8/22/2019 11-165 Enterpriseriskmanagement Final Feb Web
1/32
Report February 2011
Enterprise Risk Management
A Review of Prevalent Practices
Organizational Excellence
Preface
Enterprise risk management (ERM) is a process that is
critical to an organization's risk governance framework.
While organizations are pursuing ERM, many are at
different stages in the journey, and most have adopted
diverse structures and risk governance practices.
In fall 2009, The Conference Board of Canada conducted
a multi-industry online survey on various aspects of ERM.
The purpose was to provide benchmarking data on the
most prevalent risk governance practices, followed by an
in-depth interview process (published in a separate report)
to gain a clearer understanding of why organizations
have adopted certain risk management, risk oversight,
and governance practices. This report describes the
key findings from the survey.
Enterprise Risk Management: A Review of Prevalent Practices
by Joseph Rizzi, Betty J. Simkins, and Karen Schoening-Thiessen
About The Conference Board of Canada
We are:
The foremost independent, not-for-profit, applied
research organization in Canada.
Objective and non-partisan. We do not lobby
for specific interests.
Funded exclusively through the fees we charge
for services to the private and public sectors.
Experts in running conferences but also at conducting, publishing, and disseminating research; helping people network; developing individual leadership skills; and building organizational capacity.
Specialists in economic trends, as well
as organizational performance and public
policy issues.
Not a government department or agency,
although we are often hired to provide
services for all levels of government.
Independent from, but affiliated with, The
Conference Board, Inc. of New York, which
serves nearly 2,000 companies in 60 nations
and has offices in Brussels and Hong Kong.
© 2011 The Conference Board of Canada*
Published in Canada | All rights reserved | Agreement No. 40063028
*Incorporated as AERIC Inc.
Forecasts and research often involve numerous assumptions and data sources, and are subject to inherent risks and uncertainties. This information is not intended as specific investment, accounting, legal, or tax advice.
Contents
Executive Summary . . . . . . . . i
Enterprise Risk Management: A Review of Prevalent Practices . . . . . . . . 1
Introduction . . . . . . . . 1
Methodology . . . . . . . . 2
Organizational Profile and Characteristics . . . . . . . . 2
Organizational Background on ERM . . . . . . . . 3
ERM Resources and Structure . . . . . . . . 5
Risk Metrics . . . . . . . . 10
Key Risk Indicators . . . . . . . . 12
ERM Compensation . . . . . . . . 12
Embedding ERM Into Processes, Corporate Functions, and Programs . . . . . . . . 13
Risk Appetite/Tolerances . . . . . . . . 13
Executive and Board Involvement in ERM . . . . . . . . 15
Risk Management and Board Committees . . . . . . . . 16
Risk Reporting . . . . . . . . 18
Concluding Thoughts . . . . . . . . 19
Appendix: Bibliography . . . . . . . . 21
About the Authors
Joe Rizzi, MBA, JD, is a Senior Strategist with CapGen Financial Group. Before joining CapGen, he was a
member of the ABN AMRO Group or its U.S. affiliate, LaSalle Bank, for 24 years and served as Managing
Director of LaSalle Bank Corporation's Enterprise Risk Management unit for North America. A widely published author, he has lectured to professional organizations in Europe and the United States and taught at the
Amsterdam Institute of Finance and the Mendoza School of Business.
Betty J. Simkins, PhD, is the Williams Companies Professor of Business and a professor of finance in the
Department of Finance at Oklahoma State University's Spears School of Business. She has published a number
of articles on enterprise risk management and finance and is co-editor of Enterprise Risk Management:
Today's Leading Research and Best Practices for Tomorrow's Executives. She currently serves on the
board of directors of the Financial Management Association.
Karen Schoening-Thiessen is a Senior Research Associate at The Conference Board of Canada. She is
the author of several reports on enterprise risk management and has managed the Strategic Risk Council,
an executive network for risk executives, for the past 10 years.
Acknowledgements
The authors thank the following people, who were part of the advisory committee that developed the survey
questions: John Fraser, Senior Vice-President, Internal Audit and Chief Risk Officer, Hydro One Inc.; Paul
Summers, Director, Internal Audit, Fortis Inc.; Mark Rudowski, Director, Enterprise Risk and Compliance,
George Weston Limited; Karen McBride, Executive Vice-President, Chief Risk Officer and Chief Compliance
Officer, Concentra Financial; and Christopher Eaton, PhD student in risk management and insurance at the
University of Calgary's Haskayne School of Business.
Thanks also to Divya Krishnan, graduate of the Master of Science in Quantitative Financial Economics
program at Oklahoma State University, who provided superb research assistance in the development of
this report.
Special thanks to John Fraser, Senior Vice-President, Internal Audit and Chief Risk Officer, Hydro One Inc.;
and Christopher Eaton, PhD student at the University of Calgary's Haskayne School of Business, for their
meticulous review and feedback on the draft version of the report.
Another thank you goes to Paul Forgues at The Conference Board of Canada for reviewing the document
and providing commentary prior to its release.
Find this report and other Conference Board research at www.e-library.ca
Five years have passed since The Conference Board of Canada published a report on the status of enterprise risk management (ERM)1 in Canada. Was it time for another update? Due to significant changes in the business world and external factors that have influenced how organizations are governed, we decided the risk community would benefit from further benchmarking data.

1 For the purpose of this report, ERM is defined by the Committee of Sponsoring Organizations of the Treadway Commission (Enterprise Risk Management) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
While organizations are pursuing ERM, many are at
different stages in the journey, and most have adopted
diverse structures and risk governance practices related
thereto. This report is part one of a two-part risk govern-
ance research project that looks at the extent to which
ERM methodologies and practices have progressed in
the past five years.
The report provides a benchmark of prevalent risk gov-
ernance practices, including key elements of and resources
for ERM accountability structures, and deals with issues
of interest to board members, though it does not necessarily
reflect a board member's perspective. It summarizes the
results of the survey, rather than providing a descriptive
analysis or opinions on what the results show.
This report concludes by discussing the areas in which
organizations are excelling in their risk governance
practices, considers where they may be vulnerable and
could improve, and looks at some changes in ERM
Executive Summary

