
New Report from Baker Tilly and Internal Audit Foundation Reveals Gaps in Enterprise Risk Management Maturity, Calls for Closer Internal Audit Collaboration

The joint report emphasizes a need for enhanced risk oversight through tighter audit integration

LAKE MARY, FL (June 9, 2025) – A new report from Baker Tilly and the Internal Audit Foundation (the Foundation) reveals organizations have opportunities to increase enterprise-wide risk awareness. The report outlines practical steps to advance enterprise risk management (ERM) maturity, such as fostering closer collaboration with internal audit and implementing more consistent risk assessment practices.

Based on a comprehensive survey of 567 professionals, the report highlights significant progress organizations have made in implementing ERM programs. Since 2010, the share of organizations with complete ERM processes in place has grown nearly fourfold – from 9% to 34% in 2023. Driven by an increasingly complex risk landscape, the global risk management market is expected to more than triple in size from $9 billion in 2025 to more than $32 billion in 2033.

Despite this momentum, opportunities exist: fewer than half of respondents (49%) say risk awareness resonates within their organization, while only 6 in 10 agree that risk intelligence is used in organizational strategic planning.

Benchmarking data on current ERM practices offers valuable insights into how risk functions can better align with strategic decision-making. The report identifies several key strategies to enhance ERM maturity.

Strengthening Collaboration and Communication with Key Risk Teams

While 60% of survey participants share risk information across compliance, risk, and internal audit functions, half report that coordination only occurs during annual risk assessments. Roles and responsibilities across risk functions remain informal or insufficiently communicated, with roughly a third (36%) reporting agreement on common taxonomies.

Complementary research from the Foundation revealed chief audit executives (CAEs) are often responsible for one or more areas outside of internal audit, such as ERM programs. This underscores the need for greater collaboration and risk awareness across organizations.

In addition, the report outlines ways to strengthen collaboration and communication between ERM and internal audit without compromising independence. These include establishing a greater cadence of risk meetings, creating specialized committees for key risk areas, and cross-functional knowledge-sharing, including reciprocal training programs.

“Organizations today face an extraordinary level of disruption and risk volatility from geopolitical instability, the rapid advancement of AI and emerging technology, and trade-war-driven economic uncertainty,” said Anthony Pugliese, President and CEO of The Institute of Internal Auditors (The IIA). “In this dynamic risk environment, ERM and internal audit must work in lockstep to proactively identify emerging risks and embed risk intelligence into strategic business planning. Our research highlights the growing need for stronger collaboration and communication between internal audit and ERM as both functions continue to evolve and increase their impact.”

Establishing Consistent and Timely Risk Assessments

Nearly a quarter of respondents have not conducted a risk assessment in the past three years, citing insufficient resources and lack of leadership as primary reasons. Further, few organizations (just 25%) align these assessments with the business planning cycle and less than 40% say that ERM insights align with overall risk management efforts.

To increase ERM effectiveness, Baker Tilly and the Foundation recommend annual risk assessments for most organizations and suggest ERM managers integrate risk assessments into existing business planning along with a stronger focus on measuring risk mitigation to identify areas for improvement.

Leveraging New Technology

ERM programs have substantial opportunity to improve technology adoption. Nearly 60% still rely on basic tools such as word processing and spreadsheets, while only 21% report using governance, risk, and compliance (GRC) platforms.

To close the gap, Baker Tilly and the Foundation recommend positioning internal auditors as ‘technology advocates’ to help educate on the benefits of GRC platforms and introducing basic automation tools to kick-start wider adoption.

“This report offers a practical roadmap for organizations looking to elevate their ERM capabilities,” said Corey Parker, Principal at Baker Tilly. “By benchmarking against peer practices and pinpointing areas for improvement, risk leaders can take focused steps to enhance performance, deliver greater stakeholder value, and strengthen board engagement.”

Baker Tilly and The Internal Audit Foundation, together with The IIA, are committed to continuing to deliver guidance to risk practitioners as they navigate an evolving risk landscape and work to establish greater collaboration between ERM and internal audit. The full report is available here.

Methodology

The Baker Tilly and Internal Audit Foundation ERM Maturity Assessment Survey was conducted from January 07 to February 07, 2025. Respondents primarily came from organizations headquartered in North (59.8%) and Latin America (18.3%), with the remaining from the Asia Pacific (9.2%), Europe (7.2%), Africa (5.1%), and the Middle East (0.4%).

About the Internal Audit Foundation

The Internal Audit Foundation is the preeminent global resource, in strategic partnership with The IIA, dedicated to elevating and empowering the internal audit profession by developing cutting-edge research and programs. The Foundation helps current and future internal auditors stay relevant by building and enhancing their skills and knowledge, ensuring organizations are equipped to create, protect, and sustain long-term value.

About The Institute of Internal Auditors and the Internal Audit Profession

Internal auditing is an independent, objective assurance and advisory service designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

The Institute of Internal Auditors (The IIA) is an international professional association that serves more than 260,000 global members and has awarded more than 200,000 Certified Internal Auditor (CIA) certifications worldwide. Established in 1941, The IIA is recognized throughout the world as the internal audit profession's leader in standards, certifications, education, research, and technical guidance. For more information, visit theiia.org.

About Baker Tilly (bakertilly.com) 

Baker Tilly is a leading advisory, tax and assurance firm, providing clients with a genuine coast-to-coast and global advantage in major regions of the U.S. and in many of the world’s leading financial centers – New York, London, San Francisco, Seattle, Los Angeles, Chicago and Boston. Baker Tilly Advisory Group, LP and Baker Tilly US, LLP (Baker Tilly) provide professional services through an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly US, LLP is a licensed independent CPA firm that provides attest services to its clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and business advisory services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities are not licensed CPA firms. 

Baker Tilly Advisory Group, LP and Baker Tilly US, LLP, trading as Baker Tilly, are independent members of Baker Tilly International, a worldwide network of independent accounting and business advisory firms in 143 territories, with 43,500 professionals and a combined worldwide revenue of $5.62 billion. Visit bakertilly.com or join the conversation on LinkedIn, Facebook and Instagram.

Media Contact

Sarah DuBois

Sarah.dubois@theiia.org

952-688-2588

Ally DiGiovanni

AlidaD@lansons.com

332-282-3423
