Time after time, surveys show that the vast majority of risk management programs are neither mature nor effective in providing the information the board and other leaders need to manage and direct the organization to success.
For example, the latest survey from the ERM Initiative at North Carolina State University and the AICPA says:
In today’s rapidly evolving risk environment, most organizations still fall short. Only 11% say their risk processes offer a strategic edge.
Whose fault is that?
There are many you could blame for this failure to provide leaders and decision-makers with all the information they need, including:
- The Chief Risk Officer, if there is one. But first ask whether there are strong mitigating factors that should reduce their sentence, such as:
- Mandates imposed by the regulators
- Budgetary and other resource constraints imposed by top management with the approval of the board
- Their lack of experience and training in effective risk management. Maybe all they know is how to develop a list of risks. Is that entirely their own fault when that is the expectation from the board and CEO?
- Direction from the CEO with the support of the board that limits what they do to developing a periodic list of risks
On the other hand, if the CRO doesn’t know how their program should be improved and made…
