Some organisations may be questioning the value of enterprise risk management (ERM), particularly in the light of the recent financial crisis. But Eddie McLaughlin says that ERM provides significant – and measurable – benefits

Risk managers will be aware that ERM is not a new concept. It’s been around for some time under various guises. These include ‘holistic risk management’, ‘enterprise wide risk management’, ‘strategic risk management’ or just plain old ‘risk management’.

The variation in terminology can be confusing but nonetheless most of us know what we mean by ERM – and this despite the fact that it has no universally accepted definition. At Marsh, we tend to use the following: ‘a structured and disciplined approach that supports the alignment of strategies, processes, people, technology and knowledge with the purpose of evaluating and managing the uncertainties and opportunities that an organisation faces as it creates value.’ That’s quite a mouthful but what it actually boils down to is about making sure you link ERM to strategic decision making in order to build economic value.

It’s important to realise that the definition is not the same as the processes. Risk management processes include identifying, evaluating controlling and monitoring risks. These are integral but they are not ERM itself rather the framework that supports the delivery of ERM. You can carry out all these processes and still not achieve effective ERM as this requires more qualitative and behavioural aspects of organisational change.

If we take the view that ERM is ultimately about improving the likelihood of successfully achieving strategic objectives and driving value in the organisation, it’s difficult to suggest that this pursuit is not important. There cannot be any organisation that would not want to maximise its chances of success, improve the way it makes decisions and be at the top quartile of its peer group in terms of shareholder returns because it has reduced volatility by managing its risks better.

The difficulty of course lies further down. How do we implement ERM? What resources do we have? To what extent can we prove the economic value - in a positive rather than a negative way? Traditionally, risk management has been about preventing bad things happening rather than improving the chances of good things happening.

Like many of my peers, I believe that we have to make the move away from a downside only view of risk. There are already signs of this happening. We are seeing a significant move away from the pure compliance aspect of risk management, ticking boxes and ensuring governance. The most common request in organisations now, from the C-suite in particular, is akin to ‘show me the money’. How can we prove value? What is the return on equity, what is the net impact? Enlightened organisations know that good risk management means good corporate governance and better decisions but can find it difficult to measure the return in other more quantitative ways.

Proving you’ve got ERM

You need to prove what you are doing in respect of ERM, not only to your internal stakeholders but also to your external ones. We recommend companies to plot a maturity curve tracking their implementation of ERM against various criteria of risk management excellence, ranging from having the governance and infrastructure in place through to actually having a culture of risk management (see fig 1) and applying this in your dealings with third party organisations. These criteria and the maturity curve will show how well ERM is positioned in your own business. You may not want or need to be in the top position for all parts of your business but it’s likely that you will have a minimum threshold that you would like all your operations to meet – maybe somewhere in the middle e.g. a consistent level three across the firm. And for the more risky parts of your organisation, perhaps achieving a higher level makes good business sense.

There are sound reasons for undertaking this kind of exercise. Stakeholders such as regulators, investment capital providers, credit rating agencies, employees and trade unions put a great deal of pressure on companies – and particularly on their non executive directors - to show that they are doing a good job in respect of risk management. This maturity curve provides a road map, showing them the level of existing versus best practice in the organisation and what issues the company should work on to improve risk management i.e. what are our risk investment priorities.

It also provides the risk manager with a plan for the future. If you are currently at the second level and you are targeting reaching level three, you know the criteria and the action plan needed to get you there. You have a concrete vision and strategy.

ERM is about the extent to which risk is built into decision making. However, I’d like to offer a word of caution here. In reality, most decisions are made by ‘gut feel’ and judgement and in some respects that should be so as management teams are employed to exercise sound judgement. A lot has been written about the psychology surrounding how people make decisions, and it’s very important to understand some of that human psychology if you are a risk manager. For example, after 9/11 everyone’s big risk was terrorism. For most companies, that has dropped down the importance list – it may not even be in the top ten now. However, arguably the risk of terrorism is the same if not higher than it has ever been; it’s only the current perception that has changed. So risk managers need to challenge themselves as to whether their perceptions are influencing them and their risk priorities, in other words, ensuring that attitudes and perceptions do not drive the ERM programme.

