The main points captured in the KPMG survey include factors driving ERM efforts, risk assessment processes, risk responsibilities, benefits expected from ERM, and improvements for success. In addition, challenges that management often face related to risk management practices across an enterprise include the following:
- identifying enterprise risk;
- linking ERM to corporate strategy;
- integrating risk management processes across the enterprise;
- embedding ERM in all company aspects; and
- eliminating the gap between regulatory compliance and ERM efforts.
As expected, most companies (68%) are investing in ERM programs to eliminate potential financial losses. Closely followed by financial losses is the drive to improve company performance (64%) and meet regulatory compliance requirements (58%).
Even though many companies continue to struggle with defining the critical components of ERM, the survey results show that the highest percentage of managers selected risk identification (94%) and risk governance (90%) as the most important elements of ERM. Risk reporting (89%) and risk quantification (80%) closely followed as critical components, while the lowest percentage (40%) viewed risk technology as a critical factor.
Implementation is clearly underway for most companies according to the survey. There are still areas in the 9 ERM activities identified by the survey that have not been tackled by some companies, but the percentages are very low. The 9 basic ERM activities included in the KPMG survey are listed below:
- establishment of corporate governance structure;
- identification and prioritization of main organizational risks;
- development of methodologies for risk management;
- establishment of risk organization to correspond with risk objectives;
- development of vital corporate risk tolerances;
- establishment of risk treatment plans;
- design of vigorous risk reporting;
- integration of risk processes and business practices;
- implementation of prerequisite risk foundation.
Most companies show progress and even some companies show movement toward completion in the 9 areas listed above. When asked what risk was most important to them, the majority of respondents (67%) listed “operations.”
Other important results from the survey are listed below:
- CRO and CFO were ranked by nearly 40% of the respondents as being the main executive responsible for risk management;
- risk qualitative measures (46%) are still widely used with a lack of quantitative measures;
- consolidation of risk assessment processes has started with more than 40% of businesses moving away from out-dated “silo approach”;
- risk awareness and communication (76%) are major benefits achieved through ERM;
- risk measurement improvements are cited by 6 in 10 companies as being a top priority for future ERM improvements.
As businesses look to the future, the pace of their ERM program may need to be strengthened to eliminate the expectation gap of regulators, managers, and rating agencies to name a few. This is apparent because of the slow pace most businesses have taken in working towards completion of their ERM processes. The full benefits from ERM will not be obvious until more organizations fully utilize the program.