
  • 8/22/2019 11-165 Enterpriseriskmanagement Final Feb Web

    1/32

    Report February 2011

    Enterprise Risk Management

    A Review of Prevalent Practices

Organizational Excellence


Preface

Enterprise risk management (ERM) is a process that is critical to an organization's risk governance framework. While organizations are pursuing ERM, many are at different stages in the journey, and most have adopted diverse structures and risk governance practices.

In fall 2009, The Conference Board of Canada conducted a multi-industry online survey on various aspects of ERM. The purpose was to provide benchmarking data on the most prevalent risk governance practices, followed by an in-depth interview process (published in a separate report) to gain a clearer understanding of why organizations have adopted certain risk management, risk oversight, and governance practices. This report describes the key findings from the survey.

Enterprise Risk Management: A Review of Prevalent Practices

by Joseph Rizzi, Betty J. Simkins, and Karen Schoening-Thiessen

About The Conference Board of Canada

We are:

The foremost independent, not-for-profit, applied research organization in Canada.

Objective and non-partisan. We do not lobby for specific interests.

Funded exclusively through the fees we charge for services to the private and public sectors.

Experts in running conferences but also at conducting, publishing, and disseminating research; helping people network; developing individual leadership skills; and building organizational capacity.

Specialists in economic trends, as well as organizational performance and public policy issues.

Not a government department or agency, although we are often hired to provide services for all levels of government.

Independent from, but affiliated with, The Conference Board, Inc. of New York, which serves nearly 2,000 companies in 60 nations and has offices in Brussels and Hong Kong.

©2011 The Conference Board of Canada*. Published in Canada. All rights reserved. Agreement No. 40063028. *Incorporated as AERIC Inc.

Forecasts and research often involve numerous assumptions and data sources, and are subject to inherent risks and uncertainties. This information is not intended as specific investment, accounting, legal, or tax advice.


Contents

Executive Summary

Enterprise Risk Management: A Review of Prevalent Practices

Introduction

Methodology

Organizational Profile and Characteristics

Organizational Background on ERM

ERM Resources and Structure

Risk Metrics

Key Risk Indicators

ERM Compensation

Embedding ERM Into Processes, Corporate Functions, and Programs

Risk Appetite/Tolerances

Executive and Board Involvement in ERM

Risk Management and Board Committees

Risk Reporting

Concluding Thoughts

Appendix A Bibliography


About the Authors

Joe Rizzi, MBA, JD, is a Senior Strategist with CapGen Financial Group. Before joining CapGen, he was a member of the ABN AMRO Group or its U.S. affiliate, LaSalle Bank, for 24 years and served as Managing Director of LaSalle Bank Corporation's Enterprise Risk Management unit for North America. A widely published author, he has lectured to professional organizations in Europe and the United States and taught at the Amsterdam Institute of Finance and the Mendoza School of Business.

Betty J. Simkins, PhD, is the Williams Companies Professor of Business and a professor of finance in the Department of Finance at Oklahoma State University's Spears School of Business. She has published a number of articles on enterprise risk management and finance and is co-editor of Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives. She currently serves on the board of directors of the Financial Management Association.

Karen Schoening-Thiessen is a Senior Research Associate at The Conference Board of Canada. She is the author of several reports on enterprise risk management and has managed the Strategic Risk Council, an executive network for risk executives, for the past 10 years.

Acknowledgements

The authors thank the following people, who were part of the advisory committee that developed the survey questions: John Fraser, Senior Vice-President, Internal Audit and Chief Risk Officer, Hydro One Inc.; Paul Summers, Director, Internal Audit, Fortis Inc.; Mark Rudowski, Director, Enterprise Risk and Compliance, George Weston Limited; Karen McBride, Executive Vice-President, Chief Risk Officer and Chief Compliance Officer, Concentra Financial; and Christopher Eaton, PhD student in risk management and insurance at the University of Calgary's Haskayne School of Business.

Thanks also to Divya Krishnan, graduate of the Master of Science in Quantitative Financial Economics program at Oklahoma State University, who provided superb research assistance in the development of this report.

