ERM has a noble and ambitious goal: to facilitate the consistent identification, assessment, response to and communication of all critical risks facing an organisation, regardless of those risks’ nature or origin.
Understandably then, expectations amongst organisational leadership teams, regulators and other stakeholders are high. Meeting these expectations is, however, a tough ask for most Heads of Risk / Chief Risk Officers (termed ‘Risk Leaders’ throughout the remainder of this report). Results from recent studies confirm this: the vast majority of board directors do not believe their organisations have a highly effective risk management strategy.
Why is this? Why does ERM so often struggle to find pride of place in C-suite and board agendas, and fail to have a meaningful impact on the business, often viewed as a standalone process, or worse still, a compliance ‘box-ticking’ exercise?
A sensible place to start is with a basic question:
Does ERM add value?
Of course, logically it seems to make sense that a more proactive, anticipatory, risk-aware organisation would outperform a more reactive and stagnant competitor.
And anecdotally, we have seen many case studies where companies have benefited, tangibly and commercially, from a more developed approach to better managing and exploiting risk.
But what about empirically? If ERM truly helped an organisation better navigate uncertainty, we would expect to see the share price of companies with a more mature approach to risk management outperform those with a less developed approach. Do we? Yes – an independent, peer-reviewed research project published in The Journal of Risk and Insurance by Dr Mark Farrell PhD and Dr Ronan Gallagher PhD showed that:
“Organisations exhibiting mature risk management practices realise a valuation premium of 25%”
According to Farrell and Gallagher (2014), “This independent research project provides strong evidence for the value connection of mature enterprise risk management practices in organisations… For companies seeking to improve total shareholder return vs. a peer group… ERM should be a key weapon in those organisations’ armoury.” We believe the same principles demonstrated to have helped generate additional total shareholder return can be applied to drive wider stakeholder returns too.
The above research paper, like all studies, does have certain limitations, such as the fact it is dependent on self-reported maturity scores from the companies themselves. That said, it does appear to confirm the results of other, similar studies such as:
“The value of ERM: Evidence from the U.S. Insurance Industry” (Hoyt and Liebenberg, 2008), which found insurers with ERM programmes are valued approximately 17% higher than other insurers; and
“Does Enterprise Risk Management Increase Firm Value?” (McShane et al., 2011), which found evidence of a positive relationship between increasing levels of risk management capability and firm value.
So logically, anecdotally and empirically Risk Leaders with mature ERM frameworks can think of themselves as being on very solid foundations. They should be confident when negotiating for resources and investment and look forward to delivering and discussing their risk reporting with executive committees and boards, carrying with them a deep sense of certainty that they are contributing to the success of the business.
With this evidence appearing to support the premise that ERM does, in fact, add value, it begs the question:
Why is this potential value not always achieved and/or perceived by leadership / the business?
Despite its potential, ERM often lacks senior stakeholder buy-in and support. It can, at times, feel like a frustrating, uphill battle for Risk Leaders, with engagement in risk assessment meetings low and a conspicuous silence when requests are made of the business to update their risk registers.
Reflecting on our experience of helping over 100 companies develop their ERM capabilities, we have diagnosed five core root causes which we believe answer why there is often this perceived lack of value:
1) Misperceptions and confusion amongst the business population at large, driven by ERM still being relatively nascent in its development
ERM is still a relatively new discipline. It only entered the business vernacular in the early 2000s, with widespread adoption not really happening until the 2010s. In contrast, areas of ‘traditional risk management’ (for example, insurance, health and safety, financial audit etc.) have been around for many decades or, in the case of insurance, several centuries. As a result, ‘ERM’ can often be seen, incorrectly, as synonymous with one or several of these other risk management activities.
The full scope of ERM is therefore not always appreciated, nor is its focus on linking risk with strategy and balancing risk and reward. For example, some companies (mis-)perceive ERM as merely a compliance requirement, or as being limited in scope to relatively easily quantifiable financial risks, and not applicable to their data-poor (and often far more material) cousins, such as ‘strategic’ risks.
