A new survey of 230 financial executives says companies recognize the importance of enterprise risk management, but fall short when it comes to implementation.
A majority of executives — 58 percent — reported that their company has an enterprise risk management approach and philosophy that considers various interactions among different types of risk. And 68 percent of those polled said their CEO is placing greater emphasis on the management of all types of risk.
However, the survey, conducted by Oversight Systems, suggests that progress has been mixed, and, in some cases, has slipped.
Just 33 percent of financial executives said their company has formally trained executives and business line managers to assess the probability of various types of risk, down from 35 percent in the prior year’s survey. Likewise, just 41 percent of financial executives said their company has a widely communicated definition of risk, down from 45 percent in 2005.
“Financial executives and businesses are beginning to embrace the concepts of enterprise risk management, but implementation and effectiveness are still in their infancy,” said Mark S. Beasley, professor of accounting and director of the Enterprise Risk Management Initiative at North Carolina State University. (Beasley, whose comment appeared in the survey report, is an adviser to Oversight Systems.) “While a majority say they take a top-down approach to risk management,” he said, “many are not very sophisticated in their risk-management abilities.”
Even so, a large majority (85 percent) of finance execs did report enterprise risk preparedness in 2006, up from 78 percent in 2005.
“After completing their exhaustive work to comply with Sarbanes-Oxley, individuals should feel confident in their controls that address enterprise risk,” Oversight Systems CEO Patrick Taylor said in the report. “However, risk management must be implanted across organizations, and forward-thinking companies are examining the role of technology to facilitate enterprise risk management in their day-to-day operations.”
Who is in charge of risk within most companies? According to the report, 86 percent said a senior executive has explicit responsibility for overseeing the management of all risk across the enterprise. The CFO, however, is clearly the most likely go-to person, named by 44 percent of the survey’s respondents. The CEO was singled out by 20 percent, and 8 percent named the chief risk officer.
“With Sarbanes-Oxley, we’ve seen a big shift away from the finance-oriented CFO and back toward the accountant CFO, but this survey shows that your CFO can’t just be a bean counter. Your CFO must also understand risk management,” said Dana Hermanson, Dinos Eminent Scholar Chair of Private Enterprise at Kennesaw State University. Hermanson is also an adviser to Oversight Systems.
The report also stressed that risk management is working its way into Sarbanes-Oxley compliance. Nearly one-third (30 percent) of financial executives surveyed said their internal-controls audits employed more of a risk-based approach to evaluating control effectiveness.