As demonstrated by the Protiviti enterprise risk management (ERM) survey, carried out by StrategicRISK magazine, it is evident that over 75% of respondents have either initiated or are well under way with their ERM initiatives. Equally there are different views on what ERM is and what the main drivers for implementing ERM are.
However, how do we know or judge whether ERM implementation has been successful? The survey suggests that, in addition to improved corporate governance (62% of respondents), the desire for improved decision making (59%) is a key driver, while the ability to improve overall business performance was the main attraction for 58% of respondents. But if these are the desired outcomes, how does a firm know that it is on the right road? Below, we have listed a number of measures that, in our experience, companies on the ERM journey have used as indicators of effectiveness.
Integration of risk assessment into strategic and operating processes
As managers make business risk an integral part of their agenda they become more anticipatory and forward-looking in their decision making. For example, integration of risk management in the business planning and strategic management processes results in risks being assessed in an explicit, open and transparent manner.
Improved risk identification
Process and activity owners are armed with appropriate tools and approaches to identify risks more effectively. This, coupled with improved risk mapping along with a common language, facilitates a dialogue about risks across and throughout all levels of the organisation. This increased activity more effectively contributes to the firm's performance over time.
Implementation of more effective analytical and early warning techniques
An increased emphasis on more systematic, quantitative and predictive analytics leads to more informed decisions, which in turn lead to better business performance over time. Greater use of methodologies for anticipating risk and assessing impact leads to increased effectiveness in escalation and prioritisation of emerging issues.
Improvement in specific risk measures, metrics and monitoring
Making the transition from 'guessing' through 'understanding' to 'knowing' a risk is a clear improvement, as is moving from 'reacting' to 'being prepared'. Management reporting which tracks key risks provides evidence of improved performance over time. Information about risks made available throughout the organisation facilitates the knowledge sharing aspects of ERM. In addition, the use of risk aggregation tools replaces intuitive guesswork with fact-based analysis.
Reduced number, or avoidance of risk incidents
If a firm can demonstrate fewer risk incidents or loss events than the industry average it has clear evidence of superior performance. It should be noted though that it is paradoxical to invest in a risk reduction response and be disappointed when 'nothing happens' - as evidenced by some commentators on the Y2K effort.
Reduced performance variability
It should be reasonable to expect that, as a result of improved risk identification, measurement and control, a firm encounters fewer surprises in reported results over time. However, the difficulty with this measure is in delineating the difference between the contribution made by ERM and other management disciplines.
Reduction in cost of capital and improvement in shareholder value
If a firm's risk management is viewed in the market place as a differentiating skill relative to its peers, the company's borrowing costs should decline and share valuations increase. While there is an absence of empirical support for this assertion, it is nevertheless a strong hypothesis that some companies hold as they implement ERM.
Increased risk sensitivity and awareness
An increased focus on, and reinforcement of, risk management goals and objectives is an indicator of effectiveness. Reinforcement may be evidenced by incorporating risk management in the appraisal, reward and incentive programmes.
Integration with KPI reporting
In our experience, a number of firms integrate risk management with key performance indicators (KPIs). For example, one firm prepares risk maps for each KPI on its balanced scorecard. This provides management with a comprehensive prioritisation of risks by KPI. All other things being equal, this linkage can only help improve performance over time.
Finally, the continued success of the organisation, by building and sustaining competitive advantage and producing incremental increases in key financial and non-financial performance measures such as cashflow, EPS, ROI, customer satisfaction, employee satisfaction and market share, is in itself an indirect measure of effective risk management. Whatever the measure, the organisation should track its performance relative to its peers over time. The logic goes that if the organisation manages its risks effectively and continues to be successful in a competitive market place, the two are related. Again, separating the contribution of ERM from that of other management disciplines which also contribute to an organisation's success represents a challenge.
- Sukhdev Bal is a director of Protiviti; a free copy of the 'Guide to Enterprise Risk Management: Frequently Asked Questions' can be downloaded from www.protiviti.co.uk