaches organizations use to manage risks. ERM is a relatively new business paradigm that business leaders are hearing about but may lack an understanding of how it might help them achieve their strategic objectives.
On the other hand, at least more people than I would have thought realize risk is not just downside.
| The definition of “risk” focuses | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
| Both on “upside” risks (risk opportunities) and “downside” risks (threats to the organization) | 60% | 58% | 54% | 63% | 68% |
| Only on “downside” of risks (threats to the organization) | 39% | 41% | 44% | 36% | 31% |
| Neither | 1% | 1% | 2% | 1% | 1% |
The table below shows that the speed and volatility of risk are certainly not being addressed.
| Frequency of Going Through Process to Update Key Risk Inventories | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
| Annually | 41% | 57% | 55% | 43% | 41% |
| Semi-Annually | 10% | 12% | 13% | 9% | 11% |
| Quarterly | 16% | 14% | 20% | 21% | 15% |
| Monthly, Weekly, or Daily | 7% | 9% | 7% | 11% | 5% |
| Not at all | 26% | 8% | 5% | 16% | 28% |
As I said in the table, the report indicates that the current practices around risk management are woeful.
We need to change everything, including the guidance from the various consultants, risk institutes, COSO and ISO (sorry, advocates), to help lead practices away from management of risk (doom management) and towards the informed and intelligent risk-taking through quality decisions that will enable the achievement of objectives (success management or, more simply, effective management).
Unfortunately, the professors failed to ask what might be the most important question:
Does risk management at your organization help you and others understand what might happen so you can make the informed and intelligent decisions necessary for success, taking the right level of the right risks and exploiting appropriate opportunities?
Maybe this will be in the 2023 edition! One can only hope.
What do you think?
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Very sad after all these years, likely due to how poorly good ERM is understood. Our management team, I.e., the CEO and executives, in a Harvard study (video) stated that they could not run the company properly without ERM as we had it.
Last year I saved my company $13 million though solid quant risk analysis. I would love to understand what good ERM or what it looks like, because I certainly do not understand it.
Alex, do you practice RM2 at your company? Isn’t that “good ERM”?
Norman, RM2 is decision science, probability theory, corporate finance and behavioural economics, very siloed approach to different risks. I have no idea what good ERM is. I suspect what we do actually goes against most ERM principles, because ERM principles are wrong
Alex, if RM2 doesn’t enable a decision-maker to consider all the potential effects on a corporate objective, when they arise in different silos, then it is insufficient (IMHO).
I consider ERM as providing that ability when it is effective. Lists of risks, or fragmented risk management in silos without a big picture view, does not enable informed and intelligent business decisions.
For example, somebody considering the timing of a new product launch needs to consider opportunities and risks from multiple sources, such as compliance, customer satisfaction, reputation, cyber, regulators, competitors, and more.
Norman, that’s decision science 101 and corporate finance 101. No ERM necessary for that. My point is that I still have no idea what ERM brings to the table that isn’t just common plain vanilla decision making covered in any decision science text book
Alex, you have nailed it. I was not involved in the creation of ERM, but as I understand it the focus is on ENTERPRISE objectives. Rather than fragmented consideration of risk in silos, using different methods and language, its about the a ability to see the big picture.
Sadly, people just put together lists of all the risks instead of finding ways to aggregate them for decision-making.
It is more than decision science 101, as it means each silo has to produce results that can be combined in some fashion.
In the last 3 years I began to think that this whole story about enterprise objectives is a myth. No problem aggregating risks for capital adequacy assessments or for M&A deals, no problem aggregating risks for insurance purposes and so on. I believe it is a made up problem that enterprise objectives are somehow under risk.
The real problem is much simpler. IIA, regulators and risk associations promote astrology and call it risk management. We don’t need new risk management, we just need less astrology. The science of risk has and always had all the answers
Enterprise objectives are certainly at risk every day. Its not a new problem at all, and effective management is the answer.
Decision science is a major part of the answer, if only people would know how to make informed (emphasis on informed, which includes considering what might happen) and intelligent risks.
Do we need a new name for that? Probably not, especially as risk management has been corrupted into producing a list of risks.
The IIA is not part of the problem. They are not promoting current practices at all. However, neither are they (yet) part of the solution.
Regulators are the problem, pressing companies to list their risks with a CRO that is the sheriff in town policing the cowboys in management.
When the CRO is imposing obstacles to success, there is a huge problem.
Could be a good debate for RAW2023. I very much disagree that IIA is not a problem, they did more damage to risk management than RIMS. I also think CROs are not doing good enough job at being a sheriff, which they should do more
John I am in agreement! but for a different reason: current ERM methodologies have grown out of a mindset of protecting physical assets against adverse events, many of which can be estimated by probabalistic models (fire, flood, earthquake etc). However for modern companies, especially (but not limited to) software and SaaS companies, the most valuable assets are intellectual property and corporate brand and reputation. I believe that current ERM methodologies do not accurately value such assets, and cannot properly estimate the low probability, high consequence events (such as a hack or data breach) that might impact them.
It depends on what you you mean by “current ERM methodologies”. If you mean COSO or what most people are doing then I would agree with you. If however, your ERM uses “risk criteria” as envisioned by ISO 31000 and deals with all objectives in a consistent way then there should be a consistent approach to decision making and dealing with risks irrespective of what the objective is.
fair enough. I am familiar with the 31000 document and the risk criteria therein. My comments are directed generally at the “FAIR” methodology, likelyhood X impact. My working hypothesis is that the organization’s control exception frequency is a better criteria for identifying systemic risk. I wrote an article on this, which see: https://www.linkedin.com/pulse/part-2-perverse-incentives-systemic-risks-case-petry-cissp-ccsp
interested in your comments.
Mark, that is an excellent article. Thanks for sharing it.
I agree but have no solution for when people do bad things due to greed or incompetence and do so in a group setting or with the approval of the most senior people. Obviously culture plays a big part. ERM will not work in a dysfunctional company.