A recent research report from the Financial Executives Research Foundation (FERF) provides benchmarking data from reviews of over 40 ERM programs and interviews with 25 organizations about the current state of ERM and emerging trends in how organizations operationalize ERM in practice. The study contains detailed insight into the current state of ERM implementation and the drivers behind it, the different types of ERM programs, how ERM functions are organized, and the operationalization of ERM.
One theme shared by the companies surveyed is that the main purpose of implementing ERM is to make risks visible at many levels of the organization before they actually have an impact. While the financial sector notably has the most mature ERM programs, the vast majority of organizations are still in the early development stages, if they have started at all.
The drivers behind the implementation of ERM can be categorized as proactive decisions led from within, reactions to internal or external events, or requirements imposed by regulators and other external sources. The new SEC ruling concerning proxy disclosures was cited by almost all respondents as a key driver and is likely the most influential current driver of all. The new rules are intended to increase transparency to shareholders about how risks are managed within the company, and they indicate that ERM activities will become more formal in the future.
Types of ERM Programs
It is widely known that ERM programs must be tailored to each company’s situation, meaning there is no universal approach to either defining enterprise risk or managing it. This study revealed that current ERM approaches can be characterized by two factors: the categories of risk that are within the ERM scope and the overall approach to managing those risks. Simplified, the types of risk can be split into strategic versus operational, and the management approach into quantitative versus qualitative.
The study noted that ERM programs tend to fall into one of two types. Type one, the more common, focuses on strategic risks managed in a qualitative way; type two focuses on operational risks managed in a quantitative way. However, there is indication that the future trend will merge these two types to create a more holistic view of all risks using both management approaches. This requires the difficult task of analyzing strategic risks quantitatively and operational data qualitatively, approaches most companies are not used to considering.
Encouragement from ERM managers has prompted industry groups to create new templates and frameworks that can assist risk managers throughout the ERM process. The most influential ERM framework to date remains the Enterprise Risk Management – Integrated Framework launched in 2004 by COSO. The framework is praised for its fundamental concepts, which have become core components in many ERM programs, although some organizations are now asking for an updated framework tailored to the post-recessionary environment in which they operate.
Organization of ERM Functions
Respondents agreed that risk ownership and management must remain within the organization, with accountability held at each appropriate level and the “tone at the top” set by the CEO and board of directors. However, where this responsibility sits within the company still varies widely. Examples of business functions used to house ERM include internal audit, the office of the CFO, controllership, treasury, and strategy/planning. The report notes that ultimately one function is not necessarily better than another, only that it should have the necessary skills, resources, and knowledge to be effective.
Overwhelmingly, ERM teams are staffed by very few employees, sometimes only one person. Respondents expressed little dissatisfaction with this team size, but it is important to strike a balance between the risk of relying on one person to hold all ERM knowledge and the risk of spreading responsibility over so many people that each person’s commitment is diluted.
A risk-aware culture is clearly one of the top priorities of any successful ERM program. The report notes that it is important to allow a risk culture to develop naturally rather than force one upon employees. Collaboration with business units and input from all levels not only helps identify risks but also creates awareness, and therefore culture, throughout the organization.
Operationalization of ERM
The fieldwork of the study showed that ERM operates around five basic activities in an ongoing program, which are likely to overlap at some points.
Most companies begin with a “top-down” approach to create a list of risks facing the company, then group related risks and note inconsistencies. This may include reading through 10-Ks, holding discussions with senior executives, and seeking feedback from business unit leaders on their objectives.
Once this list is created, companies must evaluate and prioritize each risk, typically through a cross-functional risk forum. These discussions bring together top management and all business units to gain insight into each risk and to build enterprise-wide risk awareness. This forum is considered a key component in breaking down communication barriers between “silos”, creating a common risk language, and laying the foundation for a risk-aware culture.
Scoring & Prioritizing
A “heat map” plots risks on a grid whose axes are the likelihood of a risk occurring and the impact the risk would have. Almost every ERM manager either uses one currently or has used one previously, due to its accessibility and visual impact. Managers with advanced programs are seeking more sophisticated scoring techniques, often developing a dollar value to attach to each risk. The most challenging issue risk managers face today is how to compare risks that are fundamentally different, such as strategic versus operational or existing versus emerging.
Many ERM organizations define their programs in terms of risk appetite and risk capacity to note which risks fall within a level acceptable to management. Sometimes risk appetite is broken down and defined separately for different risk areas. The interconnectedness of some risks remains a complex problem for risk managers and makes the ranking of risks even more difficult.
Organizations are then faced with the ultimate question: what should we actually do about this risk? There are four basic choices: accept the risk, share the risk, mitigate or reduce the risk, or avoid the risk. It is important to remember that each risk is unique and there can be no standard response for a given risk score. Each risk and its response should be considered individually.
Monitoring & Reporting
Respondents noted that reporting is a balancing act for most managers. They must provide full information on ERM outputs to boards without overwhelming them with small details. Most ERM managers reported that a large amount of board time was used during the early phases of the program, shortened afterwards to 30 or 60 minutes during board meetings and supplemented by periodic thorough reports, usually on the top ten risks, to keep the board up to date.