Enterprise Risk Management (Preview)
Chapter 1 – Risk Management Awareness

information on organizational risks and risk management practices. They need to assess whether the levels of risks taken or tolerated are in fact consistent with the directions provided, and whether organizational performance is acceptable in light of the risks that are assumed. However, reliable and useful information on risk and risk management practices is difficult to obtain when organizations do not have a structured approach.

According to the National Association of Corporate Directors “nothing is more fundamental to business – or more vexing to boards – than risk, particularly in the context of strategic decision making.” 40 The NACD further states that there is an intense focus on risk, and that boards are operating in a challenging business environment.

Implementation State

Not managing risks is the biggest risk. There is consensus that operating without a structured and integrated approach to risk management is no longer an option, and that ERM provides the necessary structure and integration. However, risk management is an evolving discipline, especially at the enterprise level. Organizations continue to experiment. They look for ways to adapt frameworks and leading practices to suit their needs and meet expectations.

Most organizations struggle with their implementation of ERM. Some lead the way while others adopt a wait-and-see approach. These reactions are consistent with other types of changes such as adopting new technologies, developing new products, entering new markets, altering production methods, etc.

Surveys conducted by academics, professional associations and professional services firms indicate that a growing number of organizations have a complete or partial ERM framework or process in place. However, these frameworks and processes are at different levels of maturity or capability.
A survey of members of the American Institute of Certified Public Accountants (AICPA) conducted by the ERM Initiative of the Poole College of Management, North Carolina State University (Figure 1.3) indicates that only thirty-one percent of organizations had a complete or partial ERM process in 2009. By comparison, the same survey conducted in 2019 indicates that sixty-seven percent of organizations have a complete or partial ERM process in place. The increase of thirty-six percent over ten years is significant. However, only about one quarter of the 2019 survey respondents indicate that their ERM process is “mature” or “robust.” The relatively low level of maturity reported is not surprising given that ERM is difficult to understand and implement, and even more challenging to advance and mature.

Differentiating Factors

The adoption of ERM varies significantly according to organizational size and industry. Interestingly, these factors have direct correlations with risk volume and complexity. Regulations are also an important driver for the adoption of ERM practices in some industries, and for large organizations within a given industry. For example, the Dodd-Frank Act has more stringent risk management regulations for large financial services organizations than it does for smaller ones.

As can be expected, large organizations tend to be much further along with their implementation of ERM. The ERM Initiative survey (Figure 1.3) indicates that ninety-three percent of large organizations (those with revenues of at least $1 billion) have a complete or partial ERM process in place, compared with sixty-seven percent of all respondents. The difference of twenty-six percent is significant given that large organizations are included in the all-respondent numbers.