Special thanks to John Fraser, Senior Vice-President, Internal Audit and Chief Risk Officer, Hydro One Inc.; and Christopher Eaton, PhD student at the University of Calgary's Haskayne School of Business, for their meticulous review and feedback on the draft version of the report.

Another thank you goes to Paul Forgues at The Conference Board of Canada for reviewing the document and providing commentary prior to its release.


Find this report and other Conference Board research at www.e-library.ca

Executive Summary

Five years have passed since The Conference Board of Canada published a report on the status of enterprise risk management (ERM)1 in Canada. Was it time for another update? Due to significant changes in the business world and external factors that have influenced how organizations are governed, we decided the risk community would benefit from further benchmarking data.

1 For the purpose of this report, ERM is defined by the Committee of Sponsoring Organizations of the Treadway Commission (Enterprise Risk Management) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

While organizations are pursuing ERM, many are at different stages in the journey, and most have adopted diverse structures and risk governance practices related thereto. This report is part one of a two-part risk governance research project that looks at the extent to which ERM methodologies and practices have progressed in the past five years.


The report provides a benchmark of prevalent risk governance practices, including key elements of and resources for ERM accountability structures, and deals with issues of interest to board members, though it does not necessarily reflect a board member's perspective. It summarizes the results of the survey, rather than providing a descriptive analysis or opinions on what the results show.

This report concludes by discussing the areas in which organizations are excelling in their risk governance practices, considers where they may be vulnerable and could improve, and looks at some changes in ERM practices from 2005 until late 2009. The Conference Board of Canada's second risk governance report, The Adoption and Diffusion of Risk Governance Structures and Practices (released under separate cover), will explore the reasons for adoption of certain risk management, risk oversight, and governance practices.

At a Glance

More than half of organizations have an enterprise risk management (ERM) policy, prepare corporate risk profiles, maintain risk registers, and establish dedicated risk management groups to coordinate the process.

Senior managers are involved in ERM, but boards could be more aware and involved.

Key risk indicators are still a developing area for most organizations.

While ERM integration with certain disciplines remains consistent, integration of ERM with performance management is still low.

In November 2009, the Conference Board distributed a comprehensive, multi-industry online ERM survey. It received 89 responses out of a distribution list of 392. The key findings are summarized below.

Organizational Background on Enterprise Risk Management: The major growth in the rate of organizations' adoption of enterprise risk management occurred around 2003. Since 2006, the number of new organizations from the survey sample practicing ERM has stabilized at 7 to 10 per year. It was surprising to note that rating agencies had very little influence on organizations' decisions to implement or upgrade ERM methodology. Predictably, many of the respondents experienced some form of delay in implementing ERM.

ERM Policy and Corporate Risk Profiles: More than half of the respondents have a written ERM policy, and a little more than three-quarters prepare a corporate risk profile. Seven key groups were identified as having explicit responsibilities for ERM.

Risk Registers: Sixty-nine per cent of respondents indicated that they maintain a risk register. Virtually all organizations with a risk register indicated that it included the corporation's objectives and described accountabilities and action plans. However, only one-third of organizations required periodic sign-offs by managers indicating that risks have been identified for their areas of responsibility.

ERM/Risk Management Group: More organizations are establishing a dedicated risk management group to facilitate ERM. This coincides with the influx of new organizations practicing ERM since 2003. A majority of organizations employ one to three full-time staff dedicated purely to ERM. Canadian organizations do not embrace ERM within a governance, risk, and compliance model.2 There is, though, a tendency to have the risk management group be responsible for business continuity planning and insurance. While the hiring of chief risk officers (CROs) or risk executives has increased since 2005, some organizations from this survey sample do not have a senior official overseeing ERM. More CROs are now reporting to CEOs as opposed to chief financial officers (CFOs).

Risk Metrics and Key Risk Indicators: Just under half of the respondents stated that their risk metrics consider interrelationships between risks and risk types, and most embed this activity in their general risk mapping or assessment process. Over half of the organizations use risk metrics to guide or control day-to-day decision-making. Few organizations use key risk indicators (KRIs) as part of their ERM methodology. Business/operations and the chief risk officer/vice-president of risk management were most involved in identifying KRIs. There is difficulty in expressing aggregate risk through quantitative measures at the enterprise level.

