Just in time for harried business executives trying to deal with the latest global ransomware crisis, North Carolina State’s Poole College of Management is out with a new study focusing on risk management. Its conclusion: “An ever-increasing array” of challenges threatens their success. Here are their top concerns and the study authors’ calls to action.

“Organizations of all types face a seemingly ever-increasing array of risks that may significantly affect their strategic success,” the study’s executive summary explains.

“To gain insights about the current state of risk management processes around the globe, we surveyed executives in the autumn of 2016 about how their organizations approach risk oversight. We conducted similar surveys in 2010 and 2014. This report summarizes insights from 586 executives in organizations across the world and provides insights on the current state of enterprise-wide risk oversight, including identified similarities and differences in four global regions.”

Key findings:

1. Organizations all around the world perceive an increasingly complex risk environment.

Views about the volume and complexities of risks are generally similar in all four regions. The exceptions are those organizations in Africa & the Middle East that perceive risk complexities to be even higher than their peers do. Close to a majority or more of organizations outside the US have experienced a significant operational “surprise” during the past five years. Only 32% of US organizations have experienced similar levels of surprise.

2. Risk management practices appear to be relatively immature across the globe.

Around 30% or less of organizations indicate they have “complete” enterprise risk management (ERM) processes in place. The lowest percentages of organizations to do so are in Europe & the UK (21%) followed by Africa & the Middle East (24%). Only about a quarter of respondents in all regions of the world describe their organization’s risk maturity as “mature” or “robust”.

3. Most organizations struggle to integrate their risk management processes with strategic planning.

Fewer than 20% of organizations in Europe & the UK or in the US believe their risk management processes are providing a unique competitive advantage.

Despite the fact that most strategies may be impacted by a number of risks, only about 50% of respondents around the world indicate that they “mostly” or “extensively” consider risk exposures when evaluating new strategic initiatives.

4. There appears to be a lack of detailed risk oversight infrastructure in most organizations.

Under one-third of organizations in all regions of the world maintain or update risk inventories/registers. About one-half of organizations in Asia & Australasia and in Africa & the Middle East have formal risk management policy statements. This compares with only about one-third of organizations in Europe & the UK and in the US.

5. Internal management-level risk committees are more common than chief risk officers.

Around 30-40% of organizations have appointed a chief risk officer, whereas more than 50% of organizations (other than those in Europe & the UK) have management-level risk committees. Most organizations (around 80%) have not conducted any formal risk-management training for executives.

6. The board of directors is placing pressure on management to strengthen risk oversight.

In the US, the greatest pressure for the increased involvement of senior executives in risk oversight is coming from the audit committee. This contrasts with the other regions of the world, where the greatest pressure is coming from the board of directors or the CEO.

Boards of US organizations are more likely to delegate risk oversight to the audit committee, whereas boards for organizations in other parts of the world are more likely to delegate it to a board risk committee.

7. There are real barriers within organizations that are impeding progress in maturing risk management processes.

Outside the US, the most notable barrier is a perception that the organization does not have sufficient resources to invest in ERM. The biggest barrier for US organizations, meanwhile, is the perception that there are more pressing competing priorities.

Calls to action

1. The increasing complexities in today’s business environment mean risk management is unlikely to get easier. Senior executives and boards of directors benefit from honest and regular assessments of the effectiveness of the current approach to risk oversight in the light of the rapidly changing risk environment.

2. Given the fundamental relationship between “risks” and “returns”, most business-unit leaders understand that taking risks is necessary to generate higher returns. The challenge for management is to genuinely consider whether the process used to understand and evaluate risks associated with the organization’s strategies actually delivers any unique capabilities to manage and execute their strategies.

3. Given the intricacies of managing risks across complex business enterprises, organizations may need to strengthen the leadership of their risk management function. Appointing a risk champion (for example, a chief risk officer) or creating a management-level risk committee may help to ensure that all risk management processes are appropriately designed and implemented.

4. Most organizations have tremendous amounts of data that might provide insights about emerging risks. Most, however, have not analyzed that data with a risk perspective in mind. They may need to add key risk indicators (KRIs) to management’s dashboard systems and reports.

Read the full report at:

http://www.cgma.org/content/dam/cgma/resources/reports/downloadabledocuments/global-risk-oversight-report.pdf