Milliman
May 2010
Enterprise risk management (ERM) is a process of assessing and
responding to all risks, including organizational and systemic risks
that impact the ability of an organization to meet its objectives.
The general activities in a formal ERM process include risk
identification, evaluation, prioritization, treatment, monitoring,
reporting, and integration into strategic decision making and key
business functions. It is important to understand the challenges
organizations face in implementing ERM processes before we
look at the value that a sustainable and repeatable ERM process
can bring.
Companies have traditionally struggled with assessing the business
value of ERM. Competing priorities and business line fatigue after
seemingly endless rounds of assessments from Internal Audit,
Compliance, and even external regulators have contributed to failed
ERM initiatives. In addition, some companies have rushed through
what at many times has been a board-mandated compliance effort
to institutionalize ERM as one-off events rather than implementing a
sustainable and repeatable ERM process.
In many cases, the efforts have been under-resourced
and, for the broader risk evaluation and mitigation
initiatives, have not had buy-in from executive leadership.
Executive sponsorship and involvement stand at the
heart of a successful ERM initiative, without which
many companies have failed in their efforts to implement
an effective ERM process. With so many competing
priorities, companies also struggle in setting aside
appropriate resources to launch and sustain an effective
integrated ERM process.
An ERM process and risk management framework has
to find synergy with the organization’s culture and not
the other way around. Too many times we see a company
wanting to implement what another company is doing with
regard to ERM. Although best practices are an excellent
way to start thinking about ERM, this thought process
should be complemented with a good understanding of
a company’s own unique culture, strategic objectives,
structure, risk management practices, and operations.
There is not one universal solution for ERM. A customized
approach is crucial to finding the maturity level of an
ERM solution that works for a specific company, based on best
practices, extensive research, interviews, and in-depth knowledge
of how an organization operates (see Figure 1). The process has
to be embedded and integral to support the mission, vision, values,
and objectives, and not just a snapshot from a single point in time
or an annual risk assessment report.
Additional reasons for failed ERM initiatives are that a company’s
objectives have not been integrated into performance management
and poor collaboration with other risk processes. Aligning
incentives with risk management efforts can be critical to the
success of an ERM initiative. Incentives reinforce the tone and
culture of the organization and motivate employees to respond; this
could have more positive results than a forced compliance effort. It
is crucial to get buy-in from employees on the benefits of an ERM
program prior to implementation, and there is no more effective way
than through incentives based on actions and expected outcomes
around risk-managed activities. The integration of ERM with key
risk processes such as audit, compliance, and business continuity,
ERM: The Value Proposition
Joanna David-O’Neill
Mark Stephens
5
4
3
2
1
Optimized
Risk-adjusted
corporate
performance
Embedded
Risk management
driving the decision-
making process
Established
Consistent compliance
communication and
accountability
Formalized
Basic compliance
audit and
risk
awareness
Undelveloped
Basic non-compliance
audit failure, risk silos
Fully automate
enterprise risk process
Analyze risks
Quantify risks
Delegate action/controls
Manage and mitigate risks
Approve and assess
risk data centrally
Identify and communicate concerns,
issues, risks, or incidents using one system
Respond to risk or
control surveys
Figure 1:
er
M Maturity Stage
S
Milliman Copyright 2010
Milliman
Risk Advisory Services White Paper
May 2010
ERM: The Value Proposition
2
for example, is also essential to realizing the value of an effective
ERM process. Companies in a higher maturity level (See Figure 1)
are seeing the business value in decision making as a result of the
collaboration of their ERM program with other risk processes.
Milliman’s Risk Advisory Services consults with organizations to
develop an optimal ERM solution that matches with specialized
corporate needs. Some companies have fully resourced ERM
departments, while others have very restricted dedicated internal
resources. Milliman can assist companies with their ERM initiatives
using the following approaches:
Review the current ERM processes and determine the steps
•
required to raise the maturity level to the desired state.
Design, build, and test a customized ERM process and
•
framework and develop organizational consensus through
vetting of the initial prototype.
Adapt an outsourced ERM business process model.
•
Companies wanting to protect against the downside of risks often
reach for ERM as a compliance tool, but the true value of ERM is
recognized when it is integrated into the organization’s culture and
embedded into strategic decision making and business planning.
We see the following as significant benefits that organizations can
achieve if they invest the time and resources to select a suitable
approach to their ERM needs:
Performance management
•
: Increase certainty of achieving
critical key performance indicators
Capital efficiency
•
: Align capital more accurately with the risks
being taken and ensure that risks are being suitably rewarded
Stakeholder management
•
: Better alignment with expectations
of key stakeholders
Operational excellence
•
: Reduce impact of surprises and boost
the benefits of a well-managed portfolio of risks
Reduction in Total Cost of Risk (TCOR)
•
: Free up capital to
further invest in growing the business
In February 2010, Standard and Poor’s (S&P) published the
report “Enterprise Risk Management Continues to Show its Value
for North American and Bermudan Insurers,” which links effective
ERM programs to increases in share value and reduced volatility
in earnings. In the report, Howard Rosen, the primary credit
analyst, says in part,
“Although average stock prices declined among all public
multiline insurers in 2008, companies with more advanced
ERM programs experienced smaller stock price reductions.
Those companies whose stock performance was better (i.e.
those whose price declines were smaller) had received higher
ERM scores. On the other hand, those companies whose
stock prices had larger declines had lower ERM scores. This is
consistent with Standard & Poor’s view that more robust ERM
programs are the most valuable in times of more pronounced
stress. Looking at ERM scores relative to stock performance in
2009 reveals a different pattern” (See Figure 2).
Figure 2:
er
M and Share Price
c
hange (Jan. 1-
n
ov. 14, 2008, %)
Excludes mortgage and title insurers. Source: Standard & Poor’s.
© Standard & Poor’s 2010
Rosen continues,
“Companies with Excellent and Strong ERM scores—companies
whose stock prices performed better during the more stressful
2008—still improved during 2009, but didn’t need to perform
as well as companies with lower ERM scores to return to their
pre-2008 levels of performance” (See Figure 3).
Figure 3:
er
M and Share Price
c
hange (Jan. 2-
d
ec. 31, 2009, %)
Excludes mortgage and title insurers. Source: Standard & Poor’s.
© Standard & Poor’s 2010
0
(10)
(20)
(30)
(40)
(50)
(60)
(70)
Excellent ERM
Strong ERM
Adequate ERM
Weak ERM
Share price change, Jan. 1 - Nov. 14, 2008, %
30
25
20
15
5
(5)
(10)
(15)
Excellent ERM
Strong ERM
Adequate ERM
Weak ERM
Share price change, Jan. 2 - Dec. 31, 2009, %
0
10
No comments:
Post a Comment