
ERM Lessons Across Industries

Jerry Miccolis | March 1, 2003


Three new Tillinghast-Towers Perrin enterprise risk management studies examine trends and provide guidelines. There has been a rapid spread of ERM programs across a wide range of industries. Early adopters found ERM to be a valuable, business-building tool that offers them competitive advantage and helps them solve their major business issues. But implementing such programs is not easy—there are many organizational and technical barriers to overcome.

Three recent Tillinghast-Towers Perrin studies of enterprise risk management (ERM) practices across a broad range of industry sectors—from insurance and banking to energy, mining, and retailing—are sharpening the picture of the value to nearly all industries of this relatively new approach to the strategic management and exploitation of risk. They also show how an increasingly diverse range of companies is attempting to make ERM an institutionalized part of their organizations. And they point to many of the barriers and challenges these pioneering companies are encountering as they implement ERM.

Taken together, these studies—(i) Enterprise Risk Management in the Insurance Industry, 2002 Benchmarking Survey Report; (ii) Enterprise Risk Management: Trends and Emerging Practices, conducted in 2001 for the Institute of Internal Auditors Research Foundation (for more information, visit the Tillinghast-Towers Perrin website); and (iii) A Composite Sketch of a Chief Risk Officer, conducted in 2001 for the Conference Board of Canada with the University of Georgia's Center for Enterprise Risk Management—provide both guides and cautions to the growing number of companies considering adopting ERM.

The key lessons from these studies are as follows.

  • If you are thinking of structuring ERM strictly as a defensive response to satisfy regulators, then you might miss the real business opportunity these early adopters have discovered. They see ERM as a valuable, business-building tool that offers them competitive advantage and helps them solve their major business issues.
  • While the speed with which ERM is spreading—most programs in most industries are less than 3 years old—may suggest that companies coming to ERM at this stage may be starting at a considerable disadvantage, they can take heart: early adopters are still struggling with the best way to manage and institutionalize ERM within their organizations.
  • More and more organizations are creating the position of chief risk officer to coordinate and manage their ERM efforts. But in our view, many of these companies are not getting the maximum effectiveness out of the position because of the way they typically view the skills and capabilities that go into the role. Perhaps for that reason, these early adopters are turning to the chief financial officer to provide leadership in implementing ERM.

Who Is Adopting ERM and Why

The studies make very clear the rapid spread of ERM across a wide range of industries. Three years ago, very few companies had begun implementing ERM. In insurance, for instance, only 13 percent of the companies we surveyed had an ERM program more than 5 years old; and only another 13 percent had programs that were between 3 and 5 years old. Today 49 percent of companies in all sectors that we've surveyed have either a partial (38 percent) or full (11 percent) ERM program in place.

The majority of those programs are in the financial sector, led by global insurance with 49 percent of all companies in our 2002 benchmarking report. Our Trends study shows that, a year earlier, 27 percent of companies in the broader financial sector had ERM programs, followed by energy and mining (20 percent), manufacturing (14 percent), the public sector (9 percent), and telecommunications (9 percent).

These early adopters say they have implemented ERM largely because it simply makes good business sense. For instance, nearly 90 percent of global insurers say they adopted ERM because it is "a good business practice," and 52 percent say it provides them "a coherent conceptual framework" for managing risk holistically. That is also the leading reason for all businesses across all sectors; nearly 60 percent say they have adopted ERM because they wanted a "unifying framework" for risk management. Companies also say they adopted ERM because it gives them competitive advantage (46 percent of insurers) or because it helps them face competitive pressure (22 percent of companies from all sectors).

That said, many businesses say that as much as they are attracted to the carrot of ERM being a sound business practice, they are still aware of the stick of compliance: 42 percent of insurers say another reason they adopted ERM was to comply with corporate governance guidelines, a reason offered by 41 percent of companies from all sectors.

ERM makes good business sense because companies in all sectors believe it helps them solve their major business issues. That belief is especially strong among insurers who probably have some of the greatest experience with risk assessment and mitigation. For instance, 77 percent of insurers say ERM can help them with earnings growth—the leading business issue for all industries we surveyed—while 57 percent of companies in all sectors say ERM can help them with this issue. Ninety-two percent of insurers also believe ERM can help with earnings consistency, compared to 67 percent of companies in all sectors. Seventy-seven percent of insurers believe ERM can help with pricing issues, compared to 68 percent of companies in all sectors.

But both insurers and all other companies are equally confident (55 percent) that ERM can even help them with revenue growth, the number two issue for both groups. That not-immediately-intuitive connection between ERM and top-line growth is probably the surest indicator that these early adopters see ERM as a true business-building tool. That is, these companies see ERM as a way to optimize their "portfolio" of growth strategies in a risk/reward sense, effectively expanding modern portfolio theory from the realm of investment planning to the realm of strategic business decision-making.

The Challenges of Implementing ERM in an Organization

Not surprisingly, given the relative youth of ERM, companies in all sectors are still working out the most effective way to implement and manage the practice in their organizations. Most agree that if you want to introduce an integrated, unified approach to risk management across the entire organization, then one senior office or entity needs to champion that cause. For example, 90 percent of companies practicing ERM in all sectors say they have all their risk management and risk compliance committees report to one executive.

