ERM in Focus: Why CEOs are Demanding Better Risk Management

Dorina Hamzo • October 5, 2024

In 2019, only 31% of respondents to the “State of Risk Oversight” report by AICPA(1) described having a complete Enterprise Risk Management (ERM) program in place. Why?

Although understanding and managing risk has tremendous benefits, 5 years later, ERM programs are still lacking maturity with only 34% of respondents having complete programs. 


Several drivers are increasing the need for an effective risk program, including a spike in the volume and complexity of risks, as well as operational surprises. 


The good news is that according to the "2023 State of Risk Oversight" report(2), “CEOs are calling on other senior executives to increase their level of engagement in risk management, especially those in large organizations or public companies.”


In a prior ERM case study(3) I published in the Internal Auditor magazine titled "In Line with Risk," I identified the following key drivers impacting the maturity of risk programs:

  • Pervasive knowledge gap in what a good ERM program looks like and its benefits, and
  • Risk management performed ineffectively or as a check-the-box activity, reducing organizational adoption.


In this article, I will provide an overview of the pain points, barriers, and solutions that can help your organization elevate its enterprise risk programs.

Key Observations and Pain Points


When trying to understand why over 65% of surveyed organizations do not have complete ERM programs, several overarching themes emerged from the data that can be categorized into three main areas:

Strategy: Respondents struggle to integrate risk management into strategic activities.

Culture: Cultural factors may explain the lack of ERM maturity. Some organizations are investing in appointing dedicated Chief Risk Officers. However, that is still not a common practice.

ERM Standards: Structural components of ERM exist, but vary from organization to organization, and key risk indicators are still not being measured.

“The Gray Rhino of Cultural Risk”(4) corroborates this data and points to broader cultural risks that ERM should be uniquely suited to address, but which instead end up as bottlenecks to ERM maturity, such as:

  • Resistance to change.
  • Challenges in sustaining culture in the current work environment. 
  • Culture does not encourage the timely identification and escalation of risk issues.
  • Organization is not sufficiently resilient or agile to manage an unexpected crisis.


Companies need to address these factors with both top-down and bottom-up solutions to maximize the benefits offered by a full ERM program.

AdviseUp Insights


AdviseUp has identified three main barriers that hinder an organization’s ability to develop and embrace a robust ERM program.


It’s not a mandatory function, but it should be.

ERM is not a mandatory function in corporations the same way Internal Audit is. More specifically, Internal Audit is a function required for all publicly traded companies, companies working with federal programs like CMS, and under regulations and standards such as ISO 27001. An independent ERM function is currently a nice-to-have instead of a must-have, which affects cultural attitudes and therefore limits how fully it can be embraced.


The roles of Auditors and Risk Managers need to be clearly defined.

In many companies, risk management is performed by Internal Auditors. Those roles are distinctly different. Internal auditors should be “customers” of the ERM program and not facilitators. Additionally, auditors do not always have a strong understanding of the ERM frameworks, as risk training is not common for auditors.


ERM lacks standardization because it is a new practice.

There are several ERM frameworks that a company may choose to adopt. However, there is a lack of unified standards outlining not only the key components of ERM programs, but also the minimum requirements for implementing, managing, and improving them. 


As a result, the implementation of a solid ERM program is solely dependent on the knowledge of the person leading it.


These observations are crucial to address when it comes to future ERM acceptance and maturity. In doing so, corporations can create an integrated and proactive approach to risk management.

Solutions


Macro Level Solutions

  • The formation of a single internationally recognized set of standards around the structure, independence, qualifications, and implementation of the program
  • Regulators making ERM a mandatory function like Internal Audit


Micro Level Solutions

  • Adopting an ERM framework. The most commonly adopted framework is COSO ERM. Offer ERM training to the program team members and selected Internal Auditors. A great source for ERM training is the NC State Enterprise Risk Management Initiative(5).
  • Perform a gap analysis and identify the current maturity level and the next desired maturity level 
  • Invest the time in developing a risk register and risk taxonomy that allows your organization to identify risks at the most granular level 
  • Map controls and internal audit findings to the risks
  • Risk assessments are meant to capture the voice of the organization. Therefore, your first risk assessment must be a bottom-up and top-down assessment, to allow for the creation of a strong risk profile foundation.


Key phases to implement an integrated ERM program

Next Steps - Call AdviseUp


Navigating the world of risk management can feel challenging, especially if your company does not have a formal ERM program in place.


However, ERM remains a highly effective tool at protecting your assets and remaining agile in today’s fluctuating market.

A functioning, mature ERM program can help your company support better decision making, break down silos, adapt to changing conditions, and not only protect, but also create value.

If you don’t know where to start, contact AdviseUp. We provide expert risk management consulting services with decades of practical, on-the-ground experience building and implementing risk programs. 


Start preparing your business for the future today.


Resources

(1) 2019 State of Risk Oversight Report, NC State University in partnership with the AICPA

(2) 2023 State of Risk Oversight Report, NC State University in partnership with the AICPA

(3) In Line with Risk, Dorina Hamzo, Internal Auditor, 2019

(4) The Grey Rhino of Cultural Risk, Charles Follet, Business Ingenuity

(5) NC State Enterprise Risk Management Initiative

