Global economic uncertainty is placing organizations under increasing pressure to improve their risk management practices while simultaneously achieving consistently higher financial returns. Consequently, organizations in many industries are adopting an enterprise risk management (ERM) framework as a way to assist them in achieving this. An ERM framework can be defined as a well-rounded approach to understanding, quantifying and managing the risks of an organization and it should form an integral part of the organization’s strategic direction. A key objective of a modern ERM program is to reduce the sensitivity of earnings and share price fluctuations to external variables, or for privately-owned organizations, to ensure that their returns are stable. Therefore, the conceptual benefits of ERM include improved strategic and operational decision-making, a reduction in the organization’s risk premium, and a reduction in earnings volatility.
While ERM is an integral approach to managing dynamic, fluid and highly interdependent risks, the practical challenge that most organizations face is how to develop a program that is perceived as valuable and useful in minimizing surprises, loss and costs while allowing the organization to become more proactive, rather than reactive.
It has been challenging for organizations to realize the benefits of ERM for a number of reasons:
- How ERM is measured. Risk is different for every organization, even those in the same industry, so quantifying results—both positive and negative—in a meaningful manner for stakeholders can be challenging.
- Resource commitment. Traditionally, risk has been viewed as a cost center and as such may not have the resource allocation required to achieve all of their objectives.
- Risk assessment method. Some elements of risk are relatively easy to assess; however, areas such as strategic risk are subjective and have no formal quantification methods.
- Time horizon. Risks evolve and change and without the appropriate measures in place, the time horizon issue starts to influence how risk is viewed.
- Reporting. Reporting needs to be meaningful and capture the right metrics to enable constructive conversations to occur.
Empirical research on the relationship between ERM and organizational financial value has been conducted in the United States and United Kingdom. The results from these studies have been mixed with some asserting a positive correlation and others finding none. However, a consistent theme emerging from the international research is that even when an organization has successfully implemented a well-rounded ERM framework, there is a significant proportion that have struggled to realize the full benefits of their investment.
The Relationship Between ERM and Organizational Performance
To assist in addressing this issue, research was recently undertaken to examine the link between ERM and organizational financial performance. The research focused on Australian-based companies in the ASX30, which includes Australia’s top 300 organizations ranked by market capitalization, and members of the Risk Management Association of Australasia (RMIA). Participants represented 23 industries, including government agencies and not-for-profit organizations, and most participants operated exclusively within Australia, although some also had operations in New Zealand and Asia.
The research found that the relationship between ERM and organizational financial performance is influenced by organizational specific characteristics. These factors include:
- Organization type. Not-for-profit, profit and government organizations have different stakeholders and the risks they face will vary based on their objectives. Subsequently, the way they structure their ERM framework should be tailored to their organization and aligned with their organization’s objectives.
- The nature of the organization’s operations. Organizations in different phases of their lifecycle are going to have different risk priorities and influences and will be influenced by different external factors.
- The size of the organization. Larger organizations are more likely to have an ERM framework in place while smaller organizations struggle with the potential complexity of implementing something like an ERM framework, or are simply overwhelmed by the thought.
Organizational characteristics are an important consideration when developing an ERM framework because to gain the maximum value from the investment made in risk, the risk solution needs to consider all of these items. There is no one-size-fits-all approach to risk implementation and even the guiding frameworks for ERM should be tailored to consider business requirements. Without considering these factors it is unlikely the ERM framework will be successfully embedded into the organization.
In addition to the organizational characteristics that influence the success of an ERM program, there were also a number of mitigating variables that were found to influence value, including:
- Communication. ERM communication should be both top-down and bottom-up and for larger organizations, also span horizontally. The majority of responses from the research identified three levels for ERM communication: the board, general manager/business unit head and senior manager levels. Only a small proportion of respondents indicated that ERM communication occurred at the management and staff levels. The lower number of responses for managers and all staff suggest that communication regarding ERM objectives was primarily the focus of senior management. To be successful, effective and continuous communication is required throughout the whole organization and in both directions.
- Skill levels. Skill levels varied among survey participants. Additionally, the level of executive skills influenced how resources were being allocated to the risk function. The findings suggested that the respondents’ ERM programs were not fully developed and, while they possessed many of the necessary components, they had not managed to coordinate these adequately to achieve the benefits that would be obtained from an integrated ERM program. While this indicates a lack of risk maturity, a common theme of not understanding how to execute or embed a complete framework was also found.
