Risk management is not about avoiding failure -- it is about achieving success.

The ERM Initiative at North Carolina State University, led by Mark Beasley, has published its sixth report on the state of risk management. I saw the first report in 2010 and frankly, not much has changed.

Set the Bar Low, Organizations Still Fail

The authors based the report on a survey of CFOs (or their equivalents) who are members of the AICPA’s Business and Industry group. This is interesting, as it represents the views of people who, in many cases, have executive responsibility for the risk management system.

A very low standard appears to have been set for a “mature” or “complete” risk management system. The authors don’t say whether they gave the respondents any guidance on what constitutes such a system. But reading between the lines, it is limited to a periodic assessment and review of a limited list of risks at the enterprise level, together with some level of integration with the strategy-setting processes. No mention is made of whether the management of risk is embedded into every organizational process (as both COSO ERM and ISO 31000:2009 dictate).

But, even with this low standard, the majority of organizations -- even large ones -- fail.

Key Takeaways

The report acknowledges the lack of progress made in the years since issuing the first report:

“Results from all six years of our surveys continue to find that the approach to risk oversight [i.e., the management of risk -- the authors are not talking about board oversight] in many organizations continues to be ad hoc and informal, with little recognized need for strengthened approaches to tracking and monitoring key risk exposures, especially emerging risks related to strategy. Even the large organizations, public companies, and financial services organizations admit that their risk management oversight processes are less than mature.”

An underlying thread of frustration runs through some of the feedback:

“There may be opportunities to better connect risk oversight and strategic planning efforts. Four of ten sample firms (41 percent) admitted that they were ‘not at all’ or ‘minimally’ satisfied with the nature and extent of reporting of key risk indicators to senior executives regarding top risk exposures.”

The State of the Risk Management Process

The report shares some pretty grim numbers when examining the presence (or in many cases, absence) of a risk management process. Across all respondents:

  • 45 percent have “no enterprise-wide risk management in place” or are exploring putting one in place
  • 30 percent have only a partial process, addressing some but not all risk areas
  • 25 percent have what they call a “complete formal” enterprise-wide risk management process in place

Across public companies (the numbers are about the same when you look at companies with revenue greater than $1 billion):

  • 15 percent have nothing to speak of
  • 37 percent have a partial process
  • 48 percent believe their process is complete and formal (given the very low standard)

Risk Management Maturity

The story gets even worse when you look at the maturity of the risk management system. The authors use a five-level model. Across all respondents:

  • 19 percent -- Very immature
  • 23 percent -- Developing
  • 35 percent -- Evolving
  • 19 percent -- Mature
  • 4 percent -- Robust

Across financial services, where you would expect to find the highest level of maturity (the numbers for public and large companies are not much different):

  • 6 percent -- Very immature
  • 20 percent -- Developing
  • 40 percent -- Evolving
  • 25 percent -- Mature
  • 9 percent -- Robust

Only 5 percent (“extensively”) and 15 percent (“mostly”) gave positive answers to the question “To what extent do you believe the organization’s risk management process is a proprietary strategic tool that provides unique competitive advantage?”

Only about half of large, public, or financial services companies maintained a “risk inventory” at the enterprise level.

Respondents updated their identification and assessment of risks to the achievement of objectives only occasionally -- even though they recognize the dynamic nature of the business environment and of risk:

  • 33 percent -- Not at all
  • 34 percent -- Annually
  • 10 percent -- Semi-annually
  • 15 percent -- Quarterly
  • 8 percent -- Monthly, weekly or daily

Just 34 percent answered “Mostly” to the statement “Existing risk exposures are considered when evaluating possible new strategic initiatives,” and only half that number reported the same level of risk discussion when the board considers strategies.

This sad state of affairs reflects a failure to link the consideration of risk with excellence in decision-making and performance.

It also reflects a continued misperception, seen in -- and to some extent caused by -- the advice given by some of the firms providing risk management consulting services. To them, risk management is “mature” or “complete” when (a) risks (and they consider only situations or events that have a potential adverse effect) are reviewed periodically and (b) those risks are considered when strategies are developed.

I will continue to say: the management of risk is an integral and essential element in decision-making at all levels across the organization.

Risk management is not about avoiding failure -- it is about achieving success.

I have reason to believe that the COSO ERM update project recognizes this as an issue. We should expect considerable change when the draft update is exposed for public comment.

A word to all internal auditors -- don't fall into the trap of auditing risk management and evaluating its effectiveness based on compliance with the company’s policy and similar criteria. It should be evaluated based on whether it is making a positive contribution to the development and execution of strategies and to the making of informed, intelligent decisions -- all part of how an organization optimizes its ability to succeed.

I welcome your comments.