Are you driving enough shareholder value from Enterprise Risk Management?


It’s clear that while a very significant minority of respondents are either very or moderately successful at driving shareholder value from their ERM programs, they are doing so in the face of significant obstacles in terms of key fundamental factors, such as support for embedding the right culture, investment in appropriate resources, and tone from the top.

The majority of respondents are struggling to drive shareholder value from ERM, or are not trying to at all. For these respondents, the obstacles to truly benefiting from ERM are so significant in their organizations that they are not able to realize the true value of an ERM program.

In general, organizations that implement robust ERM programs see a range of benefits, including improved strategic decision making, a better understanding of how to structure business processes, an enhanced risk and compliance culture, and the ability to better anticipate emerging risks.

Yet it’s clear from the results of this survey that even organizations that claim to have achieved moderate shareholder value from their ERM program are struggling to marshal the resources and internal support they need to go further. Other organizations, it would seem, are failing to achieve value because of the lack of resources and support.

Which begs the question – if ERM programs are delivering shareholder value under such straitened circumstances in most organizations, what could these programs deliver if they were resourced properly?

Introduction

For Enterprise Risk Management (ERM), there is both good news and bad news, from a survey that Thomson Reuters conducted between September 2015 and October 2016. Some 500 individuals from around the world and all sizes of organizations responded to the survey, which took the form of an online quiz called the “ERM Benchmarking Survey.” What they had to say about the state of ERM today is surprising.


How successful has your enterprise risk/operational risk management program been at enhancing shareholder value?

How strongly does the Board of Directors support the ERM program?

Just how much shareholder value ERM has driven depends on whether you are a “glass half full” or “glass half empty” kind of person. The good news is that nearly half of respondents said their ERM programs have been either very or moderately successful at driving shareholder value. That there has been this much obvious success for ERM programs has to be cause for celebration – it is clear that no matter what the doubters say, ERM can and will drive tangible benefits to shareholders.

On the other hand, 52.7% of those who responded said their programs only delivered shareholder value occasionally, or not at all – or even worse, their program was not designed to, and was just focused on regulatory compliance. In fact, a striking 20.6% of respondents said their programs were focused only on regulatory compliance.

The reality that one-fifth of respondents do not even try to drive value from their ERM programs – in spite of ample evidence of the value ERM can deliver for organizations – is a sobering one.

Interestingly, one-fifth of respondents also said that their Boards of Directors could support their ERM programs more, or do not support them at all. So it’s clear that a lack of Board of Director-level support for an Enterprise Risk Management program is a key factor in ERM program underperformance. Simply put, if the Board doesn’t back the program, it will fail to thrive.

The good news is that Boards of Directors are, in general, leading from the front on ERM. Nearly two-thirds of Boards of Directors actively support their organization’s ERM programs, and almost 44% also have a risk committee in place at the Board level. It’s distressing that this obvious support isn’t translating directly into shareholder value – there is a 47.1 percentage point gap between those who responded that their Boards actively support and those who responded that their ERM programs are very successful at delivering shareholder value.

How successful has your enterprise risk/operational risk management program been at enhancing shareholder value?
Very successful: 16.6%
Moderately successful: 30.6%
Occasionally successful: 22.3%
Not successful: 9.8%
Program is focused on regulatory compliance: 20.6%

How strongly does the Board of Directors support the ERM program?
Actively supports; there is a stand-alone risk committee: 43.7%
Actively supports; there is no risk committee, however: 20.0%
Moderately supports: 15.2%
Could support more: 14.0%
Does not support: 7.1%


Who does the head of risk/CRO report to?

How well does your organization understand and act on its ERM objectives?

One reason why strong Board of Directors support for ERM isn’t translating more directly into shareholder value may be reporting lines. Almost one-quarter of respondents work in organizations where the ERM program does not report into either the C-suite or the Board of Directors.

Nearly half of ERM programs now report into the C-suite, which is good progress. A decade ago, most ERM programs did not have this kind of internal visibility.

However, best practice remains that the head of risk or the Chief Risk Officer should be a member of the C-suite and should be accountable to the Board of Directors. Most ERM programs do not have independent accountability in the same way that, for example, internal audit has. Just 28.6% of ERM programs report directly into the Board.

So one observation could be that Boards of Directors would find it easier to ensure their ERM programs drove shareholder value if they ensured these programs reported directly into them, and were accountable to them for their activities. This would give ERM programs not just additional internal support in the form of “tone from the top” but also help ensure that the program is delivering the risk intelligence that Boards need about the organizations they oversee.

Having a stronger “tone from the top” might also help correct another challenge around ERM programs – 79.1% of respondents said their organizations do not understand and act on their ERM objectives very well beneath the senior management level.

