The State of Risk Oversight: Survey of Enterprise Risk Management Practices
It is a leadership imperative for government executives to mitigate the potency of uncertainty by managing the realities of risk. Employing an enterprise risk management (ERM) process can assist leaders in doing just that. ERM can help decision makers evaluate the likelihood and impact of major events and formulate the best way to either prevent them or manage their effects, if they do occur. Many changes are now occurring that hold the potential to make government function better. It is a positive change that an increasing number of federal agencies have recognized the value of ERM and are taking actions to make it an important part of their strategic management. But what are other sectors doing in this area and what can government leaders learn from the insights and experiences across sectors and industries?
Marking its 12th year, the ERM Initiative at NC State University, in partnership with the American Institute of Certified Public Accountants (AICPA), has conducted research into the current state of risk oversight identifying trends across a number of organizations related to their ERM processes. Data was collected during the fall of 2020 through an online survey instrument receiving 420 fully completed surveys. The findings are summarized in its 2021 State of Risk Oversight Report, reflecting insights from 420 executives about the state of ERM maturity in their organizations. Professor Mark Beasley, director of the ERM Initiative at N.C. State and co-author of the report joined me on The Business of Government Hour to explore the findings and insights collected from this survey. Here's a synopsis of our discussion.
On the Importance of Culture in ERM. While organizations have engaged in risk management activities for centuries, the concept of ERM has only fully emerged over the past two decades. There often is confusion about what ERM represents and there is a lack of understanding as to how ERM might be beneficial to senior leadership. Our findings and experience indicate that culture is king when it comes to risk management. It is everything. An organization’s overall culture and the tone-at-the top can have a direct impact on attitudes and perceptions about the need for and benefits of a more robust risk management process. Building the right culture is the foundational to the entire process and must be set by leadership. Leaders must convey that risk management is important, valuable, and strategic. It cannot be viewed as a compliance or “check the box” effort.
Some of the overall reluctance to embrace ERM across an organization may be due to a lack of understanding and knowledge of what an enterprise-wide risk management process entails relative to traditional approaches organizations use to manage risks. It is not a competing priority; it is a complementary priority in that ERM can help staff do their jobs better by viewing risk as a barrier and anticipating and mitigating the effects of those barriers. We have also found in our survey results that resistance to ERM is a perception that it cost too much and that it may require too many resources. The initial upfront cost could be that of simply starting a conversation and getting the ball rolling on managing risk at the enterprise level. In a post-COVID world, we are seeing also cultures change with more willingness among leadership teams to engage in robust scenario planning.
On Advancing the Use of Chief Risk Officers. We are clearly seeing an increase in the establishment of chief risk officers across sectors. Designing and implementing a robust risk management process does not happen without dedicated leadership of that process. Assigning responsibilities for leading an ERM effort is critical for an organization to make progress in risk management. Pinpointing an executive to lead the risk management process is becoming more common relative to a decade ago. Across the entire full sample of our report, 47% of our respondents indicate they have identified someone in that role, which is up from 18% 12 years ago. For nonprofit and government, the response was about 41%. The trend is heading upwards. There is value in pinpointing a leader that can act as a champion of the process. Chief risk officers help to take the entity through a process by acting as an advocate, a coach, an adviser, and an aggregator of the enterprise view of risk.
On Creating Management-Level Risk Committees. Management‑level risk committees are one of the best things that an organization can do, particularly if they're just starting ERM. To help organizations develop a more enterprise-wide view of risks, a number of organizations are creating management-level risk committees that are comprised of individuals across multiple functions of the organization. Bringing individuals from different functions together to discuss risk issues helps the leadership team develop a more robust, enterprise-wide perspective of how risks might impact the organization. You need people at that level and insight getting a top‑down enterprise-wide view of strategic issues that can affect success, and that is where that management‑level committee is so critical. The percentage of entities with established risk committees is even higher than the percentage with chief risk officers. For organizations with a formal management-level risk committee, those committees most commonly meet on a quarterly basis, although about one-fourth of them meet monthly. These committees are comprised of CROs, CEOs, CTOs, COOs, and general counsels.
On Enterprise Risk Management and its Integration with Strategic Planning. Organizations continue to struggle to integrate their risk management and strategic planning efforts. I find this puzzling that there is such a disconnect. In my view, risk and strategy go hand in glove. Leaders take risks to realize their strategic vision. I think the struggle here is partially behavioral. For some, risk has negative connotations, so the discussing of risk means focusing on issues that keep an organization from realizing its strategic vision and being successful. This seems to be the case in cultures where optimism and positivity are rewarded while discussion of possible roadblocks maybe frowned upon.
