Between economic and supply chain challenges, geopolitical events, cyber threats, and other circumstances, managing risk remains a complex and challenging effort for organizations of all types and sizes.
The 2022 State of Risk Oversight Report, the 13th annual enterprise risk management study conducted by ERM Initiative at North Carolina State University and the AICPA, surveyed executives across a range of industries on their organizations' risk oversight practices and areas for improvement.
In comparing past State of Risk Oversight reports, the previous two years have seen executives ranking risk volume and complexity at their highest levels in more than a decade. Yet, despite a greater need for effective risk management and the "growing level of uncertainty in today's marketplace," the surprising reality is that a quarter of respondents reported having either no formal ERM processes or no plans to implement them at this time.
"There are a number of barriers that inhibit progress in risk management improvements in organizations," the researchers noted. "Perceptions that managing risks lacks value may signal a lack of understanding about how effective risk oversight may actually improve the organization's ability to proactively and resiliently navigate emerging risks."
The report organized its findings into several focus areas to benchmark respondents' ERM practices, including:
Organizations that plan to enhance their ERM program identified some common drivers:
Executives recognize that changes are needed in governing business continuity and crisis management due to the frequency of unexpected risk events.
Financial Services Spotlight: Part of the growing focus on resilience is an increase in "significant operational surprises" across industries that started in 2020, with the upward trend continuing into 2022. The financial services industry reported the biggest surge in unanticipated risk events from 2019 to 2020. Due to these high levels of disruption, 75% of financial services firms believe that there will be significant changes in their organization's current approach to business continuity planning and crisis management.
Increasing pressure from stakeholders to provide information that enables the organization to prepare for and manage emerging risks is another motivation for enhanced risk management.
External and internal demands – from regulators, boards of directors, and executive leadership teams – for improved risk oversight remain strong, particularly for public companies and financial services firms.
Financial Services Spotlight: 40% of financial institutions report increasing regulator expectations for senior executive involvement in risk oversight.
Many organizations struggle to make their risk management function a value center, particularly in the area of integrating risk management with strategic planning. The survey found that fewer than 20% believe their risk management processes provide a strategic advantage.
"Overwhelmingly, most organizations do not perceive their risk management processes as providing important risk insights that management can use to create or enhance strategic value."
Why is this? The research suggests some common deficiencies in ERM programs that prevent organizations from gaining strategic insights and making risk-based decisions:
Additionally, the report points out that there is "noticeable room for improvement" in how organizations use ERM to "aid management and the board in monitoring and responding to risk more proactively rather than reactively" through monitoring emerging risks to reputation and brand.
Although adoption of ERM practices has increased over the past decade plus, program maturity has plateaued in recent years, according to data from past State of Risk Oversight reports.
A third of organizations surveyed describe their ERM program as "complete" (up significantly from 9% in 2019), but that figure has remained around 30% for the past five years.
This slow progress in pursuing maturity may be part of the reason organizations aren't perceiving ERM as a value-adding activity. Given the option of ranking their organization's risk management maturity as very immature, developing, evolving, mature, or robust, only 29% of respondents chose "mature" or "robust."
Financial Services Spotlight: For more detailed benchmarks on organizations' ERM implementation efforts, the report asked respondents to select statements that best describe their maturity level. The results for financial services organizations versus the full sample of respondents follow:
In a volatile risk environment that demands effective ERM processes, many institutions don't have the risk culture, management capabilities, or program maturity to keep up. Where does your organization stand?
The authors of the report suggest that senior executives and boards of directors "may still need to engage in robust and honest assessments regarding their organization's current capabilities for managing the ever-changing landscape of risks on the horizon" and propose several questions to get started:
If you're looking for ways to accelerate your ERM program maturity through capabilities like risk integration, automated management processes, and streamlined reporting, consider investing in risk management technology. Learn how Quantivate solutions help organizations solve governance, risk management, and compliance (GRC) challenges.