Enterprise Risk Management
State of the profession
Risk managers face increased scrutiny and rising expectations
By Michael J. Moody, MBA, ARM
Despite the fact that enterprise risk management (ERM) has been around for more than 10 years, it is sometimes difficult to get a feel for the current state of the profession. For the most part, there are few valid surveys that manage to successfully take the pulse of ERM practitioners. There are, however, a couple of surveys that do attempt to provide a broad view of the current state of the risk management profession.
The two surveys were researched and prepared by the two largest insurance brokers: Marsh and Aon. The Marsh survey is an annual event known as Excellence in Risk Management, which is in its eighth edition. The survey is provided in partnership with the Risk and Insurance Management Society (RIMS). Aon provides a biennial survey that is titled Global Risk Management Survey.
It is important to note that while there are obviously going to be a number of similarities between the surveys, they are in fact quite different. As noted above, Aon's survey is a biennial event that is Web-based (i.e., the survey form was online) and was crafted to provide companies with significant benchmarking information that is directed at an international audience. The survey had 960 participants from 58 countries. In addition to traditional risk management questions such as top-10 risks, board oversight, and risk management staffing, the Aon survey goes on to provide additional information regarding the current state of the insurance markets, global risk management programs, and various risk-financing issues including captives.
By comparison, the Marsh survey is more limited in its focus. Much of the data obtained from the 1,022 people who participated in the survey comes from U.S.-based corporations. Despite this, the Marsh/RIMS survey does provide a good mix of participants based on job function, company size, and organization type.
Both of the surveys had some overlap with regard to what the participants felt were their organization's top risks. According to Marsh, participants noted the following as their top risks:
1. Economic conditions
2. Business disruption
4. Legal or regulatory shifts
5. Litigation or claims
6. Technology/systems failure
8. Data security/privacy breach
9. Destruction/loss of physical resources
10. Business continuity/crisis management execution
Other noteworthy risks that were mentioned in the survey were cash flow/liquidity, talent availability, and competitors. Concern about "the impact that government regulations and legal environment" (items 3 and 4 above) was noted by many participants since this has become such a critical agenda item for many corporate boards today.
Similar concerns were expressed by the Aon survey participants. Their top-10 list includes the following:
1. Economic slowdown
2. Regulatory/legislative changes
3. Increasing competition
4. Damage to reputation/brand
5. Business interruption
6. Failure to innovate/meet customer needs
7. Failure to attract or retain top talent
8. Commodity price risk
9. Technology failure/system failure
10. Cash flow/liquidity risk
Other risks that were mentioned frequently in the Aon report include capital availability/credit risks and distribution or supply chain failure. While there are a number of differences between the top 10 lists, much of this can be explained by the fact that Aon's survey participants are much more global.
The Marsh/RIMS study points out that, for the most part, management continues to place more expectations on risk management departments and, as a result, it is important to establish key performance indicators (KPIs). According to Marsh, the most important aspect of the KPIs is that, over time, they should help to define leadership expectations. And ultimately, this should benefit all risk management professionals.
The top KPI is that management is beginning to hold risk managers more accountable for things such as "managing and communicating risk management value through total cost of risk." While there are many definitions for total cost of risk (TCOR), what is clear at this point is that a common language should be found and articulated to management. The next four KPIs include competitive procurement of risk transfer (i.e., insurance), financial performance measurements for retained/insured exposures, insurance budget management, and mitigating liabilities and supporting organizational preparedness. Together these five KPIs accounted for 70% of the responses. As a result, "the overall view of risk management's 'success' can be fairly well defined." This may well lead to developing an optimized approach to measuring the function's performance.
Surprisingly, the Aon survey contained a similar finding. It noted that organizations are facing increasing pressure from stakeholders to better understand their risks and to optimize their insurance programs by lowering their total cost of risk. As a group, 61% of the respondents consider lowering their TCOR as one of the major advantages of implementing a risk management program; however, only 39% indicated that they "have tracked and managed all of the components of their TCOR."
It is clear from both surveys that while there is significant lip service given to more advanced techniques such as ERM, management within the corporations continues to measure successful performance via traditional touchstones like the total cost of risk figures. While this may initially be difficult to understand, participants provided significant insight into why the more advanced approaches like ERM have not been implemented.
A frequent roadblock cited in the Marsh report was the difficulty in removing the "silos" from within their organizations. While many risk managers have struggled to break down the silos, the fact is that they have made little headway in accomplishing this. Some of the participants feel that the best way to minimize the issue is by building an internal team made up of a cross section of other functional risk managers. Many times the best way to tackle the silo effect is to form risk committees, and risk managers indicated that they are moving quickly in this direction, jumping from 47% in 2010 to 62% in 2011. Other impediments listed by Marsh include lack of relevant risk data, and inadequate links to other corporate functions.
Just how effective these cross-functional risk committees are is another issue. Only about two-thirds of the respondents indicated that they would grade them as "somewhat effective." Just forming the committee is not enough; how the committee functions is the real question. As most of the survey participants point out, management is looking to the risk manager to provide leadership in this important area. This represents one of the most fertile areas for risk managers to make an impact.
Board oversight and involvement was another important issue that was addressed in the Aon survey. For the last several surveys the trend has been that risk management remains "firmly on the board's agenda." Regulators and other stakeholders are making certain that risk management continues to be a front-burner topic for most boards. The board or a committee of the board has now become a vocal supporter of ERM. The survey confirms that at least three out of four organizations have established policies to address risk oversight and management. It is widely recognized that in order to embed ERM within the corporate culture, it will require the active support of the board. Involvement at the board level, according to the majority of respondents, will increase and risk management would do well to embrace this involvement.
Both of the above noted surveys offer significant insight into the current state of risk management at the corporate level. While both of the surveys provide similar core data, each had slightly different responses. This was primarily due to the differences within the locations of the participants.
While much progress has been made in an attempt to move an ERM agenda along, there are many obstructions along the way. An excellent example of this is the continued reliance on the TCOR measurement that has been utilized by management as a gauge of success for years. It is somewhat disappointing to discover that this is still the criterion. To some extent, however, it is a failing of the risk management profession that it has not been able to convince management of the wisdom of an alternative performance measurement. This needs to be job one for those organizations that are advancing various ERM frameworks. As long as management retreats back to a TCOR matrix, which is roughly equivalent to a "pass/fail" grade, ERM will never attain its rightful place in corporate management.