There is general consensus that operating without a structured and integrated approach to risk management is not an option. Enterprise risk management (ERM) is the solution. However, ERM is a relatively new discipline. It was not very prevalent twenty years ago. It continues to evolve through research and experimentation. Organizations improve their practices and adopt new ones to suit their needs and meet stakeholder expectations. Some organizations lead the way, while others take more of a wait and see approach. Such behaviors are consistent with any other type of change.

Growing Adoption

Surveys indicate that a growing number of organizations have an ERM framework or process in place. For instance, annual surveys of members of the American Institute of Certified Public Accountants (AICPA), conducted by the ERM Initiative of the Poole College of Management at North Carolina State University, indicate that only 38% of organizations had a complete or partial ERM process in 2011 (Figure 1). By comparison, the same survey conducted in 2021 indicates that 70% of organizations have such a process. Of the 30% without a process, almost half indicate that they have plans to implement one, or that they are “investigating” the possibility. The adoption of ERM continues to grow, which attests to its importance and relevance for organizational success.

The surveys conducted by the ERM Initiative indicate that adoption varies considerably based on organizational size and across industries. Interestingly, these two factors correlate with overall risk exposures and organizational complexity. Other important drivers of adoption include regulations and stakeholder expectations. Large organizations are much further along, with 94% reporting that they have complete or partial ERM in place. Publicly-traded companies (irrespective of size) also have a high adoption rate, with 95% reporting that they have complete or partial ERM. The industry group with the lowest adoption rate is the not-for-profit sector, with only 64% of organizations reporting that they have a complete or partial ERM process. The survey does not differentiate the responses of government entities from other types of not-for-profit organizations.

Still Much Work To Do

ERM adoption should not be confused with maturity of practices. For instance, only 42% of the AICPA survey respondents indicate that their organization has a “systematic, robust and repeatable process” for reporting risks to board members. Even worse, only 28% of respondents believe that the risk management oversight in their organization is “mature” or “robust.” According to the survey, 73% of chief executive officers want senior executives more engaged in managing risks. Similarly, 68% of board members also want more involvement by senior executives.

Shift of Mindset Needed

Board members, senior executives and middle management tend to focus more attention on well-known risks as opposed to emerging risks. In addition, they typically place a lot more emphasis on financial, accounting and compliance risks, often to the detriment of strategic and operational risks. Humans have a natural tendency to overly manage what they understand better, and to pay much less attention to everything else. No one argues that financial, accounting and compliance risks are not important. But there is overwhelming evidence that value creation and destruction are mostly attributable to how an organization positions itself in response to emerging risks, and whether it manages strategic and operational risks better than its competitors.

Many organizations do not focus risk management on their most important strategic issues. For this reason, risk management often does not provide very good insights for value creation. In the survey of AICPA members, only 51% of respondents indicate that their organization is “extensively” or “mostly” focused on emerging risks. In addition, only 47% report that existing risk exposures are considered when evaluating strategic initiatives. These findings are rather surprising. It is clear that a shift of mindset is needed. The shift may not be easy, but it is absolutely necessary.