ERM and Incentive Programs: Few organizations have tied their risk management/ERM group to a form of incentive compensation. Those that did based them on meeting risk management objectives, capabilities, and service levels within the organization. Very few organizations have reviewed or plan to review their incentive programs to ensure more responsible risk-taking behaviour.

ERM Integration With Processes: Integration of ERM with audit, compliance, corporate governance, and business planning is rated as medium to high, whereas it ranks low in integration with performance management.

2 A governance, risk, and compliance (GRC) model aligns the governance, risk, and compliance roles to collaborate and share information as a unified team, often using a common software package. See www.oceg.org for a definition and explanation of a GRC model and system.


Risk Appetite/Tolerance: Articulating risk appetite/tolerances into formal written corporate policies is still weak. Even though the responses to the risk appetite/tolerance questions were low, it is clear that there is still much confusion over these misused terms. Respondents use the terms interchangeably, both formally in written statements and informally with management and the board. Perhaps the most pragmatic approach is to refer to ISO 31000, which requires organizations to determine a set of risk criteria to evaluate risk.3

Senior Management Involvement With ERM: Senior management takes an active role in various ERM-related activities. These include identifying risks, participating in strategic planning and conducting risk assessments of the organization's strategies, ensuring that appropriate resources are in place to implement ERM, and communicating ERM to all employees.

Board Involvement With ERM: Few organizations indicated that their boards had sufficient knowledge of and experience with ERM. Less than half of the respondents were confident that their boards could correctly name their organization's top five risks. However, ERM has affected boards' risk oversight responsibilities in a positive way. More boards are prioritizing strategies, having regular in-depth reviews of their key risks, and providing insights into their organization's risk profile.

3 For more information on risk criteria, see ISO 31000, Section 5.3.5, "Defining Risk Criteria."

Risk Management Committees: Organizations structure their risk management committees mostly through a separate risk/ERM committee that includes the CEO, or deal with ERM activities as part of another committee that reports to the CEO. The committees generally meet on a monthly and/or quarterly basis. Meetings last one to two hours.

Board Committees: In the banking and insurance sectors, risk committees of the board are becoming more common. These usually meet monthly or quarterly, and each meeting lasts from two to three hours. Some prevalent board oversight activities include receiving information on key risks and mitigation strategies, providing feedback, and reviewing management's performance with respect to the treatment and monitoring of risks.

Risk Reporting: Risk reports are mostly prepared by the CRO, vice-president of risk, or chief auditor. The CFO appears to review most of the reports. In 2009, risk reports tended to include emerging risks or looming uncertainties and risk trends.

Enterprise Risk Management: A Review of Prevalent Practices

Introduction

Harvard business professor Michael Jensen says, "The social purpose of the corporation is to seek its highest long-run expected value. The role of management in achieving that mission is to create and project a compelling strategic vision of the company's future, one that enlists the support and commitment of all stakeholder groups whose continued participation is important to the firm's future, and to design the organization in ways that help guide and motivate employees in carrying out the vision."1

Jensen captures the importance of risk governance and the accountability of those overseeing the management of our organizations. With changing demographics, global competitiveness, and fluctuating economic conditions, organizational interest in enterprise risk management (ERM) is growing. Increasing governmental concern, monitoring, and regulation following the 2007–09 credit crisis have further emphasized the need for improved risk management.

In 2005, The Conference Board of Canada published a report on the status of enterprise risk management in Canada. This report, Enterprise Risk Management: Inside and Out, provided valuable benchmarking data at a time when ERM was gaining recognition outside of the finance and utilities industries. These industries were the first to embrace the concept of ERM and, therefore, helped implement and shape ERM principles, tools, techniques, and practices. In 2009, the Conference Board embarked on the current benchmarking study, which was designed, in part, as a follow-up to the 2005 report. This study was intended as a descriptive analysis of the findings and not an explanatory one.

1 Michael Jensen, Jesse Isidor Straus Professor of Business Administration Emeritus, Harvard Business School. In Baylor University Roundtable, p. 13.


