NC State University each year publishes their research on the state of risk oversight. The latest version is available reflecting input from 563 respondents.
Their findings suggest that significant room for improvement exists particularly in the area of effectiveness.
Their conclusion is that organizations need to be more proactive with their risk management.
Companies that have robust risk management capabilities are in a better position to address not only the COVID-19 pandemic, but also other threats to mission success.
Key Findings from the report include:
Most respondents perceive a much riskier business environment now compared to five years ago. COVID-19 has probably increased that perception exponentially for most business leaders.
Even before COVID-19, respondents noted that a number of external parties were pressuring senior executives for more extensive information about risks. That will likely be even greater once the pandemic crisis is behind us.
Few executives describe their organization’s risk management process as mature. COVID-19 has most likely highlighted even more limitations in their organization’s risk oversight capabilities than previously considered.
More organizations are appointing a Chief Risk Officer or creating management-level risk committees to help lead the organization’s risk efforts. That leadership is critical if an organization wants to ensure the process is ongoing and value-adding.
About half of the respondent organizations engage in formal risk identification and risk assessment processes. Hopefully more business leaders will see the value in engaging in those processes in the future so that they can be in a more proactive versus reactive risk management posture when the next big risk event emerges.
Few respondents perceive their risk management process as providing important strategic value. The ongoing pandemic crisis is hopefully convincing more executives of the strategic importance of having rich insights about risks facing the organization as they make key strategic decisions.
Boards tend to delegate responsibilities for risk oversight to a board level committee. More boards are likely to pull that back to the full board level given all individuals on the board need to be informed about the range of top risks for the organization.
The process used to generate reports to the board about risks is often ad hoc. Executives may want to rethink how they identify and prioritize risk information to be discussed with the board, given many boards are likely to place even greater pressure on management for more timely and robust risk reporting.
Organizations struggle to embed risk accountabilities as part of employee compensation. That is something executives may want to rethink so that risk owners feel greater accountability for overseeing risks assigned to them.
Cultural barriers exist inside organizations that limit the strengthening of risk management processes. Business leaders need to focus on what barriers are present inside their organizations to determine what needs to be done to remove those barriers so progress can be realized.
You can download the full report here.