Again, the results of this question underscore that Boards of Directors understand the value of ERM – but translating that desire for better ERM into reality in their organizations continues to prove challenging. Nearly one-third of respondents said even their senior management didn’t understand and act on its ERM objectives very well. Such fundamental intellectual and cultural disconnects need to be resolved by the Board – first through the development of a deeper understanding with senior management and then through training and risk culture development throughout the rest of the organization. It is nearly impossible for an organization to drive shareholder value from its ERM program if the great bulk of the organization does not understand why ERM is important and how it is meant to act on this importance.

Who does the head of risk/CRO report to?
The Board: 28.6%
The CEO: 34.3%
The CFO: 14.5%
The head of another assurance function: 11.8%
We do not have a head of risk/CRO: 10.8%

How well does your organization understand and act on its ERM objectives?
Very well, top to bottom: 20.9%
Very well at the Board and senior management level, less well further down: 38.9%
Very well at the Board level, less well further down: 13.5%
Not very well, from top to bottom: 26.7%


How embedded is your organization’s risk appetite in its culture?

How many are part of your ERM program: Risk and Control Self-Assessments (RCSAs); Key Risk Indicators (KRIs); Scenario Analysis; Emerging Risks?

Another fundamental tool for translating an ERM program from vision into reality is the risk appetite statement. Nearly one in seven of the respondents said their organizations do not have a risk appetite in place.

Another 30.3% said that while they have a risk appetite, it’s not communicated well and it’s not part of the strategy conversation – making it effectively dormant. That’s a surprising 45.1% of respondents – not far from 50%! – who do not have a risk appetite that has at least some efficacy within their organization.

Clearly, this partly explains why ERM programs in so many firms are failing to translate below the senior management level into understanding and action – one of the most powerful tools to do this is not being used in many organizations.

The good news is that 40.8% of respondents said their organizations are making risk appetite a part of strategy discussions, and 36.7% say their risk appetite is communicated throughout the organization. A gold star should go to the 22.6% of respondents who said their organizations are doing both.

Putting metrics around the risk appetite – and tracking those metrics – is the next step in implementing a robust ERM program. Again, respondents’ answers point to the lack of commitment in many organizations, with nearly half saying their organization has implemented two or fewer of these, out of a total of four standard approaches.

Having Assessments, Key Risk Indicators, Scenario Analysis and an approach to identifying Emerging Risks is considered by most ERM experts to be a sort of “base camp” approach to the discipline. Without these, it’s difficult to track how an organization is performing against its risk appetite and provide the kind of reporting that senior management and the Board need to steer the ship. Yet less than one-third of respondents could claim to have all four.

After implementation of a risk appetite, putting in place mechanisms to monitor risk both inside and outside of the organization is essential to enabling risk-aware decision making. It’s little wonder that ERM programs have penetrated so little below the Board level if business units cannot see the practical benefit that risk intelligence could bring them in their day-to-day decision making.

How embedded is your organization’s risk appetite in its culture?
Risk appetite is communicated through the organization and is part of the strategy conversation: 22.6%
Risk appetite is part of the strategy conversation: 18.2%
Risk appetite is communicated throughout the organization: 14.1%
We have a risk appetite but it is not communicated well and it is not part of the strategy conversation: 30.3%
We do not have a risk appetite: 14.8%

How many are part of your ERM program: Risk and Control Self-Assessments (RCSAs); Key Risk Indicators (KRIs); Scenario Analysis; Emerging Risks?
All of them: 29.6%
Three of them: 22.5%
Two of them: 21.9%
One of them: 16.0%
None of them: 10.1%


Are there clear accountabilities for both risks and their management within the ERM program?

Are compensation frameworks linked to risk measures?

Given the unevenness of the implementation of a risk appetite framework among respondents as well as the patchy use of key ERM feedback mechanisms, it’s hardly surprising that more than three-quarters of respondents say they do not have both clear accountabilities and individuals actively managing risk, evenly across their organization, as a result of their ERM program.

This really is where the proverbial rubber meets the road for an ERM program – are people actually behaving and making decisions in a risk-aware way for which they are accountable? Clearly, the answer for most respondents is “No!”

However, it would be hard for people in organizations to have the accountabilities and actively manage risk if they do not have a good risk appetite in place in their organization – essentially so individuals can understand the rules of engagement. How can they behave in a risk-aware way if they are not told what the boundaries of risk-taking are, and how their organization conceptualizes risk?

As well, individuals cannot make risk-aware decisions if they are not given risk metrics to guide their thinking – so that they can understand that every action has a reaction. The lack of support in both helping individuals in organizations conceptualize risk and then monitor it in a tangible way leads inevitably to a breakdown in the ability to make risk-based choices.

It is surprising that nearly a decade after the beginning of the global financial crisis – when so much emphasis was put on linking risk-taking to compensation by regulators, the media, and society at large – almost two-thirds of respondents say their organizations do not link compensation to risk. More than four out of 10 organizations said, furthermore, that they had no plans to do so.

