Less than one third of organizations have a complete enterprise risk management (ERM) process in place, despite the growing number of risks and threats against businesses today. Just 31 percent of organizations are fully addressing risk management, according to a new study conducted by North Carolina State University’s Enterprise Risk Management Initiative and the American Institute of CPAs (AICPA).
Researchers talked to nearly 500 CFOs and financial leaders about the ways they manage emerging risks and discovered that ERM is still a fairly immature practice in most businesses, with only 22 percent saying their systems are robust.
However, there are a lot of positives coming from this study. Since the first report in 2009, there has been a jump from 9 percent to the current 31 percent of organizations reporting a complete ERM process. It was also noted that while large enterprise is still most likely to have risk management tools in place, there is a considerable uptick among the not-for-profit sector.
But here is the statistic that surprised me the most: The push for a complete ERM strategy is coming from the highest management levels. From the report:
Most boards of directors, 68 percent, want senior executives to increase management involvement in risk management. Nearly half of CEOs, 46 percent, have asked “mostly” or “extensively” for increased risk management oversight — an increase of 3 percent from 2016.
The study’s respondents are also calling for the addition of a Chief Risk Officer to their organization, and nearly two-thirds of companies now have a CRO in place.
Traditionally, in the cybersecurity world I’m used to, security, risks, and threats were rarely taken as seriously by boards of directors or top executives. CIOs and CISOs, yes, but CEOs or CFOs often stood as roadblocks for upgrading or investing in improved security systems. There seems to be a much different attitude when it comes to risk management. In a formal statement, Mark Beasley, Deloitte Professor of Enterprise Risk Management and director of NC State’s ERM Initiative, provided some background on why this disconnect between security and risk management exists:
Senior executives and boards of directors are realizing increasingly that the speed of change and the level of uncertainty in the global business environment is outpacing the ability of their organization’s traditional approach to managing risks. While many are increasing the robustness of their processes for identifying, assessing, and managing emerging risks that may ultimately impact their core business model and strategic objectives, a number of organizations may not discover that need until they face a major risk event.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba