While more companies are developing formal risk management programs, in its 2019 State of Risk Oversight study, researchers from the American Institute of CPAs and the ERM Initiative at North Carolina State University’s Poole College of Management found just 23% of respondents consider their organization’s risk oversight “mature” or “robust” and less than 20% think it provides strategic advantage.Most boards of large organizations (84%) and public companies (87%) review formal reports about top risks at least annually, but fewer than 60% consider the underlying risk management process systemic or repeatable, and 41% are “not at all” or only “minimally” satisfied with the internal reporting of key risk indicators.
External stakeholders are also driving greater executive involvement, with 65% of boards calling for increased management participation in risk oversight.
Formal assignment of risk management responsibilities has increased since the survey was first conducted 10 years ago, with 50% of companies now designating a CRO or equivalent, compared to 18% in 2009, and 65% maintaining a management-level risk committee, up from 22% in 2009.