At a Glance
• More than half of organizations have an enterprise risk management (ERM) policy, prepare corporate risk profiles, maintain risk registers, and establish dedicated risk management groups to coordinate the process.
• Senior managers are involved in ERM, but boards could be more aware and involved.
• Key risk indicators are still a developing area for most organizations.
• While ERM integration with certain disciplines remains consistent, integration of ERM with performance management is still low.
practices from 2005 until late 2009. The Conference Board of Canada's second risk governance report, The Adoption and Diffusion of Risk Governance Structures and Practices (released under separate cover), will explore the reasons for adoption of certain risk management, risk oversight, and governance practices.
In November 2009, the Conference Board distributed
a comprehensive, multi-industry online ERM survey. It
received 89 responses out of a distribution list of 392.
The key findings are summarized below.
Organizational Background on Enterprise Risk Management: The major growth in the rate of organizations' adoption of enterprise risk management occurred around 2003.
Since 2006, the number of new organizations from the
survey sample practicing ERM has stabilized at 7 to
10 per year. It was surprising to note that rating agencies
had very little influence on organizations decisions to
implement or upgrade ERM methodology. Predictably,
many of the respondents experienced some form of
delay in implementing ERM.
ERM Policy and Corporate Risk Profiles: More than half of
the respondents have a written ERM policy, and a little
more than three-quarters prepare a corporate risk profile.
Seven key groups were identified as having explicit
responsibilities for ERM.
Risk Registers: Sixty-nine per cent of respondents
indicated that they maintain a risk register. Virtually
all organizations with a risk register indicated that it
included the corporation's objectives and described
accountabilities and action plans. However, only one-
third of organizations required periodic sign-offs by
managers indicating that risks have been identified
for their areas of responsibility.
ERM/Risk Management Group: More organizations are
establishing a dedicated risk management group to
facilitate ERM. This coincides with the influx of new
organizations practicing ERM since 2003. A majority
of organizations employ one to three full-time staff dedi-
cated purely to ERM. Canadian organizations do not
embrace ERM within a governance, risk, and compli-
ance model.2 There is, though, a tendency to have the
risk management group be responsible for business
continuity planning and insurance. While the hiring of chief risk officers (CROs) or risk executives has
increased since 2005, some organizations from this
survey sample do not have a senior official overseeing
ERM. More CROs are now reporting to CEOs as
opposed to chief financial officers (CFOs).
Risk Metrics and Key Risk Indicators: Just under half of the
respondents stated that their risk metrics consider inter-
relationships between risks and risk types, and most embed
this activity in their general risk mapping or assessment
process. Over half of the organizations use risk metrics
to guide or control day-to-day decision-making. Few
organizations use key risk indicators (KRIs) as part of
their ERM methodology. Business/operations and the
chief risk officer/vice-president of risk management were
most involved in identifying KRIs. There is difficulty in
expressing aggregate risk through quantitative measures
at the enterprise level.
ERM and Incentive Programs: Few organizations have tied
their risk management/ERM group to a form of incentive
compensation. Those that did based them on meeting
risk management objectives, capabilities, and service
levels within the organization. Very few organizations
have reviewed or plan to review their incentive pro-
grams to ensure more responsible risk-taking behaviour.
ERM Integration With Processes: Integration of ERM with
audit, compliance, corporate governance, and business
planning is rated as medium to high, whereas it ranks
low in integration with performance management.
2 A governance, risk, and compliance (GRC) model aligns the governance, risk, and compliance roles to collaborate and share information as a unified team, often using a common software package. See www.oceg.org for a definition and explanation of a GRC model and system.
Risk Appetite/Tolerance: Articulating risk appetite/tolerances in formal written corporate policies is still weak. Even though the number of responses to the risk appetite/tolerance questions was low, it is clear that there is still much confusion over these misused terms. Respondents use the terms interchangeably, both formally in written statements and informally with management and the board. Perhaps the most pragmatic approach is to refer to ISO 31000, which requires organizations to determine a set of risk criteria to evaluate risk.3
Senior Management Involvement With ERM: Senior management takes an active role in various ERM-related activities. These include identifying risks, participating in strategic planning and conducting risk assessments of the organization's strategies, ensuring that appropriate resources are in place to implement ERM, and communicating ERM to all employees.
Board Involvement With ERM: Few organizations indicated that their boards had sufficient knowledge of and experience with ERM. Less than half of the respondents were confident that their boards could correctly name their organizations' top five risks. However, ERM has affected boards' risk oversight responsibilities in a positive way. More boards are prioritizing strategies, having regular in-depth reviews of their key risks, and providing insights into their organizations' risk profile.

3 For more information on risk criteria, see ISO 31000, Section 5.3.5, "Defining Risk Criteria."
Risk Management Committees: Organizations structure their risk management committees mostly through a separate risk/ERM committee that includes the CEO, or deal with ERM activities as part of another committee that reports to the CEO. The committees generally meet on a monthly and/or quarterly basis. Meetings last one to two hours.
Board Committees: In the banking and insurance sectors, risk committees of the board are becoming more common. These usually meet monthly or quarterly, and each meeting lasts from two to three hours. Some prevalent board oversight activities include receiving information on key risks and mitigation strategies, providing feedback, and reviewing management's performance with respect to the treatment and monitoring of risks.
Risk Reporting: Risk reports are mostly prepared by the CRO, vice-president of risk, or chief auditor. The CFO appears to review most of the reports. In 2009, risk reports tended to include emerging risks or looming uncertainties and risk trends.
Harvard business professor Michael Jensen
says, The social purpose of the corporation
is to seek its highest long-run expected value.
The role of management in achieving that mission is
to create and project a compelling strategic vision of
the company's future, one that enlists the support and
commitment of all stakeholder groups whose continued
participation is important to the firm's future, and to
design the organization in ways that help guide and
motivate employees in carrying out the vision.1
Jensen captures the importance of risk governance and
the accountability of those overseeing the management of
our organizations. With changing demographics, global
competitiveness, and fluctuating economic conditions,
organizational interest in enterprise risk management
(ERM) is growing. Increasing governmental concern,
monitoring, and regulation following the 2007-09 credit
crisis have further emphasized the need for improved
risk management.
In 2005, The Conference Board of Canada published a report on the status of enterprise risk management in Canada. This report, Enterprise Risk Management: Inside and Out, provided valuable benchmarking data at a time when ERM was gaining recognition outside of the finance and utilities industries. These industries were the first to embrace the concept of ERM and, therefore, helped implement and shape ERM principles, tools, techniques, and practices. In 2009, the Conference Board embarked on the current benchmarking study, which was designed, in part, as a follow-up to the 2005 report. This study was intended as a descriptive analysis of the findings and not an explanatory one.

1 Michael Jensen, Jesse Isidor Straus Professor of Business Administration Emeritus, Harvard Business School. In Baylor University Roundtable, p. 13.
While organizations are pursuing ERM, many are at different stages in the journey, and most have adopted diverse structures and risk governance. This report is part one of a two-part risk governance research project. It provides a benchmark on prevalent risk governance practices, including key components of and resources for ERM, ERM methodologies, and accountability structures. It deals with issues of interest to board members, but does not necessarily reflect a board member's perspective. It compares and contrasts, where possible, the survey findings2 against the Conference Board's 2005 Inside and Out report to determine a contextual framework on how much change has occurred in risk governance practices in four years. This report concludes by identifying where respondents are excelling in their risk governance practices, as well as where they may be vulnerable and could improve. The conclusion includes a look at some changes in ERM practices from 2005 until late 2009.
The second part of the risk governance project3 will entail a report on the reasons why, as well as how, organizations have adopted and diffused certain risk oversight and risk management structures and practices. It
will examine a variety of organizations paired for com-
parability. The sample includes eight organizations, a pair
in each of the following sectors: financial services, energy/
utilities, telecommunications, and government sectors/
industries. Data were collected on each organizations
board of directors, management team, and risk function.
2 The 2005 report was also based on a survey, which was distributed to 315 organizations (86 of which responded). While both reports focused on organizations practicing ERM, the comparisons are based on a somewhat different survey sample and time period; therefore, the study is not of a true longitudinal design. The type of organization, mix of industry, and size and scope of operations varied somewhat. See charts 1 to 3 for comparisons. The 2009 survey was much more comprehensive and included questions on black swans, ethics, and cultural risk assessments, which were not part of the 2005 survey. Important, though, is that the 2009 results do not include organizations that started ERM (possibly in 2005) but terminated it (not in the 2009 survey).

