The Enterprise Risk Management Report by BDO, in partnership with the Australian Institute of Company Directors (AICD), found that only 6.2 per cent of organisations have formalised risk appetite statements that were documented in policies and procedures, supported by thresholds that establish parameters for specific risks.
Almost 20 per cent of organisations have no formal risk appetite statement, with 74.4 per cent having a partial risk appetite approach or position.
BDO partner Marita Corbett said the survey highlights the need for boards to implement strategies to cope with incoming risks.
“In an age where disruptive forces - particularly technology - can no longer be ignored, organisations need to have the capacity to change and experiment. And that means they have to take on some risk,” said Ms Corbett.
“In terms of challenges over time, understanding and education of risk appetite is improving gradually, yet still remains the most difficult to implement. Years one and two are especially hard for organisations, as the integration of risk appetite with strategies and practices becomes a reality.”
The survey also found that publicly listed and not-for-profit organisations have the highest level of maturity, while federal, state and local governments - as well as private organisations - have a lower overall maturity level.
Ms Corbett said organisations will get a much better handle on their risk when a top-down approach is taken, in which all the layers of an organisation are included.
“For boards, this means it is essential to take the time to understand their organisation's culture in creating successful risk appetite approaches. Improving reporting to the board to give it a better grasp of the disruptive forces and the risks the business is willing to take to meet that disruption will also be important,” Ms Corbett said.