Risks Confronting Boards 2016 - Enterprise Risk Management

March 20, 2017


In prior surveys, directors were asked if their organizations had implemented an enterprise risk management ("ERM") program. The responses had not shown overwhelming adoption of this approach to risk. This year reflects a similar sentiment:

ERM needs to be viewed as a long-term process, not a project, with buy-in from the top down. Each year, as you adopt it, you continue to reevaluate the process to ensure you're realizing the overall value of ERM. In some cases, the value can be that you mitigated a significant risk. An example could be that your company has the ability and is prepared to quickly respond to a cybersecurity incident. The inverse, and another benefit, is that you can see opportunities in an ERM process which would otherwise have been missed, such as investing in a product or service in an underserved market. ERM can allow you to gauge where to allocate your resources, directing them to the areas that pose the most risk and opportunity. It's never too late to start.


Does your organization have/follow a comprehensive enterprise risk management program?

Across the 3 board types, those who responded "no, we do not have a program" rose 22% from 2014. Those who responded "yes, we have a comprehensive program that is fully implemented" decreased 24%. When breaking out these results by board type, the majority of public and private organizations have some sort of ERM program in place, while not-for-profit organizations do not. Next year, we plan to further explore why there has been a shift away from ERM programs, particularly if there were concerns about the value of the investment.


Internal audit can and should be seen as a resource to help address and manage risk. We ask directors about their internal audit programs year after year. How does your organization compare?

Does your organization have an internal audit function?

Does your organization have an internal audit function? - Public Companies
Does your organization have an internal audit function? - Private Companies
Does your organization have an internal audit function? - Not-for-profit Organizations

Internal audit needs to go beyond SOX 404(a) compliance and be used to help the board understand risks embedded in the organization.

Chief Risk Officer

Size of internal audit team

Across all 3 organization types, internal audit functions (either in-house or co-sourced) have increased since 2015. For the majority of organizations, the size of the internal audit team overwhelmingly falls in the 1-5 people range.

Are boards looking to make any changes to the internal audit function?

As the number of organizations growing their internal audit functions increases, it makes sense that 40% of respondents indicate they are also prioritizing strengthening the skills of this function. While public and private boards have indicated a steadily decreasing need (over the past three years) to grow their internal audit staff, not-for-profits have demonstrated growth, increasing the number of staff since 2014.

Given the stabilization of the role in public and private organizations and the continued growth in not-for-profits, we asked what, specifically, these organizations are assigning to the internal audit function:

Which one of the following options would you use to describe the focus of your internal auditors?

Overall, 71% of respondents indicated that internal auditors focus on internal controls over financial reporting or operational audits.

Public boards rely heavily on internal audit to address many different risk concerns (e.g., risk, security and financial/operational audits) and almost half of public boards are not proposing any changes to their internal audit function. This, again, leads us to ask the question: Does internal audit have the bandwidth to sufficiently address the risks that face these organizations?


Concerns About Risks Confronting Boards - 2016 Survey Results