3 The second risk governance report, The Adoption and Diffusion of Risk Governance Structures and Practices, is scheduled for release shortly after this one.
Methodology
In late November 2009, The Conference Board of
Canada distributed a comprehensive, multi-industry
ERM survey4 to 392 organizations5 across Canada.
The survey questions for this report asked about the
following risk governance practices and risk account-
abilities: 1) ERM resources and structure; 2) basic risk
metrics used; 3) identification of key risk indicators
(KRIs) in ERM methodology; 4) compensation plans;
5) ERM integration with processes, corporate functions,
and programs; 6) risk appetite/tolerance statements;
7) executive and board involvement in ERM; 8) risk
management and board committees; and 9) risk reporting.
Organizational Profile and Characteristics
In total, there were 89 respondents to the online survey,
resulting in a response rate of 22.7 per cent.6 We had
anticipated a higher response rate, given the heightened
awareness of increased organizational transparency,
enhanced regulatory requirements, and the pressure
(greater than before) on directors to demonstrate their
risk management accountability.
Charts 1, 2, and 3 show the breakdown of organizations
by type, industry, and scope of operations, respectively.
In terms of size, a wide range of organizations was
4 The online survey was divided into five main sections with the purpose of producing four reports. The titles of these five sections were Organizational Profile, ERM Background Information, Risk Governance and Accountabilities, Corporate Risk Profiles and Black Swans, and Managing Corporate Reputation and Demonstrating ERM Value. The questions in each section were developed with the assistance of advisory committees.

5 The online survey was e-mailed to the designated representative within the organization responsible for ERM/risk management. The titles of these people included CRO, CFO, VP of Risk Management, VP of Strategy, VP of Internal Audit, VP of Compliance, and VP of Corporate Governance.

6 Not all of the survey questions were answered by all 89 respondents.
represented: 16 per cent have revenues less than
$100 million, and 53 per cent have revenues greater
than $1 billion. (See Chart 4.)
Compared with The Conference Board of Canada's 2005 Enterprise Risk Management: Inside and Out report, the current survey includes more public stock organizations (26 per cent versus 23 per cent) and more organizations operating throughout North America (30 per cent versus 19 per cent). There were, however, fewer multinational organizations in 2009 than in 2005 (10 per cent versus 29 per cent). Furthermore, the 2009 survey includes many additional organizations that have implemented ERM since 2005.
Organizational Background on ERM
To gain a better understanding of the risk governance
practices applied in the survey sample, we asked foun-
dational questions about the year organizations started
practicing ERM, the drivers for doing so, and whether
from the time that they started ERMthere were any
significant barriers that halted its progress at any point.
The number of organizations in the survey sample that
started practicing ERM between 1998 and 2004 was 32; for 2005 through 2009, the number was 47. The growth
in the rate of ERM adoption by organizations occurred
around 2003, with the average year of implementation
Chart 1: Survey Participants by Organization Type, 2005 vs. 2009 (n=89; percentage of organizations)
Categories: Crown, Government, Mutual, Not-for-profit, Private, Public, Other. (Chart not reproduced; 2009 values, in chart order: Crown 19, Government 16, Mutual 2, Not-for-profit 7, Private 13, Public 26, Other 17.)
Note: In 2005, respondents had the opportunity to categorize their organization into one of two additional groups: cooperatives (of which there were eight) and associations (of which there was one). If cooperatives and associations had been grouped under "other" in 2005 (as they were in 2009, if there were any in the responding sample), the "other" category would have had a similar response rate in both years.
Source: The Conference Board of Canada.
being 2005. (Mean years of ERM experience was approxi-
mately 5.5 years.) Chart 5 illustrates the peaks and shows
that a number of survey participants are still in the early
stages. The number of organizations in our survey sam-
ple of 89 starting to practice ERM has stabilized at 7 to
10 per year since 2006.
What drove organizations to embark on an enterprise-
wide risk management approach? Respondents were
allowed multiple choices, and a total of 84 organizations
indicated at least one primary driver. The top 10 drivers
are listed below, with the percentage of respondents
selecting each driver shown in parentheses.
1. Enterprise-wide assessment of principal risks
(67 per cent)
2. Improved decision-making (51 per cent)
3. Board mandate (39 per cent)
4. Other reasons (enhanced strategic planning, greater
visibility, increased shareholder value, government
requirements in Canada, etc.) (20 per cent)
Chart 2: Survey Participants by Industry (n=89; percentage of organizations)
Industries shown: Banking, Health care, Insurance, Manufacturing, Mining, Other financial services, Public sector, Retail, Service, Tech, Telecom, Transportation, Utilities. (Chart not reproduced.)
Source: The Conference Board of Canada.

Chart 3: Scope of Operations (n=89; percentage of organizations)
Categories shown: Asia, Europe, Latin America, Multinational, North America, Limited to one country, Limited to one province or state. (Chart not reproduced.)
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.

Chart 4: Size of Organization by Total Revenue (Non-governmental) (n=67; percentage)
Less than $100 million . . . . . . 16
$100 million-$249 million . . . . 12
$250 million-$499 million . . . . 10
$500 million-$999 million . . . .  7
$1 billion-$4.9 billion . . . . . 37
$5 billion-$9.9 billion . . . . .  6
$10 billion-$24.9 billion . . . .  4
More than $25 billion . . . . . .  6
Note: Due to rounding, the numbers do not add up to 100 per cent.
Source: The Conference Board of Canada.
5. Regulatory requirements specific to an organization
(15 per cent)
6. Sarbanes-Oxley/Canadian Securities Administrators
National Instrument (NI 52-109) (10 per cent)
7. Improved bottom line (9 per cent)
8. Standard & Poor's ERM evaluation process
(5 per cent)
9. Economic climate in the last two years (4 per cent)
10. Enhanced employee production (3 per cent)
Of interest is that Standard & Poor's and other rating agencies had little influence on organizations' decisions to implement or upgrade their ERM methodology. This could be because most or all of these organizations were early adopters and had already met or exceeded the agencies' criteria when they started to include ERM as part of their credit rating evaluation. As well, while board mandate was ranked third in importance overall, it was of less relevance to private sector organizations. Improved decision-making held significance for all organization types, hovering between 40 and 50 per cent on average. (See Chart 6.)
As expected, over half (56 per cent) of the 84 organiza-
tions that responded experienced some form of delay.
Common barriers cited were these: not seen as a prior-
ity, organizational change, lack of knowledge, lack of
time, lack of executive support and resources, resistance
to cultural change, and more focus on operational risk. In almost 97 per cent of these cases, respondents felt that
ERM was stalled at the board or senior management/
executive level.7
ERM Resources and Structure

ERM Policy
"The process of . . . ERM . . . starts and finishes with the board of directors, which demands and approves a policy for risk management."8 This statement from one of the Conference Board's original research briefings on ERM, though it dates back to 1997, is still valid and describes an effective way to maintain the momentum of ERM.
It is encouraging to note, then, that almost 60 per cent
(50 organizations) of respondents to our 2009 survey
had a written ERM policy, and these organizations had,
on average, 5.4 years of ERM experience. Twenty-two
of these 50 respondents were either Crown corporations
or government organizations. Thirty-three organizations
had their ERM process mandated or driven by the board
or at the executive level. More encouraginglyalthough
the progress was slowis the 16 per cent increase from
7 Only 48 organizations responded to the question "At what level of management did you feel the implementation of ERM was stalled or that there were significant barriers that halted its progress?"

