News built for finance pros
CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.
Deciding which risks to worry about most may feel a bit like picking your poison. But it doesn’t have to be that way with the right approach to monitoring on management dashboards and reviewing them with executives and boards, according to AICPA’s newest State of Risk Oversight Report.
CFO Brew previously detailed the report’s unearthing of the disconnect between strategy and risk management. Another major conclusion from the report, which summarizes an AICPA and North Carolina State University survey of 377 organizations, is that companies don’t always have the right tools at their disposal for overseeing risk management.
One way to track evolving risks is to include key risk indicators (KRIs) on management dashboards. Yet, according to the report, “few organizations have robust reporting of [KRIs] that management can use to monitor shifts in risk conditions over time.”
There’s a wealth of historical internal data available in the modern economy that allows companies to create key performance indicators (KPIs) for just about anything, Mark Beasley, a professor at the Poole College of Management at NC State University and director of its enterprise risk management initiative, told CFO Brew. But there’s a problem with applying that same data to risk-monitoring efforts, he added.
A lot of risks “are emerging from external drivers,” Beasley, who is also a coauthor of the AICPA report, said. The inward-looking data KPIs use won’t capture the risk of things like competitor movements, shifts in customer demographics, or even the upcoming presidential election, he added.
“What is often missing is KRIs that are based on external, forward-looking trends,” Beasley said. “And a lot of companies get a false sense of confidence because they’ve got a management dashboard system; CFOs have a big dashboard they pull up every day to look at how [they’re] doing…Well, is that dashboard including a lot of external data that’s not about our performance, but about external drivers?”
Just under half (49%) of organizations provide business unit managers with specific guidelines or methods to “assess the probability and impact of a risk event,” according to the report. Approximately one-quarter (26%) of respondents described their KRIs as “mostly” to “extensively” robust.
Organizations generally use qualitative, rather than quantitative, approaches to assess risks, the survey found. Nearly six in 10 (59%) respondents said their risk assessments are more or mostly qualitative.