July 25, 2023

2023 State of Risk Oversight Survey Results

By Amy Wares, CPA, MBA, Enterprise Risk Management Specialist

The 2023 State of Risk Oversight Report CoverManaging risk is more challenging than ever. New research reveals that not-for-profit organizations are responding by expanding their risk management practices.

On July 11, 2023, the Enterprise Risk Management (ERM) Initiative at NC State University published the 14th edition of its annual State of Risk Oversight report in partnership with the American Institute of Certified Public Accountants (AICPA). This report presents benchmarking data on over 40 aspects of risk management practices and processes. The data was collected from 454 survey respondents; 121 of which represented not-for-profit organizations, which includes nonprofits, universities, and government agencies.

Key takeaways include:

  • The number and complexity of risks are both increasing. The study finds that the volume and complexity of risks organizations face remain significantly higher than pre-pandemic levels. Sixty-five percent of all organizations report that the volume and complexity of risks have increased “mostly” or “extensively” in past five years. This figure is significantly higher for not-for-profit organizations (72% compared to 62% for for-profit organizations).
  • Not-For-Profit senior leadership is paying attention. Seventy-seven percent of not-for-profit organizations report that senior leaders are “somewhat,” “mostly,” or “extensively” calling for enhanced risk management processes, a slight increase over last year’s 74%. There is indication that risk management is becoming more formalized, with 64% of not-for-profit organizations responding that they have a management-level risk committee, up from 56% last year. It is most common for these committees to meet quarterly (43%) or monthly (34%), though some meet semi-annually (8%).
  • Not-For-Profit boards are also becoming more engaged. The percentage of not-for-profit organizations responding that they formally report top risk exposure to their board of directors increased substantially from 57% in 2022 to 70% in 2023. Of these organizations, about half report top risks annually (53%) and half more frequently (36% quarterly and 11% at every meeting). Sixty-three percent of not-for-profit organizations limit the top risks to fewer than 10 with 26% reporting 10-19 and only 11% of organizations reporting 20 or more risks.
  • There is opportunity to strengthen the link between risk and strategy. Risk discussions tend to be focused on the short term with only 22% of not-for-profit organizations reporting that their risk management process “mostly” or “extensively” engages management in thinking about long-term risks (5-10 years out). There is considerable opportunity to improve risk management’s role in supporting strategic goals. Only 14% of not-for-profit respondents believe that risk management “mostly” or “extensively” provides strategic advantage.
  • ERM in not-for-profit organizations is still developing. Only 25% of not-for-profit respondents report that their risk management oversight is “mature” or “robust.” This is a significant increase from 16% in 2021, but insufficient given their level of risk aversion. Sixty-one percent of not-for-profits describe themselves as “risk averse” or “strongly risk averse.” This gap indicates a disconnect between desirable and actual risk management capabilities. The most cited barriers to effective ERM are competing priorities (55%) and insufficient resources (52%).

GRF Can Help

We offer extensive Enterprise Risk Management services, and have numerous ERM resources for you, including the whitepaper Getting Started with Enterprise Risk Management: A Guide for Nonprofits.

GRF specializes in serving nonprofits, schools, and associations so we understand how to develop and adapt ERM policies, processes, and resources to help you maximize the benefits of ERM while keeping cost and staff time requirements to a minimum. If you would like a complimentary consultation, please contact us online, or reach out to us directly at the contact information below.

Amy Wares, CPA, MBA

Enterprise Risk Management Specialist

Melissa Musser, CPA, CIA, CITP, CISA

Partner and Director, Risk & Advisory Services