Businesses need advanced risk oversight as executives worry that the volume and complexity of risk is growing harder to manage, according to a survey by accountancy bodies AICPA and CIMAR.

Yet only about one in three businesses has complete enterprise risk management (ERM) systems in place. In fact, organisations in Asia and Australasia scored best for the having effective ERM processes.

Not joined up

Most organisations separate their strategic planning efforts from risk oversight. In fact, only about half of all survey participants said risk management processes focus on emerging strategic, market, or industry risks.

“Fewer than half believe their risk management process provides important strategic advantages, and that percentage is noticeably lower for organisations in Europe, the UK and the US,” the report said.

In addition, European and UK organisations lagged when it came to appointing senior executives to lead the risk function. Only one third said they had done so, compared with half in the rest of the world

Not robust

Neither did organisations put in place robust risk management processes in over half organisations. For example, only 30 per cent of US businesses use meaningful key risk indicators for emerging risks. Half of companies in African and the Middle East use such metrics.

“The lack of useful key risk indicators focused on emerging risks may explain why respondents generally do not believe that their organisation’s risk management processes are providing strategic value,” the report said. “Without effective KRIs, management is forced to react to risks to their businesses rather than proactively manage those risks for strategic value creation.”

More risk oversight

The status quo is changing. Senior management, audit committees and full boards are demanding senior executive involvement in risk oversight. In fact, pressure from regulators to improve risk oversight was less than from internal boards and managers. This suggests “that boards and CEOs see value in risk management regardless of expectations for risk management coming from regulators,” the report said.

The most common barrier to addressing enterprise risk oversight is a perceived lack of resources. Other barriers included competing priorities, ERM perceived as being unneeded bureaucracy and a lack of perceived value.

“The more executives realise the strategic value of enterprise-level risk information, the more they will be willing to engage in important risk management processes,” the report concluded. “Helping executives rec- ognise how robust risk insight increases the organisation’s ability to be agile and resilient, the greater progress they can make in expanding their risk oversight infrastructure.”

Global state of enterprise risk oversight, 5th edition, September 2022.