
Current State of ERM reports on how organizations practice ERM

The “2015 Report on the Current State of Enterprise Risk Management: Update on Trends and Opportunities” provides detailed insights about the current state of maturity of organizations’ enterprise risk management (ERM) practices.

Among the key findings is an apparent disconnect between the recognition of today’s high-risk business environment and the decision to invest more in structured risk oversight, said Mark Beasley, Deloitte Professor of Enterprise Risk Management and director of the ERM Initiative at the NC State Poole College of Management. This is the sixth year that the ERM Initiative and American Institute of CPAs have collaborated on similar research. 

This year’s report is based on survey responses from 1,093 business executives spanning a number of industries, types and sizes of organizations.

While almost 60 percent of participants believe that the volume and complexity of risks have changed “extensively” or “mostly” in the last five years, only 23 percent describe their organization’s level of risk management as “mature” or “robust,” Beasley said. 

“Even more revealing is the finding that 52 percent indicate their organization’s risk management process is ‘not at all’ or ‘minimally’ viewed as a proprietary strategic tool that provides unique competitive advantage. This raises the question: Have executives lost sight of the interrelationship of risk and return?” he said.

Click here to access a PDF file of the full report at the ERM Initiative website.

Respondents indicate that they are receiving increased calls for greater engagement by executives in risk oversight, Beasley said. But those pressures do not appear to be leading to significant year-over-year changes in risk management approaches. The maturity of enterprise-wide risk oversight processes appears to have leveled off for organizations in general, although the study does find that large organizations, public companies, and financial services organizations are significantly more mature than other organizations in their enterprise-risk oversight processes. In 2009, the study found that only nine percent of organizations surveyed claimed to have complete ERM processes in place; by 2015, 25 percent made that claim.

Other key findings discussed in this report include:

  • 32 percent have designated an individual to serve as the chief risk officer or equivalent, with financial services entities most likely to do so. It is more common (45 percent of the time) for the entity to have a management-level risk committee.
  • Only 33 percent of organizations maintain risk inventories at the enterprise level while 39 percent claim to use written reports to communicate risk information to senior executives. Most (59 percent) chose to report risks on an ad hoc basis rather than schedule agenda time for such discussion.
  • 28 percent provide guidance to management to assess a risk’s probability or impact, thereby subjecting the risk prioritization process to individual biases and risk tolerances of executives.
  • 41 percent admit to not being “at all satisfied” or “minimally” satisfied with the nature and extent of the reporting of key risk indicators to senior executives.
  • 36 percent of the organizations do no formal assessments of emerging strategic, market, or industry risks.
  • Only 27 percent of organizations have boards that “mostly” or “extensively” review the top risk exposures when discussing the strategic plan.

"This year’s report highlights many other specific findings about various aspects of an effective enterprise-wide risk management process," Beasley said. "In addition to providing findings for the overall sample, the report separately highlights key findings for public companies, the largest organizations, financial services organizations, and not-for-profit entities," he said.

About the Enterprise Risk Management Initiative at the NC State Poole College of Management

Business professionals are well aware that expectations are growing rapidly for boards of directors, audit committees and senior executives to design and implement effective enterprise risk management systems to protect and enhance an entity’s value. They are looking for new tools and methods that will help them manage risk more effectively across the enterprise – and to remain competitive. The Enterprise Risk Management (ERM) Initiative in the NC State Poole College of Management provides thought leadership about ERM practices and their integration with strategy and corporate governance. Faculty in the ERM Initiative frequently work with boards of directors and senior management teams helping them link ERM to strategy and governance, host executive workshops and educational training sessions, and issue research and thought papers on practical approaches to implementing more effective risk oversight techniques. The ERM Initiative has developed a series of graduate courses focused on training the next generation of executives on issues affecting enterprise-wide risk management. 

About the AICPA

The American Institute of CPAs is the world’s largest member association representing the accounting profession, with more than 400,000 members in 145 countries, and a history of serving the public interest since 1887. AICPA members represent many areas of practice, including business and industry, public practice, government, education and consulting. The AICPA sets ethical standards for the profession and U.S. auditing standards for private companies, nonprofit organizations, federal, state and local governments. It develops and grades the Uniform CPA Examination, and offers specialty credentials for CPAs who concentrate on personal financial planning; forensic accounting; business valuation; and information management and technology assurance. Through a joint venture with the Chartered Institute of Management Accountants, it has established the Chartered Global Management Accountant designation which sets a new standard for global recognition of management accounting.