A new study finds steady progress in the number of companies that say they have formal enterprise risk management processes in place, though obstacles remain to successful ERM adoption, including a lack of formal guidelines or measures for business units to assess probability and impact of risks.
The survey, conducted by the ERM Institute at North Carolina State University on behalf of the American Institute of Certified Public Accountants' Business, Industry and Government Team, found that 23.4% of survey respondents reported having a “complete formal enterprise risk management process in place” this year, up from 8.8% in 2009.
However, the survey, released last month, found that 26.6% of respondents have no enterprise risk management process in place and another 12.1% said they are investigating the concept but have made no decisions.
The survey found that a growing number of organizations rely on maintaining inventories of risk at the enterprise level as they look to identify and assess risks. In this year's survey, 37.9% of organizations reported maintaining enterprise-level risk inventories, up from 19.6% in 2009. However, the report indicated that just over half of those surveyed reported formally defining the meaning of the term “risk” for employees' use in identifying and assessing key risks.
Also, the survey found that 74.0% of those surveyed don't provide business unit leaders explicit guidelines or measures with which to assess the probability of risk events, and 70.7% don't provide such guidelines for measuring the impact of risks.
Asked whether they have a dedicated process for updating key risk inventories, 30.8% said they have no dedicated process for doing so. Of those organizations that do, 38.7% said they go through such a process on an annual basis, 10.0% said they do so semi-annually, 15.3% said they do so quarterly and 5.2% said they update key risk inventories on a monthly, weekly or daily basis.
Among large organizations surveyed, 73.9% said they had a standardized process or template for identifying and assessing risks while only 27.6% of nonprofit organizations surveyed said they have such a structured risk identification and assessment approach.
The survey found that 37.1% of respondents do no formal assessments of emerging strategic, market or industry risks, while 33.4% of those surveyed also conduct no formal assessments of operational or supply chain risks and 33.4% fail to assess reputational and political risks.
The report noted an increase in the number of organizations with a formally designated chief risk officer or equivalent senior officer. This year, 37.7% of survey respondents reported having a CRO in place, up from 17.8% in 2009. Similarly, 48.6% of this year's respondents indicated their organization has a management-level risk committee in place, up from 22% in 2009.
Survey data was collected during April and May through an online survey of members of the AICPA's Business and Industry group who serve in chief financial officer or equivalent senior positions. The survey produced 618 responses.
The report, “Current State of Enterprise Risk Oversight,” can be found here.