Enterprise Risk Oversight

A new report entitled the Current State of Enterprise Risk Oversight (alternately, here) has been published by several faculty members from the Enterprise Risk Management (ERM) Initiative at North Carolina State University.  For me, the conclusions are alarming, but perhaps not surprising:

Despite the growing pressures for more effective risk oversight that are emerging from the recent financial crisis, the level of enterprise-wide risk oversight across a wide spectrum of organizations appears to be fairly immature.   Most organizations have not fully embraced the need for a top-down, enterprise-wide perspective of risk oversight.  Results from this survey suggest that there is an urgent need to evaluate existing risk management processes in light of perceived increases in the volume and complexity of risks and operational surprises being experienced by management.  That, coupled with a self-described aversion to risk, is likely to spawn greater focus on improving existing risk oversight procedures in organizations today.

The statistics bear out these conclusions.  Almost half of the more than 700 companies surveyed have no enterprise-wide risk management process in place and have no plans to implement one.  Nearly the same number do not assess risk exposure on a formal basis. The vast majority (> 75%) report that key risk indicators are only communicated on an ad hoc basis at management meetings.

Some organizations are moving to a more structured approach by creating senior executive risk leadership positions. However, it’s hard to know how many have really done so. An earlier study from the Economist Intelligence Unit reported that 45% of companies have appointed a chief risk officer (CRO), while another 24% will do so within two years. On the other hand, this ERM Initiative study showed that very few organizations (18%) have created a CRO position.

My own sense is that the actual percentage is somewhere between the two estimates.  Regardless, the percentage is definitely on the rise.  If you’re interested, here’s one you can apply for.

(Thanks to Norman for sending me the ERM Initiative study.)

One Response to Enterprise Risk Oversight

  1. Pris December 27, 2009 at 2:16 am #

    Hello there, I happened to read your blog when searching for “Investment sign-post and Key risk indicator” from the internet.

    I am working as Corporate Risk Manager in Singapore. Came across this term “signpost” in a Risk Report recently. Have been trying to find out what is the difference between KRI and signpost. Any idea what is “signpost” supposed to be?

    Thanks & Regards,
