
How bad are risk management practices?

November 6, 2023

For many years, the ERM Initiative at North Carolina State University, in partnership with the AICPA & CIMA, has surveyed organizations about their assessments of the maturity of “risk oversight[1]” at their organizations.

In October 2023 they published “2023 Global State of Risk Oversight Report: Managing the Rapidly Evolving Risk Landscape”[2]. The two authors, Professors Mark Beasley and Bruce Branson, tell us that:

To gain a global perspective about the state of risk oversight practices in organisations around the world, we surveyed executives to understand what processes they have in place to navigate the rapidly changing risk landscape. The report summarizes insights from 983 executives in organisations around the world….

…a majority of the respondents serve in financial, accounting or treasury roles, although other executive positions are represented. And, organisations of all types and sizes are represented, with no industry comprising more than one-third of any geographic region’s respondent base.

For reference, the respondents were:

  • US: CFO or Finance Director 22%; Treasurer/Controller 11%; CRO 10%; CAE 10%.
  • Europe and UK: CFO or Finance Director 45%; Treasurer/Controller 14%; CRO 3%; CAE 3%.
  • Asia and Australasia: CFO or Finance Director 42%; Treasurer/Controller 14%; CRO 8%; CAE 3%.

The responses were from a variety of industries:

  • US: 26% Finance/Insurance/Real Estate; Services 26%; Manufacturing 11%
  • Europe and UK: 12% Finance/Insurance/Real Estate; Services 20%; Manufacturing 19%
  • Asia and Australasia: 18% Finance/Insurance/Real Estate; Services 22%; Manufacturing 16%

Two very important points need to be made before reviewing their findings:

  1. The professors seem to believe that effective risk management[3] is about managing or mitigating risks in a risk profile (a list of risks, a.k.a. a risk register). If you have a look at their ten questions to consider (which I excerpt later), there is not a single mention of decision-making, nor is there any discussion of the need to take risks to succeed. Alexei Sidorenko calls this RM1. I call it a variety of unflattering terms, because it is not effective risk management that will help the organization succeed. Managing a list of risks (or Enterprise List Management in the words of Jim DeLoach) may help avoid harms, but it will not help you achieve your objectives. See their finding that leaders don’t see the value in enterprise risk management. Why should we be surprised by this if risk management is limited to the periodic (at best) review of a list of risks?
  2. The respondents are more likely to answer positively than the total population. Would you answer a survey and confess to poor practices?

I have reached out in the past to Mark Beasley to discuss the differences between our views of effective risk management (on or off the record), but he has not responded.

All of this points to the bar being set very, very low for the authors’ definition of “mature risk management”.

Even so, the findings are depressing. Note my highlights.

  • Investments in risk oversight processes are relatively immature across all regions around the globe, with only 31% of the 983 global organisations surveyed rating their risk oversight practices as mature or robust[4]. The lowest level of maturity was noted by organisations in Africa & the Middle East, followed by those in the U.S.
  • Executives and boards struggle to understand and realise the strategic value that effective risk oversight practices can provide. Most do not believe their organisation’s risk management process is providing significant competitive advantage[5]. The lack of strategic value of risk oversight may be attributable to how the organisation’s risk management practices are structured to generate risk insights. Across each region of the world, the dominant focus of risk management practices is centered on information technology (IT) risks, legal/regulatory/ compliance risks, and operational/supply chain/process risks.  In each region, the focus of risk management practices on emerging/strategic/market/industry risks is the lowest among all risk categories we surveyed. The failure to emphasize a strategic risk focus may explain the perceived lack of value of risk oversight.
  • While most executives understand the interconnectivity of “risk and return,” many organisations struggle to integrate their risk management practices with strategy. Risk management is often disjointed with risks managed in pockets or silos across the organisation (e.g., regulatory risk, operational risk, IT risk, insurance risk, etc. all separately managed) with little, if any, interaction between those functions.  Risks are often not linked to specific strategies or tactics.  And, risk leaders infrequently (if at all) interact with those in the C-suite about how risks might impact strategic success. Furthermore, this siloed approach to risk management tends to heavily focus on internal, operational, compliance, or other “already-known” risks, with less focus on broader emerging, strategic, and frequently, externally-triggered risks. 
  • Senior leaders and boards often fail to see the strategic value of investing in more robust and enhanced risk oversight, given a perceived lack of strategic value being provided by the risk management process… If risk and return are truly interconnected realities, then it is important for the output of any organisation’s risk oversight processes to be an important input to strategy planning and oversight.
  • While most executive teams believe their organisations are managing risks, often that is occurring without any individual with responsibility for leading the design and implementation of specific risk management processes. About one-half of the 983 respondents indicate that their organisation has appointed a chief risk officer or equivalent, which means there is no clear risk leader in the other one half of the organisations. It is more common that they have created a management-level risk committee. But, is a committee-only led process sufficient? The lack of embrace of the importance of risk oversight in organisations may be attributed to the small percentages of organisations that have embedded risk management incentives in their compensation plans. Most organisations (about 80% on average) have not done so, especially those in the U.S. The lack of incentives may explain why investment in risk oversight is lacking. Most organisations are not providing any training related to risk oversight for executives.
  • Messaging from the organisation’s leaders may be negatively impacting the “tone at the top” about the value of risk oversight. Failure to communicate the importance of risk management may lead to perceptions that there are other more important priorities and there are insufficient resources available for investing in risk oversight.
  • While strategy and risk oversight are core responsibilities of the full board of directors, less than one half of the organisations’ boards discuss information generated by the ERM process when discussing the strategic plan[6].
  • U.S. organisations report being least likely to maintain risk inventories on a formal basis and are least likely (relative to the other three regions) to formally update their risk inventories. If management and the board fail to have any organized list of potential risk exposures on the horizon, they are likely to take a scatterplot view of possible risks as they digest the latest news coming into view. That may be distracting them from risks most relevant to their organisation. Most respondents are not satisfied with the robustness of their key risk indicators regarding their entity’s top risk exposures.
  • We also asked a different question about whether their ERM processes are “systematic, robust, and repeatable with regular reporting of top risk exposures to the board.” Across the full sample of 983 organisations, less than one-half (44%) of respondents describe their risk oversight in that capacity. Some differences exist in responses between U.S. respondents and respondents from all other parts of the world to that question as shown below. Organisations based in Europe & the UK appear to have more formalized, defined, and repeatable risk management processes relative to other parts of the world, especially when compared to the U.S.[7]