8 Nottingham, A Conceptual Framework.
Chart 5: Growth in Rate of ERM Adoption by Organizations (n=79; number of organizations), by year of adoption, 1998 to 2009. (Chart not reproduced.)
Note: There are any number of possible explanations for the growth rate in ERM adoption: the corporate governance failures that led to Sarbanes-Oxley, Treasury Board Secretariat establishing its Integrated Risk Management (IRM) guidelines, the Auditor General conducting IRM audits of several federal government departments, Basel II ramping up, the Joint Committee on Corporate Governance report release in late 2001, etc.
Source: The Conference Board of Canada.
the 2005 ERM survey, which had 86 respondents in total.
As Table 1 illustrates, the 2009 survey identified seven
key groups with explicit responsibilities for ERM.
Corporate Risk Profiles9
A corporate risk profile is defined in Enterprise Risk
Management: Today's Leading Research and Best
Practices for Tomorrow's Executives as a periodic
documentation of the key risks to an organization to
achieving its stated business objectives over a specified
9 For more information on identification and assessment techniques used to develop a corporate risk profile, see Hoyt and Schoening-Thiessen, The Role of Black Swans in Enterprise Risk Management.
hart 6Type of Organization and Drivers for ERM(n=82; percentage of organizations selecting each driver)
Note: Respondents were asked to select all that applied.Source: The Conference Board of Canada.
0
10
20
30
40
50
60
70
80
90
100
110
Enterprise-wide assessment
of principal risksBoard mandate
Improved decision-making
Regulatory requirements specific
to your organization
Sarbanes-Oxley/Canadian Securities Administrators
National Instrument (NI 52109)Standard & Poors ERM evaluation
Crown
(n=16)
Government
(n=14)
Mutual
(n=2)
Not-for-profit
(n=6)
Private
(n=12)
Public
(n=24)
Other
(n=15)
abe 1Groups Responsible for ERM Based on
Written Policy
group Percentae of repone
Board 80
CEO 75
Line managers 65
Chief risk officer 65
Risk owners 61
Internal audit 48
Executive committee 7
Note: Respondents were asked to select all that were identifiedin their ERM policy.Source: The Conference Board of Canada.
8/22/2019 11-165 Enterpriseriskmanagement Final Feb Web
15/32
The Conference Board of Canada | 7
Find this report and other Conference Board research at wwwe-ibraryca
future time period.10 Its primary purpose is to com-
municate information from management to the board.11
A corporate risk profile, therefore, could be classified
as one of the most important elements of ERM.
Our survey asked organizations if they prepared a corporate risk profile, that is, a list of their key risks. Of the 89 organizations that responded, 78 per cent (69 organizations) did so. This list is prepared and updated annually in 51 per cent of the organizations and quarterly in 32 per cent. The remaining organizations undertook this effort semi-annually.
Just over 60 per cent of the 69 respondents indicated that risk profiles are prepared at least at some level for subsidiaries/divisions. (Forty-two per cent said "yes," 19 per cent said "some.") The remaining 39 per cent responded that they did not prepare risk profiles at the subsidiary or division level.
Risk Registers

Clearly, maintaining a risk register is an important element in the ERM process. It not only helps track risks and relevant information, but also helps identify risk trends that affect corporate goals and helps determine possible reporting formats.
Do organizations maintain risk registers for major risks? Fifty-eight organizations (69 per cent of the 84 respondents) indicated that they do. This percentage increased by only 11 per cent since the 2005 Enterprise Risk Management: Inside and Out report. Within the risk register, several significant elements are logged and maintained. Virtually all respondents indicated that their risk register identified risks as affecting the corporation's objectives and described accountabilities and action plans. Other information included a description of the risk, impact and probability levels, the source of the risk, and mitigation plans.

10 Fraser and Simkins, Enterprise Risk Management, "How to Prepare a Risk Profile," Ch. 11, p. 171.

11 Ibid.
Of the 58 organizations maintaining a risk register, approximately two-thirds indicated that managers are not required to periodically sign off on risks that have been identified for their areas of responsibility and are being mitigated. Slightly over one-third of respondents (25 organizations) require sign-offs, and most12 are done annually or quarterly. While this is a small portion, it is instructive to see at what level these sign-offs are being reported. (See Chart 7.) Most common are the executive committee, audit committee of the board, and risk management committee of the board.

12 One organization required a weekly sign-off, and two organizations required a monthly sign-off. The remaining 22 organizations required quarterly, semi-annual, or annual sign-offs.
Chart 7: Level at Which Sign-Offs Get Reported (n=25; percentage of organizations listing each response)
[Bar chart: categories listed: executive committee; audit committee of the board; risk management committee; CEO; chief risk officer; risk management committee of the board; full board; legal head; governance committee; CEO of subsidiary; compliance committee of the board; quality control committee. Horizontal axis 0 to 70.]
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.
Risk Management/ERM Group

An overwhelming 81 per cent (72 respondents) use a dedicated risk management group to facilitate ERM. The number of these groups appears to be growing. In 2005, 61 per cent had such a group. For the 2009 survey, when asked what year the risk management group was formed, 57 of the 72 organizations provided the year. As shown in Chart 8,13 the trend is striking. Note the dramatic growth since 2004, which also mirrors the findings in Chart 5 for ERM implementation.
Risk Official

Seventy-three per cent of the respondents (64 organizations) have a chief risk officer (CRO) or senior risk executive responsible for their ERM process. Again, this number has grown since 2005, when 49 per cent had CROs or an equivalent and another 10 per cent were considering appointing a CRO. Of the 64 organizations that have CROs or a senior risk executive, 23 were within Crown corporations or government organizations. Somewhat disturbingly, in 2009, 21 per cent had no senior official overseeing ERM. Such organizations may be more likely to encounter a number of cultural and implementation issues due to lack of proper oversight and leadership. Of 80 responses, 53 per cent stated that the CRO or risk executive responsible for ERM is a senior member of the executive management team. This is critical to ensure the credibility and transparency of the organization's efforts in implementing ERM.

13 A total of 68 responses were received to this question, but nine respondents did not state the year that the risk group was formed, and two respondents indicated that the risk management group would be formed in 2010. The chart excludes these responses.
One dramatic change in the reporting relationship occurred between 2005 and 2009. In 2005, 28 per cent of CROs reported directly to the CEO, but in 2009, 54 per cent14 did so. Another 20 per cent reported to the chief financial officer (CFO) (this has not changed since 2005), and 7 per cent reported to the audit committee of the board (this has increased by 4 per cent). Chart 9 shows an overwhelming 69 respondents reporting on a quarterly basis. As a percentage of the responses, 65 per cent reported to a board committee, 51 per cent reported to the CEO, and 42 per cent reported to the board. In all these instances, reporting to any one of these three groups has increased since 2005, especially to the CEO and a board committee.

14 The percentage is based on having received 69 responses to the question.
Chart 8: Formation of Risk Management Groups, by Year (n=57; number of responses)
[Bar chart: number of risk management groups formed in each year from 1999 to 2009; vertical axis 0 to 10.]
Note: While 72 organizations responded to the question on whether they use a dedicated risk management group, only 57 out of the 72 indicated the year in which the group was formed.
Source: The Conference Board of Canada.

