ERM in Focus: Why CEOs are Demanding Better Risk Management
In 2019, only 31% of respondents to the “State of Risk Oversight” report by
the AICPA(1) described having a complete Enterprise Risk Management (ERM) program in place. Why?
Although understanding and managing risk has tremendous benefits, 5 years later ERM programs still lack maturity, with only 34% of respondents having complete programs.
Several drivers are increasing the need for an effective risk program, including a spike in the volume and complexity of risks, as well as operational surprises.
The good news is that according to the "2023 State of Risk Oversight" report(2), “CEOs are calling on other senior executives to increase their level of engagement in risk management, especially those in large organizations or public companies.”
In a prior ERM case study(3) I published in the Internal Auditor magazine titled "In Line with Risk," I identified the following key drivers impacting the maturity of risk programs:
- Pervasive knowledge gap in what a good ERM program looks like and its benefits, and
- Risk management performed ineffectively or as a check-the-box activity, reducing organizational adoption.
In this article, I will provide an overview of the pain points, barriers, and solutions that can help your organization elevate its enterprise risk programs.
Key Observations and Pain Points
When trying to understand why over 65% of surveyed organizations do not have complete ERM programs, several overarching themes emerged from the data that can be categorized into three main areas:
| Strategy | Culture | ERM Standards |
|---|---|---|
| Respondents struggle to integrate risk management into strategic activities. | Cultural factors may explain the lack of ERM maturity. Some organizations are investing in appointing dedicated Chief Risk Officers. However, that is still not a common practice. | Structural components of ERM exist, but vary from organization to organization, and key risk indicators are still not being measured. |
“The Gray Rhino of Cultural Risk”(4) corroborates this data and points to broader cultural risks that ERM should be uniquely suited to address, but which instead become bottlenecks to ERM maturity, such as:
- Resistance to change.
- Challenges in sustaining culture in the current work environment.
- Culture does not encourage the timely identification and escalation of risk issues.
- Organization is not sufficiently resilient or agile to manage an unexpected crisis.
Companies need to address these factors with both top-down and bottom-up solutions to maximize the benefits offered by a full ERM program.
AdviseUp Insights
AdviseUp has identified three main barriers that hinder an organization’s ability to develop and embrace a robust ERM program.
It’s not a mandatory function, but it should be.
ERM is not a mandatory function in corporations the same way Internal Audit is. More specifically, Internal Audit is a function required for all publicly traded companies, for companies working with federal programs like CMS, and by regulations and standards such as ISO 27001. An independent ERM function is currently a nice-to-have instead of a must-have, which affects cultural attitudes and therefore limits its ability to be fully embraced.
The roles of Auditors and Risk Managers need to be clearly defined.
In many companies, risk management is performed by Internal Auditors. Those roles are distinctly different. Internal auditors should be “customers” of the ERM program and not facilitators. Additionally, auditors do not always have a strong understanding of the ERM frameworks, as risk training is not common for auditors.
ERM lacks standardization because it is a new practice.
There are several ERM frameworks that a company may choose to adopt. However, there is a lack of unified standards outlining not only the key components of ERM programs, but also the minimum requirements for implementing, managing, and improving them.
As a result, the implementation of a solid ERM program is solely dependent on the knowledge of the person leading it.
These observations are crucial to address when it comes to future ERM acceptance and maturity. In doing so, corporations can create an integrated and proactive approach to risk management.
Solutions
Macro Level Solutions
- The formation of a single internationally recognized set of standards around the structure, independence, qualifications, and implementation of the program
- Regulators making ERM a mandatory function like Internal Audit
Micro Level Solutions
- Adopting an ERM framework. The most commonly adopted framework is COSO ERM. Offer ERM training to the program team members and selective Internal Auditors. A great source for ERM training is the NC State Enterprise Risk Management Initiative(5).
- Perform a gap analysis and identify the current maturity level and the next desired maturity level
- Invest the time in developing a risk register and risk taxonomy that allows your organization to identify risks at the most granular level
- Map controls and internal audit findings to the risks
- Risk assessments are meant to capture the voice of the organization. Therefore, your first risk assessment must be a bottom-up and top-down assessment, to allow for the creation of a strong risk profile foundation.
Key phases to implement an integrated ERM program
Next Steps - Call AdviseUp
Navigating the world of risk management can feel challenging, especially if your company does not have a formal ERM program in place.
However, ERM remains a highly effective tool at protecting your assets and remaining agile in today’s fluctuating market.
A functioning, mature ERM program can help your company support better decision making, break down silos, adapt to changing conditions, and not only protect but also create value.
If you don’t know where to start, contact AdviseUp. We provide expert risk management consulting services with decades of practical, on-the-ground experience building and implementing risk programs.
Start preparing your business for the future today.
Resources
(1) 2019 State of Risk Oversight Report, NC State University, in partnership with the AICPA
(2) 2023 State of Risk Oversight Report, NC State University, in partnership with the AICPA
(3) In Line with Risk; Dorina Hamzo; Internal Auditor; 2019
(4) The Gray Rhino of Cultural Risk; Charles Follet; Business Ingenuity
(5) NC State Enterprise Risk Management Initiative