2) A still maturing code of good practice, driving the inheritance and perpetuation of flawed fundamentals in framework design
ERM is in many ways akin to an adolescent: it is still figuring out who it is and how it fits into the (commercial) world.
For example, there remains no single agreed-upon definition for ERM. Bromiley et al (2015) found some 25 different definitions, ranging from the impressively jargonistic ‘a truly holistic, integrated, forward looking process’ to the eclectic ‘an umbrella for a world-level organisational model’…
Unfortunately, the 25 different definitions are only the beginning of the divergence in practices. The development of several international standards (e.g. ISO 31000 and COSO ERM), as well as a multitude of guidance from industry associations (e.g. IRM, AIRMIC, RIMS, ALARM, FERMA, CIRMA, IIA to name a few), are well-meaning attempts to shape and influence what ERM is and how it should operate. But the result has also, to a degree, been contradiction and confusion, with some publications being overly mechanistic and ‘cookie cutter’, which makes them impractical as frameworks for organisations attempting to implement ERM without significant adaptation.
3) A lack of integration of risk activities with other business processes, driven by an under-appreciation of the scale and complexity of developing a new ERM programme
As we note above, the goal of ERM is an ambitious one. Achieving it is complex and multifactorial. Despite many Risk Leaders’ best endeavours, it can be overwhelming and, understandably, often results in a compromised system implementation with diluted outcomes.
Designing, building and rolling out an effective ERM framework is a complex change management project, requiring careful stewardship, judgement and skill. It therefore typically requires a significant investment over the course of several years and the deployment of skilled resources to fully achieve its potential.
4) A lack of sufficient senior management attention and sponsorship, driven by, for example, ingrained biases, cultural resistance and a shortage of bandwidth
In our experience, senior management teams can often become jaded by risk management, perhaps as a consequence of the above three points driving negative experiences.
They can see risk management as a mandatory bureaucratic exercise, and if asked honestly whether they would engage with the risk management process if they did not have to, the answer would be ‘probably not’.
Others may underestimate the amount of risk the business is exposed to, driven by optimism bias, and therefore not believe risk management to be required. Others may simply resist the additional scrutiny and/or accountability formalised risk management processes may introduce.
Senior support and sponsorship is, in our view, the single most important critical success factor in how ERM systems / Risk Functions will perform. If Risk Leaders do just one thing to improve their chances of success, we recommend focusing on getting senior stakeholders ‘on board’.
5) Lack of sufficient investment in resources, and challenges in finding team members with the requisite skillset, gravitas and calibre
Following on from point four above, leadership teams are understandably reluctant to commit significant investment in the Risk Function if they do not fully support it, or see the value in it.
In addition, and owing to the fact that ERM is still a maturing discipline, it can sometimes struggle to attract ‘top performers’ seeking new roles, whether that be graduates, internal transfers or external hires. Perhaps that will change over time, but for now, in our experience, Risk Leaders often struggle to find team members suitable to help them deliver the ambitious goals ERM sets out to achieve.
Too often, ‘re-badged’ generalists act as risk experts. While we of course support career development and change, it is often a significant risk (so to speak) to solely rely on a non-risk specialist for such a highly demanding role, especially if they are engaging with the leadership of the organisation.
Risk professionals must first master the key techniques of risk management and focus on what really matters and what works in practice. The minimum technical skills may include: being able to rapidly review and analyse large reams of disparate data for salient information; characterising identified risks in an accurate and coherent risk description; objectively assessing (and justifying logically) the potential severity of a risk; crafting practical and, crucially, feasible risk response plans; and performing additive risk analyses, including, for example, bow-tie, scenario and correlation analysis. Increasingly, being savvy with technologies such as AI is also becoming a core competence.
