Business risks are increasing globally in volume and complexity – regardless of geography – but business leaders are not sufficiently investing in their organisation’s risk oversight despite the hazards posed to business models by not doing so.
This is according to the latest report by AICPA & CIMA and North Carolina State University’s Enterprise Risk Management (ERM) Initiative.
The report found that 66% of respondents sense volume and complexities of risk increasing globally. In Africa & the Middle East, 73% reported facing an increasingly complex risk environment. However, only 32% globally, with a similar percentage of respondents in Africa & the Middle East, describe their organisation’s risk oversight practices as “mature” or “robust.” Additionally, only 17% worldwide indicate that their risk management process is providing insights that create competitive advantage – however, respondents in Africa & the Middle East indicated a significantly higher level of 51%.
These results come as participants also revealed that their organisation had faced a significant operational surprise in the past five years with 48% indicating that their organisation has experienced a major, unexpected risk event impacting the organisation. Respondents in Africa & Middle East indicated a slightly lower incidence, with 41% reporting an operational surprise in the past five years. The occurrence of an actual significant risk event suggests a potential breakdown in organisational risk management processes.
Key findings from the report include:
- The volume and complexity of risks are increasing across the four geographic regions: Africa & Middle East (73%), Europe & U.K. (66%), Asia & Australasia (68%) and the US (64%).
- Organisations are recognising the need to identify a risk management leader, with 47% of respondent organisations globally appointing a single individual (chief risk officer or equivalent) to lead the risk management function. However, more organisations (64%) are likely to have a management-level risk committee in place versus a single individual risk management leader. Across the four geographic regions: Africa & Middle East (61% single/76% committee), Europe & UK (40% single/67% committee), Asia & Australasia (48% single/61% committee), US (48% single/ 60% committee).
- In all regions of the world, respondents who claimed their organisations had “mature” or “robust” risk oversight are in the minority: Africa & Middle East (32%), Europe & UK (38%), Asia & Australasia (25%), US (30%).
- Only about one-half of boards in organisations formally discuss risk information when the board reviews the strategic plan: Africa & Middle East (66%), Europe & UK (43%), Asia & Australasia (46%), US (24%).
- Only 47% of organisations describe their ERM process as a process that is “mostly” to “extensively” systematic, robust, and repeatable with regular reporting of top risk exposures to the board: Africa & Middle East (59%), Europe & UK (52%), Asia & Australasia (45%), US (44%).
“Globally, effective enterprise-wide risk management should be one of the organisation’s most important strategic tools,” says Mark Beasley, Alan T Dickson Distinguished Professor of Accounting and director of the ERM Initiative at NC State. “Unfortunately, many organisations view risk management as a distraction from more important strategic tasks.
“Risk management will not become easier over time,” Beasley adds. “Given the rapid speed of change in the global business environment, complex risk issues will continue to emerge at rapid-fire pace. Now is the time for many organisations to give their approach to risk governance an honest assessment.”
Ash Noah CPA, CGMA, vice-president and MD of Management Accounting at the Association of International Certified Professional Accountants, adds: “An ERM programme is not only a value preservation mechanism, but a potential strategic value generating asset that drives decision-making around opportunity identification and creates a competitive advantage while addressing the under-investment in risk oversight.
“If enterprise-wide risk programmes are not teasing out emerging strategic risks, the output of those programmes is less likely to provide valuable insights important for strategic decision-making. Finding ways to link risk management activities directly to strategic initiatives and demonstrating how ERM identifies and mitigates risks that threaten these goals and identifies opportunities that align with strategic aims is essential to improve ERM adoption.”