ERM Assessment Tools - Literature review Example

A review of ERM assessment tools In 2009 the ERM Initiative at NC conducted a survey research on the current of enterprise risk management capabilities, one of the important results of which is the following statement (Beasley et al., 2009): “Despite growing complexities in the risk environments for organizations …and despite the fact that a majority of the entities are self-described as being “risk averse,” the level of risk management sophistication still remains fairly immature for most responding to our survey” (p.9). However, as Beasley et al. (2009) emphasize in the report, the results of the survey reveal that senior executives and boards of today’s companies realize an increasing significance of improving existing risk management processes. Nowadays the new Enterprise Risk Management (ERM) approach has emerged, which differs from older “traditional” approaches in that it obtains an enterprise view of the portfolio of risks facing an organization. ERM works for any kind of organizational goals (not just accidents or lawsuits like in old approaches); helping executives to figure out which risks they need to deal with and which they can stop worrying about. As a broad and complex concept, ERM has many definitions that can be referred to three main categories: strategic definitions that focuses on results in terms of organizational objectives; functional definitions describes ERM in terms of activities that reduce risks; and process definitions focuses on action undertaken by managers to manage risks (Hampton, 2009). Summarizing different definitions, Hampton (2009) suggests a consensus definition: “Enterprise Risk Management is the process of identifying major risks that confront an organization, forecasting the significance of those risks in business processes, addressing the risks in a systematic and coordinated plan, implementing the plan, and holding key individuals responsible for managing critical risks within the scope of their responsibilities” (p.18). Important contribution in structuring approaches to identify, assess and manage risks was made by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It has developed the ERM integrated framework, which provides “key principles and concepts, a common language, and clear direction and guidance” (COSO, 2004, p.v). One of the most significant features of the framework is the focus on identifying all potential events influencing on an achievement of organizations’ objectives – both with positive and negative impacts on objectives. Thus, the effective ERM helps executives not only prevent possible risks, but also to detect opportunities for organizational growth and development so that to promote companies “to where it wants to go and avoid pitfalls and surprises along the way” (Ibid. p.1). Figure 1. The COSO ERM Framework (source: COSO, 2004, p.5). Figure 1 represents a COSO ERM Framework, depicting direct relationships between: Entity’s objectives, set forth in categories: Strategic (high-level goals, aligned with and supporting its mission); Operations (effective and efficient use of its resources); Reporting (reliability of reporting); Compliance (compliance with applicable laws and regulations); Entity’s units: Subsidiary, Business Unit, Division and Entity-level; and Interrelated ERM components, derived from the way management runs an enterprise and are integrated with the management process: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. Such a depiction “portrays the ability to focus on the entirety of an entity’s enterprise risk management, or by objectives category, component, entity unit, or any subset thereof” (COSO, 2004, p.5). According to the opinion of the COSO ERM Framework’s authors, the model can serve as a tool of ERM effectiveness’ evaluating – if all eight components are present and functioning properly in an organizational business processes, so an organization’s executives can be assured that “they understand the extent to which the entity’s strategic and operations objectives are being achieved, and that the entity’s reporting is reliable and applicable laws and regulations are being complied with” (Ibid. p. 5). The COSO ERM Framework has motivated a number of famous rating agencies to provide methodologies and tools for the Enterprise Risk Management maturity-level assessment enabling organizations to strengthen their ERM for strategic advantages (COSO, 2009). In addition the ERM maturity evaluation tool is used “as a benchmark for assessing different organizations for equivalent comparison” (Ciorciari and Blattner, 2008, p.7). The first credit rating agency, which expanded its rating methodology for non-financial organisations including an evaluation of enterprise risk management, was Standard & Poor’s (S&P). The main rationale to make this step was that the S&P’ Rating Services experts considered an evaluating of a company’s commitment to ERM will provide deeper understanding about how the company manages its risks, and so, how effectively it is managed at a whole (Dreyer and Ingram, 2008). S&P’s ERM assessment classifies companies into four categories in relation to a level of ERM maturity: “weak”, “adequate”, “strong” or “excellent”. The main analytic components of the S&P’s ERM assessment framework, regardless of the company or sector analyzed, are (Dreyer and Ingram, 2007, p.5): analysis of making daily corporate decisions; analysis of risk controls; analysis of emerging risk preparation: and analysis of strategic risk management. Among the main outcomes of the S&P report (Dreyer and Balic, 2009, pp.3-4) the following ones should be mentioned as important: there are significant differences between levels of adoption, formality, maturity, and engagement of ERM across sectors and regions; many companies