ERM Lessons Across Industries
March 2003
Three new Tillinghast-Towers Perrin enterprise
risk management studies examine trends and provide guidelines. There has been
a rapid spread of ERM programs across a wide range of industries. Early adopters
found ERM to be a valuable, business-building tool that offers them competitive
advantage and helps them solve their major business issues. But implementing
such programs is not easy—there are many organizational and technical barriers
to overcome.
by Jerry Miccolis
Tillinghast-Towers Perrin
Three recent Tillinghast-Towers Perrin studies of enterprise risk management
(ERM) practices across a broad range of industry sectors—from insurance and
banking to energy, mining, and retailing—are sharpening the picture of the value
to nearly all industries of this relatively new approach to the strategic management
and exploitation of risk. They also show how an increasingly diverse range of
companies is attempting to make ERM an institutionalized part of their organizations.
And they point to many of the barriers and challenges these pioneering companies
are encountering as they implement ERM.
Taken together, these studies—(i)
Enterprise Risk Management in the Insurance Industry, 2002 Benchmarking Survey
Report; (ii) Enterprise Risk Management: Trends and Emerging Practices, conducted in 2001
for the Institute of Internal Auditors Research Foundation (for more information,
visit the Tillinghast-Towers Perrin Web site); and (iii) A Composite Sketch of a Chief Risk Officer,
conducted in 2001 for the Conference Board of Canada with the University of
Georgia's Center for Enterprise Risk Management—provide both guides and cautions
to the growing number of companies considering adopting ERM.
The key lessons from these studies are as follows.
- If you are thinking of structuring ERM strictly as a defensive response
to satisfy regulators, then you might miss the real business opportunity
these early adopters have discovered. They see ERM as a valuable, business-building
tool that offers them competitive advantage and helps them solve their major
business issues.
- While the speed with which ERM is spreading—most programs in most industries
are less than 3 years old—may suggest that companies coming to ERM at this
stage may be starting at a considerable disadvantage, they can take heart:
early adopters are still struggling with the best way to manage and institutionalize
ERM within their organizations.
- More and more organizations are creating the position of chief risk
officer to coordinate and manage their ERM efforts. But in our view, many
of these companies are not getting the maximum effectiveness out of the
position because of the way they typically view the skills and capabilities
that go into the role. Perhaps for that reason, these early adopters are
turning to the chief financial officer to provide leadership in implementing
ERM.
Who Is Adopting ERM and Why
The studies make very clear the rapid spread of ERM across a wide range of
industries. Three years ago, very few companies had begun implementing ERM.
In insurance, for instance, only 13 percent of the companies we surveyed had
an ERM program more than 5 years old; and only another 13 percent had programs
that were between 3 and 5 years old. Today 49 percent of companies in all sectors
that we've surveyed have either a partial (38 percent) or full (11 percent)
ERM program in place.
The majority of those programs are in the financial sector, led by global
insurance with 49 percent of all companies in our 2002 benchmarking report.
Our Trends study shows that, a year earlier,
27 percent of companies in the broader financial sector had ERM programs, followed
by energy and mining (20 percent), manufacturing (14 percent), the public sector
(9 percent), and telecommunications (9 percent).
These early adopters say they have implemented ERM largely because
it simply makes good business sense. For instance, nearly 90 percent
of global insurers say they adopted ERM because it is "a good business practice,"
and 52 percent say it provides them "a coherent conceptual framework" for managing
risk holistically. That is also the leading reason for all businesses across
all sectors; nearly 60 percent say they have adopted ERM because they wanted
a "unifying framework" for risk management. Companies also say they adopted
ERM because it gives them competitive advantage (46 percent of insurers) or
because it helps them face competitive pressure (22 percent of companies from
all sectors).
That said, many businesses say that as much as they are attracted to the
carrot of ERM being a sound business practice, they are still aware of the stick
of compliance: 42 percent of insurers say another reason they adopted ERM was
to comply with corporate governance guidelines, a reason offered by 41 percent
of companies from all sectors.
ERM makes good business sense because companies in all sectors believe it
helps them solve their major business issues. That belief is especially strong
among insurers who probably have some of the greatest experience with risk assessment
and mitigation. For instance, 77 percent of insurers say ERM can help them with
earnings growth—the leading business issue for all industries we surveyed—while
57 percent of companies in all sectors say ERM can help them with this issue.
Ninety-two percent of insurers also believe ERM can help with earnings consistency,
compared to 67 percent of companies in all sectors. Seventy-seven percent of
insurers believe ERM can help with pricing issues, compared to 68 percent of
companies in all sectors.
But both insurers and all other companies are equally confident (55 percent)
that ERM can even help them with revenue growth, the number two issue for both
groups. That not-immediately-intuitive connection between ERM and top-line growth
is probably the surest indicator that these early adopters see ERM as a true
business-building tool. That is, these companies see ERM as a way to optimize
their "portfolio" of growth strategies in a risk/reward sense, effectively expanding
modern portfolio theory from the realm of investment planning to the realm of
strategic business decision-making.
The Challenges of Implementing ERM in an Organization
Not surprisingly, given the relative youth of ERM, companies in all sectors
are still working out the most effective way to implement and manage the practice
in their organizations. Most agree that if you want to introduce an integrated,
unified approach to risk management across the entire organization, then one
senior office or entity needs to champion that cause. For example, 90 percent
of companies practicing ERM in all sectors say they have all their risk management
and risk compliance committees report to one executive.