- Compliance versus strategy. Every risk management program should seek to create value and contribute to the organization’s financial performance. However, the research findings indicated that ERM may be implemented in Australia for the purpose of compliance, rather than to gain a performance advantage.
The details behind these findings demonstrated that there were a number of elements of ERM that were still not being utilized to a significant extent or utilized correctly, including rewards systems linked to risk management and the use of technology to efficiently conduct risk assessments. Additionally, survey respondents believed they were deriving much more value from their ERM program than was actually the case because they were undertaking risk assessment activities, but not incorporating risk management into the organization’s strategic decision-making.
This finding presents an opportunity for risk practitioners to improve the way they link their risk management and strategic planning process. This will require the development of a complete ERM implementation plan, senior management support, and communication and education throughout the organization.
The Importance of Culture
While all of the elements discussed thus far are critical to success, one of the most important implications for practice was the relationship between the success of ERM implementation and the organization’s culture. Culture was found to have the greatest effect on ERM implementation success. This means organizations should invest more resources in cultivating a suitable culture than on any other factor when implementing ERM.
The dimensions of culture that may affect ERM implementation include senior management engagement, communication, tolerance, level of insight, level of care, speed of response, confidence, openness, challenge and cooperation.
In addition to considering the factors outlined above, an organization’s culture should be considered in relation to the initial plan to ensure that any potential issues can be appropriately addressed up front and not embedded into the program as it is implemented. A culture that is suitable for the successful adoption of ERM is open, transparent and productive. It must be supported by senior management, both in concept and in demonstration. The board should set expectations for how conversations about risk should occur and this should include the creation of a risk appetite statement for their organization.
A risk appetite statement is also an important step in developing a robust ERM program. The research demonstrated that the level of ERM implementation in Australia was highly variable, but generally lower than other developed countries. The data analysis determined that 65% of the survey respondents had introduced a risk appetite statement, but only 17% of respondents used multiple ERM elements. Furthermore, the relationship between having a risk appetite in place and identifying strategic risks, which is often present when ERM implementation is mature, was found to not be statistically significant. Some elements of ERM were common, including policies and procedures (87%) and reporting capabilities (75%), but few respondents reported having the appropriate technology in place.
The aggregated implications of these findings suggest that ERM implementation among the respondents was quite immature. Further, while the level of ERM implementation was high on measures like reporting capabilities, the utilization of risk management to proactively improve financial performance was low.
Lessons for Risk Practitioners
Although this research was conducted in Australia, the extant literature would suggest there are lessons in these findings for all risk practitioners. Practitioners need to focus on ensuring that all of the elements of their ERM programs are appropriately integrated to ensure that they gain strategic level benefits. The pressures for increasing risk management capabilities will continue to grow and the risk environment is likely to become increasingly complex. There are obvious barriers to ERM implementation, however, and understanding these up front and addressing them in a proactive manner ensures that they are dealt with rather than becoming compounded by other challenges.
Organizations have invested significant sums of money to change their business models to take maximum advantage of today’s global business environment and technological advances. They have developed new products, new operating practices and new concepts in service delivery to try to enhance business performance. But research has shown that many organizations are using risk management programs and techniques that have not evolved with their strategy—they have become compliance driven—providing the opportunity for organizations to harness this potential.
Risk practitioners have an opportunity to become more strategically orientated in order to optimize the risk/reward relationship. High-performing organizations need to manage their risks in all areas of operations, if they are to effectively pursue their strategic goals. Logically, ERM is an important management tool for this purpose.
An ERM framework should not be a compliance tool; it should be insight and value driven. By achieving this, organizations have greater visibility into the health of their business and consequently make better strategic decisions. They also create an environment where upside as well as downside risks are highlighted, enabling the organization to assess and act upon opportunities rather than having them pass by unnoticed. As a consequence, risk begins to make a significant contribution to the bottom line.
The business world is not going to stand still. Complexity and competitiveness will continue to increase and challenge organizations in ways they have never experienced. But if utilized correctly, ERM can provide a better pathway to improved business performance.