In determining whether your organisation really has ERM, you should ask yourself about the value you are bringing to your organisation. Some businesses have very large risk management teams with lots of different risks and action plans. That is not really ERM unless they are using their information in a summary way (metrics / dashboards) to help management make better decisions.

And proving the value of what you’ve got

Governance is not enough – it’s a perimeter guard or boundary protection mechanism. How do we get value for the effort we put into governance? Of course, risk managers have to do it. But being compliant does not help you a great deal in a disaster or a crisis. When the chips are down, saying that you were compliant with the relevant corporate governance standard alone is unlikely to cut any ice.

If we accept as given that ERM enables better decision-making and satisfies corporate governance requirements, we have to ask what other measurable financial benefits it provides. There are two aspects here.

First, there was the announcement two years ago by rating agency Standard and Poor’s that it would be extending its review process to include the quality of a company’s ERM. This should mean that over the next 12 to 24 months, the cost of borrowing can be influenced by the extent to which ‘excellent’ ERM is in place. In other words, the cost of capital for your company is being influenced by the quality of its ERM process.

The other aspect concerns volatility and the ability to gain a competitive advantage. Volatility isn’t always a bad thing and indeed desirable in some industries from an investment portfolio perspective. However, when analysts value a company, they look at its future earnings and then apply a discount rate to reflect potential variation so that they can work out what it might be worth in net present value terms. This means that the less volatile your earnings relative to sector peers, the lower the discount rate applied to your future earnings and the higher the perceived value of the company. So there is a link between managing risk to reduce volatility and achieving a better return on equity, which in turn improves competitive advantage, as demonstrated in a recent survey of 1000 European companies in Accountancy Age. Those businesses with less volatile earnings (top 20% versus bottom 20% in sector) enjoy a 25% to 30% share premium compared to others in the same sector.

Further, good ERM contributes to regaining share value should a disaster occur. This was proved in the study published by Rory Knight and Deborah Pretty in 1997 which showed that companies which manage a crisis well enjoy a higher share price than those that do not have a crisis at all. And those that do not manage a crisis will typically never get back to where they were before (indeed 15% worse off after 12 months in terms of shareholder value) Warren Buffett believes that investors will reward those companies who do not squander capital on non-core risks. With that premise in mind it is clear to see the link between managing risk and the cost of capital.

Although most of these examples related to publicly traded companies I think these themes can be used equally in the public sector (councils, government departments) in privately owned or even family businesses to prove ERM can add value beyond compliance.

Lessons from the financial crisis

Inevitably, some people have asked why, if ERM is so good, the financial crisis occurred. After all, financial institutions led the way in the development of risk management techniques and the industry was the one that had gone furthest in embedding risk management into its practices. Does this mean that ERM doesn’t really work, it’s an enormous waste of money and it should be scrapped?

In fact, I believe that it was the misconception and misapplication of ERM which was a major contributor to the problem. The core of many institutions’ ERM was an ‘ivory tower’ model to determine the necessary capital to remain solvent or to mitigate downside risks, accompanied by a rigid set of processes geared to meeting compliance and disclosure requirements, and a quantified ‘list of risks’ based on a -series of questionable assumptions. In a financial services context risk management tended to be siloed into specific areas such as credit risk, market risk and operational risk. No-one was actually taking a view at the overall enterprise level – although in some cases a Chief Risk Officer (CRO) role was in place and developing this overall view.

Ineffective ERM was at the root of the crisis, failing to take account of the following.

? Models have limits and will not provide the complete answer. They do not take account of “Black Swans” – extremely rare but not unthinkable events – or systemic risk so they must be accompanied by good judgement – and input into the decision not the decision itself.

? Regulation is too often focused on solvency and risk capital, and does often not ask sufficient questions on strategic risk and the business model. Most regulators looked at firms on an individual basis but ignored perhaps their key role as a regulator – managing systemic risk and the interdependency of risk.

? Liquidity risk is the ultimate killer. In the long run, matching short term liabilities with illiquid or suspect assets will cause disaster, no matter how much profit is made in the short term, or how complex and intellectually satisfying the models are. In the non financial services arena this is called overtrading – your order book / sales are fine but you do not generate enough cash to meet liabilities as they fall due.