While organizations are pursuing ERM, many are at different stages in the journey, and most have adopted diverse structures and risk governance. This report is part one of a two-part risk governance research project. It provides a benchmark on prevalent risk governance practices, including key components of and resources for ERM, ERM methodologies, and accountability structures. It deals with issues of interest to board members, but does not necessarily reflect a board member's perspective. It compares and contrasts, where possible, the survey findings2 against the Conference Board's 2005 Inside and Out report to determine a contextual framework on how much change has occurred in risk governance practices in four years. This report concludes by identifying where respondents are excelling in their risk governance practices, as well as where they may be vulnerable and could improve. The conclusion includes a look at some changes in ERM practices from 2005 until late 2009.


The second part of the risk governance project3 will entail a report on the reasons why, as well as how, organizations have adopted and diffused certain risk oversight and risk management structures and practices. It will examine a variety of organizations paired for comparability. The sample includes eight organizations, a pair in each of the following sectors: financial services, energy/utilities, telecommunications, and government sectors/industries. Data were collected on each organization's board of directors, management team, and risk function.

2 The 2005 report was also based on a survey, which was distributed to 315 organizations (86 of which responded). While both reports focused on organizations practicing ERM, the comparisons are based on a somewhat different survey sample and time period; therefore, the study is not of a true longitudinal design. The type of organization, mix of industry, and size and scope of operations varied somewhat. See charts 1 to 3 for comparisons. The 2009 survey was much more comprehensive and included questions on black swans, ethics, and cultural risk assessments, which were not part of the 2005 survey. Important, though, is that the 2009 results do not include organizations that started ERM (possibly in 2005) but terminated it (not in the 2009 survey).

3 The second risk governance report, The Adoption and Diffusion of Risk Governance Structures and Practices, is scheduled for release shortly after this one.

Methodology

In late November 2009, The Conference Board of Canada distributed a comprehensive, multi-industry ERM survey4 to 392 organizations5 across Canada. The survey questions for this report asked about the following risk governance practices and risk accountabilities: 1) ERM resources and structure; 2) basic risk metrics used; 3) identification of key risk indicators (KRIs) in ERM methodology; 4) compensation plans; 5) ERM integration with processes, corporate functions, and programs; 6) risk appetite/tolerance statements; 7) executive and board involvement in ERM; 8) risk management and board committees; and 9) risk reporting.

Organizational Profile and Characteristics

In total, there were 89 respondents to the online survey, resulting in a response rate of 22.7 per cent.6 We had anticipated a higher response rate, given the heightened awareness of increased organizational transparency, enhanced regulatory requirements, and the pressure (greater than before) on directors to demonstrate their risk management accountability.

Charts 1, 2, and 3 show the breakdown of organizations by type, industry, and scope of operations, respectively. In terms of size, a wide range of organizations was represented: 16 per cent have revenues less than $100 million, and 53 per cent have revenues greater than $1 billion. (See Chart 4.)

4 The online survey was divided into five main sections with the purpose of producing four reports. The titles of these five sections were "Organizational Profile," "ERM Background Information," "Risk Governance and Accountabilities," "Corporate Risk Profiles and Black Swans," and "Managing Corporate Reputation and Demonstrating ERM Value." The questions in each section were developed with the assistance of advisory committees.

5 The online survey was e-mailed to the designated representative within the organization responsible for ERM/risk management. The titles of these people included CRO, CFO, VP of Risk Management, VP of Strategy, VP of Internal Audit, VP of Compliance, and VP of Corporate Governance.

6 Not all of the survey questions were answered by all 89 respondents.

Compared with The Conference Board of Canada's 2005 Enterprise Risk Management: Inside and Out report, the current survey includes more public stock organizations (26 per cent versus 23 per cent) and more organizations operating throughout North America (30 per cent versus 19 per cent). There were, however, fewer multinational organizations in 2009 than in 2005 (10 per cent versus 29 per cent). Furthermore, the 2009 survey includes many additional organizations that have implemented ERM since 2005.

Organizational Background on ERM

To gain a better understanding of the risk governance practices applied in the survey sample, we asked foundational questions about the year organizations started practicing ERM, the drivers for doing so, and whether, from the time that they started ERM, there were any significant barriers that halted its progress at any point.

