What is the state of ERM? A new study sheds a little light
One of the studies I have referenced for a few years has been updated. The ERM Initiative at North Carolina State University has released the 7th edition of The State of Risk Oversight: An overview of risk management practices.
The principals at the ERM Initiative, Mark Beasley in particular, have been active in the ERM area for a number of years. From what I can tell, they have been primarily associated with and involved in the COSO view of risk management rather than that of ISO (the ISO 31000:2009 global risk management standard).
I have been using a sad statistic from the 2010 edition of this publication, which reported that only 3.4% of respondents believed their risk management program was “fully mature”. This number is essentially unchanged at 4% (the latest edition is based on responses to a survey in 2015).
However, respondents are not given a definition of “fully mature”, or at least one is not provided in the report.
Instead, each respondent decides for themselves what a fully mature risk management program entails (another survey uses “complete” as its highest level of risk management maturity), so the 4% figure rests on self-assessment against an undefined benchmark.
COSO ERM goes further than the ERM Initiative surveys, as far as I can see. The survey asks how frequently the list of top risks is reviewed and how often it is updated (very few indeed do it monthly or better). But it doesn’t ask whether the consideration of risk is embedded into decision-making across the organization, which COSO ERM does. Nor does it address whether risk management “helps an organization get where it wants to go” – another COSO ERM statement, which recognizes that risk management is about more than avoiding hazards and threats.
So what are we to make of this?
There seems to be growing pressure from boards and regulators to improve risk management practices, and there is every reason for them to be concerned about the current state! Yet little progress is being made. Only 4% self-report that they have fully mature risk management, with larger companies (revenues greater than $1bn) at 9%.
Will this study make a difference?
I doubt it.
The emphasis has to move towards whether, as Deloitte has said, risk management is helping an organization set and then achieve its strategic goals.
Treating risk management as a silo, separate from the effective management of the rest of the organization, is not going to persuade boards and executives (the latter are clearly reluctant to invest in what they see as a compliance activity) to move the practice forward. The case has to be made that risk management is an essential element of informed, intelligent decision-making.
Let’s start talking about effective management that includes risk management.
When will we get a survey on that?