I recently wrote two articles referencing the latest report from the Enterprise Risk Management (ERM) Initiative at North Carolina State University, in partnership with the American Institute of Certified Public Accountants (AICPA). Their 8th State of Risk Oversight report provides an overview of ERM practices for a variety of industries.
This report continues to provide me with heartburn over certain areas in the ERM field.
First, let’s talk about risk assessments. For risks to be compared, prioritized, and reported, I would think that the ERM professionals within the organization would provide guidance to the business about the criteria for the risk assessment. And yet the report says otherwise.
Only 38% of the organizations in the sample provide explicit guidelines for assessing the probability of a risk, and only 42% provide explicit guidelines for assessing impact. How can this be?
In my opinion, these low statistics indicate an unwillingness to have numbers (even soft numbers) applied to a risk. People like the idea of saying a risk is “high” or “low”…but don’t ask them to say that there is a 60% chance of occurrence or that the risk carries a $40 million financial impact.
Having those numbers is where ERM can start providing value – by helping management prioritize what risks should be addressed first. And it really helps them identify the risks that should just be accepted based on the risk appetite and tolerance of the company.
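To make concrete what “explicit guidelines for probability and impact” buy you, here is a small added example (it is not from the NC State/AICPA report or from this post). It writes the criteria down as two lookup tables, scores a register of risks against them, ranks the result, and marks everything under the tolerance threshold as accepted. The probability bands, the dollar impact bands, the $1 million tolerance and the five sample risks are all assumptions constructed for illustration.

```python
"""Explicit probability/impact criteria applied to a risk register.

Added example. The bands, the tolerance and the sample risks below are
constructed assumptions, not figures from the State of Risk Oversight report.
"""
from dataclasses import dataclass

# Written guideline for probability: each rating the business may use maps to
# one annual likelihood of occurrence (assumed values).
PROBABILITY_GUIDELINE = {
    "rare": 0.05,
    "unlikely": 0.20,
    "possible": 0.40,
    "likely": 0.60,
    "almost certain": 0.90,
}

# Written guideline for impact: each rating maps to one dollar figure
# (assumed values).
IMPACT_GUIDELINE = {
    "minor": 500_000,
    "moderate": 5_000_000,
    "major": 40_000_000,
    "severe": 150_000_000,
}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: str  # must be a key of PROBABILITY_GUIDELINE
    impact: str       # must be a key of IMPACT_GUIDELINE


def expected_loss(risk: Risk) -> int:
    """Annual expected loss in dollars: guideline probability x guideline impact.

    A rating that is not in the written criteria is rejected, so a business
    unit cannot file a risk as "high" without saying what "high" means.
    """
    try:
        p = PROBABILITY_GUIDELINE[risk.probability]
        i = IMPACT_GUIDELINE[risk.impact]
    except KeyError as exc:
        raise ValueError(
            f"{risk.name}: rating {exc} is not in the assessment guideline"
        ) from None
    return round(p * i)


def prioritize(risks, tolerance):
    """Split risks into (address, accept) against a dollar tolerance.

    `address` is ordered by expected loss, largest first, so management sees
    what to fund first; `accept` holds risks whose expected loss is within
    tolerance and can simply be accepted.
    """
    ranked = sorted(risks, key=expected_loss, reverse=True)
    address = [r for r in ranked if expected_loss(r) > tolerance]
    accept = [r for r in ranked if expected_loss(r) <= tolerance]
    return address, accept


# Constructed sample register (assumed, for illustration only).
SAMPLE_RISKS = [
    Risk("Supplier insolvency", "likely", "major"),
    Risk("Data center outage", "possible", "moderate"),
    Risk("Regulatory penalty", "unlikely", "severe"),
    Risk("Office flooding", "rare", "minor"),
    Risk("Payroll processing error", "almost certain", "minor"),
]

# Assumed risk tolerance: accept anything with expected annual loss <= $1M.
TOLERANCE = 1_000_000

if __name__ == "__main__":
    address, accept = prioritize(SAMPLE_RISKS, TOLERANCE)
    print("Address first (expected annual loss):")
    for r in address:
        print(f"  {r.name:26s} ${expected_loss(r):>13,}")
    print("Accept (within tolerance):")
    for r in accept:
        print(f"  {r.name:26s} ${expected_loss(r):>13,}")
```

Note that with explicit criteria the ranking is decided by arithmetic, not by who argued loudest: the low-probability, severe-impact regulatory risk outranks the high-probability, minor payroll risk, which falls under tolerance and is accepted.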
Specifically, it appears that the not-for-profits need some guidance – pun intended – in this area.
The report states, “The overall lack of ERM maturity for the full sample is somewhat surprising… Interestingly, 56% of not-for-profit organizations express their risk culture as ‘strongly risk averse’ or ‘risk averse;’ however, those organizations appear to be the least mature in their enterprise-wide risk oversight processes.”
A big part of launching an ERM program includes writing down the risk management process…which includes having explicit guidance and criteria for the risk assessment.
Looks like more people need to get pushed out of their comfort zone. Are ERM professionals up to the challenge?
What are your thoughts on the current state of the risk management process?
Please share your thoughts in the comment field below, or join the conversation on LinkedIn.
Do you want to help ensure your organization matures its ERM program? Are you struggling to get your risk management initiative off the ground or back on track? Contact me to discuss your program today, or continue browsing ERMInsightsbyCarol.com.