How enterprise risk management programs operate in organizations today

More than half of CEOs think their enterprise risk management program (ERM) program is not as effective as it should be, a LogicGate survey reveals.

Challenges for enterprise risk management programs

With companies experiencing an increase in risks and data breaches, it’s no surprise the report uncovered that 88% of CEOs think ERM is very or extremely important. However, while most companies have an ERM program in place, there’s little agreement as to what a successful program really looks like in practice, beyond the baseline features.

Fortunately, CEOs are beginning to understand the need for their involvement in their company’s ERM program with 66% wanting more involvement.

“It’s not a matter of if your company will face risk, it’s a matter of when, and which risks. Every business faces risks, and without a strategy in place, you are setting your company up for failure,” said Matt Kunkel, CEO, LogicGate.

“For CEOs to become more involved with ERM, they must integrate ERM in their business decision-making process and create a culture of risk. The responsibility of ERM does not fall only on the IT or compliance departments, it involves every employee and every department.”

The CEOs surveyed echo this sentiment, asserting a clear desire for increased visibility into risks and a quantifiable methodology for tracking and evaluating them.

Several CEOs lamented the “labor-intensive” process in their organizations and voiced a need for a “better understanding of what it’s costing us to mitigate risk.” They also recognize a need for “regimented” and “streamlined” methods of factoring risk into their overall business strategies.

Greatest concerns for CEOs

Looking ahead to 2020, CEOs are most concerned with risks in three categories: Strategic, Operational, and Macroeconomic risks.

• 1 in 3 CEOs see Strategic Risk as the “Biggest Potential Risk Concern.” Among Strategic Risks, risk arising from key business partners is most frequently ranked first.
• 1 in 3 CEOs are most concerned about Operational Risk. In this category, cybersecurity is the top concern due to the increase in cyber threats.
• Finally, of the CEOs most worried about macroeconomic trends, 1 in 4 are most worried about the threat of a recession. Global political instability was close behind.

Other key takeaways from the report

• CEOs at smaller firms are significantly less satisfied with their ERM programs, with 1 in 3 finding them not very or not at all effective.
• CEOs are the least satisfied with the ongoing monitoring of ERM, particularly firms with <$250M in terms of having risk KRIs tracked by a central team.
• About 3 in 4 CEOs rate their risk identification favorably, although fewer CEOs in the core industries of financial services, healthcare, and technology, media, and telecom report cross-functional team involvement.
• Information security leads ERM for 3 out of 10 CEOs, followed by finance, risk, and the board of directors.
• Most CEOs meet with their ERM leader at least weekly, or daily in larger firms.