COSO recently issued a report on ERM titled “Current State of Enterprise Risk Oversight and Market Perceptions of COSO’s ERM Framework”. The 460 respondents to the survey were mostly from the US and are member organizations of COSO.
The results reveal a few useful trends that depict the status of ERM within organizations. Here are some high-level findings from the report.
- Just 3.4% of the respondents considered their organization’s ERM process very mature, while 14.5% of respondents described the process as very immature. The rest checked the three levels in between. The information shows that risk management in most organizations is far from satisfactory.
- A little over a quarter (28%) of the respondents described the current stage of ERM implementation within their organization as “systematic, robust and repeatable”. A majority (60%) stated that risk tracking is informal, and 12.5% declared that there is no formal process for risk tracking. The results show that most organizations are still not geared towards formally tracking and addressing risks.
- About one-third (36.6%) of respondents confirmed that their board had assigned an appropriate level of risk oversight to a board risk committee. In comparison, 52.2% stated that the board had not formulated a proper risk oversight committee. However, 48% of respondents mentioned that the board had assigned risk oversight responsibility to a senior executive. The results indicate that more than half the boards have not established formal risk oversight committees and that board members prefer assigning the risk management responsibility to a single senior person.
- A little less than half the respondents (44.8%) stated that management regularly reported top risks to the board. In contrast, 37.3% acknowledged that management reports minimal or no risks to the board on a scheduled or regular basis. The data illustrates that a significant percentage of senior management has limited access to information about risks.
- Nearly one-third (30.1%) of respondents agreed that they possess good, structured processes to identify and manage strategic risks within the organization. In comparison, 44.4% had no or minimal processes to assess strategic risks. This signifies that organizations are still not focusing on determining and mitigating their strategic risks.
- About a quarter (24.9%) of respondents confirmed that management and the board regularly monitor a set of key risk indicators. However, 50.3% indicated a lack of sufficient monitoring. The data points out that some boards and management are not focused on monitoring risks regularly.
The results given in the report clearly show that despite the downturn in the US economy, some organizations have not learnt much from the financial crises with respect to risk management. A significant percentage of organizations lack focus in risk management, and some boards do not consider it a priority.
To read the full report, click here (PDF). I welcome your views on it.