Inside Internal Controls

News and discussion on implementing risk management

Time to wake up to risk reality


This is a post about news we should have known for a long time.

It’s time to recognize the truth about risk management.

For 11 years, the ERM Initiative at North Carolina University has surveyed executives (this year they were again all financial executives) about what they call “the current state of risk oversight processes in organizations of all types and sizes to obtain an understanding of the relative maturity of underlying activities executives and boards use to monitor the rapidly changing risk landscape”.

On April 1st, they published The 2020 State of Risk Oversight: An Overview of Enterprise Risk Management Practices – 11th Edition.

It is jarring to see how the authors continue to ask the wrong questions.

Consider how the Journal of Accountancy wrote about the study. This is their lead observation about the results of the study:

While concerns about risk, even before the virus outbreak, have not subsided, fewer finance executives were finding strategic value in their risk management processes. In 2016, 20% of respondents said they believed that risk management mostly or extensively provides strategic value. In the most recent survey, the number was 17% — a small drop, but still the third consecutive year of one-percentage-point declines.


These are finance executives, and you would expect more of them to see the value, if it existed, than others in the executive suite. In many cases, they are responsible for the risk management function! Other surveys, such as Deloitte’s, have reported much lower numbers. In fact, the numbers are declining even as practitioners arguably become more sophisticated.

Yet, the authors of the study persist in talking about the maturity of a program that, where it exists, is not seen as adding strategic value! They have this damning point sixth on their list of key findings.

Ask yourself why so many companies are not investing the resources and attention to bring their risk management program up to what the authors reference as mature.

I believe that executive teams are failing to invest in fully mature ERM programs and directors are not discussing the results of such a program because it is separate from how they run the organization for success. That is clear when risk discussions are distinct, even with different people, from strategy and performance discussions.

Practitioners and board members, ask each of your executives whether risk management at your organization is providing significant strategic value, whether it makes a marked and important contribution to the development and execution of strategies and achievement of success.

If they say no (or fail to enthusiastically say yes), ask why not. Listen and then make sure they get what they need.

If they say yes, make sure you are asking them whether risk management contributes to their decision-making and success, not whether it has ‘value’. It should have value, even if that is limited to satisfying the regulators and avoiding (some) harms. If they continue to say yes, then celebrate and tell us all what you did differently.

Yes, there are areas where traditional risk management is the right thing to do. For example, it is essential in project management, safety management, and the management of a financial portfolio. But putting together a list of top risks for the organization as a whole, and the idea that you need to manage risks, should be something done to satisfy the regulators, not how you run the business.

As for academics and consultants, PLEASE STOP preaching what doesn’t work: traditional risk assessments and reporting. START understanding what leaders of the organization need and how it can be provided efficiently and effectively. How can so-called risk practitioners help the organization increase the likelihood of success?

Where do you stand?

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.