Chart 9: Frequency of Reporting on ERM (n=69; number of responses)
[Bar chart: number of responses by reporting frequency (daily, weekly, monthly, quarterly, annually) for each recipient (CEO, board, board committee); vertical axis 0 to 120.]
Note: Respondents were asked to select all that applied. Therefore, the total number of responses equals more than the 69 responses received.
Source: The Conference Board of Canada.
Our survey listed a few ERM-related responsibilities and asked respondents to select all that applied to them. Of the 70 responses, most organizations saw the CRO as a supporting role. Responses showed that the CRO's main responsibility was to:
1. facilitate, set standards and methodologies, and provide support to the organization (61 organizations);
2. challenge major initiatives, transactions, and strategic decisions (42 organizations);
3. follow up on implementation of action plans committed to by the owner of the risk to mitigate the risk (42 organizations); and
4. approve major initiatives, transactions, and strategic decisions (14 organizations).
Of the 42 organizations that selected the challenge function (bullet 2) and the 14 organizations that selected the approve function (bullet 4), 11 organizations selected both bullets and 64 per cent (7 organizations) were from the financial and utility industries. The CRO or risk executive of all 11 organizations is a member of the executive team. Only 6 of the 11 stated that they are both a designated officer and a member of the executive team.

Thirty-one organizations selected the challenge function but not the approve function (bullet 2, but not bullet 4). A majority of them were from either financial and utilities industries (17) or government organizations (6). Only three organizations selected the approve function only (bullet 4), and two of these were in the financial and utility industries.15

15 While two questions were directed at whether the CRO or risk executive's ERM-related responsibilities included challenging and/or approving major initiatives, transactions, and strategic decisions, we could not confirm if the respondents interpreted the questions to mean challenge or approve strictly on their own recognizance or as part of a group decision.
ERM Staff

A majority of the organizations (53 of the 73 that responded) employ one to three full-time employees devoted purely to ERM.16 An additional two to four full-time equivalents assist when required.17 Organizations in the banking, insurance, or other financial industries are more likely to employ more staff dedicated to ERM-related activities (almost three full-time ERM employees, with an additional six full-time equivalents, on average). Compared with the 2005 Conference Board survey, all these findings could be considered improvements over 2005, when 41 per cent did not have any full-time employees devoted to ERM, and 21 per cent had only one staff person.
ERM as Part of a Governance, Risk, and Compliance Model

It appears that Canadian organizations are led more by a principle-based than a compliance-based risk governance framework. Forty-one per cent (of 72 that responded to this question) have not incorporated a governance, risk, and compliance (GRC) model.18
Yet there are a number of other programs for which the risk management/ERM group is accountable. Although the sample size was small (38 responses), the findings show that the risk management/ERM group is often charged with two additional accountabilities: business continuity planning and insurance. (See Table 2.) No conclusions in terms of industry, scope of operations, or size could be drawn as to why these 38 organizations had other programs assigned to the risk management/ERM group. However, 22 of these 38 organizations (58 per cent) had more than four years of ERM experience.
A larger group responded to whether the risk management/ERM group was responsible for monitoring and enforcement activities. Over half (57 per cent) responded "no." The remaining 43 per cent (31 of the 72 organizations that answered) indicated "yes."

16 Seventy-three responses were received to the question "How many full-time employees are devoted purely to ERM?"

17 Sixty-four responses were received to the question "How many full-time equivalents are devoted to ERM-related activities?"

18 A GRC model aligns the governance, risk, and compliance roles to collaborate and share information as a unified team, often using a common software package.
Embedding ERM Into Business Units

Successful organizations embed ERM into business units through actions taken by business unit functions and by tying business planning into ERM.19 We looked further into how organizations formally structured ERM into their business operations.

19 Thiessen, Enterprise Risk Management: Inside and Out.
Because respondents were allowed to select all options that applied, we were able to show that the business/operational units are usually structured according to the eight criteria listed in Table 3, with the percentage of responses ranking the criterion's importance for both 2005 and 2009. (Note that the responses did not depend on the organization's years of ERM experience.)
Table 2: Additional Accountabilities of the Risk Management Group (n=38)

Accountabilities                                     Number of respondents
Business continuity planning                         21
Insurance                                            20
Financial risk management/services (credit,
  trading, hedging, fraud, asset liability,
  CEO-CFO certification and other related
  finance activities)                                 7
Internal audit                                        7
Corporate policy                                      6
Corporate security/investigations                     4
Regulatory/compliance                                 4
Emergency/crisis management                           3
Patient safety/relations/quality assurance            3
Information technology/security                       3
Project management                                    2
Ethics                                                2
Privacy                                               2
Strategic planning                                    2
Contract management                                   2
Loss control/prevention                               2
Legal                                                 2
Environment                                           1
Corporate social responsibility                       1
Corporate performance management                      1

Source: The Conference Board of Canada.
Table 3: How Organizations Structure ERM Into Their Business Operations (per cent)

Structure                                                      2005   2009
Designated ERM champions within the business/operational
  units with appropriate delegation of authority                 *    35.0
Specific actions related to risks carried out by specific
  functions within the business/operational units                *    60.0
Established reporting structures for ERM linked with the
  functional operation of business/operational units            27    43.8
Key metrics exist for evaluation and reporting on risk
  management performance                                        24    41.3
Business planning process of business/operational units
  directly tied into the ERM process                            19    47.5
Capital allocated to business/operational units for the
  mitigation of risks                                           20    23.8
Access to ERM software, supporting interactive communications,
  and information-sharing across the business/operational
  units and the organization                                     8    17.5
Each business/operational unit identifies evaluation points
  to mark achievements in ERM                                   12    16.3

* No findings.
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.
Risk Metrics

Approximately 43 per cent of 81 respondents indicated that their organization's risk metrics consider interrelationships between different risks: 18 per cent said "yes," 25 per cent said "some," and 57 per cent said "no."

How is this accomplished? While all of the responses suggest a systematic review of the key risks and their relationship to other risks, there is some variation in the extent to which this is driven by actual data and more qualitative factors. Most organizations appear to embed this activity in their general risk mapping or assessment process. (See Table 4.)
To what extent are risk metrics used to guide or control day-to-day decision-making? Of the 81 organizations that responded to this question, over one-half mentioned that risk metrics are used to guide or control day-to-day decision-making (38 per cent listed "somewhat," and 15 per cent listed "largely").

And what of risk metrics used in capital funding/allocation processes? Of the 82 organizations that responded to this question, 58 per cent mentioned that risk metrics are used "very little" in capital funding/allocation processes. Of the other respondents, 27 per cent listed "somewhat," and 15 per cent listed "largely." Perhaps not surprisingly, half of the organizations that largely use risk metrics in the capital funding/allocation processes were from the banking, insurance/reinsurance, and other financial services industries. Otherwise, no by-industry pattern appeared for organizations with regard to this question.
Key Risk Indicators

Key risk indicators (KRIs) are forward-looking or leading. Key performance indicators (KPIs) are historical or backward-looking. Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives defines a KRI as "a measure to indicate the potential presence, level or trend of a risk."20

Overall, the responses to the survey questions on KRIs were relatively few. This shows that KRIs are still an evolving area, where organizations are still learning how to identify them and use the information effectively. This is an area that could be researched in more depth to enhance the effectiveness of an enterprise-wide risk management approach.