The number of organizations in the survey sample that started practicing ERM between 1998 and 2004 was 32; for 2005 through 2009, the number was 47. The growth in the rate of ERM adoption by organizations occurred around 2003, with the average year of implementation being 2005. (Mean years of ERM experience was approximately 5.5 years.) Chart 5 illustrates the peaks and shows that a number of survey participants are still in the early stages. The number of organizations in our survey sample of 89 starting to practice ERM has stabilized at 7 to 10 per year since 2006.

Chart 1: Survey Participants by Organization Type, 2005 vs. 2009 (n=89; percentage of organizations)
Categories: Crown, Government, Mutual, Not-for-profit, Private, Public, Other.
2009: Crown 19; Government 16; Mutual 2; Not-for-profit 7; Private 13; Public 26; Other 17.
Note: In 2005, respondents had the opportunity to categorize their organization into one of two additional groups: cooperatives (of which there were eight) and associations (of which there was one). If cooperatives and associations had been grouped under "other" in 2005 (as they were in 2009, if there were any in the responding sample), the "other" category would have had a similar response rate in both years.
Source: The Conference Board of Canada.

What drove organizations to embark on an enterprise-wide risk management approach? Respondents were allowed multiple choices, and a total of 84 organizations indicated at least one primary driver. The top 10 drivers are listed below, with the percentage of respondents selecting each driver shown in parentheses.

1. Enterprise-wide assessment of principal risks (67 per cent)
2. Improved decision-making (51 per cent)
3. Board mandate (39 per cent)
4. Other reasons (enhanced strategic planning, greater visibility, increased shareholder value, government requirements in Canada, etc.) (20 per cent)
5. Regulatory requirements specific to an organization (15 per cent)
6. Sarbanes-Oxley/Canadian Securities Administrators National Instrument (NI 52-109) (10 per cent)
7. Improved bottom line (9 per cent)
8. Standard & Poor's ERM evaluation process (5 per cent)
9. Economic climate in the last two years (4 per cent)
10. Enhanced employee production (3 per cent)

Chart 2: Survey Participants by Industry (n=89; percentage of organizations)
Categories: Banking, Health care, Insurance, Manufacturing, Mining, Other financial services, Public sector, Retail, Service, Tech, Telecom, Transportation, Utilities.
Source: The Conference Board of Canada.

Chart 3: Scope of Operations (n=89; percentage of organizations)
Categories: Asia, Europe, Latin America, Multinational, North America, Limited to one country, Limited to one province or state. Horizontal axis: 0 to 45 per cent.
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.

Chart 4: Size of Organization by Total Revenue (Non-governmental) (n=67; percentage)
Less than $100 million: 16
$100 million–$249 million: 12
$250 million–$499 million: 10
$500 million–$999 million: 7
$1 billion–$4.9 billion: 37
$5 billion–$9.9 billion: 6
$10 billion–$24.9 billion: 4
More than $25 billion: 6
Note: Due to rounding, the numbers do not add up to 100 per cent.
Source: The Conference Board of Canada.

Of interest is that Standard & Poor's and other rating agencies had little influence on organizations' decisions to implement or upgrade their ERM methodology. This could be because most or all of these organizations were early adopters and had already met or exceeded the agencies' criteria when they started to include ERM as part of their credit rating evaluation. As well, while board mandate was ranked third in importance overall, it was of less relevance to private sector organizations. Improved decision-making held significance for all organization types, hovering between 40 and 50 per cent on average. (See Chart 6.)

As expected, over half (56 per cent) of the 84 organizations that responded experienced some form of delay. Common barriers cited were these: not seen as a priority, organizational change, lack of knowledge, lack of time, lack of executive support and resources, resistance to cultural change, and more focus on operational risk. In almost 97 per cent of these cases, respondents felt that ERM was stalled at the board or senior management/executive level.[7]

ERM Policy

"The process of . . . ERM . . . starts and finishes with the board of directors, which demands and approves a policy for risk management."[8] This statement from one of the Conference Board's original research briefings on ERM, though it dates back to 1997, is still valid and describes an effective way to maintain the momentum of ERM.