It would be wholly unfair to link risk to compensation in organizations that do not have an appropriate risk appetite in place as well as feedback mechanisms such as RCSAs and KRIs. That would be like telling someone to drive a car but blindfolding them and making them wear swimming flippers to press the accelerator and the brake.

However, linking risk to compensation is another proven way for organizations to ensure that individuals make risk-aware choices that are aligned with the greater strategic outlook. It is a way for Boards and senior management to ensure alignment and risk-appropriate behavior down into the business units. It’s a proven way to build a strong risk culture and encourage appropriate behavior.

So it’s surprising that more than four out of 10 respondents say their firms have no plan to implement such an approach.

Are there clear accountabilities for both risks and their management within the ERM program?
Yes, there are clear accountabilities and individuals actively managing risk as a result: 22.4%
Yes, there are clear accountabilities, although engagement can be uneven: 20.1%
Yes, there are clear accountabilities, but a culture of engagement needs development: 26.1%
There are clear accountabilities for some aspects of the ERM program: 14.6%
We do not have a program that outlines accountabilities for risks: 16.8%

Are compensation frameworks linked to risk measures?
Yes, both quantitatively and qualitatively: 16.0%
Yes, quantitatively: 9.5%
Yes, qualitatively: 10.8%
No, compensation is not linked to risk but we are considering doing this: 21.0%
No, compensation is not linked to risk and we are not considering doing this: 42.7%


How well does your organization enable the ERM team to perform its role?

When looking at how ERM programs deliver shareholder value, the final building blocks must be having a team in place and a technology platform. A team and technology are essential to help promulgate the framework, collect and manage risk data, generate reporting, and consult as well as communicate with the business and other assurance functions about risk. It’s surprising that this is a gap for so many organizations.

More than 58% of organizations do not have an ERM technology platform in place, and nearly 38% do not have an ERM team. Not having a technology platform or a team for an ERM program is like having an orchestra but no sheet music and no conductor.

Organizations seeking to drive shareholder value from their ERM programs must have both – the technology helps the organization understand how well its activities are aligning to its risk appetite. It keeps track of all of the quantitative and qualitative risk intelligence and helps the organization analyze this information. ERM teams are needed to help drive risk insights, embed the risk culture, and to serve as a resource of risk expertise across the organization. Nearly 32% of respondents have both a team and technology, and this is indeed a sizeable minority. But the fact that so many organizations lack one or the other is a key driver behind the challenge of driving shareholder value from ERM programs.

How well does your organization enable the ERM team to perform its role?
There is an ERM team and a technology platform: 31.9%
There is an ERM team but no technology platform: 30.5%
There is a head of ERM but no team and no technology platform: 16.9%
There is no ERM team but there is a technology platform: 9.7%
There is no ERM team: 11.0%


Conclusion

What is surprising is how much shareholder value ERM programs have managed to drive in spite of the lack of support and resources given to them in the organizations we surveyed:

79% do not understand and act on their ERM objectives very well beneath the senior management level.

Almost two-thirds do not currently link compensation to risk.

58% are not supported in their ERM programs by a technology platform.

30% have a risk appetite but it’s not communicated well and it is not part of the strategy conversation.

Nearly half said their organization has implemented two or fewer of the key risk feedback mechanisms, out of a total of four.

Yet more than 47% say their ERM programs are moderately or very good at driving shareholder value.

So the question is – just how much value would an ERM program drive if it was properly resourced, and given the time and attention it needs within organizations? If these programs can deliver so much based on such a thin gruel for sustenance, how much better could they perform with a team, some metrics, and a technology platform? How much better would the management information be that Boards and senior executives are receiving?

The answer could be very surprising indeed.

How Thomson Reuters can help

A good first step to building a stronger approach to Enterprise Risk Management is adapting a technology solution that the whole organization can engage with. Thomson Reuters Enterprise Risk Manager is a powerful, connected solution for understanding, analyzing and acting on operational and enterprise risk information.

Enterprise Risk Manager enables organizations to establish a framework for risk based on their risk appetite. The solution captures information such as incidents, indicators, assessment responses and scenario analysis data. It provides risk managers with the insight to analyze risk through the lenses of their organization’s various structures and reporting lines – using a powerful search capability – so that both the cause and effect of “a risk” can be fully understood.

Enterprise Risk Manager, with its dynamic user interface, also empowers executives to actively manage risks across the business, track the tasks others are expected to perform and report status to key stakeholders. The information contained in the solution can be linked to key deliverables in an organization’s risk appetite framework, enabling a holistic approach to measuring and managing risk.

Risk data housed in Enterprise Risk Manager can power Monte Carlo simulations for economic and regulatory capital modeling, as well as various forms of statistical analysis and stress tests to help executives better communicate with regulators and to understand the challenges their business faces.

S041223/11-16