20 Fraser and Simkins, Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives, Ch. 8.
Table 4: Common Risk Metric Themes

Risk metric theme           Survey examples of how interrelationships between risks are assessed
Risk mapping                Risks are mapped to their sources and to metrics. Related risks are identified and mapped to each of the key risks. Risks are categorized into external and internal sources and mapped according to whether they affect more than one business objective.
Review of historical data   Organizations consider the history of correlation of key risks. The historical data, after the organization has conducted enterprise risk assessments for several years, point to correlations between certain risks.
Risk workshops              If data are not available, perceived correlations are established through risk workshops.
Causal analysis             An analysis is conducted on whether there is a causal relationship between correlated risks and if so, in what direction. Risk statements are in the form of potential causes, risks, and impacts. Causal relationships are analyzed through bowtie exercises.*

* For more information on bowtie exercises, see Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives, p. 291.
Source: The Conference Board of Canada.
KRIs are a part of an organization's ERM methodology in only 39 per cent of the 81 responding organizations. (Seven per cent responded "to a large extent," and 32 per cent responded "some use made of them.") The other 49 organizations indicated that KRIs are not specifically tracked as part of ERM.
Of the 32 organizations that use KRIs to some or a large extent, operations/lines of business and the CRO or vice-president of risk were the most commonly involved in identifying KRIs. (See Chart 10 for a summary.) Close to 60 per cent of the 32 organizations responded that their KRIs are either largely or somewhat linked to objectives, performance metrics, or key performance indicators.
Are KRIs reported to management and the board? Yes. Not surprisingly, information was shared on a more frequent basis with management (monthly or quarterly) than with the board (quarterly or annually).
ERM Compensation

Is the risk management/ERM group's work tied to a form of incentive compensation? While 72 responded to this question, only 29 per cent (21 organizations) replied "yes." Fourteen of the 21 organizations (67 per cent) were financial institutions, insurance organizations, or utilities. These organizations were further along in their development of ERM. The remaining eight organizations each represented a different industry.

The 21 organizations that used incentive compensation for the risk management/ERM group followed the criteria shown in Chart 11. Interestingly, not one organization used share price as a criterion. The group's incentive plans, on the other hand, are based on meeting risk management objectives and capabilities and service levels within the organization.
We asked whether organizations reviewed or planned to review their remuneration programs to promote more responsible behaviour and risk-taking. Of the 85 that responded, only 16 per cent (14 organizations) indicated they have reviewed their incentive programs to ensure more responsible risk-taking. Another 11 per cent (9 organizations) plan to review their compensation programs. The remaining 73 per cent (62 organizations) selected neither of the above choices. Again, the 14 organizations that have already reviewed their incentive programs were from the financial, insurance, and utility industries. These organizations, as well, had an average of 5.35 years of ERM experience.
Embedding ERM Into Processes, Functions, and Programs

Overall, the survey findings show that ERM has been adopted by or integrated into many existing processes and functions. The distribution of how well it is integrated is reflected in Chart 12. Between 83 and 85 organizations responded to all the choices in the chart.21 Collectively, the results indicate that the level of ERM integration is medium to high in several areas (audit, compliance, corporate, and planning), but low in other important areas (performance management, product development, and mergers and acquisitions).

21 The survey asked how fully ERM is integrated with 14 processes/functions. Not every organization responded regarding how integrated they were with all 14 processes/functions. Between 83 and 85 organizations provided a response regarding all these 14 processes/functions.

Chart 10: Those Involved in Identifying Key Risk Indicators (n=32; percentage of respondents)
[Bar chart: categories listed: operations/business; CRO/VP-risk management; corporate group; CFO; management risk committee. Horizontal axis 0 to 70.]
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.
Compared with the Conference Board's 2005 survey, a few changes are worth noting:
• High integration with strategic planning has gone up by only 5 per cent; medium integration remains similar.
• High integration with business planning has dropped by 7 per cent; medium integration has increased by 19 per cent.
• High integration with corporate governance has declined by 8 per cent; medium integration has gone up by 12 per cent.
• High integration with performance management is slightly lower, by 2 per cent; medium integration has improved by 11 per cent.
• High and medium integration with internal audit remain at similar percentages.
Risk Appetite/Tolerances

Risk appetite or risk tolerances? Which do organizations use? Or are the terms used interchangeably? We asked these three questions in the hope of clarifying whether organizations are formally or informally applying the terms and, if so, how. However, it is obvious that much confusion remains.

While the findings are described below, we make no attempt to explain the ambiguity of these terms. Perhaps, as ISO 31000 dictates, the most pragmatic approach is to require organizations to determine a set of risk criteria to evaluate risk.22

22 For more information on risk criteria, see ISO 31000:2009, Section 5.3.5, "Defining Risk Criteria."
Foremost, out of 82 responses, it was evident that organizations responded to the questions23 on the basis that they informally use the terms risk appetite or risk tolerance:
• Thirty-two organizations used the terms risk appetite and risk tolerance interchangeably.
• Seventeen used the terms separately, with different definitions.
• Five used risk appetite only.
• Nine used risk tolerance only.
• Nineteen organizations used neither term.
While organizations may use either or both of these terms, only 32 organizations24 had formal, approved corporate risk appetite or tolerance statements (13 had formal, approved corporate risk appetite statements, and 19 had formal, approved corporate risk tolerance statements). Most of the organizations represented banking, insurance, other financial services, utilities, or government.
An interesting aspect of this topic is that while many organizations did not have formal, approved risk appetite/risk tolerance statements, they used either or both the terms informally and still informally discussed and reviewed risk appetite/risk tolerances with management and the board. There were 26 organizations that fell into this category out of 57 responses to the question "What is the most senior level that reviews the risk appetite/tolerance levels?"

23 The survey asked these questions: Does your organization use the terms risk appetite and/or tolerances: interchangeably? Neither? Separately, with different definitions for each? If separately, which term do you use more?

24 Five of the 32 organizations had formal statements for both tolerance and appetite.

Chart 11: Incentive Compensation for the Risk Management/ERM Group (n=21; number of responses)
[Bar chart: number of responses for each criterion: meeting risk management objectives and capabilities; service levels to external stakeholders; service levels with the organization; share price; earnings. Horizontal axis 0 to 25.]
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.
Of these 57 responses, the collective board reviewed and discussed either informal or formal statements in 25 of the cases, a board committee in 16, the CEO in 9, and a management committee in the remaining 7. These percentages have risen significantly since the 2005 Conference Board survey, since at that time the board and board committee were considered one group, at 26 per cent, and the CEO and management committee were another, at 10 per cent. Similarly, the 2009 survey showed annual reviews at 42 per cent, whereas this was at a low 25 per cent in 2005. The quarterly review percentages are fairly close: 6 per cent in 2009 and 5 per cent in 2005.
The full board approves the informal risk appetite/tolerance levels or formal statements in 27 per cent of the 57 responding organizations, whereas a board committee does so in only 8 per cent of the organizations. Predictably, annual is the most common frequency for the approval process, at 46 per cent. In 19 per cent of the organizations (11), the CEO approved the informal risk appetite/tolerance levels or formal statements. Various industries made up this 19 per cent (two public sector, three insurance, two education, one technology, one telecommunications, one financial service, and one manufacturing).

