
On the Frontlines: How Mature is Your Risk Management?

Blogs | José David Pino, CIA, CRMA, CFE | Apr 02, 2024

In an interview with ABC News after the collapse of his crypto exchange company, FTX, Sam Bankman-Fried noted, “If I had been spending an hour a day thinking about risk management on FTX, I don't think that would have happened.”

Likewise, the Board of Governors of the Federal Reserve System cited a lack of focus on risk management in its assessment of the Silicon Valley Bank failure: “Silicon Valley Bank’s board of directors and management failed to manage their risks,” it stated. “When supervisors did identify vulnerabilities, they did not take sufficient steps to ensure that Silicon Valley Bank fixed those problems quickly enough.”

With such high-profile failures in the news, we might expect organizations to conclude that the absence of an enterprise risk management (ERM) system is correlated with business failures and multiple risk exposures. Or we might expect them to understand that the pursuit of a mature ERM system will help them better achieve their strategic planning objectives.

Nevertheless, recent studies show there is still much to be done regarding ERM.

In the 2023 report, The State of Risk Oversight: An Overview of Enterprise Practices, published by the American Institute of Certified Public Accountants and NC State, only 29% of risk leaders surveyed say their organization’s risk management oversight processes are mature, while 35% describe them as evolving, 21% say they are in the development stage, and 15% indicate they are very immature.

It's important to note that these answers came from more than 400 organizations, including large organizations (with revenues greater than $1 billion), publicly traded companies, financial services entities, and not-for-profit organizations.

Further analysis reveals that 17% of the respondents say they have no structured risk management processes for identifying and reporting top risk exposures to the board. An additional 18% of respondents indicate that they mostly track risks by individual silos of risks, with “minimal reporting of top risk exposures to the board.” Additionally, 25% responded that they mostly have informal and unstructured risk management processes, with “ad hoc reporting of aggregate risk exposures to the board.”

Considering the current business environment, it is intriguing to see such low levels of risk management maturity. Internal auditors should be aware of red flags that may arise where risk management practices are poor or where ERM initiatives are not as effective as planned, including:

  • Poor involvement of the organization’s tone at the top in ERM initiatives.
  • Risk culture not reflected in the way the organization conducts its business.
  • Risk incidents occurring repeatedly without their root cause being identified.
  • Risk management not integrated into strategic planning.
  • A reactive rather than proactive approach.
  • Key personnel unaware of the extent of risks following significant changes in the size or operations of the organization.
  • Absence of internal control structures and of personnel ownership of risk and control responsibilities.

To encourage the organization to move toward more mature risk processes, internal auditors can act as risk management advocates by encouraging management to act in the following ways:

  • Engage the board and senior management on ERM initiatives. Ensure their understanding regarding definitions, drivers, benefits, and implications of ERM processes.
  • Cultivate a risk-aware culture. Establish an appropriate risk culture across the organization.
  • Review the risk management processes in place. Identify recurring patterns of repeated risk events; breaking that cycle requires identifying root causes and strengthening proactive measures.
  • Embed risk management into strategic planning and day-to-day operations. Aligning those elements helps the organization address potential risks proactively.
  • Use key risk indicators. Insights from past risk events, industry benchmarking, and environment conditions might be helpful to proactively manage risks.
  • Adapt to changes. Be aware of timely updates required in strategic planning and risk management initiatives when significant changes in business operations arise.
  • Ensure timely communication to key risk personnel regarding critical business changes. Risk champions might help with the implementation of an effective ERM structure to be communicated and integrated across the organization.
  • Set a desired level to reach in the maturity process. It is also important to agree on how gaps between the current and desired levels will be closed.
  • Implement effective governance, risk, and control structures. Having an internal audit department in place means there will be assurance on the effectiveness of risk management and control initiatives.

Risk management is not a static process. Ongoing monitoring of the ERM system will help gather evidence about the organization’s internal and external environment, as well as business performance, in light of current events that may affect the organization.

Past failures have demonstrated that no organization is immune to the consequences of risk events, and risk is never absent from the current business environment. An organization whose tone at the top encourages it to develop risk management processes, and to keep maturing those processes, will be better prepared when risk events materialize.

José David Pino, CIA, CRMA, CFE

José David Pino is an internal audit and risk management assurance advisor based in Caracas, Venezuela.