The authors include ten questions that merit our consideration. They don’t go nearly far enough, focusing on managing risk rather than managing the business. But that doesn’t mean they shouldn’t be answered.

10 DIAGNOSTIC QUESTIONS TO ASK

Business leaders may find it helpful to consider these diagnostic questions as an evaluation of their organisation’s overall risk oversight effectiveness. Engaging senior management and the board in discussions about answers to these questions may help pinpoint needed enhancements to the organisation’s risk oversight:

    1. How rapidly are uncertainties in the global business environment changing in complexity and volume and is your organisation’s approach to risk management at a level of robustness necessary to manage that changing reality?
    2. To what extent is your organisation’s risk management process providing valuable insights for board and senior management strategic decision making? Are risk insights from the risk management process a valued input to strategic planning?
    3. What types of risks dominate the board and management’s discussions? Is the focus mostly on “already known” operational, compliance, and financial risk challenges or are those discussions prompting management to consider new and emerging risk challenges on the horizon, particularly those that may emerge from outside the organisation?
    4. To what extent are risks identified by the risk management process mapped to how they might impact the organisation’s core business model and strategic plan on both a short-term and long-term perspective?
    5. How is the organisation’s culture affecting risk-taking and risk-management across the organisation? Is risk management perceived to be an important, value-added management tool or is it viewed from a “check-the-box” or compliance activity?
    6. To what extent is there clarity among the board and senior management about the top risks for the organisation?
    7. Has management explicitly identified an “owner” for each of the organisation’s top risks and what accountabilities are in place to ensure risk owners are sufficiently overseeing their assigned risk areas?
    8. To what extent do all of the members of the executive team and board have a rich understanding of the root cause drivers of the organisation’s top risks and how the entity is responding to those risks to prevent the root cause from occurring and minimize the impact should the risk occur?
    9. To what extent does management’s dashboard of key performance metrics also include relevant key risk indicators to help them keep an eye on emerging risk trends?
    10. What risk information does the board and senior management need but currently not have? What improvements to the organisation’s risk management process are in greatest demand?

My thoughts include:

  1. What will it take to get consultants, educators, and software vendors to realize that risk, strategy, and performance are all necessary ingredients, taken together and not in isolated silos, of effective management? Risk needs to be taken to achieve objectives, and the key is to take the right level of the right risks to achieve them. The periodic review of a list of risks (whether in a COSO risk profile or in a heat map) is not only not effective risk management, but it leads executives and board members to the conclusion (as shown in this report) that while enterprise risk management (as practiced) may be something you need to do to pacify the regulators and others, it is not something you want to do because it helps you run the organization for success. (Credit to Carol Williams for that expression.)
  2. Messaging from the top about the value and importance of risk management is unnecessary when operating management can see and experience its value in helping them make informed and intelligent decisions.
  3. How many CROs and CAEs of these organizations are reporting to the board and top management that their risk management practices are insufficient?
  4. How many of these organizations are disclosing in their filings with the regulators that their risk management practices are insufficient?
  5. Why are we not making the progress we should as practitioners? I am pleased to see so many following this blog[8] and agreeing with my views on effective risk management. I was pleased to see Hersh Shah of IRM in India recently speak about the integration of risk management and decision making. But that is clearly not enough.

