In 2006 and 2007, Deloitte surveyed 151 mid-sized companies from many different industries in North America, South America, and Europe to get feedback on the current state of ERM implementation.  Risk management has been practiced in companies for a long time, but the ERM approach to managing risk is more recent.  ERM can help companies identify both unrewarded and rewarded risks.  Unrewarded risks include compliance, financial reporting, and operational failures, whereas rewarded risks deal with strategy and execution.  Most respondents indicated that their organizations primarily use ERM to manage unrewarded risks, which is typical of immature ERM programs.  To gain the maximum benefit from an ERM program, however, optimizing rewarded risks should also be incorporated.  Integrating risk management into all aspects of the business allows ERM to aid not only in asset protection but also in value creation, and ERM's value to the organization will increase and become more readily apparent.

Current State of ERM

There is growing interest in ERM, with most respondents indicating a heightened interest in ERM compared to one year earlier.  The primary driver of ERM implementation among respondents is regulation and regulatory complexity; unanticipated losses are another important driver.  The primary goals respondents set for their ERM programs were processes rather than outcomes.  This could contribute to the difficulty of demonstrating the value of ERM, reinforce the view that ERM is not part of the core business, and reduce management's perception of ERM's relevance.

Fifty-six percent of respondents are part of organizations whose ERM programs have been in place for only two years.  The top five benefits they reported experiencing from ERM relate to people, processes, and the management of asset protection and unrewarded risks.  However, the top five benefits they expect from ERM relate more to managing future growth and rewarded risk, benefits that become more likely as an ERM program matures.  This finding indicates that ERM programs need long-term commitment in order to realize their maximum benefits.  Respondents also indicated that risk information is integrated into decision-making primarily in traditional risk management functions such as internal audit and treasury, and least integrated in core business processes related to future growth such as performance management and capital allocation.  Risk needs to be linked to these business processes for all members of an organization to see the value of ERM and to gain the most benefit from using ERM to take risk as well as to avoid it.

The biggest challenges reported as facing ERM relate to demonstrating its value; a lack of understanding of ERM's benefits and difficulty in proving the business case for ERM were reported as the two most significant challenges.  Proving the business case is hard because both the benefits and the costs of ERM are difficult to quantify.  Despite these challenges, it is clear that preparedness within organizations needs to improve.  When asked about their organizations' current level of preparedness to manage mission-critical risks, 48% of respondents stated they were only somewhat prepared, and only 35% were highly confident in their level of preparedness.

Organizations that assessed themselves as better prepared to manage risk share several characteristics.  These include having an assigned executive responsible for ERM and having ERM as a separate and independent function.  Also, the longer an ERM program has been in place, the more prepared the organization is to manage risk.  Finally, ERM programs appear to increase preparedness significantly only once they are fully operational.

Implementing ERM and Organizational Approaches

There were several key survey outcomes related to ERM implementation across industries, regions, and listing status.  Across industries, regulated industries like telecommunications are more likely to have fully operational ERM programs than less-regulated industries like media and entertainment.  Across regions, Europe has a higher percentage of organizations that have had an ERM program in place for more than four years than North or South America.  Among respondents, the percentage of listed companies with fully operational ERM programs is twice that of unlisted companies, but among companies developing or considering an ERM program there is no significant difference between listed and unlisted companies.

There were also trends evident in the organization of ERM programs.  Respondents indicated that boards, including audit committees, are the primary drivers of ERM programs.  Only 35% of companies have adopted a specific ERM standard, and among those that have, COSO ERM predominates.  Current ERM programs tend to focus most on compliance and asset protection risks, which could account for the disconnect in ERM's perceived value to operating management, since operating management is focused primarily on strategy, execution, and growth.  Initial ERM implementation focuses on policy, process, and structure, which is common in organizations where the process side of ERM is familiar and the value-creation side is not.

Within an organization, respondents indicated that CFOs and CROs often have primary responsibility for ERM, and that CROs, in the organizations that have them, report to the CFO or CEO the majority of the time.  This high accountability and visibility for the CRO can help ERM programs succeed by setting a tone of commitment to ERM from the top.  The primary roles of the CRO in these organizations are risk analytics and monitoring risk exposure against limits.  Boards are most commonly updated with important risk management information either quarterly or annually.  The audit committee is typically responsible for oversight of ERM; over half of respondents indicated that their audit committee is required to discuss risk with management annually and that it regularly discusses the company's major financial risk exposures and the monitoring and control steps management has taken.  Forty percent of the organizations surveyed have a risk management committee, and most of these committees are management-level rather than board-level.

ERM policies, processes, and systems were also surveyed.  Two-thirds of respondents train only the specialists who perform specific risk management functions, and only 2% train all employees in risk management.  This could contribute to the difficulty of achieving the risk-aware culture that many view as a benefit of ERM.  Few companies surveyed have defined their risk appetite or tolerances, or developed early-warning or escalation procedures.  While management reporting was among the top five benefits companies experienced from ERM, only 18% of surveyed companies have fully implemented a risk dashboard or reporting process, a key component of risk-informed decision-making.  Eighty-one percent of respondents indicated their organizations use probability of occurrence to assess risk, which is positive, but only 18% have high or very high confidence in their use of likelihood to predict loss.  The most used risk measurement tool in surveyed organizations is self-assessment, followed by economic metrics and scenario analysis.  Sixty-five percent of respondents reported that risk assessments are conducted semiannually or annually at their companies.  Only 27% of respondents indicated that their organizations use technology or software tools to monitor risk, which is consistent with the qualitative nature of many risk assessments.