“Across most dimensions, enterprise risk oversight in U.S. organizations is lagging in its maturity relative to organizations in all other regions of the world,” according to the second edition of Global State of Enterprise Risk Oversight, a report by Chartered Global Management Accountant (CGMA) and North Carolina State University Poole College of Management’s ERM Initiative.
“Europe is ahead of the United States in its ERM implementation,” said Mark Beasley, the Deloitte professor of enterprise risk management and director of the ERM Initiative at NC State, and one of the authors of the study. “I heard early, from 2001 to 2003, that Europe was further along. Since then, there has been a lot of conversation about ERM in the United States, so we were interested in finding out the current state of ERM in different regions.”
The report is broken down into four regions: Europe, Asia and Australia, Africa and the Middle East, and the United States. While Europe and Australia were already believed to be the most mature in their implementation, “everyone else seems to be further along than the United States, so Europe and Australia are not the only frontrunners,” Beazley said.
“From the board of director perspective, including the audit committee, it surprised me that those outside the United States indicated much higher percentages of requests coming from the board and audit committee than here in the United States,” he said. “That surprised me because, from my conversations with board members here, there seems to be a fair amount of interest in the topic. Outside the United States, 67% of the respondents believe the boards are putting pressure on them, but here in the United States, it’s 39%.”
Key shareholders and stakeholders abroad were also more interested in the kind of accountability that can result from ERM than were their American counterparts. “In Europe, about 34% were asking for more engagement in risk oversight and in the United States it was about 19%,” Beasley said. “There is a higher awareness there and a need for better information from management.”
One factor that may have hampered ERM maturity in the United States is implementation of Sarbanes-Oxley, Beazley believes. “Massive confusion on how to comply and get those reports done and be audited on internal controls took a lot of the wind out of the sails for ERM for a number of years. Therefore, ERM hit the back burner,” he said. “While Europe was moving forward, we were sidetracked on another issue, and we could still be seeing that effect.”
Another reason for the division could be that boards in the United States have fewer conversations about risk in the context of strategic planning. “When we asked questions going deeper into the risk management process—such as do you have a standardized process for identifying and assessing key risk, do you have guidelines that you give the board to think about risk, or have you set up a process to identify risk and maintain inventories—the non-U.S. companies were in the 50% to 60% range, whereas it was 25% to 40% in the United States.”
When asked to what extent the risk information generated by the ERM process is formally discussed when the board talks about strategic plans, more than 40% of businesses outside the United States said they were having these conversations. In the United States, just 26% were doing so.
Companies are still “not seeing ERM as a strategic tool,” he said. “They still have a compliance focus, and that causes people to question the value of it.”
Beazley’s team at the NC State ERM Initiative is working to change that. “We try to help people see that a mature ERM program helps them to think about risk to the long-term viability of their business model and what they are trying to do strategically,” he said.
They have found that, if an organization has an ERM system informing them about emerging risk to their core products, what their competitor is doing and what is happening in the marketplace, and informing those key decisions, that is when stakeholders begin to see the value proposition.
The report lists 10 calls to action to help ERM programs mature. For example, one approach is to find out to what extent the organization’s approach to risk management identifies the most significant risks. Then, see if there is a consensus among board members and senior management about the top risks the company faces.
Beasley recommended incorporating the study’s action points into a survey tool to put before the senior management team and the risk committee and then comparing their answers. “This can create a dialogue about where we need to go to make this better,” he said. “Taking these steps could also alert the risk manager to any disconnects with senior management.”