According to the study, companies do not have just one predominant risk today -- rather, they face a range of risks. The most significant risks relate to information systems and IT security, customer satisfaction, activities of the competition, and legal and regulatory issues.

Most companies are taking at least some steps to improve, according to the study. Sixty-five percent of respondents report their companies are planning to make changes to their risk management capabilities during the next two years. These efforts include enhancing their organization's ability to identify potential risks through implementing better technology and hiring more qualified staff.

"Rather than the current tendency to approach risk management in an ad hoc manner, companies should adopt an enterprisewide approach," said Everett Gibbs, managing director for Protiviti. "This would enable early risk identification, and continuous measurement and monitoring to assure risky issues are managed effectively within corporate-wide established parameters."

Other findings of the survey:

• 43 percent of executives consider financial reporting and Sarbanes-Oxley Section 404 compliance to be very significant risks.
• 49 percent tie business success to client satisfaction, believing potential weaknesses in this area pose a very significant risk. Executives said the following risks affect their company's ability to sustain customer satisfaction: operating performance; materials procurement; business continuity; and fraud matters.
• 45 percent of executives cited information systems and IT security as potential areas of vulnerability.
• A handful of executives have already deployed certain risk management controls, listed in the table here:

Procedure % that have deployed procedure Risk assessment process 38% Oversight by a risk management executive committee 38% Common language and uniform standards 39%