Survey: 69% of Organizations Do Not Have Comprehensive Enterprise-wide Risk Management Processes In Place Despite Growing Corporate Risks

March 20, 2018

New research from the AICPA and North Carolina State University reveals enterprise risk management (ERM) practices in most organizations are still relatively immature, but CFOs are seeing growing momentum

  • Organizations struggle to integrate risk management with strategic planning
  • Management calling for increased senior executive involvement in risk oversight
  • Increasing demand for Chief Risk Officer (or equivalent) roles
  • Uptick in adoption of ERM practices over the last decade

NEW YORK (March 20, 2018) - Most senior finance leaders agree that the volume and complexity of corporate risks are increasing, yet less than a third, 31%, report their organizations have complete enterprise risk management (ERM) processes in place. This is according to a new report released today by the American Institute of CPAs (AICPA) and North Carolina State University’s Enterprise Risk Management (ERM) Initiative.

“The State of Risk Oversight: An Overview of Enterprise Risk Management Practices” shares insights from a survey of 474 U.S. CFOs and senior finance leaders on how they are proactively managing potential emerging risks by strengthening their organization’s processes surrounding the identification, assessment, management and monitoring of risks. This concept, known as enterprise risk management (ERM), is one way CFOs and finance leaders are providing organizational leadership with a top-down, strategic view of risks and their impact on the business.

According to the report, ERM practices in US organizations are still relatively immature. Less than a quarter, 22%, of finance leaders described the maturity of their organization’s overall risk management oversight as ‘mature’ or ‘robust.’ There is indication, however, that adoption of ERM is growing among US organizations. Since 2009, when the AICPA and NC State began the annual research study, there has been a 22-percentage point increase, from 9% to 31%, in the number of organizations that claim to have complete ERM processes in place. While adoption of ERM is most common in larger organizations, public companies, and financial services organizations, the study revealed a surprising uptick in adoption by not-for-profit organizations in the last year. Nearly a third, 27%, of not-for-profit organizations reported they had a complete ERM process in place—an increase of 9% from 2016.

 “Senior executives and boards of directors are realizing increasingly that the speed of change and the level of uncertainty in the global business environment is outpacing the ability of their organization’s traditional approach to managing risks,” noted Mark Beasley, Deloitte Professor of Enterprise Risk Management and director of NC State’s ERM Initiative. “While many are increasing the robustness of their processes for identifying, assessing, and managing emerging risks that may ultimately impact their core business model and strategic objectives, a number of organizations may not discover that need until they face a major risk event.”

“This research reinforces that ERM is rising up the list of priorities for CFOs, however, organizations need to do more,” said Ash Noah, CPA, CGMA, vice president of CGMA external relations at the Association of International Certified Professional Accountants. “Value in the business is much more than the balance sheet these days and embracing ERM supports the creation of value and the long-term viability of the business.”

Other key findings from the research include:

  • Management wants a greater focus on risk. Most boards of directors, 68%, want senior executives to increase management involvement in risk management. Nearly half of CEOs, 46%, have asked “mostly” or “extensively” for increased risk management oversight—an increase of 3% from 2016.
  • There is a disconnect between risk and strategy. Less than 20% of organizations say their risk management process provides a strategic advantage. Only 29% of the organizations’ boards of directors discuss risk exposures when they discuss the organization’s strategic plan.
  • There is a growing demand for Chief Risk Officers (CRO). The number of organizations designating a CRO (or equivalent) has increased, with 67% of large organizations and 63% of public companies doing so.
  • Risk management is not being considered for incentive compensation. A majority, 66%, of respondents said their organization does not include explicit components of risk management activities in compensation plans.
  • Barriers limit progress in management of risks. Nearly half of respondents, 48%, said risk was measured in ways other than ERM. Other barriers reported include competing priorities, insufficient resources and lack of perceived value.

The report attributed the growing risk landscape to a number of factors including: increased cyber threats, geopolitical shifts, terrorism, tax reform, and other emerging developments. These risks, if unmanaged, could destroy an organization’s business model and brand.

The findings also suggest boards of directors and management should have a more proactive and aggressive role in strengthening an organization’s risk oversight. Calls to action include incorporating risk management with strategic planning, maintaining risk inventories to provide complete risk reports to the board, expanding management dashboards to include risk indicators, finding ways to incentivize management to invest in risk management and providing training and education on risk management.

To download a copy of “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices” click here. Additional resources on risk management from the Association of International Certified Professional Accountants, the unified voice of the AICPA and the Chartered Institute of Management Accountants (CIMA), can be found here.



The State of Risk Oversight: An Overview of Enterprise Risk Management Practices includes data collected during the fall of 2017 through a survey sent to members of the AICPA’s Business and Industry group who serve in chief financial officer or equivalent senior executive positions. In total, 474 fully-completed surveys were submitted.

The respondents represent organizations ranging from the manufacturing and insurance sectors to service and nonprofits. The report looks at responses from all parties, but also breaks out the survey findings for publicly traded companies, financial services providers, nonprofit organizations, and “large” organizations – defined as those that have revenue of at least $1 billion per year. The size of the organizations also varied. Approximately 12% of respondents worked for entities with annual revenue of $10 million or less. At the other end of the spectrum, 10% of respondents worked for organizations with annual revenue of more than $10 billion. Eighty-eight percent of the entities were based in the United States.

About the American Institute of CPAs

The American Institute of CPAs (AICPA) is the world’s largest member association representing the CPA profession, with more than 418,000 members in 143 countries, and a history of serving the public interest since 1887. AICPA members represent many areas of practice, including business and industry, public practice, government, education and consulting. The AICPA sets ethical standards for its members and U.S. auditing standards for private companies, nonprofit organizations, federal, state and local governments. It develops and grades the Uniform CPA Examination, offers specialized credentials, builds the pipeline of future talent and drives professional competency development to advance the vitality, relevance and quality of the profession.

The AICPA maintains offices in New York, Washington, DC, Durham, NC, and Ewing, NJ.

Media representatives are invited to visit the AICPA Press Center at

About the Association of International Certified Professional Accountants

The Association of International Certified Professional Accountants (the Association) is the most influential body of professional accountants, combining the strengths of the American Institute of CPAs (AICPA) and The Chartered Institute of Management Accountants (CIMA) to power opportunity, trust and prosperity for people, businesses and economies worldwide. It represents 650,000 members and students in public and management accounting and advocates for the public interest and business sustainability on current and emerging issues. With broad reach, rigor and resources, the Association advances the reputation, employability and quality of CPAs, CGMAs and accounting and finance professionals globally.

About North Carolina State University’s Enterprise Risk Management (ERM) Initiative

The Enterprise Risk Management (ERM) Initiative in the Poole College of Management at North Carolina State University provides thought leadership about ERM practices and their integration with strategy and corporate governance. Faculty in the ERM Initiative frequently work with boards of directors and senior management teams helping them link ERM to strategy and governance, host executive workshops and educational training sessions, and issue research and thought papers on practical approaches to implementing more effective risk oversight techniques (