The Association of Financial Professionals released new data this week that revealed the threat of payments fraud continues to climb, particularly for large enterprises, as scams like ACH fraud and Business Email Compromise reach record levels.
But the latest analysis of U.S. chief financial officers and financial leaders suggests cyber and payments fraud aren’t necessarily on CFOs’ radars.
“The State of Risk Oversight: An Overview of Enterprise Risk Management Practices,” a new report released by the American Institute of CPAs (AICPA) and North Carolina State University’s Enterprise Risk Management (ERM) Initiative, surprisingly mentions cyber risk only a handful of times.
Indeed, the report concluded, high-profile data breaches and cyberattacks may be “causing some executives to conclude that their organization’s approach to risk management may not be as strong as they once perceived it to be.”
The proliferating variety of threats, coupled with rising expectations for risk mitigation, has forced companies to take a deeper look at their risk mitigation strategies, and over the years, the percentage of businesses that say they have a “mature” or “robust” risk management program has declined (from 25 percent in 2015 to 23 percent in 2018).
But cyberattacks and data breaches represent just one piece of the risk profile pie, and according to researchers, CFOs are prioritizing other threats facing the enterprise today.
Talent Management, Economic Disruption
Across all categories of organizations surveyed, managing leadership and talent needs emerged as a leading priority for financial executives. The report pointed to the U.S. market’s record-low unemployment and tight labor pool as a key factor behind this trend.
“With record-low unemployment, organizations may struggle to remain competitive as they seek to attract and retain their leadership in the workforce,” the report stated.
Nearly half (48 percent) of companies surveyed cited an extensive concern over managing talent needs, a figure that climbs for businesses with revenues beyond $1 billion.
Rounding out the top three risk concerns for CFOs are the impact of a fluctuating economy, including changing interest rates and currency volatility, and disruptive innovations that threaten a firm’s core business model.
While the report suggests that organizations may not be focused on cyber threats, researchers did not ask CFOs specifically about how they rank the risk of cyber events like data breaches. Further, the report said, a significant portion of CFOs reported that they have experienced some type of “significant operational surprise” in the last year, and analysts noted that cyber incidents could be among those surprises.
“Collectively, this data indicates that the majority of organizations (68 percent) are being affected by real risk events (e.g., a competitor disruption, an IT systems breach, loss of key talent, among numerous other possible events) in their organizations that have affected how they do business,” the report stated.
Maturing Risk Strategies
Because of the wide variety of risks threatening the enterprise today, from cyberattacks to talent loss to economic fluctuations, researchers concluded that businesses’ risk management strategies are insufficient. A full 14 percent of businesses surveyed said their risk management processes are “very immature,” while only 3 percent ranked theirs as “robust” and just 20 percent reported “mature” risk management oversight.
“That means risk management is not mature or robust for 66 percent of organizations, in a time period when respondents believe the risks are increasing in volume and complexity,” researchers concluded. “Is there a disconnect in how executives are thinking about their risk management needs?”
In a statement announcing the report, Mark Beasley, professor of enterprise risk management and accounting at North Carolina State’s Poole College of Management and director of the school’s ERM Initiative, said the era of lackluster risk management could be waning.
“That may be changing,” he said, “given [that] the majority of organizations have external stakeholders and boards of directors who are calling for more extensive management involvement in risk oversight.”