Here’s a paragraph Michael Rasmussen, President of Corporate Integrity, published in the LinkedIn Enterprise Risk Management Association discussion group, that I thought should be re-posted. The sentiment closely resembles the final paragraph in this recent post by your Riskczar.
The fact is that I have encountered very few ERM programs that are ERM. Most are nothing more than an expanded view of SOX. This is unfortunate. I have been working on extensive research this past year on risk culture as well as the relationship of risk to performance management (along with Thomas Davenport, performance management guru of Babson College, and Sanjay Poonen of SAP). After going through a few thousand companies, we have found fewer than two dozen that have a mature risk management program, a strong understanding of risk culture, and a relationship of risk to performance management. These few are the solid ERM programs, and they come from a range of industries.
Unfortunately, risk management is done poorly in most organizations in the US. My research has determined that Australia, South Africa, and much of Europe are more mature in risk management – particularly as an integrated component of business. SOX has added to this, particularly as much of finance/accounting/audit have taken on ERM in the US and it is just a slightly expanded view of financial controls in most companies and not a true view of enterprise and operational risks.
I agree that there has been growth and improvement in risk management in the US. But it is only moderate growth with A LOT still to be desired. Most US organizations, including the large companies in your reference, suffer from a poor understanding/definition of the scope of ERM. It is rare (underscore rare) that it is actually linked to corporate performance, strategy, and objective management. A clear understanding and management of risk culture within the organization is often in shambles.
We have made progress – but still have a long way to go.