The Growing Acceptance of ERM

The Risk and Insurance Management Society (RIMS) published its report, 2011 Enterprise Risk Management Survey, which notes that ERM implementation is increasing among companies. More than 50 percent of the companies surveyed had implemented ERM as compared to 36 percent who reported that they had implemented ERM in a similar survey two years before. In addition, more risk managers are assuming ERM leadership roles in their companies.

The 2011 survey results showed that in about 60 percent of the companies surveyed, risk managers headed the ERM program. This compares to 32 percent in RIMS’s 2009 survey. The internal audit department and the legal department were the next most utilized departments in heading ERM programs. The survey results showed that ERM is growing in acceptance as a mainstream business practice.

Larger companies were more prone to have advanced ERM programs. Technology, energy, financial, and utility companies had higher ERM adoption rates. In contrast, materials, nonprofit, telecommunication, consumer discretionary and professional services companies lagged in their ERM adoption.

ERM Adoption Motivation and Tools

The two primary motivators for ERM adoption among the surveyed companies were board directives and regulatory requirements for ERM. Forty-four percent of the companies surveyed indicated that their ERM processes were not aligned with any particular ERM framework. The next two most significant groups adopted the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework and the ISO 31000 framework. Other respondents utilized at least four other frameworks to implement their ERM programs. Most of the companies indicated that they received help to develop their ERM programs mainly from brokers, RIMS, risk management consultants and accounting firms.

Fifty-five percent of the respondents indicated that they had developed risk appetite and/or risk tolerance statements; 35 percent developed one at an enterprise level, 25 percent at a business unit/divisional level, and 15 percent at a department level.

Maturity of ERM Programs

The survey asked the respondents to rate their level of satisfaction with specific elements of their ERM programs. The results of this survey show similarities to the COSO’s 2010 Report on ERM and AICPA’s Report on the Current State of Enterprise Risk Oversight: 3rd Edition.

The survey participants had higher satisfaction rates for elements such as reporting risk issues to the board and understanding risk issues among business units. They had lower satisfaction rates for elements such as risk appetite development and adopting ERM practices throughout the organization. Generally, the level of maturity in the organization is still growing. Of the 12 elements that the survey asked about, only two had more than 50 percent of participants expressing that they were satisfied. For each of the other ten elements, fewer than 50 percent of participants expressed that they were satisfied with their company’s progress in that ERM element.

Similar to the results of the above-stated COSO and AICPA reports, companies are still struggling to recognize the importance of ERM to the achievement of an entity’s strategy. Forty-four percent of survey participants believed that the value proposition of ERM is in mitigating risk and supporting compliance exercises; in contrast, 24 percent thought it was in achieving strategic and operating objectives.

The survey asked the participants to rank the maturity of their companies in the seven RIMS Risk Maturity Model attributes. The results showed that companies are still immature. Companies had only one attribute in the highest maturity ranking. In addition, only 15 percent of companies indicated that they had attained the high level of maturity for that one attribute: adoption of ERM-based approach. The seven attributes of RIMS Risk Maturity Model are business resiliency and sustainability, performance management, uncovering risks (and opportunities), root cause discipline, risk appetite management, ERM process management, and adoption of ERM-based approach.
