The report, based on The Conference Board/Mercer Oliver Wyman survey of 271 risk management executives, found that more than 90% of executives say they are building or want to build ERM processes into their organisations, but only 11% report they have completed their implementation.
Companies continue to face increasing pressures to implement ERM processes.
Both industry and government regulatory bodies, as well as investors, are increasingly examining these policies and processes. Boards of directors in a rising number of industries are now required to review and report on the effectiveness of ERM frameworks in their companies.
"Most companies are in the process of adopting ERM to contribute to value, to meet rising corporate governance challenges and regulatory actions particularly in the US, and to meet the challenges arising from external and internal risks," says Ellen Hexter, senior research fellow and programme director for The Conference Board's ERM conferences. "Enterprise risk management is clearly gaining ground."
The survey indicates that more than two-thirds of both boards of directors and senior management staff consider risk management to be an increasingly important responsibility. Behind this trend are pressures to reduce unexpected volatility in earnings and a need to implement the internal mandates demanded by the Sarbanes-Oxley Act and other similar regulatory frameworks.
ERM pays off
Companies that have already implemented ERM report a significantly higher level of value added than companies that have not yet fully implemented these measures. This level of value is true for all the benefits attributed to ERM, including the top three:
- better-informed decisions (86% of companies with fully-implemented ERM; 58% of all other companies)
- greater management consensus (83% of companies with fully-implemented ERM; 36% of all other companies)
- increased management accountability (79% of companies with ERM; 34% of all other companies)
The study finds that companies fully embracing ERM are better able to improve management practices, such as strategic planning, and have a greater ability to understand and weigh risk-reward equations in their decisions.
More than 60% of those surveyed believe that there will be at least a significant increase in external risk over the next five years. "Although it might not be possible for businesses to control external risks, understanding how such risks are interrelated can help companies anticipate major surprises," comments Hexter.
Avoiding surprises
ERM is also gaining ground as a framework for corporate business practices.
When asked to rank their highest priority objectives for their ERM programme, survey participants placed the greatest emphasis on 'ensuring risks are considered in decision making' and 'avoiding surprises and predictable failures'.
However, only 16% of respondents report that their companies have integrated ERM practices into corporate practices, such as strategic planning and the annual budget process. But the fact that just under a third say their company's ERM is integrated with internal audit illustrates that risk management efforts often begin within the internal audit area. But once the company has achieved a certain level of ERM sophistication, risk oversight is often moved to an independent status or another area, since there are conflicts in having audit units establish ERM objectives and then use them to determine operating managers' performance.
Techniques used to evaluate risks included key risk indicators, individual self-assessments, group assessments and industry benchmarks. Quantitative techniques involving statistical and scenario analyses are beginning to emerge to support the inclusion of risk in corporate decision making.
The study included executives based in a wide variety of industries throughout North America and Europe as well as insights gleaned from top executives who attended conferences held recently by The Conference Board. Financial services and risk management consulting firm Mercer Oliver Wyman, which sponsored the report, also provided key data.