Enterprise Risk Management (Preview)

Part 1 – Concepts and Methods

A global survey conducted by the Institute of Internal Auditors (IIA) during 2015 reached conclusions similar to those of the ERM Initiative survey. According to the survey, fifty-three percent of organizations have formal risk management practices. The IIA survey includes responses from over twenty-five hundred chief audit executives from all regions of the world and across a wide range of industries. Formal risk management is typically associated with a structured ERM approach applied systematically.

Similar to the ERM Initiative survey, the IIA survey identifies significant differences between large and small organizations. For instance, seventy-three percent of respondents from organizations with revenues exceeding $10 billion indicate that formal risk management practices are in place, compared with less than fifty-one percent for organizations with revenues lower than $1 billion. The IIA suggests that the differences related to organizational size may be explained by the tendency of large organizations to devote more resources to risk management. Moreover, organizations that operate in highly regulated industries such as financial services and public utilities tend to be larger. [41]

With respect to regional differences, the IIA survey indicates that the level of adoption of formal risk management practices in North America, at fifty-two percent, is comparable with the global average. However, the adoption of formal risk management practices is much higher in Europe, at sixty-seven percent. The difference of fifteen percent between Europe and North America is noteworthy. The IIA suggests that it may be attributable to a higher level of regulation in Europe, particularly with regard to financial services. [42]

The IIA survey also highlights important differences between industry sectors. These differences are largely driven by varying stakeholder expectations, regulations, resources and competitive pressures.
As such, the adoption of formal risk management practices is highest in the industrial sectors of banking, insurance, public utilities, mining, and oil & gas. By comparison, the adoption of formal risk management practices tends to be lowest in education, retail trade, transportation and manufacturing, where less than forty-five percent of respondents indicate that formal practices are in place.

Figure 1.3 – ERM Adoption Rates Based on Surveys of AICPA Members
[Chart: percentage of organizations with "Complete or partial ERM in place**" versus "No formal ERM in place", in three panels: 2009 All organizations; 2019 All organizations; 2019 Large organizations*. Data labels: 69%, 31%, 33%, 67%, 7%, 93%.]

The adoption rate of ERM has significantly increased since 2009. ERM adoption is most important with large organizations in general, and publicly-traded companies in particular.

* Large organizations are defined as those having revenues of at least $1 billion.
** Partial adoption refers to some (but not all) risks being managed on an enterprise-wide basis.

Source: Adapted from Mark Beasley, Bruce Branson and Bonnie Hancock, The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, 11th Edition (North Carolina State University, Poole College of Management, Enterprise Risk Management Initiative, April 2020. Report accessible through: www.erm.ncsu.edu)
