RIMS and Marsh partnered again in 2008 to survey risk management professionals about trends related to risk management approaches in organizations spanning several industries.  This report summarizes their key findings.

Organizations Aspire to a More Strategic Approach

A successful ERM system depends on having a long-term vision of where the organization wants to be and clearly defined steps to obtain the objectives.  C-Suite managers must be fully supportive and involved in the process.

The survey asked companies to assess their risk management system as traditional, progressive or strategic according to the criteria:

See link to table below.

Most organization listed themselves as progressive and moving towards a strategic approach.  Those employing the strategic approach had several common characteristics:

  • Represent for-profit, public companies with higher revenues
  • Focus on optimizing risk, not risk mitigation and avoidance
  • Identify top risk management priorities as those focusing on reputation, business continuity and regulatory risks
  • Create enterprise-wide awareness through education, reengineered management processes, creating new risk positions, dedicated staff and increased investment

Firms Adopting ERM Reach a Plateau

ERM is a key consideration for companies that are seeking to make their risk management programs more strategic, but it is not being embraced across the board.  In fact, the number of firms looking to put an ERM program in place may have reached a plateau.  The survey found about 65% of businesses surveyed have begun or plan to implement a strategic risk management system, with a small increase from 2006 to 2008 in firms not planning to implement a system at all. 

The top reasons for not implementing an ERM system were:

  • Other areas have greater priority
  • Risk is managed at the operational or functional level
  • Senior management does not see the need
  • Lack of personnel resources
  • Cannot demonstrate the value associated with ERM

Many companies are still in the planning or implementation phase of their ERM programs, and satisfaction with these programs increases with time and with the level of implementation achieved.  Participants in the first two years of implementation listed the process as “somewhat satisfied” or less, and 83% of those two years or further along gave an extremely/very satisfied rating.  As more “satisfied customers” tout ERM’s benefits, it could help companies that currently have no plans to adopt ERM change their strategy.

Among companies that now have ERM programs, investment in the program remains strong.  Most companies are allocating capital to training and personnel and technical resources.  C-suite managers would be well advised to think now about the ERM investments that would propel their programs forward.  Training and education, adding new personnel, upgrading technology are all important, but it can be even more important to ensure that an appropriate governance structure is in place.

Credit Rating Companies to Include ERM Assessment

The potential financial impact on a firm from a rating agency review can be significant because it affects the cost of credit.  The ratings agencies are now preparing to look at a company’s strategic risk management practices as part of the ratings review for companies in 17 non-regulated industries.  To guage the organization’s readiness for these evaluations, survey respondents were asked to respond to these statements:  “My firm’s senior management…

  • Knows where the top exposures are, both in terms of measured risks and immeasurable uncertainties.
  • Understands the company’s risk profile and the mitigation strategies being used to manage its major risks
  • Knows how much it is willing to lose from all sources of risk over a selected time horizon in order to achieve its overall long-term financial objectives”

The responses revealed many organizations are aware of, but not prepared for, the added ERM assessments by credit ranking agencies.  Even firms that ranked themselves at the strategic level could not affirm senior management’s competence in these areas (55% answered can’t agree).  The Standard and Poor’s guidelines for assessing a nonfinancial organization’s ERM system are outlined in specifics falling under the headings of Risk Management Structure and Strategic risk Management.

Experience with Risk

During the normal course of business, there are many immediate issues that demand attention, making it difficult to focus on events that may never affect an organization. But companies need to be prepared for the unexpected, especially when these events can deal potentially devastating blows to areas such as reputation, supply chains, and daily operations.  Risk managers need to be able to balance the day-to-day necessities with the ability to plan ahead. One way to grab the attention of the C-suite and other key constituents is to zero in on risk events that happen to competitors, peers, or geographic neighbors as a springboard for discussion.

Respondents were asked to rate their level of discomfort and perceived importance of risks.  The quadrant of high risk/high importance included: Technology, Human capital, and business continuity/management risks.  After analyzing which organizations had actually experience some of these risk events, it was noted that those risks were rated higher on the importance scale than in those firms who had not experienced the event.  Also, organizations in the progressive and strategic levels were highly likely to assess and change their systems after a risk event.

Supply Chain Risk Management

In the responses to risk importance and discomfort, Enterprise-wide and supply chain risks were in the lower importance, but higher discomfort level areas.  Supply chain was listed as “end to end” to encompass every part of a company’s risk in production.  The fact that supply chain causes considerably more discomfort than do other risks shows that risk mangers know that more needs to be done.  Raising the profile of supply chain risk is yet another way that risk managers can elevate the profile of their function in the eyes of the C-suite and other senior executives while making a significant contribution to their firm’s competitive footing, market share, and reputation.

51% of respondents, with 55% of operations consisting of manufacturing and retail, admitted no risk management in place for the supply chain.  Although respondents in the service-only sector stated supply-chain risks did not apply to them, they should assess their operations for risks with strategic partners, customer demand, etc.

Suggestions to incorporate supply chain risk into a comprehensive ERM process are:

  • Create a cross-functional supply chain risk team that looks end to end
  • Embed risk management activities and responsibilities into existing supply chain processes and functions; create consistency across the organization
  • Build up analytics and risk metrics
  • Extend the Risk manager role

Risk Managers and the C-Suite

The value of maintaining clear lines of communication between the C-suite executives and risk managers cannot be overstated.  Even when they agree on a more strategic approach to risk management, there can be serious differences over how to achieve this objective.  One way to begin dialogue is to look for areas of agreement on shared interests, such as broad objectives like training.

The survey found that risk managers listed their company’s risk management process as progressive, and C-suite managers listed it as strategic.  While their opinions differ, there is a common goal of obtaining a strategic risk management profile.  Discord between Risk Managers and the C-suite shows in the responses to this question: What holds your firm back from practicing more strategic risk management?

1. Other areas have greater priority
2. Lack of personnel resources
3. Corporate Structure
4. Lack of financial resources
5. Lack of personnel experience

1. Lack of personnel resources
2. Other areas have greater priority
3. Lack of personnel experience
4. Difficult to identify/analyze investment matrices
5. Lack of financial resources

The timeline and implementation methods for ERM are also not aligned.  The C-suite expects quicker implementation and has differing top three objectives for putting ERM systems in place.  Both Risk managers and C-suite agree on training and education for implementation.  Another disconnect was in the ownership of the ERM program.  All managers found the CEO as ultimately accountable. C-suites found themselves as the lead for implementation, with the CFO most responsible.  Risk managers cited themselves as leaders of implementation and the most responsible.


Collaboration and shared implementation responsibility between risk and C-suite managers is key to a successful strategic risk management program.  The survey pointed to several aspects that need to be aligned with senior management, and external expectations of an ERM system.  This list is extrapolated in the article:

  • Establish an evaluation process
  • Develop a clear picture
  • Create a road map
  • Understand the role ERM plays in your organization
  • Keep aware of outside influences
  • Learn from what happens to others
  • Maintain strong connections throughout the company
  • Make sure the line of communication is clear and open

Click below to read full article.

Link: Excellence in Risk Management V: Viewing Risk Management Strategically, Marsh and Risk and Insurance Management Society, Inc., 2008.

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

ERM Enterprise Risk Management Initiative 2008-10-01