In addition to this technical ‘table-stakes’ expertise, risk professionals must also possess a broad array of interpersonal and communication skills, including: interviewing and productively engaging with senior leadership; facilitating interactive and interesting group workshops; writing impactful reports; managing time appropriately to solve problems efficiently; and persuading / influencing others in selling the benefits of risk management.
This is a tall order, and individuals with the requisite skills are in short supply.
So how do Risk Leaders respond? What can they do to help realise the latent potential in their ERM systems?
Unfortunately, there has been, to date, only limited help and support available for Risk Leaders to navigate these core challenges. As discussed above, the guidance made available by the industry (and consultants) can be too simplistic / turgid / generic to address bespoke needs and cultures. This issue is compounded by the seemingly ever-increasing expectations of stakeholders, and an external environment which is continually evolving and becoming more complex and interconnected, resulting in new risks emerging and the impact of many existing risks becoming more severe.
Having seen hundreds of ERM programmes up close and personal, we offer below 10 guiding principles which we see as common attributes of ERM frameworks that are recognised as adding meaningful value to their organisations. We hope these will help you, as a Risk Leader, realise ERM’s potential in your organisation and, in so doing, exceed your stakeholders’ expectations:
1) Be absolutely clear on the scope, vision and value proposition of ERM in your business, and where necessary, re-position ERM and the role of Risk Leader as a strategic-level discipline / position (rather than a compliance activity / job) - this may require endorsement and promotion by leadership.
2) Be an unapologetic advocate for ERM, fostering enthusiasm across the organisation. If you, as the Head of Risk / Chief Risk Officer, do not believe in its value or are overly apologetic about it, how do you expect the rest of the business to buy in?
3) Share your vision and enthusiasm broadly and particularly with senior stakeholders, framing ERM as a decision-support tool and helping to ‘recruit’ these individuals as key proponents and supporters of risk across the organisation. Have them carry your message into their respective teams and areas of the business, and design ways for them to showcase their support, particularly in front of large audiences wherever possible (e.g. townhalls).
4) Review and revise where necessary the fundamentals of the ERM programme to align with good practice standards. This is one of the foundations upon which the success or failure of the Risk Function will be determined. For example, the whole organisation should use the same risk ‘language’; risks must be described clearly and concisely and measured using relevant, consistent and objective criteria; there should be a single point of accountability for each risk; and significant controls and mitigations should be captured and their effectiveness determined.
5) Ensure the key risk processes (e.g. annual risk assessment cycles) are user-friendly, yet robust, and that they are widely understood and adopted throughout the organisation. Avoid the perception of risk being about bureaucracy and a one-way street in terms of reporting, such as when risks which have been submitted by business units are seen to go into a ‘black box’.
6) Risk reporting and other outputs must be designed in a way which is accessible, focused and action-based, leverages available data, remains fresh and interesting, and is aesthetically pleasing. Risk reporting should help to encourage debate and engagement, and ultimately improve management’s decision making.
7) Integrate change management support throughout the project when rolling out a new framework, including sequencing activities appropriately and ensuring stakeholders are trained on ERM, informed of what to expect and clear on their role and contributions.
8) Train or hire for soft skills, as well as technical skills. Possessing sound technical knowledge is critical in order to be a successful risk professional, but the ability to successfully engage with the business on terms that resonate with them, to facilitate group discussions effectively and to influence and interest senior individuals is equally, if not more, important.
9) Measure and demonstrate the impact of the ERM programme in supporting the success of the business by, for example, comparing the volume of incidents, near misses or losses before and after the ERM roll-out, levels of transparency in risk disclosure, and/or comparing the relative impact of industry-wide events on your company vs. competitors who have less mature ERM programmes.
10) Maintain momentum throughout the year and on an ongoing basis with a continual focus on ERM’s evolution and improvement to ensure the programme keeps pace with the business and external developments (e.g. regulatory change), and share fresh risk insights to sustain interest within stakeholder groups.