AICPA finds risk management practices falling short

Even though more companies are implementing enterprise risk management processes, many of them are falling short, according to a new study from the American Institute of CPAs and North Carolina State University.

The report from the AICPA and NC State’s  Enterprise Risk Management (ERM) Initiative found that 65% of senior finance leaders believe the volume and complexity of corporate risks have changed “mostly” or “extensively” over the last five years. Fast-changing events, such as the war in Ukraine, ongoing talent crisis, soaring inflation, lingering supply-chain disruptions, ransomware threats and a host of other risk triggers are leading to significant disruptions impacting an organization’s business model. Despite these complexities of risks, only 33& of the respondents said their organizations have complete ERM processes in place, and just 29% rate their organization’s overall risk management oversight as “mature” or “robust.”

For the study, the researchers surveyed 560 U.S. CFOs and senior finance leaders this past winter, asking them to assess the level of maturity in their organization’s risk management processes. The results reflected a mostly negative perception.

“Our study finds that few executives perceive their risk management processes as providing important strategic value,” said Mark Beasley, KPMG professor of accounting and director of the ERM Initiative at NC State, in a statement. “This is despite the reality that risk and return are interrelated — organizations must take risks in the pursuit of strategic objectives. It is our hope that the ongoing uncertainties and rapidly changing business environment will convince more executives of the strategic importance of having rich insights about risks facing the organization as they make key strategic decisions.”

Despite the shortcomings of current ERM initiatives, the report nevertheless found that adoption of ERM processes in the U.S. is on the rise. Over the past 13 years, the percentage of organizations that claim to have complete ERM processes in place has increased 24 points, from 9% to 33%, but that still suggests a majority of entities don’t have such processes in place. Given all the risks facing companies right now, more organizations are likely to focus on risk management in the future.

“While predictable and unpredictable global disruptions continue to create new and exacerbate ongoing risk triggers, this research reinforces that enterprise risk management needs to be amplified in the list of priorities for CFOs,” said Ash Noah, vice president and managing director of learning education and development at the Association of International Certified Professional Accountants, in a statement. “Value in the business is much more than the balance sheet these days, and along with providing protection for the business, embracing ERM especially at a time when organizations must pay close attention to ESG risks, supports the creation of value and the long-term viability and sustainability of the business.”

The study also found that most executives don’t believe their organization’s risk management processes provide strategic advantage (63% saw no or only minimal advantage), with less than half (45%) of the respondents positioning risk management to pinpoint emerging strategic risks.

A majority of boards of directors would like to see greater senior executive involvement in risk oversight, with 74% indicating there will be significant changes to their existing continuity and crisis management planning.