Enterprise Risk Management in the doldrums: If you’re only watching what you’ve been watching, you won’t see anything new...

This is the fourth post in a series where I bring you findings, questions and insights related to Enterprise Risk Management (ERM), derived from an extensive ERM survey conducted by the AICPA in conjunction with NC State University.  I highly recommend reviewing the findings, which are available in the “2023 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices - 14th Edition” by AICPA and NC State University, found at https://erm.ncsu.edu/library/article/2023-risk-oversight-report-erm-ncstate-lp.

Risk Identification and Assessment capabilities among Financial Services Companies exhibit low levels of maturity and sophistication.

Risk Identification and Assessment Processes:  Infrequent, Narrow and Qualitative

  • Only 40% of respondents update Key Risk Inventories annually; 24% don’t perform updates at all.
  • Although the current Risk “usual suspects” (including IT and Legal and Regulatory / Compliance) had more than 70% of respondents saying that they were addressed “Mostly to Extensively”, the corresponding numbers for Market, Strategic, and Operational risks were below 50%.
  • Although decision-makers prefer to use quantitative data to support decision-making, less than 30% of respondents claimed that they use a quantitative or mostly quantitative approach to Risk Assessment.

Risk Identification and Assessment Processes are at the heart of any Enterprise Risk Management program.  As baseball great Walter Johnson (RHP – Washington Senators) once said “You can’t hit what you can’t see.”  And according to the survey, companies have a lot of work to do on the “seeing” part of Risk Management.

One of the issues that the survey uncovered is that a significant majority of Financial Services respondents said that their companies rarely, if ever, update their Risk Inventories.  In the world of the 2020s, with new risks such as Climate Change, InsurTech adoption and GenAI, just to name a few, emerging at an accelerated rate, this is inadequate in terms of staying safe and having an early warning system that actually warns you. One can justifiably ask: “Do these companies even have a working ERM process?”

Not surprisingly, most respondents mentioned that their Risk Management processes cover the risk categories that are “top of mind” such as IT (downside risk is spectacular) and Legal / Regulatory / Compliance (whole departments usually manage these) quite well.  But in a continuing theme, less than 50% say the same thing about Market, Strategic or even Operational risks, all of which can quickly strike a significant blow to the company’s fortunes.

And finally, there is the issue of actually developing and deploying risk measures and indicators that are quantifiable vs. more qualitative in nature, as the latter are more difficult to define and rate consistently, whether it’s across business functions or across time.  And here, roughly 70% of the respondents reported that they use a mostly qualitative approach (which is better than nothing) or No Formal Assessments at all (which is nothing!).

What this all points to is that Financial Services companies have work to do in terms of updating their Risk Inventories so that they capture and manage emerging risks, broadening their focus beyond the usual Risk “Categories of Interest”, and trying to quantify most risks so that they can be measured, analyzed and help decision-makers take action. Companies making these investments will collect Risk Management dividends for years to come.

And even more importantly, these findings indicate the simple absence of a credible risk culture or sense of risk ownership that extends beyond a handful of individuals within the organization.  They are symptoms of a much bigger problem that organizations appear reluctant to address.   The CEO, CFO, and CRO must take ownership of ERM and make it a corporate priority.  It is always a good time to save your company.

In further posts, we will continue our discussion of the key elements needed to build your risk culture.  Please share your comments, reactions, and observations so we can help you accelerate your ERM evolution.
