Why enterprise risk oversight is a business imperative

Nov 29, 2023 · 2 min read · AICPA & CIMA Insights Blog

Geopolitical tensions, a challenging global economy and other factors mean organisations need to be well-equipped for risks that come their way at any point. Although some risks can be anticipated, many cannot. Having a value-add risk oversight strategy and enterprise risk management (ERM) system in place — as an integral part of business strategy — is an imperative. But what does this mean in practice?

The 2023 Global State of Enterprise Risk Oversight 6th edition (a collaboration between AICPA® & CIMA® and North Carolina State University) provides a view of the state of enterprise-wide risk oversight practices. Research spanned Europe and the UK, Asia and Australasia, Africa and the Middle East, and the United States. The team surveyed 983 executives in organisations around the world to understand what processes they have in place to navigate the fast-changing risk landscape. The report reveals a strong business case for risk oversight.

Analysis identified key gaps between the state of enterprise risk management (ERM) and wider business strategy.

A demanding risk ecosystem requires strategic risk management

Participants are struggling to keep up with the spiralling complexities of risk. Unexpected risk events have operational consequences, as has been keenly felt across Europe and the UK. The risk ecosystem that organisations have to navigate is now dynamic and ‘left field.’

Despite the need to safeguard against risk events, a formalised risk oversight function is undeveloped. The report found that expenditure for risk oversight processes was low across the world with ‘only 31% of the 983 global organisations surveyed rating their risk oversight practices as mature or robust’. Africa and the Middle East scored poorly in terms of a mature risk process, followed by the US. Europe and the UK had the best formalised risk management processes compared to peers.

Value risk oversight needs a clear value proposition

The value of risk oversight must be explained, including through a formalised value proposition. Answers to queries such as what the benefits are and what difference the function will make are vital. Research exposed a silo approach to risk management practices. For example, there was a focus on supply chain risks and compliance and IT risks, but little attention on emerging, industry or market risks. If a strategic risk focus isn’t viewed as important, the perception may follow that risk oversight lacks value.

Leadership accountability in risk oversight is essential

The recognition of risk oversight can’t happen without leadership firmly at the helm. Leadership sets the tone. The study discovered that executives are not formally accountable for risk management oversight, which may explain the lack of enthusiasm for the function across organisations. Many businesses are delegating risk oversight responsibility to a committee. But is that enough? Just ‘half of the 983 respondents indicate that their organisation has appointed a chief risk officer or equivalent,’ according to the report. Appointing an experienced, accountable chief risk officer to lead a risk oversight function is key.

Mitigating risks requires a formalised enterprise risk oversight practice

The report’s insights highlight the need for executives and boards to improve their approach to organisational risk oversight. A formalised process of planning, organising, directing and controlling organisational activities to minimise harmful risk is essential. Relying on past, out-of-date practices in today’s hugely complex, fast-moving environment can prove perilous.

Diagnostic questions are included in the report to benchmark the state of an organisation’s risk processes. The range of questions can help executives and boards kick-start discussions on how they can increase the value of risk oversight in their organisations.

Although risk oversight practices won’t predict or prevent every risk event, strengthened processes lower the chances of future events. Now is the time to invest in risk management — before the risk event happens.

When you’re ready to position yourself as an ERM advocate, look to our learning solutions to develop your expertise: the COSO Internal Control Certificate Program and the COSO Enterprise Risk Management Certificate Program.

Miti Ampoma, FCIPR

Miti Ampoma is a senior content writer at AICPA & CIMA, together as the Association of International Certified Professional Accountants.