Chart 12: Level of ERM Integration (n=83 to 85; percentage of respondents)
[Stacked bar chart: for each process/function (strategic planning; business/budget planning; loss control; audit; compliance; corporate governance; disclosure; capital management; performance management; product development; mergers and acquisitions; insurance and hedging; ethics/business conduct; compliance), the percentage of respondents rating integration as high, medium, low, not at all, or not applicable; vertical axis 0 to 100.]
Note: Respondents were asked to select all that apply.
Source: The Conference Board of Canada.
How do organizations establish risk appetite/tolerance levels? Respondents were asked to select all that applied from the list below. Only two organizations, out of 59 respondents, identified other means to establish risk appetite/tolerances, and this was linked to the impact on corporate reputation.
• Thirty organizations qualitatively had them defined by management and reviewed by a board committee or the collective board.
• Twenty-six organizations tied them into measurables such as earnings and capital or developed them in reference to these.
• Sixteen based them on scenarios.
• Fourteen organizations tied them into materiality or developed them in reference to materiality.
• Seven built them on easy-to-understand examples that could impede the organization's agreed-on business objectives.
• Six organizations qualitatively had them defined by the board.
Board Involvement in ERM

Levels of Senior Management Involvement

It is vital that ERM have executive involvement and board support. This tone from the top breeds the right culture for staff to embrace the organization's approach to ERM and the accompanying tools, techniques, and practices. It is encouraging to report that over two-thirds of the surveyed organizations (85 responses) felt that their senior management took an active role in their ERM process. Table 5 shows how involved senior management is in various ERM-related activities.
Board Awareness of Top Risks

Asking board members to correctly name the top five risks and what is being done about them is one measure that could validate how interested and involved boards are in the ERM reporting process.

Disturbingly, only 47 per cent of 85 respondents believed that their board members could "somewhat" identify the organization's top five risks and the actions being taken to address them. Forty-two per cent believed that their boards could positively identify the organization's top risks. This suggests that additional effort is needed to raise board members' awareness of risk and risk management. Efforts could include more rigorous risk discussions at each board meeting, as well as the conduct of risk workshops.
This may also indicate a need to staff boards with more ERM experience. According to the 86 responses received, only 34 per cent indicated that the board had either excellent or moderate knowledge of and experience with ERM. Approximately half of these (14 organizations) were in the financial or utility industries. Sixty-six per cent had either fair or no experience with ERM at the board level. In other words, two-thirds had boards with little or no ERM proficiency. This may also help explain why a high percentage of respondents indicated that ERM stalled or failed at the top levels of the organization.
Has ERM changed boards' oversight role or activities? According to the findings, which comprised 84 responses, approximately one-third of the organizations (28 respondents) stated that their boards' oversight responsibilities have changed somewhat. Another one-third (28 respondents) indicated that their ERM experience has completely changed their board activities. Fourteen of the respondents were from the financial, utility, and insurance industries; the other 14 were from other industries. Reasons for the change included the following:
• prioritizing strategies, thus placing a greater focus on risk;
• providing key insights into their firms' risk profile;
• greater awareness and accountability for risk oversight; and
• regular in-depth reviews of their top 10 risks.
Risk Management and Board Committees

Risk Management Committees
Through the survey, we identified two possible types
of risk/ERM management committees: one dedicated
solely to risk matters/ERM and one that is part of a bigger
agenda, such as the executive committee. Table 6 shows
how organizations currently structure their risk manage-
ment committees.
Risk management committees tend to meet monthly (40 per cent) in the banking, health care, insurance/reinsurance, and technology industries; and quarterly (38 per cent) in the utility, mining, and other financial services industries. The meetings usually last one to two hours. All other frequencies (biannually, every two weeks, or more than every two weeks) were 8 per cent or under. When asked who owns each risk in the organization, 64 per cent of the 79 responding organizations identified executive management as being responsible.
Board Risk Committees
Over the last few years, the notion of establishing risk committees of the board has gained significance. The reasons are self-evident: corporate failures, stakeholders demanding board accountability, regulatory requirements, and more time devoted to risk agendas and discussions. In reality, is Canada moving toward this concept? And if so, how frequently do risk committees of the board meet, and for how long? Of the 86 organizations that responded, 22 per cent (19 organizations) have risk committees of the board, and these committees usually meet once a month or quarterly. As illustrated in Chart 13, organizations with risk committees of the board showed higher percentages in specific accountabilities for board risk oversight and management risk responsibilities.
Table 5
Level of Senior Management Involvement (n=80; percentage of organizations)

Activity | None | Some | Substantial | Full
Helping to define or review the company's risk policy and risk appetite/tolerances* | 1 | 37 | 52 | 11
Setting or approving risk appetite/tolerances* | 4 | 35 | 47 | 14
Ensuring appropriate communication from the executive level in order to promote ERM within the company | 4 | 49 | 31 | 15
Participating in assessing risks and assigning quantitative and qualitative measures of risk impact and likelihood | 2 | 46 | 42 | 8
Actively participating in strategic planning and working with the senior team to conduct risk assessments of the organization's strategies | 1 | 36 | 51 | 11
Ensuring that appropriate resources are in place to coordinate, monitor, and report on ERM | 6 | 47 | 36 | 10

*Percentages provided include the informal use of the term "risk appetite/tolerances."
Note: Respondents were asked to select all that applied. Numbers might not add up to 100 per cent due to rounding.
Source: The Conference Board of Canada.
The industries that have risk committees of the board are banking, insurance, health care, and mining. The first two industries are regulated and, as such, they are expected to put in place more stringent rules to oversee risk management. Their scope of operations was also geographically dispersed in and outside North America. The final two are complex organizations, covering large geographic areas that require consistent engagement with the public.
Sixty-nine organizations (see note 25) provided the length of their risk committee meetings: these meetings tend to last two hours in most of the organizations (38 per cent) and three hours or longer in some others (38 per cent). The rest of the organizations (78 per cent) have a board committee, such as audit, governance, human resources, or regulatory, that is charged with ERM accountabilities.
Boards administer various forms of risk/ERM oversight activity. Table 7 shows, in descending order, the percentage of votes received for each activity.
Risk Reporting
As expected, the person responsible for preparing, reviewing, and presenting the main risk reports to executive management and the board is most often the vice-president of risk management, the chief risk officer, or the chief audit executive. The CFO appeared to review most of the reports. Of the 35 organizations that responded that the CFO reviewed the reports, 12 were from the financial and utility sectors. The reports contain information on the principal risks, emerging risks or looming uncertainties, risk trends, mitigating measures, risk metrics, and action plans. (See Chart 14.) A notable difference is that the respondents in 2009 identified emerging risks or looming uncertainties and trends as part of their risk reports, and for obvious reasons, given the profile that black swan-type events have been receiving recently. These did not appear very often back in 2005.

25 While 86 organizations responded regarding whether they have a risk committee of the board, only 69 responded to the question on how long the risk committee meetings last.
And what of risk mitigation plans: to whom and how often are they reported? Of the 72 responding organizations, the CRO reported the risk mitigation plans mostly on a quarterly basis to the executive management team, the committee of the board responsible for ERM, and the full board. (See Chart 15.)

