The need for risk management around the world has grown at an incredulous rate since the global financial crisis.  Recently, Aon Global Risk Consulting gathered data from leading organizations around the world about how ERM is currently being used, the extent to which it has been implemented and its effect on organizational goals.  The survey further showed that ERM has continued to evolve as an accepted and required process to create value.

A majority of respondents noted that their ERM processes were at a “defined” or “operational” level based on Aon’s five-stage ERM maturity model; a twenty point increase from 2007.  Additionally, the number of respondents who consider their ERM process to be “Advanced” more than doubled.  There is a continued focus on deriving value from ERM, as well as the desire to use ERM to improve governance, transparency, performance and decision making.  Respondents in the more mature stages of ERM found value through the optimization and reduction of total cost of risk, a strengthening of business resiliency and increased operational efficiency. 

Nine Hallmarks of Effective ERM

Like most ERM studies, the survey found that the process must be unique to each organization and become deeply rooted in the culture and decision-making processes.  This survey’s examination of the ERM journey produced nine hallmarks, or distinguishing characteristics, of a successful approach.  These hallmarks described below represent practical suggestions based on respondents’ own experiences with risk management.

Board level commitment to ERM as a critical framework for successful decision making and deriving value

This top-level commitment is critical for organizations to create and support an ERM culture, establish risk priorities and allocate resources to risk management.  Aon recommends establishing clear lines of responsibility and authority, as well as timely communication with the board on risk management practices.

A dedicated risk executive in a senior level position who drives and facilitates the ERM process

The traditional role for responsibility of ERM has varied widely in the past, but a new trend has emerged toward giving this oversight to a senior level executive.  The CFO is still the most cited leader of ERM, with the VP/Director Risk Management and CRO following closely behind. To be successful, this leader should have the support of the board and a detailed understanding of the business and its risks as well as the ability to position the program at every level of the organization. 

An ERM culture that encourages full engagement and accountability at all levels of the organization

As ERM is increasingly being seen as a core business practice, education is required at all levels of an organization.  Companies who instill clear accountabilities for risk, leverage risk management to meet organizational objectives and integrate ERM into decision making all have characteristics of an ERM aware culture. Companies may want to consider a pilot of the ERM program within a particular section to show the rest of the organization concrete value.

Engagement of all stakeholders in risk management strategy development and policy setting

Highly advanced ERM organizations add significant value by communicating risk information internally to stakeholders throughout the organization rather than only upwards to the board level.  This allows the organization to coordinate risk management activities, understand potential risks and opportunities, and develop a consensus regarding risk priorities and metrics.  Organizations could also leverage strategic external relationships to create competitive relationships by communicating shared risks.

Transparency of risk communication

Once stakeholders at all levels have been engaged in risk communication, the organization should customize this sharing of information to ensure the necessary data is collected from the right people.  Encouragement of input from each individual during the development phase will ensure a stronger understanding of risks facing the company as well as the best risk management strategy to put in place.

Integration of financial and operational risk information into decision making

As ERM processes begin to mature, organizations are able to rely less on “intuition” and more on quantitative and qualitative information unique to their own business process to make decisions regarding risk.  Risk reports should be streamlined within the company to provide the necessary information at the right time and to the right people.  Risk dashboards may also be used provide key data throughout the organization on a timely basis to better enable informed decision making.

Use of sophisticated quantification methods to understand risk and demonstrate added value through risk management

Companies focus on both understanding risks and ensuring that risk management efforts are actually adding value to the company.  Although there are still a variety of methods used, quantification tools can provide a better way to measure risk and the value of ERM efforts as well as cultivate a clearer understanding of current and emerging risks.

Identification of new and emerging risks using internal data as well as information from external providers

One of the most difficult ERM concepts is the ability to look for and identify emerging risks in the future.  To accomplish this, companies with advanced ERM programs rely on external data, align business continuity management with ERM, and encourage the board to think “outside the box” about possible future risks at least annually.

A move from focusing on risk avoidance and mitigation to leveraging risk and risk management options to extract value

There has been a shift in organizations from risk avoidance to risk optimization, effectively changing risk management into opportunity management.  Focusing risks on opportunities rather than hindrances makes them more engaging at all levels of the organization. 

Click below to download report