find it difficult to ensure uniform behavior across the enterprise; "silo-based" risk management, focused only at the operational managers level, continues to be prevalent; companies often facilitate their ERM execution via separate structures, with associated roles and responsibilities clearly defined. These observations are well confirmed by recent results of ERM assessment of other agencies and researchers. The mentioned above research of the NC State University also presents findings about that ERM activities mainly remain “silo-based” and are at the operational management level (Beasley et al., 2009). In 2008 Deloitte launched an ERM Benchmark Survey, aimed to “capture and report feedback on the current state of ERM implementation for a cross-section of companies and industries (excluding Financial Services)” (Deloitte, 2009, p.1). The term “Risk Intelligence” was introduced as “the enterprise’s integrated capability to gather, analyze, interpret, and deploy responses to the critical risks to the enterprise” (Ibid.). In 2010 Aon published the 2010 Enterprise Risk Management Survey conducted to show in particular “how ERM used proactively to balance risk, opportunity and value, [as well as to show] the extent to which ERM is successfully implemented across organizations” (Aon, 2010, p.3). It is obvious that an interest in ERM assessment among rating agencies has been influenced by a growing need of organizations in comparative benchmark data on ERM, including goals, responsibilities, and implementation tools. ERM benchmarking value For non-financial companies there is a quite new practice to consider ERM as part of their strategic and operational business processes, but so that to meet new requirements of emerging tendencies in agencies’ ratings methodologies, non-financial organizations have to consider ERM as a part of their agendas. The companies can implement new managerial practices more effectively, if they use a benchmarking approach to the ERMs development. Benchmarking is a well-approved management approach that based on a comparison between some precomputed baseline measures of performance and current results of performance within a company, an industry, a local area, a geographical region, or the whole world. As for the ERM benchmark, the main objective of the ERM benchmark methodology may be defined as providing “a broad perspective on the state of risk management across a variety of industries” (Deloitte, 2009, p.6). Yaeger (2006) supposes the value of benchmarking is driven by key components: What to measure – determining the appropriate granularity and combination of data required to be meaningful; How to measure - if you could measure the activity accurately; What to compare – if you could get comparable data from others performing similar activities; How to interpret - what would the data tell you? Thus, “accurate benchmarking …allows management to understand where they are positioned today and to measure performance against future goals in order to modify actions accordingly” (Yaeger, 2006, p.2). The Risk and Insurance Management Society (RIMS) developed the Risk Maturity Model (RMM), which serves as an excellent example of a benchmarking and educational tool for ERM practitioners. RIMS (2006) acclaims that the “RMM incorporates the best elements from existing ERM models and standards and is meant to be applicable to all industries” (p.4). The RMM uses the five level maturity model to assess an organization’s ERM practices along the seven core ERM attributes (see Table 1). Table 1. The RMM RIMS model. ERM attributes Maturity Level 1: Ad hoc Level 2: Initial Level 3: Repeatable Level 4: Managed Level 5: Leadership Adoption of ERM approach ERM process management Risk appetite management Root cause discipline Uncovering risks Performance management Business resiliency and sustainability RIMS (2006, p.8) define the RMM model’s components as follows: Attributes - core competencies measure how well risk management is embraced by management and ingrained within the organization. Maturity Levels - five maturity levels for each RIMS RMM Attribute. Key Drivers - profiling issues that best differentiate maturity levels within an attribute. Key drivers for each attribute summarize the Maturity Model. Such a maturity level framework serves as a valuable ERM benchmark tool enabling risk practitioners to evaluate their companies’ progress in achieving risk management objectives related to each given attribute. RIMS (2006) emphasize the following benefits of using Risk Maturity Model (p.4): Benefits of using a Maturity Model: the Maturity Model approach is a method that’s proven across a variety of industries, the evidence shows that with each step up in maturity level, organizations get concrete results. A Maturity Model is a structured way of highlighting aspects of effective ERM Processes. Benefits for Practitioners: Build consensus and establish milestones. Benchmarking from best practices. Communicate clearly to the board, regulators, rating agencies, executive management, process owners, support functions (back office groups such as internal audit, IT and compliance), etc. Benefits for ERM stakeholders: Streamline the ERM Process. Eliminate duplication of efforts and connect support functions with process owners. Measure ERM value, based on priorities. Create a shared language and vision. Benefits for Organizations: Tackle inadequately addressed risks and opportunities. Resolve business process inefficiencies. Build a repeatable and scalable process for better decision making. Reduce costs - ERM connects the root cause to the ultimate cost and improves decision making at a fraction of the cost. Increase top line revenue – a compliance issue can lead to rethinking business strategy and finding an opportunity to generate revenue. Methodology to benchmark ERM maturity in non-financial organisations We developed a quantitative survey methodology to benchmark ERM maturity in non-financial organisations on a basis of some approaches and insights discussed above. The survey focuses on gathering and analysing data to make a strategic overview of a company’s performance in each of Key Result Areas (KRAs) and to define the current level of ERM maturity at a whole. Key Result Areas and Drivers The first step of the ERM maturity benchmark process is to define Key Result Areas. We included the following necessary and sufficient areas and formulated 3 key drivers for each of KRAs (see Table 2). Table 2. The ERM maturity benchmark KRAs. Key Result Area Key Drivers Weighting Risk Management Policy 1. Risk management framework linked to other business framework. 