Once past this broad principle, actual practice for ERM organizational design, roles, and responsibilities shows great variation across all sectors. Many organizations, for instance, have turned to the practice of appointing a chief risk officer (CRO). Thirty-eight percent of all global insurers in our benchmarking survey have done so, up from 20 percent in our first study of ERM in the insurance industry, published in 2000. Those numbers straddle the percentage for all sectors, where, in 2001, 24 percent of companies had appointed a CRO.

But even with this rise in the CRO position, companies rarely give that office the primary responsibility for overseeing ERM. Among global insurance companies, the responsibility most frequently (33 percent) rests with the chief financial officer, followed by the CRO (19 percent), chief actuary (16 percent), ERM or risk committee (10 percent), and CEO (7 percent). Among companies in all sectors, primary responsibility for ERM rests with the chief audit officer (30 percent), probably reflecting a slight "compliance bias" for the function, followed by the CFO (24 percent) and CEO (7 percent).

This relatively secondary position for the CRO may be a consequence of both the youth of the position and how organizations seem to conceive of its responsibilities, capabilities, and qualifications. For example, half the CROs that we surveyed in our Composite Sketch study said they'd held the position for less than 2 years. Only 20 percent said they had been in the position for more than 3 years. We saw similar results in our Trends survey. In that study, 63 percent of CROs had been in place for less than 2 years, with 40 percent in place less than 1 year.

The role assigned to the position so far, according to our survey of CROs, has largely been technical: centralizing and coordinating ERM activities (48 percent) and introducing and developing an ERM framework (29 percent). Only 10 percent said they were responsible for improving risk communication in their organization.

The assumption by many organizations that the CRO should be a "super technician" also is clear in the source of CROs and the skills and capabilities most companies say they look for in a CRO. For companies in all sectors, the CRO most frequently comes from inside the organization, reported by 71 percent of respondents. The internal sources are also likely to be technical: 21 percent from internal auditing, 18 percent from finance, and another 18 percent from a variety of other functions, including "risk management." These numbers match those from our survey of CROs themselves, two-thirds of whom come from internal positions.

By contrast to the practice across all industries, insurers are almost as likely to look outside the organization as inside for a CRO. Only 56 percent of CROs in insurance come from inside their own companies (but this is up from 38 percent in the 2000 insurance industry survey), and most frequently from the actuarial function (47 percent). Forty-four percent of insurance CROs come from outside the company, usually from the disciplines of actuarial (33 percent), banking (27 percent), or risk management (13 percent).

The technical bias for the CRO is probably clearest in the skills and capabilities that organizations say they look for in a CRO. Among CROs themselves across all industries, nearly 65 percent say technical skills are most important to the position: 24 percent say math and qualitative skills are most important, 22 percent say finance, 15 percent say accounting. Only 18 percent say communication skills are most important and only 8 percent say management skills are most important.

Insurers around the world generally share this bias toward the technical. Some 77 percent told us technical skills were important in a CRO. Only 49 percent said communication skills were important, and only 17 percent said project management skills were important. By contrast, Canadian insurers go against this bias. Among this group of insurers, 71 percent rate communication skills important, followed by organizational skills, rated important by 57 percent.

Our consulting experience strongly suggests that the Canadians have it right. In the companies that have been most successful with ERM, the CRO serves as the "ambassador" of ERM and the facilitator of its implementation—a true change agent—across the organization, able to diplomatically resolve turf issues (a major barrier to ERM implementation as we will see) and get everyone in the organization on the same page. Those tasks require above-average communication and organizational skills.

Barriers to Implementing ERM

While the respondents to our surveys report steady progress in implementing ERM, they have also been candid in outlining some of the barriers they have faced—and still face—in that implementation. Not surprisingly, in the light of our consulting experience, many of these have to do with the kinds of issues best addressed by a skilled communicator and facilitator.

For example, 55 percent of companies from all sectors list "organizational culture" as a barrier to successful ERM implementation, as do 48 percent of insurers. Thirty-six percent of companies from all sectors list "organizational turf" conflicts as a major barrier, as do 42 percent of insurers. Even several of the barriers that do not ostensibly have to do with communications and facilitation may very likely have those issues at their root. For instance, half the companies from all sectors say that a barrier they face is that ERM is "not perceived as a priority among senior management." And insurers cite "lack of resources" (57 percent) and "time" (52 percent) as barriers—both of which are frequently reasons for inaction within organizations where senior management has not been convinced that an initiative deserves such attention.

That said, the respondents to our surveys do note a number of true technical barriers to implementing ERM: lack of a formalized process (cited by 46 percent of companies across all sectors), lack of processes and intellectual capital (cited by 47 percent of insurers), and lack of appropriate technology (cited by 21 percent of companies across all sectors and 36 percent of insurers) among the leading technical barriers.

A Final Word for Companies on the Fence

Despite the challenges to adopting and implementing ERM, the weight of the testimony of these early adopters is unequivocal. ERM makes sense. Properly conceived and designed, an ERM program not only helps organizations mitigate the most important risks they face, it helps them grow the business. It lifts the top and bottom line. It provides competitive advantage. The question for other companies, then, is less "if" they should adopt and implement ERM, but "how soon" they should begin that value-creating journey.