It is encouraging to note, then, that almost 60 per cent (50 organizations) of respondents to our 2009 survey had a written ERM policy, and these organizations had, on average, 5.4 years of ERM experience. Twenty-two of these 50 respondents were either Crown corporations or government organizations. Thirty-three organizations had their ERM process mandated or driven by the board or at the executive level. More encouraging, although the progress was slow, is the 16 per cent increase from the 2005 ERM survey, which had 86 respondents in total. As Table 1 illustrates, the 2009 survey identified seven key groups with explicit responsibilities for ERM.

[7] Only 48 organizations responded to the question "At what level of management did you feel the implementation of ERM was stalled or that there were significant barriers that halted its progress?"

[8] Nottingham, A Conceptual Framework.

Chart 5: Growth in Rate of ERM Adoption by Organizations (n=79; number of organizations)
[Bar chart by year, 1998 to 2009; vertical axis 0 to 16 organizations. Values not recoverable from the extraction.]
Note: There are any number of possible explanations for the growth rate in ERM adoption: the corporate governance failures that led to Sarbanes-Oxley, Treasury Board Secretariat establishing its Integrated Risk Management (IRM) guidelines, the Auditor General conducting IRM audits of several federal government departments, Basel II ramping up, the Joint Committee on Corporate Governance report release in late 2001, etc.
Source: The Conference Board of Canada.

Corporate Risk Profiles[9]

A corporate risk profile is defined in Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives as a periodic documentation of the key risks to an organization to achieving its stated business objectives over a specified future time period.[10] Its primary purpose is to communicate information from management to the board.[11] A corporate risk profile, therefore, could be classified as one of the most important elements of ERM.

[9] For more information on identification and assessment techniques used to develop a corporate risk profile, see Hoyt and Schoening-Thiessen, The Role of Black Swans in Enterprise Risk Management.

Chart 6: Type of Organization and Drivers for ERM (n=82; percentage of organizations selecting each driver)
[Grouped bar chart; vertical axis 0 to 110 per cent. Drivers: enterprise-wide assessment of principal risks; board mandate; improved decision-making; regulatory requirements specific to your organization; Sarbanes-Oxley/Canadian Securities Administrators National Instrument (NI 52-109); Standard & Poor's ERM evaluation. Organization types: Crown (n=16); Government (n=14); Mutual (n=2); Not-for-profit (n=6); Private (n=12); Public (n=24); Other (n=15). Values not recoverable from the extraction.]
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.

Table 1: Groups Responsible for ERM Based on Written Policy

Group                  Percentage of responses
Board                  80
CEO                    75
Line managers          65
Chief risk officer     65
Risk owners            61
Internal audit         48
Executive committee     7

Note: Respondents were asked to select all that were identified in their ERM policy.
Source: The Conference Board of Canada.

Our survey asked organizations if they prepared a corporate risk profile, that is, a list of their key risks. Of the 89 organizations that responded, 78 per cent (69 organizations) did so. This list is prepared and updated annually in 51 per cent of the organizations and quarterly in 32 per cent. The remaining organizations undertook this effort semi-annually.


Just over 60 per cent of the 69 respondents indicated that risk profiles are prepared at least at some level for subsidiaries/divisions. (Forty-two per cent said "yes"; 19 per cent said "some.") The remaining 39 per cent responded that they did not prepare risk profiles at the subsidiary or division level.

Risk Registers

Clearly, maintaining a risk register is an important element in the ERM process. It not only helps track risks and relevant information, but also helps identify risk trends that affect corporate goals and helps determine possible reporting formats.

Do organizations maintain risk registers for major risks? Fifty-eight organizations (69 per cent of the 84 respondents) indicated that they do. This percentage increased by only 11 per cent since the 2005 Enterprise Risk Management: Inside and Out report. Within the risk register, several significant elements are logged and maintained. Virtually all respondents indicated that their risk register identified risks as affecting the corporation's objectives and described accountabilities and action plans. Other information included a description of the risk, impact and probability levels, the source of the risk, and mitigation plans.

[10] Fraser and Simkins, Enterprise Risk Management, "How to Prepare a Risk Profile," Ch. 11, p. 171.

[11] Ibid.

