The first in-depth study on enterprise risk management (ERM) practices, “RIMS State of ERM Report 2008,” substantiates the value of ERM for organizations of all types and indicates that companies that have greater risk management and ERM maturity levels enjoy higher credit ratings.
ERM reduces uncertainty and, over time, improves the prospects of success for organizations that have risk management competency. More than just traditional financial and insurable hazards, ERM encompasses the entire spectrum of risk, including strategy, operations, reputation, finance, compliance and information. As organizations’ competency levels improve, so do the odds of successfully managing all kinds of risks.
Marquee companies collapse, high-profile executives step down in disgrace, and thousands of corporations are forced to restate financial reports. The impact of these risks is preventable if resources are allocated while there is still time to change the outcome. Are organizations managing their risks effectively?
On the surface, they seem to be trying. Boards create risk management committees, CEOs hire senior risk officers and report author Steven Minsky, CEO and founder of LogicManager, notes that organizations in North America alone spend nearly $30 billion annually on compliance – $6 billion just on Sarbanes-Oxley (SOX) compliance.
However, total losses for the global financial crisis have been estimated to reach $945 billion. How can so many smart people overestimate their risk management competency? Did they not have the right infrastructure in place? Did they not aggregate and measure risk effectively? Would these catastrophic events have been prevented if this same spending had been invested in an ERM approach, questions Minsky.
Minsky says the current crisis is now largely seen as a failure of risk management. New government regulation formally enforcing enterprise risk management can be expected. This will have fundamental and far-reaching ramifications for the governance of organizations as well as regulators. Key members of publicly-traded organizations’ management already are required to discuss major risk factors, opportunities and related mitigation activities in filings, Minsky says.
External auditors already are required to perform risk-based audits, which include evaluating organizations’ risk management competency. The expectation is that organizations now will be required to go into depth on how they identify risk, set risk tolerances and provide evidence of effectiveness.
In addition to key findings, RIMS State of ERM Report 2008, published by the Risk and Insurance Management Society Inc. (RIMS) and LogicManager, outlines priorities for best practice criteria that organizations may use to improve ERM competency. Key findings of the report include:
- Organizations that have embraced ERM have realized a concrete advantage in their risk management competency. The study found that 93 percent of organizations with formalized ERM programs in place make better risk-informed decisions – a recognized competitive advantage over those that do not have an ERM program.
- Organizations that report they have an ERM program in place still fall significantly short of achieving managed or better risk maturity. The study demonstrates that, based on the ERM guidelines presented in RIMS Risk Maturity Model for ERM, only 4 percent of these companies have achieved a managed or better level of risk management competency in all risk competencies. This suggests that organizations may have a false sense about all that is required for an effective risk management program.
- Data from the study verifies that formalized infrastructures in well-managed ERM programs embody the 68 best practice guidelines for efficient and effective risk management programs as presented in RIMS Risk Maturity Model for ERM.
- The study links ERM to better business performance. There is a distinct correlation between companies that score higher on RIMS Risk Maturity assessment and companies that possess higher credit ratings. The same is true of low scoring companies that, typically, possess lower credit ratings. Hence, better managed companies in terms of ERM practices benefit from better business performance.
“In order for organizations to capitalize on the strategic and tactical value creation enabled by ERM, management – from the board room to the front line – must play an active role in the risk management process,” says Carol A. Fox, ARM, senior director of risk management at Convergys Corp. and chair of RIMS’ ERM Development Committee. Members of the committee, who are risk practitioners, contributed to the report. “This report identifies fundamental requirements for management to build and maintain a resilient and sustainable organization.”
For organizations that want to further develop their current ERM program, or learn how to implement one, RIMS recommends that an important first step is to understand where they stand. RIMS Risk Maturity Model for ERM and the free online Risk Maturity Assessment allows companies to assess their current practices against validated risk competencies and develop an action plan to take your risk management program to the next level.RIMS State of ERM Report 2008 is available for free to risk practitioners who complete an online Risk Maturity Assessment.