'Implementation of a holistic approach to understanding and responding to risk, in all the organisation's activities.'
'A risk management system that covers all relevant areas of business aspects our group is facing by doing business; an information system which allows the board to follow, with a few cockpit charts, the actual situation.'
'An assessment of risks and opportunities that supports strategic decisions and has clear and measurable benefits.'
'Creating a risk aware culture but not a negative one. It is about ownership, accountability and transparent decision making.'
These are just four of the 73 definitions we received when we asked respondents to the Enterprise Risk Management Survey May 2006 to sum up, in their own words, exactly what ERM meant to them. The fact that, near the end of a 22-point online questionnaire, so many of the respondents were prepared to give considerable thought to defining ERM shows that, across the whole spectrum of organisations, those concerned with risk management are already thinking hard about the subject.
The main drivers
So what is driving all this thought? When asked what organisations see as the main drivers for ERM, respondents certainly saw compliance as a key issue. Improved corporate governance was cited by 62%, statutory or regulatory requirements by 54%. Fifty-nine per cent, however, also highlighted the desire for improved decision-making, indicating that most organisations do not view ERM merely as a box-ticking exercise. Encouragingly, almost none of our respondents considered that ERM was merely an example of consultants pushing the latest fad.
The perception that ERM improves business performance was echoed in respondents' description of its main attraction for their organisation, with most (58%) seeing this as the primary inducement. But only six per cent saw ability to gain competitive advantage as the main attraction - suggesting that even those organisations that have gone furthest down the ERM path are not flagging up their progress to existing and potential customers as part of their product or service offering.
In most organisations, it seems that development of ERM policies, processes and standards is - and is understood to be - a work in progress. Only 11% of the businesses surveyed (one in nine) believe that their ERM policies, processes and standards are fully defined and implemented. Twenty-five per cent said that they are measuring and managing their risks quantitatively and collating them across the organisation, and 24% believed they had a well established process that is, however, reliant on individuals. But 10% do not have defined procedures, seeming to hope that their people are simply getting on with it. Not surprisingly, those organisations that appear to have most fully adopted ERM are those with a chief risk officer (CRO).
Slightly fewer than four out of ten respondents (38%) consider their board to be fully supportive of ERM. Significantly, well over half of these have a CRO - and a third of them operate in the financial services sector. Other responses suggest that the board either delegates risk management responsibilities or, even while supporting risk management in principle, provides no direction or impetus. This was a disappointing response, given that total board buy-in is generally seen as crucial in implementing effective ERM.
Pick your own standards
Use of the published risk management standards varies. The IRM/AIRMIC/ALARM risk management standard is the most popular (used by 28% of respondents), with the COSO (Committee of Sponsoring Organisations) standard used by 22%. Some companies use other standards or a hybrid, self-tailored version of the ones available. Drawing upon published standards but shaping a version to suit one's own organisation seems a sensible route. But 28% of respondents said that their organisation applies no risk management framework or standard at all.
While a reassuring 54% of respondents said that senior management takes full responsibility for promotion of risk management, and 53% said that senior management had made a full assessment of, and fully understood, the risks that the business faced, only 22% could say that they trained all staff in risk management processes. On the plus side, almost all organisations revisit their enterprise risk assessment at least once a year.
Most organisations surveyed (52%) see management culture as the biggest challenge in promoting and embedding risk management. Processes (19%) and individual buy-in (17%) came a distant second and third. Companies with CROs, however, see management culture as less of a challenge, focusing more on individual buy-in and designing and embedding an effective process.
Risk workshops and risk committees are the most popular means of facilitating ERM across an organisation, with bespoke risk management systems coming third. In addition, a sixth of the respondents identified other tools and technologies that they use. These included:
- 'benchmarking systems for each risk management discipline using self-audit and verification programmes as well as survey and audit programmes'
- 'dynamic risk profiles for each business unit and risk indicators'
- 'risk forums/conferences'
- 'intranet site'.
Surprisingly, only 29% of respondents believe that sufficient guidance on ERM is available. Forty-one per cent reckoned otherwise, and there was a large contingent (30%) of 'don't knows'. Answers did not seem to correlate significantly with industries or whether or not an organisation had a CRO. Individual comments suggest that, as with standards, many companies pick and choose what suits them from what is available and then try to tailor it to their own needs. Twenty-one respondents outlined what guidance they had found useful. Their comments included:
- 'Nothing specific. Each has merits - you need to review all available material to come to your own conclusions and ideas about what is best for the organisation.'
- 'The academic texts can be helpful but are too technical for the average person. There remains a need for an idiot's guide to ERM.'
- 'Prior experience and benchmarking.'
- 'Peer group discussion.'
To a key point - how effective is ERM, or what currently passes for it, in organisations today? Twenty five per cent of organisations rated their ERM framework as 'fairly ineffective', or simply did not know how effective it was. Only 6% of those surveyed thought their framework was 'fully effective' in meeting corporate objectives, although the rest plumped for 'fairly effective'.
Yet discussions during the interview-questionnaires revealed that risk managers can regard a system as fairly effective while openly admitting the existence of 'known unknowns', let alone 'unknown unknowns'. Respondents from financial services and from organisations with CROs tended again to have more belief in their ERM's effectiveness - a pattern repeated when they were asked to say whether their ERM was better, the same as, or worse than that of their peers.
While 37% of respondents rated their ERM standard better than that of their peers, only 7% rated themselves worse. Whether or not one accepts our respondents' self-assessment, the pattern of five 'above average' organisations for every one 'below average' seems unlikely to reflect wider reality. In rating their ERM relative to their peers, industrial companies were notably more self-critical than financial services firms.
The survey provides a fascinating snapshot of a range of organisations at different stages of ERM. Not surprisingly, the financial services sector appears the most advanced. It is hard to avoid connecting this with the highly regulated environment (Basel II, Financial Services Authority rules, etc) in which it operates. Financial services boards - which generally need to lead an ERM initiative if it is to succeed - are unavoidably concerned with regulatory compliance and its associated issues, such as reputational damage and, ultimately, licence to operate.
Other sectors are also progressing along the ERM path. The degree of enthusiasm and success seems to vary, and the survey shows that not all businesses yet appreciate the true benefits that ERM can provide. In every organisation, the challenge remains how best to make ERM a fully functioning reality.
- Sue Copeman is editor, StrategicRISK; Peter Joy is head of research, Newsquest Specialist Media
ABOUT THE SURVEY
The Enterprise Risk Management Survey May 2006 was conducted by StrategicRISK for Protiviti Independent Risk Consulting.
Most of the 90 respondents worked in well-known heavyweight organisations, mainly UK based. Most also had 'risk' somewhere in their job title: 'risk manager' was the most common.
Responses came from a wide range of sectors. While a fifth of respondents worked in the financial services sector, this was balanced by another fifth from manufacturing and engineering. A broad cross-section of other industries, businesses and organisations accounted for the remainder.