Of the 58 organizations maintaining a risk register, approximately two-thirds indicated that managers are not required to periodically sign off on risks that have been identified for their areas of responsibility and are being mitigated. Slightly over one-third of respondents (25 organizations) require sign-offs, and most[12] are done annually or quarterly. While this is a small portion, it is instructive to see at what level these sign-offs are being reported. (See Chart 7.) Most common are the executive committee, audit committee of the board, and risk management committee of the board.

[12] One organization required a weekly sign-off, and two organizations required a monthly sign-off. The remaining 22 organizations required quarterly, semi-annual, or annual sign-offs.

Chart 7: Level at Which Sign-Offs Get Reported (n=25; percentage of organizations listing each response)
[Horizontal bar chart; axis 0 to 70 per cent. Levels listed, in chart order: executive committee; audit committee of the board; risk management committee; CEO; chief risk officer; risk management committee of the board; full board; legal head; governance committee; CEO of subsidiary; compliance committee of the board; quality control committee. Values not recoverable from the extraction.]
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.


Risk Management/ERM Group

An overwhelming 81 per cent (72 respondents) use a dedicated risk management group to facilitate ERM. The number of these groups appears to be growing. In 2005, 61 per cent had such a group. For the 2009 survey, when asked what year the risk management group was formed, 57 of the 72 organizations provided the year. As shown in Chart 8,[13] the trend is striking. Note the dramatic growth since 2004, which also mirrors the findings in Chart 5 for ERM implementation.

Senior Risk Executive

Seventy-three per cent of the respondents (64 organizations) have a chief risk officer (CRO) or senior risk executive responsible for their ERM process. Again, this number has grown since 2005, when 49 per cent had CROs or an equivalent and another 10 per cent were considering appointing a CRO. Of the 64 organizations that have CROs or a senior risk executive, 23 were within Crown corporations or government organizations.

Somewhat disturbingly, in 2009, 21 per cent had no senior official overseeing ERM. Such organizations may be more likely to encounter a number of cultural and implementation issues due to lack of proper oversight and leadership. Of 80 responses, 53 per cent stated that the CRO or risk executive responsible for ERM is a senior member of the executive management team. This is critical to ensure the credibility and transparency of the organization's efforts in implementing ERM.

[13] A total of 68 responses were received to this question, but nine respondents did not state the year that the risk group was formed, and two respondents indicated that the risk management group would be formed in 2010. The chart excludes these responses.


One dramatic change in the reporting relationship occurred between 2005 and 2009. In 2005, 28 per cent of CROs reported directly to the CEO, but in 2009, 54 per cent[14] did so. Another 20 per cent reported to the chief financial officer (CFO) (this has not changed since 2005), and 7 per cent reported to the audit committee of the board (this has increased by 4 per cent). Chart 9 shows an overwhelming 69 respondents reporting on a quarterly basis. As a percentage of the responses, 65 per cent reported to a board committee, 51 per cent reported to the CEO, and 42 per cent reported to the board. In all these instances, reporting to any one of these three groups has increased since 2005, especially to the CEO and a board committee.

[14] The percentage is based on having received 69 responses to the question.

Chart 8: Formation of Risk Management Groups, by Year (n=57; number of responses)
[Bar chart by year, 1999 to 2009; vertical axis 0 to 10 responses. Values not recoverable from the extraction.]
Note: While 72 organizations responded to the question on whether they use a dedicated risk management group, only 57 out of the 72 indicated the year in which the group was formed.
Source: The Conference Board of Canada.

Chart 9: Frequency of Reporting on ERM (n=69; number of responses)
[Grouped bar chart by reporting frequency (daily, weekly, monthly, quarterly, annually) for reporting to the CEO, the board, and a board committee; vertical axis 0 to 120 responses. Values not recoverable from the extraction.]
Note: Respondents were asked to select all that applied. Therefore, the total number of responses equals more than the 69 responses received.
Source: The Conference Board of Canada.


