|
Eight years ago, Deloitte's survey indicated that anout 65% of the financial service organizations had CROs; its current survey shows that figure has risen to about 89%. |
Enterprise Risk Management
Will "slow but sure" win this race?
Two studies point to unfulfilled potential for ERM
By Michael J. Moody, MBA, ARM
Enterprise risk management (ERM) is well on its way to its second decade of existence. Today few corporate board members and/or top company management are unaware of ERM and the fact that many of the recent financial legislative efforts have included several express components of ERM. Most of these new rulings have come as a direct result of the worldwide financial shortcomings and financial crises that were started just a few years ago. Some of these problems were considered a failure of risk management. As a result, the new laws contained a number of sections to address the need for stronger, more proactive risk management.
Financial service sector
ERM initially gained attention within the financial service sector—first within the banking industry and then the insurance sector—more than 10 years ago; most of the early interest was primarily discussion rather than implementation.
It was not until the rating agencies began to modify their rating matrixes to include an ERM component that ERM began to flourish, at least in the financial service sector. Since this sector was among the early adopters, one would expect it to be further along with ERM implementation by now.
Annually for the past eight years, Deloitte & Touche has published a report on the "latest assessment on the state of ERM in the global financial service sector," and this year's survey's "Setting a High Bar," received responses from 86 senior risk executives at worldwide financial intuitions. The results indicate that despite a changing and more demanding business climate, financial institutions appear to be getting the message with regard to risk management. The majority of findings of the Deloitte study showed some progress:
• Board support—The study indicates that at least 80 of the institutions have board approval of risk policy and risk appetite.
• Move to CRO (Chief Risk Officer)—When Deloitte began doing the surveys eight years ago, about 65% of the organizations had CROs; the current survey documents that about 89% have CROs. Even more encouraging was that the CROs "participate in executive sessions with the board and/or board risk committee and actively participate in the development of business strategies."
• Incentive compensation—Many experts believe one of the major root causes to the financial crisis was the "misalignment that was occurring with regard to incentive compensation and excessive risk taking." While the survey notes improvements in this section, there are still some issues remaining. Chief among these is that the board is still only involved with less than half of the compensation reviews.
• Bottom line, the survey indicates that management needs to better manage regulatory changes, strengthen corporate governance, better examine incentive compensation and begin to manage a wider range of risk types.
ERM review
Another study that goes through an annual update is the Marsh/RIMS report of excellence in risk management. The current study, which is its 10th edition, is called "Delivering Strategic Value through Risk Management." It is conducted by polling more than 1,200 risk professionals worldwide. While it touches on many issues similar to those of the Deloitte survey, it divides the respondents into two groups: "risk professionals" and "C-Suite" respondents.
The Marsh/RIMS study provides a significant amount of useful information and should be reviewed cover to cover by anyone who is even remotely involved in a corporation's risk management program. It also provides a number of specific recommendations that should receive additional attention from those in corporate risk management in order to improve program performance. Among the more important observations and recommendations are the following:
• Strategic management—Risk managers should play a more strategic role by "connecting the dots" within their organizations and, in essence, provide more educational efforts and greater risk input into strategic planning/execution.
• Aggregation of risk—80% of the C-Suite respondents and 75% of the risk professional respondents said they "do not aggregate risk at the portfolio level."
• Data and analysis—74% of the respondents said their organizations "need to conduct deeper analysis on their risk-related data."
• Identifying and assessing risks—Both groups of respondents noted risk identifying and assessment were a key part of strategic activities. However, the C-Suite group expressed "a desire for risk management to add meaningful strategic value and effectively engage throughout the strategic workflow."
• Added value—There appears to be a meaningful "gap" in what each group of respondents understands as value. For example, "the transactional (risk transfer) response is highly valued by risk professionals, and yet falls very low on the list for C-Suite respondents."
• Black swan risks—More planning for catastrophe is needed as well as better alignment between insurance coverage purchased and value delivered.
I have been personally involved in various aspects of risk management for 20-plus years and have been a strong and vocal proponent of ERM for more than 10 years. I am totally convinced that ERM's value proposition when properly implemented can provide a competitive advantage for any organization. However, in reviewing the above key findings from the Executive Summary of the Marsh/RIMS study, I must admit I am troubled by the results. Granted, the survey sample was only 1,200-plus people, but these key findings are cause for concern.
ERM has always been about moving up another rung in the corporate ladder, in order to make a meaningful contribution at the board level. Whether strategic risk management is part of the name or not, it is necessary to be intimately involved with the big issues that affect the long-term direction of the organization. Without this broader view, as noted in the Executive Summary, there is no way to even aggregate risk. It's only by being able to understand and communicate the idea of "enterprise" risk management that risk managers are able to fulfill its promise.
Without question, corporate boards are looking for guidance in this area since many of the recent financial standards require boards to understand, monitor and act on these issues. Further, rest assured, there are those in many other corporate functions who are ready to pick up the ball should risk managers fumble it. Corporate directors are demanding this critical information and either risk managers can provide it, or the directors will find someone who can. At which point, risk managers will find themselves back in a cubicle in the bullpen, waiting for the next GL endorsement to be issued.
The author
Michael J. Moody, MBA, ARM, retired as the managing director of Strategic Risk Financing, Inc. (SuRF), a firm that had been established to advance the practice of enterprise risk management. As a regular columnist, he continues to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.
|