The global economic crisis continues to cast its shadow over organizations not only in the U.S. but also in the farthest reaches of the world. The result has been an escalation in the frequency and severity of existing obstacles to success as well as the introduction of new hurdles that go to the very core of an organization’s management, financial and operational structure. Today, more organizations are tackling these challenges by embracing Enterprise Risk Management (ERM).
Recognizing the need for additional insights into and heightened awareness of ERM, the American Institute of CPAs (AICPA) and the Chartered Institute of Management Accountants (CIMA), as part of a broader research series partnership, recently published the paper “Enterprise Risk Oversight: A Global Analysis of its Current State.”
In 2009 and 2010, at the request of the AICPA, the Enterprise Risk Management Initiative at North Carolina State University (the ERM Initiative) surveyed members of the AICPA’s Business, Industry and Government segment primarily domiciled in the United States. CIMA separately worked with the ERM Initiative to conduct a similar survey of CIMA membership, which represented organizations based in regions all over the world. The surveys’ findings, and subsequent research paper, not only provide key insights into the current state of ERM, but also reveal dramatic similarities in and differences between U.S. and global organizations.
Increased Awareness of a Growing Concern
The increased number, challenges and complexities of risk have led boards of directors and senior executives to scrutinize and re-evaluate their approaches to risk oversight, and in many cases strengthen their risk management strategies. Government regulators, credit-rating agencies, stock exchanges and institutional investor groups are now increasing their calls for substantial changes that improve the effectiveness of enterprise-wide risk oversight. Also, recent events—from headline-making missteps by leadership at global organizations to employee misconduct at local companies—have shown that even the most excessive risk-taking can go undetected by key players in the corporate-governance process.
Pervasiveness of Risk
Today’s business environment is not only fraught with risk but, according to an overwhelming majority of AICPA and CIMA survey participants, those risks are greater than they were just five years ago. Over 60 percent of executives in the U.S. noted that the volume and complexity of risks have increased extensively or a great deal, while almost 75 percent of global respondents felt the same way.
In addition, another overwhelming majority of both U.S. and global business leaders have been surprised by unexpected risk events at least moderately, with approximately 40 percent of both U.S. and global respondents characterizing the extent to which they have faced significant operational surprises as extensive or a great deal.
Quality of ERM Processes
As organizations face the realities of a new risk environment, they are reevaluating their current approach to risk oversight and realizing the true condition of their ERM efforts. Eighty-four percent of U.S. respondents assessed their risk oversight processes as ranging from very immature to only moderately mature. In contrast, 61 percent of the global respondents assessed their risk oversight as falling in those ranges. Only 1.5 percent of U.S. respondents and 8.2 percent of global respondents assessed their risk management oversights as “very mature/robust.”
Advocates in Senior Management
Many organizations appear to be recognizing that changes in their approach to risk oversight are warranted, with pressure coming from the highest leadership levels for increased senior executive involvement in implementing risk management processes. Survey responses reveal that in the U.S., pressures for increased senior executive involvement in risk oversight are coming from the board (45 percent note that pressure is extensive or “a great deal”) and audit committee (57 percent indicate extensive or “a great deal”). That board pressure is also likely to be increasing interest on the part of management in strengthening risk oversight. CFOs are calling for extensive or “a great deal” of increased senior executive involvement in risk oversight in 59 percent of the organizations surveyed, followed by internal audit (55 percent), and CEO/president (43 percent).
Similar pressures are observed at the global level. Interestingly, while in the U.S., greater pressure is coming from the audit committee rather than the full board of directors, at the global level the opposite trend has emerged. Like the U.S., global CFOs are asking for extensive or a great deal of senior management involvement in risk oversight (59 percent of respondents), along with the CEO/president (51 percent) and internal audit (39 percent).
Internal Risk Champions and Committees
Despite greater expectations for more effective risk oversight, most organizations surveyed say they have not yet officially appointed a chief risk officer or senior risk executive equivalent. Global firms appear to be appointing individuals to those leadership positions at higher rates than U.S. respondents (31 percent and 23 percent respectively).
Global respondents are also more likely to have an internal management-level risk committee (or equivalent committee consisting of at least some internal senior executives) that formally discusses enterprise-level risks. Forty-five percent of global respondents indicate that their organizations have internal risk committees in contrast to only 30 percent of U.S. firms.
Roadblocks to Success
The effectiveness of an organization’s risk oversight strategy, regardless of the country, is greatly influenced by challenges that can thwart program success. Both U.S. and global survey participants identified a number of shared challenges; however, they experience them in different degrees.
Almost half (47 percent) of global respondents and 56 percent of U.S. respondents believe competing priorities are an extensive or significant barrier to ERM. Insufficient resources to strengthen risk oversight were noted as extensive to significant for 47 percent of global and 52 percent of U.S. respondents. Also, just over one-third of both global (38 percent) and U.S. (39 percent) respondents have extensive to significant concerns that ERM will add unneeded bureaucracy, while 36 percent of global firms and 44 percent of U.S. respondents believe the lack of perceived value for ERM is extensive to significant.
A Strong Defense
With a business environment still firmly in the clutches of an economic recession, organizations of all types and sizes will continue to be confronted by an evolving range of risks that will test the strength and resiliency of not only the leadership team but also the organization as a whole. In addition, results from the AICPA and CIMA surveys reveal that although global organizations may be further down the ERM path than those in the U.S., significant strides remain to be made in most parts of the world. However, a risk-oversight strategy customized to an organization’s goals, structure and culture, and wielding management’s confidence and support, can be the best weapon against the risks that continue to thrive in an uncertain and complex global economy.
About the Authors of "Enterprise Risk Oversight: A Global Analysis of its Current State"
Mark S. Beasley, CPA, Ph.D., is the Deloitte Professor of Enterprise Risk Management and director of the ERM Initiative at North Carolina State University. He earned his Ph.D. at Michigan State University.
Bruce C. Branson, Ph.D., is a professor of accounting and associate director of the ERM Initiative at North Carolina State University. He received his Ph.D. from Florida State University.
Bonnie V. Hancock, M.S., is the executive director of the ERM Initiative and is also an executive lecturer in accounting at North Carolina State’s College of Management. She earned her BBA in Accounting at the College of William and Mary and an MS in Taxation from Georgetown University.