Once past this broad principle, actual practice for ERM organizational design,
roles, and responsibilities shows a great variation across all sectors. Many
organizations, for instance, have turned to the practice of appointing a chief
risk officer (CRO). Thirty-eight percent of all global insurers in our benchmarking
survey have done so, up from 20 percent in our first study of ERM in the
insurance industry, published in 2000. Those numbers straddle the percentage
for all sectors, where, in 2001, 24 percent of companies had appointed a CRO.
But even with this rise in the CRO position, companies rarely give that office
the primary responsibility for overseeing ERM. Among global insurance companies,
the responsibility most frequently (33 percent) rests with the chief financial
officer, followed by the CRO (19 percent), chief actuary (16 percent), ERM or
risk committee (10 percent), and CEO (7 percent). Among companies in all sectors,
primary responsibility for ERM rests with the chief audit officer (30 percent),
probably reflecting a slight "compliance bias" for the function, followed by
the CFO (24 percent) and CEO (7 percent).
This relatively secondary position for the CRO may be a consequence of both
the youth of the position and how organizations seem to conceive of
its responsibilities, capabilities, and qualifications. For example, half
the CROs that we surveyed in our Composite Sketch
study said they'd held the position for less than 2 years. Only 20 percent said
they had been in the position for more than 3 years. We saw similar results
in our Trends survey. In that study, 63
percent of CROs had been in place for less than 2 years, with 40 percent in
place less than 1 year.
The role assigned to the position so far, according to our survey of CROs,
has largely been technical: centralizing and coordinating ERM activities (48
percent) and introducing and developing an ERM framework (29 percent). Only
10 percent said they were responsible for improving risk communication in their
organization.
The assumption by many organizations that the CRO should be a "super technician"
also is clear in the source of CROs and the skills and capabilities most companies
say they look for in a CRO. For companies in all sectors, the CRO most frequently
comes from inside the organization, reported by 71 percent of respondents. The
internal sources are also likely to be technical: 21 percent from internal auditing,
18 percent from finance, and another 18 percent from a variety of other functions,
including "risk management." These numbers match those from our survey of CROs
themselves, two-thirds of whom come from internal positions.
In contrast to the practice across all industries, insurers are almost as
likely to look outside the organization as inside for a CRO. Only 56 percent
of CROs in insurance come from inside their own companies (but this is up from
38 percent in the 2000 insurance industry survey), and most frequently from
the actuarial function (47 percent). Forty-four percent of insurance CROs come
from outside the company, usually from the disciplines of actuarial (33 percent),
banking (27 percent), or risk management (13 percent).
The technical bias for the CRO is probably clearest in the skills and capabilities
that organizations say they look for in a CRO. Among CROs themselves across
all industries, nearly 65 percent say technical skills are most important to
the position: 24 percent say math and qualitative skills are most important,
22 percent say finance, 15 percent say accounting. Only 18 percent say communication
skills are most important and only 8 percent say management skills are most
important.
Insurers around the world generally share this bias toward the technical.
Some 77 percent told us technical skills were important in a CRO. Only 49 percent
said communication skills were important, and only 17 percent said project management
skills were important. By contrast, Canadian insurers go against this bias.
Among this group of insurers, 71 percent rate communication skills important,
followed by organizational skills, rated important by 57 percent.
Our consulting experience strongly suggests that the Canadians have it right.
In the companies that have been most successful with ERM, the CRO serves as
the "ambassador" of ERM and the facilitator of its implementation—a true change
agent—across the organization, able to diplomatically resolve turf issues (a
major barrier to ERM implementation as we'll see below) and get everyone in
the organization on the same page. Those tasks require above-average communication
and organizational skills.
Barriers to Implementing ERM
While the respondents to our surveys report steady progress in implementing
ERM, they have also been candid in outlining some of the barriers they have
faced—and still face—in that implementation. Not surprisingly, in the light
of our consulting experience, many of these have to do with the kinds of issues
best addressed by a skilled communicator and facilitator.
For example, 55 percent of companies from all sectors list "organizational
culture" as a barrier to successful ERM implementation, as do 48 percent of
insurers. Thirty-six percent of companies from all sectors list "organizational turf"
conflicts as a major barrier, as do 42 percent of insurers. Even several of
the barriers that do not ostensibly have to do with communications and facilitation
may very likely have those issues at their root. For instance, half the companies
from all sectors say that a barrier they face is that ERM is "not perceived
as a priority among senior management." And insurers cite "lack of resources"
(57 percent) and "time" (52 percent) as barriers—both of which are frequently
reasons for inaction within organizations where senior management has not been
convinced that an initiative deserves such attention.
That said, the respondents to our surveys do note a number of true technical
barriers to implementing ERM: lack of a formalized process (cited by 46 percent
of companies across all sectors), lack of processes and intellectual capital
(cited by 47 percent of insurers), and lack of appropriate technology (cited
by 21 percent of companies across all sectors and 36 percent of insurers) among
the leading technical barriers.
A Final Word for Companies on the Fence
Despite the challenges to adopting and implementing ERM, the weight of the
testimony of these early adopters is unequivocal. ERM makes sense. Properly
conceived and designed, an ERM program not only helps organizations mitigate
the most important risks they face, it helps them grow the business. It lifts
the top and bottom line. It provides competitive advantage. The question for
other companies, then, is less "if" they should adopt and implement ERM than
"how soon" they should begin that value-creating journey.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.