What can we do? What can you do?

I welcome your thoughts.

====================================================================

[1] I cannot explain why they use this term instead of “risk management” or “the management of risk”.

[2] They refer to it as the 6th Edition.

[3] They say that “ERM is a process that strives to provide a more holistic, top-down strategic perspective of risks that may be on the horizon, with the goal of managing risks within the context of the organisation’s appetite for taking different risks as it pursues strategic objectives.”

[4] The authors no longer disclose the abysmal percentage who report they have achieved the highest level of maturity.

[5] 16% globally; 11% in US, 15% in Europe and UK.

[6] In the US, the number is 26% mostly or extensively; for Europe and the UK, Asia and Australasia, it is 42%.

[7] 37% of US organizations rated this last as “mostly or extensively”.

[8] 2.9k subscribers, but many more visitors. So far this month, 13,639 have visited the site.

  1. Anonymous
    November 6, 2023 at 8:27 AM

    Norman,

    As always insightful. I have shared very similar comments on the survey in a number of venues. I have two comments that align with your post:

    1. We will only be able to truly move risk management forward once we release the thinking that it is dictated by various ‘Risk Societies’ (aka: GRMI) driven by the insurance mentality. Too much backward looking.
    2. Until there is an understanding of what exactly is being managed to reduce the amount of risk, any amount of oversight will be useless. In teaching boards about risk governance the one thing I have found to be true is that one cannot govern if they don’t understand what is being managed and how.

    The survey, which is 14 years in, continues to spread the dismal reality that people are not maturing in the risk management field because they have not yet learned what it means to create value from effectively managing risk. One day that will change and it is risk practitioners such as you, Alex and I that will have to make it happen, bit by bit.

    Cheers!

  2. Anonymous
    November 6, 2023 at 9:54 PM

    Martin,

    It is depressing, but the reality is that a lot of work done in the corporate world consists of activity for activity’s sake, rather than a means to an end. I do not think things will change until Boards ask questions of management that require management to develop an informed opinion regarding the amount of risk they are taking in the pursuit of outcomes. I’ve yet to see a board pack that clearly addresses this – “what are we trying to achieve, can we achieve it, what is the basis for our opinion in this regard, how has our opinion been pressure tested and was it confirmed or challenged, what are we doing about gaps?” Risk management is not a product to be reported, but an activity that should be applied (where needed) as part of delivery of outcomes.

    • Anonymous
      November 6, 2023 at 10:58 PM

      Sorry Norman, don’t know where the Martin came from…

    • Norman Marks
      November 7, 2023 at 5:38 AM

      You say, “Boards ask questions of management that require management to develop an informed opinion regarding the amount of risk they are taking in the pursuit of outcomes”.

      What is this “amount of risk”? How do you aggregate the effects of disparate sources of risk like compliance, safety, competitive, regulatory, product safety and quality, people, and cyber?

      I have proposed using the effect on the likelihood of achieving objectives.

      But shouldn’t boards be asking management how they know they are taking the right levels of the right risks to achieve objectives, both in strategic and tactical decisions?

      How do they know they have complete, reliable, and timely information about where they are and what might happen in the future?

      How does management make important strategic and tactical decisions?

      I believe these are far better questions than asking for “the amount of risk”. OK, the answer comes back as 42 – what does that mean?

  3. Anonymous
    November 6, 2023 at 11:00 PM

    Sorry Norman, please read Norman for Martin above – mixed up another conversation with this

  4. brucemccuaig1
    November 7, 2023 at 8:21 AM

    Norman, I couldn’t agree more. Most of us who have been active in this space have been “risk listers” earlier in our careers. I have been using the phrase “risk cemetery” for years instead of “risk register” and it doesn’t seem to bother anyone. I now compare heat maps to butterfly collections. But the issue goes beyond risks. I have rarely, if ever, seen “controls”, “issues” “audits” or any related info linked to business performance or decision making. Decision making requires knowledge. Performance levels can be designed (and predicted) with knowledge. Lists do not create knowledge.

    BWMcCuaig

  5. GSosbee
    November 17, 2023 at 8:18 AM

    This is one of the Board/Management issues that, without being sorted out, eventually will do harm to owners’ interests. The short answer is Risk Management should have a clear path to the Board with Management’s involvement limited to administrative issues. This serves two purposes: 1) protection of owner interests is paramount and should not be affected by management silo issues; and 2) it provides the Board with a source of thought to check/balance Risk Management’s thoughts/programs.
