Shedding light on risk oversight

Risk oversight is widely considered to fall within the remit of the board, but do organizations feel that their risk management processes are supporting strategic decision-making?
The NC State Poole College of Management Enterprise Risk Management Initiative’s ‘2019 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices’ report – based on survey findings from over 400 executives from organizations of all sizes, sector-wide – suggests that risk management within organizations is not considered to be particularly mature or robust. And for business leaders, the internal reporting of key risk indicators often leaves much to be desired – all at a time when greater management involvement in risk oversight is being called for by boards and stakeholders.

Key survey findings:
  • 59% of respondents think that the volume and complexity of risks are increasing over time. Risks associated with human resources, innovation, brand and reputation, plus the economy are of particular concern.
  • Inadequately anticipated risks are believed to have caused operational disruption for 68% of organizations
  • Only 23% of organizations describe their risk management as ‘robust’ or ‘mature’
  • 31% of organizations state that they have complete enterprise risk management processes
  • External stakeholders are calling for greater understanding of and reporting on risks from senior executives
  • Increased management involvement in risk oversight is being called for by boards
  • Robust risk management is becoming an expected best practice, especially for public and larger organizations
  • While risk oversight is a focus for boards, responsibilities are typically delegated to committees
  • Boards typically delegate to audit committees, though financial services organizations usually retain risk oversight in board-level risk committees
  • Approximately half of respondents have a designated chief risk officer (or equivalent)
  • Management-level risk committees are in place within over 80% of large organizations, FS bodies and public companies

It is perhaps a matter of concern that, as stated in the report, fewer than 20% of organizations ‘view their risk management process as providing strategic advantage’ and only 26% of organizations report that their board ‘substantively review top risk exposures in a formal manner when they discuss the organization’s strategic plan’.

There is also a question over the processes used to generate reports about risk exposures for board review: ‘41% of respondents admit that they are “not at all” or only “minimally” satisfied with the nature and extent of internal reporting of key risk indicators.’

Keen to learn more about improving risk oversight within your organization?

Sword GRC invited Dr Ariane Chapelle, former certified auditor, risk management expert and advisor to the regulator, and founder of an advisory and training practice, to share her insights into risk management oversight best practice.
Topics explored in her webinar, ‘Risk Management Oversight: Good Practices and Challenges’, included:

  • The three lines model: the recent standard from the IIA
  • Evaluating ORM Frameworks in the financial services industry: key criteria
  • Oversight and Challenge? Avoiding antagonism for partnership building

Watch the ‘Risk Management Oversight: Good Practices and Challenges’ webinar now.

Innovative technology for robust enterprise risk management

Discover why global industry-leading organizations trust Active Risk Manager to support enterprise risk management best practice.