2. Support from senior executives, Chief Risk Officer. 3. Risk Management Policy and Reporting. 40% Risk Sharing 1. Risk portfolio analysis and balancing risk positions. 2. Risk allocation protocol and formal procedures for contracting. 3. Documented incident investigation system 15% Risk Appetite Management 1. Risk reward tradeoffs 2. Risk-reward-based resource allocation 3. Transforming potentially adverse events into opportunities 15% Communication and Training 1. Strategy for communicating risks internally. 2. Strategy for communicating risks externally. 3. Risk management awareness training 10% Monitoring and Review 1. Regular Risk management measurement and analysis 2. Risk management performance audit 3. Regular benchmarking inside and outside an organization 20% Each KRA is assigned a specific weighting reflecting an importance of a given KRA in the overall organizational ERM framework. The weighted score helps to gauge a final average score for the company. Obviously the KRAs choosing and weighting differ between companies or industries, although for purposes of benchmarking they should be the same within a set of comparing data, otherwise it will not be possible to get a comprehensive objective picture for comparison. ERM maturity levels Each Key Driver of each KRA is evaluated by survey participants against the Maturity Level scale (see Fig. 2). In this scale the lowest maturity level means that “no documentation is available, no communication is given, and a very low formalization exists” (Ciorciari & Blattner, 2008, p. 13). The highest maturity level means that “the process is optimized, i.e. the risk management principles and processes are integrated in the management process” (Ibid.). A quantitative meaning of each Key Driver and an average score of Key Result Areas are computed according to the Maturity Level score (see Fig. 3). After that all values are scored it is possible to compare the results of the assessment (see Table 3). Figure 2. Maturity Level scale. Figure 3. Maturity Level score. Table 3. Results of the ERM maturity benchmarking. Company A Company B Company C Weighting Risk Management Policy 1 3 2 0,4 Risk Sharing 2 3 2 0,15 Risk Appetite Management 2 4 1 0,15 Communication and Training 2 4 2 0,1 Monitoring and Review 1 3 2 0,2 Average 1,5 3,3 1,6 ERM maturity benchmarking results Table 3 presents results of fictitious survey aimed to compare ERM maturity levels of three companies – A, B, and C. Rounded outcomes of average scores of Key Result Areas show that the Company B is good in Risk Appetite Management and Communication and Training, although its overall average result reveals that the company has the Mid level of ERM maturity. The Company A and Company C is practically equal in relation to average results and they are between Very week and Poor level of ERM maturity. Thus, our ERM maturity assessment and benchmarking tool allows visualizing an organization’s maturity level of both each single component of Enterprise Risk Management and overall current status of ERM, all the more in comparison with other organizations in the market. References Aon, 2010, Global Enterprise Risk Management Survey’ 10, Aon Corporation, retrieved 22 May 2010, Beasley, M.S., Branson, B.C., and Hancock, B.V., 2009, Report on the Current State of Enterprise Risk Oversight, North Carolina State University, retrieved 22 May 2010, Ciorciari, M., and Blattner, P., 2008, Enterprise Risk Management maturity-level assessment tool, Society of Actuaries, retrieved 22 May 2010, COSO, 2004, Enterprise Risk Management - Integrated Framework Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, retrieved 22 May 2010, COSO, 2009, Strengthening Enterprise Risk Management for Strategic Advantage, Committee of Sponsoring Organizations of the Treadway Commission, retrieved 22 May 2010, Deloitte, 2009, Perspectives on ERM and the Risk Intelligent Enterprise, Enterprise Risk Management Benchmark Survey, Deloitte Development LLC, retrieved 22 May 2010, Dreyer, S.J., and Ingram, D., 2007, Request For Comment: Enterprise Risk Management Analysis For Credit Ratings Of Nonfinancial Companies, Standard & Poors, retrieved 22 May 2010, Dreyer, S.J., and Ingram, D., 2008, Enterprise Risk Management For Ratings Of Nonfinancial Corporations, Standard & Poors, retrieved 22 May 2010, Dreyer, S.J., and Balic, A., 2009, Progress Report: Integrating Enterprise Risk Management Analysis Into Corporate Credit Ratings, Standard & Poors, retrieved 22 May 2010, Hampton, J.J., 2009, Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk, Manage Exposure, and Seize Opportunity, AMACOM, New York. Moeller, R.R., 2007, COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework, John Wiley & Sons, New Jersey. RIMS, 2006, RIMS Risk Maturity Model (RMM) for Enterprise Risk Management, Risk and Insurance Management Society, retrieved 22 May 2010, Yaeger, C., 2006, The Value of Benchmarking, BenchMark Consulting International, retrieved 22 May 2010, Read More