Most people agree that organizational risks are increasing. Examples include low employee retention, skilled labor shortages, supply chain reliability issues, public health challenges, cybersecurity threats, intellectual property theft, catastrophic climate events, crime and civil unrest, geopolitical conflicts, high inflation, aging infrastructure, staggering government debt, corruption and unethical conduct, and distrust in public officials and institutions. These growing sources of risks are worrisome. It is in fact quite difficult to identify areas where risks are decreasing.

Organizations Caught Off Guard

The number of organizations caught off guard with unanticipated risk events has dramatically increased in the past ten years. Annual surveys of members of the American Institute of Certified Public Accountants (AICPA) indicate that 33% of organizations were caught off guard with unanticipated operational risk events during the five years leading to 2011 (Figure 1). The same survey conducted in 2021 indicates that 83% of organizations were caught off guard with such events. For large organizations, the percentage is even higher at 90%. The average increase of 50% over a ten year period is significant and revealing. It leaves no doubt that the risk landscape (context) of organizations is a lot more challenging than it used to be.

Unanticipated Risk Events Drive Attention

Unanticipated risk events have become the leading factor driving added focus on risk management by senior executives. In the 2011 survey of AICPA member, only 34% of respondents indicated that such events were causing an increased focus (Figure 2). By contrast, 50% of respondents in 2021 reported that unanticipated risk events are a factor, and the percentage jumps to 74% in the case of large organizations. Interestingly, regulatory requirements were the leading factor in 2011, but they are now much less of a concern. The dramatic shift in leading factor is quite revealing. It confirms that risk management is less of a compliance-driven activity than it used to be. Organizations are now compelled to focus on risk management mostly in response to their growing risk landscape.

Increasing Volume and Complexity of Risks

When asked whether risks had increased in volume or complexity in the past five years leading up to the 2011 survey, 55% of AICPA members answered “mostly” or “extensively.” By contrast, 67% of survey respondents indicated an increase in volume or complexity when asked the same question in 2021. The 2021 response was 75% in the case of large organizations, and 69% in the case of publicly-traded companies. The 2021 responses are not materially different across organization size, types or industries, because many systemic risks are affecting organizations indiscriminately.

Calls for More Senior Executive Involvement

According to AICPA members, 73% of chief executive officers (CEOs) want senior executives more engaged in managing risks. The percentage jumps to 82% in the case of large organizations, and 76% for publicly-traded companies. Similarly, 68% of boards want more involvement by senior executives. This percentage rises to 80% in the case of large organizations, and 81% for publicly-traded companies. Although a great majority of organizations have implemented enterprise risk management (ERM) frameworks or processes in the past 20 years, there is much room for improvement. Calls for action are loud and clear. Organizations need to mature and strengthen their ERM practices to meet expectations. There is no better way to manage risks effectively.