Table 6
Structure of Risk Management Committees (n=79)

Risk/ERM management committee structure | Percentage of responses | Average years of ERM experience
A separate risk/ERM committee that includes the CEO | 31 | 4.71
ERM activities dealt with as part of another committee that reports to the CEO | 27 | 5.62
A separate risk/ERM committee that reports to the CEO | 14 | 5.64
ERM not a formal part of a management committee's activities | 13 | 5.60
ERM activities dealt with as part of another committee that reports to one of the CEO's direct reports | 9 | 3.29
A separate risk/ERM committee that reports to one of the CEO's direct reports | 6 | 4.00
Total | 100 | 5.03*

*This is a weighted average.
Source: The Conference Board of Canada.
Concluding Thoughts
Canadian organizations are continuously striving to improve their risk governance practices and organizational structures to effectively integrate a holistic approach to risk management and risk oversight at the senior management and board level. The major unexpected corporate bankruptcies from 2001 onwards, followed by the credit crisis of 2007–09, have made it crystal clear that ERM effectiveness requires significant organizational consideration. ERM is a process that links the control aspects of governance, capital management, and performance management.26

26 Rizzi, Risk Management.
Chart 13
Management and Board Risk Oversight Responsibilities (n=83 to 85; percentage of organizations responding)
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.

[Bar chart comparing all organizations against organizations with dedicated risk committees of the board (horizontal axis: 0 to 70 per cent) across six accountabilities: roles and responsibilities of management and board explicitly outlined in ERM policy; roles and responsibilities explicitly written into committee charters; sign-off by management and/or board members of ERM policy and committee charters; individual job responsibilities identified and signed off by individuals; clear segregation of duties; and organizational structure mapped to reflect hierarchy of risk accountabilities. Bar values are not recoverable from the text.]
Table 7
Forms of Board Oversight for the ERM Process (n=78)

Form of oversight | Percentage of respondents who selected this form
Receives information on the organization's principal risks and mitigation strategies and provides feedback | 79
Receives periodic ERM updates (on strategy, framework, practices, etc.) and provides feedback | 69
Approves policies, framework, and practices associated with risk assessment and risk management | 51
Reviews management's performance regarding the treatment and monitoring of risks | 51
Reviews policies, framework, and practices associated with risk assessment and risk management | 50
Reviews risk appetite/tolerances only | 33
Approves risk appetite/tolerances only | 21
Actively involved in contributing to the definition of the company's risk policy and risk appetite/tolerances | 19
Receives periodic ERM updates, but provides little feedback | 18
Actively involved in setting ERM strategy | 12

Note: A total of 78 responses were received. Each selected at least one of the categories. Percentages are calculated based on how many of the 78 responses selected each form of oversight.
Source: The Conference Board of Canada.
Together, the 2005 and 2009 Conference Board surveys have shown that ERM has continued to increase in profile and importance. The findings of the 2009 survey are summarized below. We begin with top marks, where organizations are excelling; move on to areas of vulnerability and improvement, where organizations are vulnerable; and finish with changes in ERM practices (what has happened after 2005 and up to late 2009).
Top Marks
ERM is gaining traction, as is evident from the progressive tie-in with business functions and operating units. More and more organizations are putting formal ERM policies in place. Preparing corporate risk profiles at least annually and maintaining risk registers are also widely accepted principles of ERM.
Risk management/ERM groups are becoming more common and an increasing influence within organizations. There is strong senior-level involvement in ERM, which shows in the dramatic increase since 2005 of the CRO/risk executive reporting to the CEO.
Over the last few years, the notion of establishing risk committees of the board has gained momentum. Twenty-two per cent of respondents currently have such a committee. As expected, the banking and insurance industries lead on this, yet health care and mining are also setting a pattern.
It is noteworthy that, in 2009, risk reports to executive management and the board contained information on emerging risks or looming uncertainties as well as risk trends.
Areas of Vulnerability and Improvement
Implementing an enterprise-wide risk management approach has its challenges, milestones, and issues. Identifying key risk indicators is an area that requires further in-depth exploration. We reviewed the topic to get a pulse on how KRIs are being used in an organization's ERM methodology. Not surprisingly, we found that only some organizations make at least some use of them.

Chart 14
Information Contained in Risk Reports (n=82; percentage of organizations selecting this response)
Note: Respondents were asked to select all that apply.
Source: The Conference Board of Canada.

[Bar chart (horizontal axis: 0 to 90 per cent) over the following report contents: top 5 or 10 risks; emerging risks/looming uncertainties; risk owners; risk metrics; mitigating measures; effectiveness of these measures; exceptions and breaches of risk policies or limits; action plans; residual risks; risk trends; and sign-offs on risk policies. Bar values are not recoverable from the text.]

Chart 15
Reporting of Risk Mitigation Plans (n=72)
Note: Respondents were asked to select all that apply.
Source: The Conference Board of Canada.

[Stacked bar chart (vertical axis: 0 to 180) with series monthly, quarterly, biannually, and annually, for four recipients: business units/operations; the executive management team; the committee responsible for ERM; and the full board. Bar values are not recoverable from the text.]
Organizations also struggle with expressing aggregate risk
through quantitative measures at the enterprise level.
Articulating approved written risk appetite/tolerances is
a definite weakness for organizations outside the financial
and utility industries. For many, there was a difference
between using the terms informally and articulating
them into formal policy.
While senior-level engagement is on the rise, the board of directors is still somewhat removed from the risk management process. Slightly less than half of respondents stated that their directors were only somewhat able to identify their organization's top five risks and the actions being taken to address them. Only one-third of the respondents indicated that their directors had either excellent or moderate knowledge of and experience in ERM.
Organizations should consider doing a better job of
linking ERM performance to compensation, or, at the
very least, they should collect benchmarking data that
could help them plan or revisit their incentive programs.
Changes in ERM Practices Between 2005 and 2009
According to the 2009 survey, the growth rate of organizations' adoption of ERM has risen since 2005. Forty-seven organizations started their ERM process since 2005, and 42 organizations have been practicing ERM since before 2005.
As the survey results show, more CROs/risk executives are designated officers and have a seat on the executive management team. More of them are reporting to CEOs as opposed to CFOs. This could well continue to rise as the value and necessity of ERM and their designated leadership become better understood.
Organizations structure their risk management committees mostly through a separate risk/ERM management committee that includes the CEO. Alternatively, they deal with ERM activities through another committee that reports to the CEO.
If the ERM position is or must be tagged with other
assigned responsibilities, organizations should try to
harmonize and take advantage of the natural linkages
with strategy, business continuity planning, and corporate
policy. This helps ERM take root at the very top level
as part of strategy and policy.
Bibliography
PP
"Baylor University Roundtable on the Corporate Mission, CEO Pay, and Improving the Dialogue with Investors." Held on November 13, 2009. Panelists: Michael Jensen, Ron Naples, Trevor Harris, and Don Chew; Moderator: John Martin. Journal of Applied Corporate Finance, 22, 1 (Winter 2010), 8–31.

Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management: Integrated Framework, Executive Summary. New York: American Institute of Certified Public Accountants, September 2004. www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf.

"Enterprise Risk Management: Current Initiatives and Issues: Journal of Applied Finance Roundtable." Panelists: Bruce Branson, Pat Concessi, John Fraser, Michael Hofmann, Robert Kolb, Todd Perkins, and Joseph Rizzi; Moderator: Betty Simkins. Journal of Applied Finance, 18, 1 (Spring/Summer 2008), 115–132.

Fraser, John R.S., Karen Schoening-Thiessen, and Betty J. Simkins. "Who Reads What Most Often? A Survey of Enterprise Risk Management Literature Read by Risk Executives." Journal of Applied Finance, 18, 1 (Spring/Summer 2008), 73–91.
Fraser, John R.S., and Betty J. Simkins.