The main reason for implementing ERM is to add value to the organisation through benefits such as more informed decision making. Graham Buck investigates how added value is achieved and asks whether it can be measured?
The mantra that enterprise risk management (ERM) delivers valuable benefits for companies is rapidly gaining converts. ITV's risk manager Graeme Lee is one; he says that while the broadcaster only recently started down the ERM trail ‘we have already found that a much more detailed discussion of the risks we face has not only clarified the risks themselves, but has also sharpened the mitigation and broadened the understanding of those risks across the organisation.’
However, for the business world adopting ERM still involves an element of faith. Actively calculating and demonstrating its benefits remains a work in progress.
AIRMIC started on the task last year with its paper Research into the Benefits of Enterprise Risk Management. The research, carried out by Det Norske Veritas, outlined how ERM had reduced the risk exposure at five organisations including Solvay and Nestlé.
The study found that ERM provided more reliable risk information that reflected in better corporate strategy and other decision making, helped implement targeted actions to reduce risk levels for specific operations and projects, achieved greater operational efficiencies such as reduced disruption to routine operations, successfully delivered projects and created more effective business processes, improved corporate governance and compliance standards by delivering risk assurance and provided greater scope for delegation by instilling confidence that risks would be managed effectively.
An impressive tally, yet as AIRMIC's technical director Paul Hopkin observed ERM isn’t yet a sufficiently mature discipline for accurately quantifying the extent to which it improves profitability or delivers value for money. The next step, he added, would be to devise a means of measuring ERM's financial benefits.
No single clear formula has yet emerged to tangibly show the absolute value of ERM agrees Stephen Roberts, leader of the UK strategic risk practice at Marsh. This is due, in part, to the fact that when ERM is effective, an event or issue can be suitably managed by the company at a relatively early stage. If a potential incident is prevented from occurring, evaluating this in the context of ERM is difficult unless fairly complex methodology – likely to involve significant time and resources – is employed such as ‘cost of avoidable loss’ analysis.
Colleague Eddie McLaughlin, Marsh’s managing director of strategic risk consulting for EMEA, adds that ERM value can be seen in two distinct ways – qualitative and quantitative.
Qualitative is more common, focusing on ‘doing the right thing’, compliance, better management decisions and good corporate citizenship.
Quantitative value can be assessed by linking improved risk management to reduced volatility, through a reduced cost of capital and higher sector PE ratios/return on equity and, ultimately, higher corporate valuations on future earnings potential.
In addition, Standard & Poor’s plans to link ERM to credit rating will drive the value equation over time by influencing the cost of borrowing.
There are also plentiful examples of surveys evidencing the benefits of risk management in reducing volatility, including the Pretty/Knight study on the impact of catastrophes on shareholder value and Marsh’s research on the causes of FTSE 100 stock drops.
Risk managers are, in addition, often able to demonstrate to management that implementing ERM throughout the organisation produces a tangible benefit in cheaper insurance. Underwriters are increasingly willing to positively recognise its value in their premium pricing, but still do so case by case rather than by applying any overall formula.
‘We’ve yet to reach the stage where underwriters will automatically reduce the premium by x% on evidence that ERM is embedded into an organisation,’ says Roberts. ‘In addition, whereas ERM seeks to address the organisation's total risk profile, an insurance policy addresses only one particular element.’
“ERM offers a clear line of sight for each objective that needs to be managed.
It’s more than likely that the methodology linking ERM's benefits to defined cost and availability of capital criteria will become better defined, adds McLaughlin, but this will take time.
Meanwhile the financial crisis has highlighted a key aspect of ERM – the need for it to be embedded within the organisation before it can add value. As troubled financial institutions demonstrate, a company can have ERM systems and procedures in place and still be vulnerable if they fail to actively apply risk assessment in their daily decision making and ensure proper levels of authority for risk professionals.
Both Roberts and McLaughlin suggest that, in addition to embedding, three key factors are integral to ensure ERM adds value to an organisation. The first is application. ‘During a recession, organisations can't afford to be derailed in reaching their strategic objectives as the luxury of a cash buffer has evaporated,’ Roberts states. ‘ERM offers a clear line of sight for each objective that needs to be managed.’
The second is effective communication, in demonstrating to stakeholders that the company has confidence in its ERM capabilities. This is particularly vital as shareholder meetings focus more than ever on demonstrable proof that the organisation really has a future. ‘Organisations struggling with their viability have a particular need to demonstrate to investors, customers, clients, employees and other key stakeholders that they are robust,’ says Roberts.
He cites the third aspect of added value in ERM's ability to address emerging risk issues, such as complex supply chains, climate change, counterparty risk and volatility in the pricing and security of raw materials and energy.
Add to these the potential failure of key suppliers and business partners, which has become of increasing concern as recession deepens. ‘If ERM is embedded, then it addresses all aspects of the organisation's business and includes the risk profiling of key suppliers, partners, contracts, projects and JVs. If their risk profile shows signs of increasing then you have the opportunity to take proactive action.’
At Nestlé head of risk Marc Schaedeli says that the group has always managed its risk ‘in a pragmatic way’ and has developed over several decades a culture enabling it to be trusted by all stakeholders as well as becoming representative of predictable financial performance.
‘ERM, used as a decision making support, can assure appropriate management, governance and compliance,’ he confirms.
‘Nestlé therefore decided to create an overview about the most relevant risks that have the potential to threaten the value of the company's assets and its capability to achieve its strategic objectives – as well as the related mitigation actions – in order to report them to the executive board on a regular basis.’
Sainsbury’s group head of insurance and risk management, Paul Howard, also the incoming chairman of AIRMIC and head of its risk management steering group, was actively involved in the study. He says that the credit crunch has raised the profile of ERM and fuelled internal discussions over risk within organisations. What should follow next are value-based discussions on both the qualitative and quantitative issues relating to ERM if they are to maximise the overall benefits.
The crunch has also triggered a much greater degree of networking by risk managers than before ‘which indicates the extraordinary times we are living through’. So companies are paying more than mere lip service to ERM, with their representatives ready to go out and get actively involved.
‘As there is an increasing level of interest, not only due to research, it will improve standards and processes,’ adds Howard. ‘As a result, we should see a very different scenario in another three or four years’ time.’
Graham Buck is a freelance writer