The reputation of enterprise risk management (ERM) suffered a beating in the aftermath of the global economic downturn. While critics of the discipline were quick to question the value of enterprise risk management, no one really asked whether ERM had been fully implemented and what that fully implemented state looked like.

A recent paper by two US academics, Robert E Hoyt of the University of Georgia, and Andre P Liebenberg of the University of Mississippi, studied whether the market can assign a value premium to firms adopting enterprise-wide risk strategies.

The research focused solely on insurance firms in the US.

Having determined which US insurers have an enterprise-wide approach to risk, Hoyt and Liebenberg then modelled a proxy for the firm’s enterprise value as a function of ERM use and adjusted the findings to account for other influencing factors.

Not surprisingly to ERM advocates, their results indicated an enterprise-wide risk management premium of 17 per cent of firm value.

The authors offer five explanations for this premium:

- Firms that engage in ERM have a more objective basis for resource allocation, thus improving capital efficiency and return on equity.

- ERM enables firms to better inform outsiders of their risk profile and also serves as a signal of their commitment to risk management.

- The focus of rating agencies on ERM as part of their reviews suggests a potential value implication to the existence of ERM programmes in insurers.

- By integrating decision-making across all risk classes, companies are able to avoid duplication of risk management expenditures by exploiting natural hedges.

- Interdependencies between risks across activities might go unnoticed in silo risk management; ERM enables the identification of risk interdependencies.

Given that these results clearly demonstrate the value of ERM, why aren’t all companies that say they have implemented an ERM approach seeing such value? Results of a recent Deloitte ERM benchmarking survey may provide an explanation. The study highlighted that the majority of companies surveyed had implemented relatively “easy” enterprise risk management processes.

However, the more difficult tasks of risk quantification and incorporation into strategic planning and capital allocation lag behind. So then, how can companies progress from adopting the “easy” principles of ERM to being Risk Intelligent enterprises? First, organisations need to understand what it is to be Risk Intelligent. Risk Intelligent companies consider the ability to anticipate and react to market opportunities to be as important as readiness for a potentially devastating business disruption.

Accordingly, organisations need to take a step-by-step approach to achieve an enterprise-wide risk programme. Too often companies think that by creating a risk department, hiring a risk manager, conducting a few risk identification and assessment workshops, and issuing a couple of reports, they have implemented an ERM programme.

This, however, does not deliver value to the organisation. To deliver tangible value that acts as an enabler for executives, organisations must recognise and address seven critical elements.

ERM is more than risk management

ERM involves understanding and managing the full spectrum of risks across all business units. It must understand the interaction of different risks and emphasise both value creation and preservation.

Employ qualified and sufficient staff

Many companies underestimate the effort that true ERM requires to embed it in every level of the organisation and to incorporate it into strategic decision-making. ERM requires people with business acumen, analytical and technical quantitative skills, and leadership and communication skills (not necessarily all in the same person). An ERM department takes more effort than one person producing reports!

Consult your chief risk officer

A successful ERM programme requires a leader with sufficient authority to stand up to executives in risk-taking roles such as CEOs and CFOs. If the CRO isn’t consulted as part of the strategic decision-making process, then the full value of ERM won’t be realised.

Define your risk appetite and tolerance

An organisation must determine its capacity to bear risk and its appetite for taking risks in pursuit of returns. Risk tolerance thresholds must be set and measured against the risk appetite.

Identify and measure your risks

Enterprise-wide risks need to be systematically identified, measured, responded to and reported. Put simply, if you haven’t identified your key risks, they cannot be effectively managed.

Understand your models

Assumptions and the associated limitations underlying models need to be understood. Inputs must be reviewed and refined until you believe the results.

Stress your models

Worst case scenarios need to be identified and understood, regardless of perceived low likelihood.

- The author is the leader of the ERM Center of Excellence at Deloitte in the Middle East. The views expressed are her own.


