Increasing risk is driving many organizations to adopt formal processes for enabling risk management. Despite this increased attention, fewer than one quarter have complete risk management processes in place. A recent survey conducted by the ERM Initiative at North Carolina State University on behalf of the American Institute of Certified Public Accountants looked to uncover what types of processes organizations have in place to ensure that board members and management can understand and manage the risks they are taking. According to the survey, 57 percent of organizations believe that the volume and complexity of the risks they face have increased considerably over the past five years, and this holds true across organizations of all types and sizes. In particular, those risks have led to significant operational surprises for 63 percent of the organizations surveyed. Perhaps most surprising is that the proportion of organizations that have been caught off guard is highest in the financial services industry and the public sector—both of which are highly regulated.

Organizations Lack Effective Risk Management Practices

Over the years, it appears that more organizations have been adopting comprehensive and formal risk management processes—up from 8.8 percent in 2009, when the survey was first conducted, to 24.6 percent in 2013. However, the survey also found that nearly half of all organizations surveyed had no enterprise risk management processes in place at all. Additionally, there was very little improvement seen in 2013 over 2012, which suggests that there is currently little impetus to improve risk management capabilities. This situation may seem somewhat surprising considering that organizations say they are under considerable pressure to improve their overall risk management capabilities and processes.
For more than 60 percent of organizations, the greatest pressure is coming from the board of directors for greater executive oversight of risk. This is even more pronounced among the largest enterprises, financial services firms, and public companies, which are the very organizations that have reported the most operational surprises through ineffective risk management. Boards, in turn, are facing increasing pressure from external parties—including regulators, investors, and rating agencies—to improve their risk oversight processes.

Manage Risk Across the Organization

To be most effective, risk management processes should be integrated across the organization and should cover every type of risk to which the organization is exposed, including IT, operational, financial, and facilities risks. To gain complete oversight of risk, risk data needs to be collected, reported, and analyzed centrally to ensure that nothing slips through the net. All too often, risks are considered in silos, often with a different champion in charge of each. Instead, it is essential that one function is charged with oversight of every risk category so that the big picture can be seen.

Barriers to Adoption of Enterprise Risk Management

As the report clearly shows, this is all too often not the case. The main reasons include:
Recommendations

There are a number of steps organizations can take to improve their risk management processes. The report offers the following guidance:
There is a clear disconnect between the need to manage risks across organizations and the processes that organizations have in place for doing so. The only way to effectively manage risks across an organization is through implementation of effective processes. But, as this survey shows, most organizations only manage such processes in an informal or ad hoc manner. There is room for improvement.

The post Enterprise Risk Management Processes: Room for Improvement appeared first on Speaking of Security - The RSA Blog and Podcast.