? The exacerbatory effect of accounting changes, with a shift to a mark-to-market trading book, as opposed to a banking-based accruals approach meant that losses were magnified in the short term and earnings were much more volatile during the crisis. Increased use of off-balance sheet structures first masked the problem and then made it worse.

However, the main factor may simply have been a fundamental lack of awareness, comprehension and preparedness to focus on risks by organisations’ own senior management. There was an unwillingness to ask hard questions when things appeared to be going well. Those who were concerned about the undue amount of risk being taken did not have sufficient authority or position to make their voices heard.

There are a number of lessons from the financial disaster. First, embedding risk in the corporate strategy setting process, and empowering the organisation to practise it properly remains key. Second, senior decision makers must consider the wide range of more extreme scenarios in formulating strategy, committing capital and setting growth targets. Third, strategic risk assessment needs to be more forward looking (emerging risks), considering the full range of earnings, solvency, liquidity, business and reputation risks that can lead to a sudden loss in value. And finally, at a basic level, management should understand which business units introduce the greatest volatility into the overall portfolio and how different business unit risk profiles aggregate against the desired risk appetite for the company as a whole. Easy to say, not easy to achieve!

What now?

ERM is not a passing fad. It is in a temporary spotlight at the moment but hopefully this is not just a reaction to market conditions. There should be a longer term effect because of the increase in the authority and voice of the risk manager, and an understanding that ERM is less about having a list of risks and associated action plans, and more about the value that risk management is bringing into the company in understanding interconnectedness. We are also seeing increased external stakeholder interest from rating agencies, bankers and investors.

I envisage more convergence in risk management standards. Currently, there are a number of these but they appear to be moving closer together towards a single risk management standard e.g. ISO 31000. There is of course the danger that sometimes the compromises you make to get to a ‘one size fits all’ standard mean that it is watered down too much and it doesn’t take into account industry specifics.

Consolidation is also likely to occur in respect of risk management information systems. There are a number on the market and two or three are now emerging as front runners - the platforms of choice.

We can expect more qualitative management judgement than purely quantitative driven models, with greater understanding of the need to measure risk appetite and understand how it can be used dynamically and qualitatively as a boundary or barometer for risk taking. And perhaps risk management needs to be more forward looking, moving away from the traditional annual risk management processes and becoming more risk agile. Companies need to have a process and framework which changes with business need e.g. mergers, acquisitions, joint ventures, etc, and is flexible enough to cope with issues like projects and country risks. We see more focus on ‘strategic risks’ – indeed in a recent research paper we commissioned, ‘Impact of risk events and the relevance of intangible assets’, we found 87% of shareholder value drops in FTSE 250 companies were due to ‘strategic risks’.

In addition, I anticipate more integration with other disciplines. We are now seeing a more holistic approach to ERM. For example, business continuity and risk management were often separate disciplines reporting to different people but now they are becoming more integrated. This is a good thing and forces the risk debate into value adding processes and beyond the firm itself e.g. into the supply chain.

Where does the risk manager sit in all of this? An AIRMIC study showed that around 40% report to finance. While this may not be as ideal as having the CEO’s ear, it does force the question of value because the CFO will typically want to know the return on investment.

More potentially problematic, four to five per cent report to internal audit. Companies should have three distinct lines of defence normally: (1) business managers who have been trained in risk management - the risk takers (2) the risk management team, and (3) internal audit making sure policy and procedures are being used in the way that they’ve been designed for. If risk management and audit come under the same umbrella, there are only two lines of defence. Further, can you really create a policy that you then subsequently audit? There is potentially a conflict. We recognise that audit and risk management are closely aligned and often when risk management is introduced into a company the most natural fit is perceived to be audit. We understand this business reality and efficiency, but after a suitable period we believe risk management and audit should usually be separated.

Is the risk manager’s lot improving? Generally speaking, it is. We have seen some risk managers losing their jobs but in many cases the profiles and types of decision they get involved in have increased dramatically. It is an upward trend in terms of responsibility.

Finally, the key point for ERM in the future is to push to get the maximum value from it. In the end, the full and intended benefits will only be realised if ERM is properly integrated into business strategy and has the active monitoring and attention of management at the highest level.