
Navigating complexity: The current state of risk management

Jul 23, 2024 · 3 min read · AICPA & CIMA Insights Blog

Understanding the developing risk management landscape is essential for leaders because they must anticipate and mitigate potential risks and navigate the complexities of the current business environment.

The 15th edition (2024) of the State of Risk Oversight report paints a comprehensive picture of the current state of enterprise risk management (ERM), based on a survey of leaders from 377 U.S. organizations.

The report emphasizes the evolving nature of risk, the importance of robust risk management practices, and executives' perception that the overall volume and complexity of risks are increasing. As the survey and report show, the nature of risks has not become simpler over time.

Issued annually since 2009 in partnership with the Poole College of Management at North Carolina State University, the 15th edition of this report includes ten focus areas and discussion prompts for each area. Leaders can use the questions to initiate conversations with management and the board about their organization’s risk management process.

The report highlights the complex risk environment, the need for more mature risk management processes, the importance of linking risk to strategic initiatives, and the fact that risk management is increasing in complexity while becoming even more critical.

The current risk environment is complex

According to executives surveyed in the report, the current risk landscape is complex, and risks are increasing.

Executives participating in the survey voiced their concerns over the growing volume and complexity of risks, with 65% witnessing a significant increase in the past five years.

When asked to share their perspective on the risk landscape, 77% of the full sample said their organization had experienced significant operational surprise “somewhat,” “mostly,” or “extensively” in the past five years.

The risks most frequently identified are information technology (IT) system risks. Geopolitical events also affect business models and strategic plans, specifically for large organizations and public companies.

Maturity of risk management practices is slow but steady

During the past 15 years, organizations have continued to adopt enterprise risk management frameworks. However, most respondents in the report indicate their risk management processes “are not yet mature or robust.”

Across the full sample of organizations surveyed, less than half (37%) reported having a complete formal enterprise-wide risk management process in place, and 34% of organizations have no enterprise-wide view of risks. The report does reveal that larger organizations and public companies are more likely to adopt enterprise risk management as their main risk management strategy.

Despite lagging enterprise risk management processes, organizations seem to be moving away from ad hoc risk identification processes. Most organizations surveyed use a standardized template to identify risks. However, many organizations do not employ a formal process that would encourage executives to consider long-term risks, such as risks that may be five to ten years in the future.

Connecting strategy and risk mitigation is crucial

Risk and returns on investment are inextricably linked, and organizations must be willing to take risks to generate returns.

Evaluating risks and their potential exposure when assessing new strategic initiatives enables leaders to prioritize initiatives that offer the best balance between risk and reward.

Judging by responses to the question “To what extent are risk management practices providing insights for strategic advantage?”, organizations seem to have difficulty integrating their risk management and strategic decision-making processes.

Over the 15 years of this study, an increasing percentage of organizations have offered a formal report of top risk exposures to the board at least annually. The report states “almost two-thirds of the full sample and about 90% of large organizations and public companies do so at least annually, with just under half doing so quarterly.”

The growing importance of ERM

Risk management is becoming more crucial due to the increasingly complex risk landscape, which includes the threat of cybercrimes, requiring more robust risk management strategies.

The past 15 years have marked a significant shift in organizational structure, with a notable increase in the appointment of Chief Risk Officers (CROs). These senior executives are pivotal in steering their organizations through volatile conditions by identifying, evaluating, and mitigating risks.

During the same period, an increasing percentage of organizations have also created management-level risk committees.

Risk committees are instrumental in fostering a culture of risk awareness throughout the organization, ensuring that all levels of management are engaged in proactive risk oversight.

Over one-third of organizations surveyed believe they need to “mostly” to “extensively” enhance their approach to business continuity and crisis management, as organizations have experienced unanticipated risk events. Boards of directors, their audit committees and CEOs are now expecting more involvement from senior executives in risk oversight for their organizations.

The current risk landscape underscores leaders' need to proactively manage and mitigate potential risks. While overall risk management practices have progressed over the study’s 15 years, leaders still find it challenging to leverage the strategic value that proactive and robust risk management can bring to their organizations.

Enhancing risk management practices has become paramount as organizations strive to navigate the complexities of the modern risk landscape.

To support your organization in evaluating its risk management practices, explore the ERM Assessment Tool. This interactive tool allows you to assess the robustness of your organization’s existing enterprise risk management program and decide where to go next.

Mari Sagedal, M.A.

Mari Sagedal is a senior content writer at AICPA & CIMA, together as the Association of International Certified Professional Accountants.
