The State of ERM: Research Reveals Need for Risk Management Maturity

Between economic and supply chain challenges, geopolitical events, cyber threats, and other circumstances, managing risk remains a complex and challenging effort for organizations of all types and sizes.

The 2022 State of Risk Oversight Report, the 13^th annual enterprise risk management study conducted by ERM Initiative at North Carolina State University and the AICPA, surveyed executives across a range of industries on their organizations’ risk oversight practices and areas for improvement.

In comparing past State of Risk Oversight reports, the previous two years have seen executives ranking risk volume and complexity at their highest levels in more than a decade. Yet, despite a greater need for effective risk management and the “growing level of uncertainty in today’s marketplace,” the surprising reality is that a quarter of respondents reported having either no formal ERM processes or no plans to implement them at this time.

“There are a number of barriers that inhibit progress in risk management improvements in organizations,” the researchers noted. “Perceptions that managing risks lacks value may signal a lack of understanding about how effective risk oversight may actually improve the organization’s ability to proactively and resiliently navigate emerging risks.”

Related Reading | Proving the Value of a Bank ERM Program >

The report organized its findings into several focus areas to benchmark respondents’ ERM practices, including:

• Drivers for Enhanced Risk Management
• Strategic Value of Risk Management
• Risk Management Maturity

Motivations for Improving Risk Management

Organizations that plan to enhance their ERM program identified some common drivers:

Operational Resiliency

Executives recognize that changes are needed in governing business continuity and crisis management due to the frequency of unexpected risk events.

Financial Services Spotlight: Part of the growing focus on resilience is an increase in “significant operational surprises” across industries that started in 2020, with the upward trend continuing into 2022. The financial services industry reported the biggest surge in unanticipated risk events from 2019 to 2020. Due to these high levels of disruption, 75% of financial services firms believe that there will be significant changes in their organization’s current approach to business continuity planning and crisis management.

Risk Intelligence

Increasing pressure from stakeholders to provide information that enables the organization to prepare for and manage emerging risks is another motivation for enhanced risk management.

External and internal demands — from regulators, boards of directors, and executive leadership teams — for improved risk oversight remain strong, particularly for public companies and financial services firms.

Financial Services Spotlight: 40% of financial institutions report increasing regulator expectations for senior executive involvement in risk oversight.

Unlocking the Value of Risk Management

Many organizations struggle to make their risk management function a value center, particularly in the area of integrating risk management with strategic planning. The survey found that fewer than 20% believe their risk management processes provide a strategic advantage.

“Overwhelmingly, most organizations do not perceive their risk management processes as providing important risk insights that management can use to create or enhance strategic value.”

Why is this? The research suggests some common deficiencies in ERM programs that prevent organizations from gaining strategic insights and making risk-based decisions:

• Insufficient focus on emerging strategic, market, or industry risks: Less than half (45%) of respondents indicate that their organization focuses “mostly” or “extensively” on formally identifying, assessing, and responding to these emerging risks.
• Limited consideration of risk exposure: Less than (47%) of organizations “mostly” or “extensively” consider existing risk exposures when evaluating new strategic initiatives.
• No articulation of risk appetite or tolerances: Only a third of organizations surveyed “mostly” or “extensively” articulate risk appetite or tolerance in the context of strategic planning.

Related Reading | How to Develop Risk Appetite and Tolerances >

Additionally, the report points out that there is “noticeable room for improvement” in how organizations use ERM to “aid management and the board in monitoring and responding to risk more proactively rather than reactively” through monitoring emerging risks to reputation and brand.

Enterprise Risk Management Maturity

Although adoption of ERM practices has increased over the past decade plus, program maturity has plateaued in recent years, according to data from past State of Risk Oversight reports.

A third of organizations surveyed describe their ERM program as “complete” (up significantly from 9% in 2019), but that figure has remained around 30% for the past five years.

This slow progress in pursuing maturity may be part of the reason organizations aren’t perceiving ERM a value-adding activity. Given the option of ranking their organization’s risk management maturity as very immature, developing, evolving, mature, or robust, only 29% of respondents chose “mature” or “robust.”

Financial Services Spotlight: For more detailed benchmarks on organizations’ ERM implementation efforts, the report asked respondents to select statements that best describe their maturity level. The results for financial services organizations versus the full sample of respondents follow:

• Our process is systematic, robust, and repeatable with regular reporting of top risk exposures to the board – Financial Services: 52%, Full Sample: 39%
• Our process is mostly informal and unstructured, with ad hoc reporting of aggregate risk exposures to the board – Financial Services: 28%, Full Sample: 28%
• We mostly track risks by individual silos of risks, with minimal reporting of top risk exposures to the board – Financial Services: 12%, Full Sample: 18%
• There is no structured process for identifying and reporting top risk exposures to the board – Financial Services: 8%, Full Sample: 15%

Summing Up

In a volatile risk environment that demands effective ERM processes, many institutions don’t have the risk culture, management capabilities, or program maturity to keep up. Where does your organization stand?

The authors of the report suggest that senior executives and boards of directors “may still need to engage in robust and honest assessments regarding their organization’s current capabilities for managing the ever-changing landscape of risks on the horizon” and propose several questions to get started:

1. What about our organization’s approach to risk management is working well?
2. What aspects of our organization’s approach need to be enhanced?
3. What are the top action-items for strengthening the integration of risk information into strategic decision making for our enterprise?
4. What should be tackled first?

If you’re looking for ways to accelerate your ERM program maturity through capabilities like risk integration, automated management processes, and streamlined reporting, consider investing in risk management technology. Learn how Quantivate solutions help organizations solve governance, risk management, and compliance (GRC) challenges.

• GRC Challenges: Tackling Risk & Compliance Management With Smart Solutions
• Case Study: Building a Cohesive GRC Strategy