There also seems to be a disconnect between risk management and strategic leadership. To illustrate, I often use the visual of a skyscraper showing that strategic leadership happens on the top floor while risk management is often relegated to the lower floors, and they do not talk. In this case, risk management tends to be too operational, compliance focused, and does not view risk from a strategic perspective.
We could also do a better job of translating risk management lingo like risk appetite, risk tolerance, risk intelligence, risk probability, or risk impact into strategic language. Convert the discussion about risk into what keeps an organization from being successful. This also means speaking in terms of opportunities and challenges. Integrating risk management with strategic planning involves getting buy-in.
On the Overall State of Risk Management Maturity. To obtain a sense for the current state of ERM maturity, we asked survey participants to respond to several questions to help us get a sense for the current level of risk oversight in organizations surveyed. These questions included: how would you describe the maturity of your risk management process? Do you think it is pretty mature and robust? How would you describe your process? To what extent is it providing strategic value? Fewer than half of the respondents describe their organizations’ approach to risk management as “mature” or “robust.” Slow progress continues to be made towards a more robust, complete enterprise-wide approach to risk management. In 2009, only 9% of organizations claimed to have complete ERM processes in place; however, in 2020 the percentage has increased to 35% for the full sample. So, greater adoption of ERM has occurred. We found in our survey that public companies and financial services organizations exhibit the biggest move towards ERM in 2020.
On the Impact of COVID-19. Our survey did explore the impact of COVID-19 on how organizations identify and assess risk. Organizations have learned much over the past year about risks and how to navigate them when they emerge and impact virtually all aspects of their enterprise. We posed two questions exploring the impact of the pandemic around risk identification and assessment and the extent to which organizations have increased the use of formalized scenario planning activities to anticipate future risks. What we found is that the experience of navigating the pandemic is providing insights to help organizations improve how they identify and assess risks on the horizon. Risk profiles are changing due to COVID-19, with just under half responding that the pandemic has changed the nature and type of top risks. That said, generally entities do not appear to be making drastic changes to how they identify and assess risks. Frankly, COVID emphasized the strategic importance of assessing and prioritizing risk from a strategic perspective.
On Calls for Action and Questions to Consider. We ended the report with a series of calls to action, which are a series of questions to get people thinking. How does your organization manage risks? What does that process look like at present? What works well and what does not work well in your process? How coordinated is it? Is it really helping executives make better decisions managing risk?
- Perceptions about your current risk management approach. It is important for ERM leaders to obtain feedback from senior executives about their perspectives regarding an organization’s current approach to risk management. Leaders should consider the following questions: Does the organization’s risk management process mostly focus on pockets or silos of risks impacting particular functions and operations? Is that process leading to a top-down, holistic view of the entity’s most critical risks impacting its strategic objectives?
- Consensus on the most significant enterprise risks. If executives fail to stay in constant dialogue about emerging risk issues, they may find themselves chasing after the wrong risks. Leaders should consider the following questions: Is ownership and accountability for managing enterprise level risks clear to those involved? Does the senior executive team understand how the organization is responding to top risk exposures and are they confident those responses are implemented and effective? How often is management engaging in robust discussion about the top risks and is there agreement about the most critical risks to the organization?
- Use of risk management in strategic planning. Our survey results find that only a small percentage of organizations view their risk management activities as providing important strategic value. Less than half of the organizations formally consider existing risk exposures when evaluating new possible strategic opportunities. Leaders should consider the following questions: Is your organizations’ risk management process failing to provide important strategic information about risks on the horizon? Is the current risk management process focused too heavily on operational or compliance issues? Are the top risks identified by the risk management process mapped to the most important strategic initiatives?
- Responding to significant risk events. Another question we pose in our calls to action: Is your organization sufficiently prepared to manage a significant risk event? The worst time for an organization to discover a lack of risk management preparedness is during the risk event itself. When organizations invest time and resources into engaging senior executives in more robust risk management discussions and dialogues on an ongoing basis, we find that they are in a better position to deal with a significant risk event should one emerge. Does management and the board have a detailed “playbook” for how they will respond should one of the organization’s top risk exposures emerge in a significant way?
On the Evolving State of ERM. I see it evolving in a positive way. The speed of risk seems to be getting faster, particularly with innovation, technology, and just the shrinking of the globe. I see more organizations recognizing the need and value of managing risk at the enterprise level. It will mature in a positive not bureaucratic way--in a good, value‑adding way. One of the key challenges going forward is getting risk information escalated to decision-makers in real time. Like a very sophisticated weather mapping systems, organizations would benefit from building a radar like system tracking all the risk on the horizon they are facing. We also need to think of risk from a short- and long-term perspective.
The topics surveyed in the report are relevant to any business or entity, including state, local, and federal government. Government agency leaders are facing both similar risks as every other sector as well as those risks/threats unique to fulfilling the mission of government.