Enterprise risk management may be popular in concept, but it is still struggling to gain traction in the real world, especially among smaller companies. According to a recent survey by the American Institute of Certified Public Accountants (AICPA) and the Chartered Institute of Management Accountants (CIMA), 45% of U.S. respondents — many of whom are CFOs — report having no ERM framework in place and no plans to implement one.
What’s more, of companies with ERM systems in place, only 1.5% characterize their company’s risk-oversight processes as “very mature” or “robust.” The bulk, 84%, rate their company’s risk-oversight processes as ranging from “very immature” to “moderately mature.”
The state of ERM isn’t much better in Europe, according to the survey. Nearly 40% of European companies report they are not using, and do not plan to use, ERM, while only 8.2% of those that do use it consider their processes robust.
The survey, which was conducted earlier this year, includes 331 U.S.-based respondents and 264 global executives. The median revenue size for U.S. companies surveyed on behalf of the AICPA was $50 million.
“In the past decade, U.S. firms have been able to build a strong set of controls, thanks to Sarbanes-Oxley, and this survey shows us where we need to look next,” says Arleen Thomas, senior vice president of member competency and development for the AICPA, which offers some training courses on ERM.
So far, there are few clues as to where to find ERM at its highest level. “Anecdotally, we find that really effective ERM and ERM maturity are not necessarily linked to an industry. Rather, it’s more of a function of the level of embrace of ERM and strategy on the part of management and the board,” says Mark Beasley, Deloitte professor of enterprise risk management at North Carolina State University and director of the ERM Initiative at North Carolina State, which conducted the surveys.
In general, however, financial-services companies tend to have much more developed risk-management processes, as do larger companies in general, according to a forthcoming Conference Board report on board practices based on a survey of 279 public-company corporate secretaries. That report, by Matteo Tonnello and Judit Torok, found that more than 80% of companies outside the financial-services sector with more than $500 million in revenue claim to use an ERM framework, and that the full board has responsibility for it in 50% to 60% of those companies.
Regardless of company size and industry, no one would say that implementing an ERM initiative is easy. The approach typically means looking at risks across the company, rather than siloing them by business unit or functional area, and therefore can require the involvement and enthusiasm of a large number of managers. That’s why a push from the top is so critical, says Thomas. New ERM efforts also need the proper marketing. “If you don’t position ERM as a ‘value-add’ to business managers, it doesn’t get the same kind of traction,” says Thomas.
Adding to the difficulty of implementing ERM is that it typically needs to be highly customized. “With ERM, there’s no one-size-fits-all,” says Mark Bures, who leads the two-year-old ERM initiative at Navistar International, an $11.6 billion maker of heavy trucks, diesel engines, and school buses, among other items.
While there are guidelines — including those issued in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) — “you have to take the models and customize them for your culture,” says Bures. “It takes some time to get [ERM] embedded in the organization so that people are thinking about it day to day, and it’s a process of continuous improvement.”
One possible reason behind CFOs’ dissatisfaction with ERM processes, Bures says, is that new efforts to create them often lead to a report “that tells the CFO what he already knows,” rather than “what’s looming in the background, or what could happen if several [low-level] risks happened together.” To get to those higher-level analyses, he says, Navistar refreshes its risk watch list every six months, and prods managers to think about what they’d like to know from the proverbial crystal ball about how the industry would look three to five years in the future.
Part of the ongoing debate about ERM is how boards of directors should handle their oversight. The AICPA/CIMA survey finds that responsibility for enterprisewide risk management resides with the audit committee in 65% of companies. However, the COSO framework recommends that the entire board take responsibility for overseeing ERM, a position echoed by a recent Conference Board report based on interviews with 20 directors. “Because of the potential implications of certain risk events on shareholder value, risk oversight has moved to the core of the board’s fiduciary duties; all directors need to…participate in discussions about managing specific risks,” write report co-authors André Brodeur and Martin Pergler.
“Ultimately, ERM is a full board responsibility,” agrees Beasley of North Carolina State. “If boards see it merely as a committee task, ERM will likely be relatively unsuccessful, regardless of which committee is involved.”