Our survey listed a few ERM-related responsibilities and asked respondents to select all that applied to them. Of the 70 responses, most organizations saw the CRO as a supporting role. Responses showed that the CRO's main responsibility was to:
1. facilitate, set standards and methodologies, and provide support to the organization (61 organizations);
2. challenge major initiatives, transactions, and strategic decisions (42 organizations);
3. follow up on implementation of action plans committed to by the owner of the risk to mitigate the risk (42 organizations); and
4. approve major initiatives, transactions, and strategic decisions (14 organizations).


Of the 42 organizations that selected the challenge function (bullet 2) and the 14 organizations that selected the approve function (bullet 4), 11 organizations selected both bullets, and 64 per cent of those (7 organizations) were from the financial and utility industries. The CRO or risk executive of all 11 organizations is a member of the executive team. Only 6 of the 11 stated that they are both a designated officer and a member of the executive team.

Thirty-one organizations selected the challenge function but not the approve function (bullet 2, but not bullet 4). A majority of them were from either the financial and utilities industries (17) or government organizations (6). Only three organizations selected the approve function only (bullet 4), and two of these were in the financial and utility industries.[15]

[15] While two questions were directed at whether the CRO or risk executive's ERM-related responsibilities included challenging and/or approving major initiatives, transactions, and strategic decisions, we could not confirm if the respondents interpreted the questions to mean challenge or approve strictly on their own recognizance or as part of a group decision.

ERM Staff

A majority of the organizations (53 of the 73 that responded) employ one to three full-time employees devoted purely to ERM.[16] An additional two to four full-time equivalents assist when required.[17] Organizations in the banking, insurance, or other financial industries are more likely to employ more staff dedicated to ERM-related activities (almost three full-time ERM employees, with an additional six full-time equivalents, on average). Compared with the 2005 Conference Board survey, all these findings could be considered improvements over 2005, when 41 per cent did not have any full-time employees devoted to ERM, and 21 per cent had only one staff person.

ERM as Part of a Governance, Risk, and Compliance Model

It appears that Canadian organizations are led more by a principle-based than a compliance-based risk governance framework. Forty-one per cent (of 72 that responded to this question) have not incorporated a governance, risk, and compliance (GRC) model.[18]

Yet there are a number of other programs for which the risk management/ERM group is accountable. Although the sample size was small (38 responses), the findings show that the risk management/ERM group is often charged with two additional accountabilities: business continuity planning and insurance. (See Table 2.) No conclusions in terms of industry, scope of operations, or size could be drawn as to why these 38 organizations had other programs assigned to the risk management/ERM group. However, 22 of these 38 organizations (58 per cent) had more than four years of ERM experience.

A larger group responded to whether the risk management/ERM group was responsible for monitoring and enforcement activities. Over half (57 per cent) responded "no." The remaining 43 per cent (31 of the 72 organizations that answered) indicated "yes."

[16] Seventy-three responses were received to the question "How many full-time employees are devoted purely to ERM?"

[17] Sixty-four responses were received to the question "How many full-time equivalents are devoted to ERM-related activities?"

[18] A GRC model aligns the governance, risk, and compliance roles to collaborate and share information as a unified team, often using a common software package.


Embedding ERM in Business Units

Successful organizations embed ERM into business units through actions taken by business unit functions and by tying business planning into ERM.[19] We looked further into how organizations formally structured ERM into their business operations.

Because respondents were allowed to select all options that applied, we were able to show that the business/operational units are usually structured according to the eight criteria listed in Table 3, with the percentage of responses ranking the criterion's importance for both 2005 and 2009. (Note that the responses did not depend on the organization's years of ERM experience.)

[19] Thiessen, Enterprise Risk Management: Inside and Out.

Table 2: Additional Accountabilities of the Risk Management Group (n=38)

Accountabilities                                                Number of respondents
Business continuity planning                                    21
Insurance                                                       20
Financial risk management/services (credit, trading, hedging,
  fraud, asset liability, CEO-CFO certification and other
  related finance activities)                                    7
Internal audit                                                   7
Corporate policy                                                 6
Corporate security/investigations                                4
Regulatory/compliance                                            4
Emergency/crisis management                                      3
Patient safety/relations/quality assurance                       3
Information technology/security                                  3
Project management                                               2
Ethics                                                           2
Privacy                                                          2
Strategic planning                                               2
Contract management                                              2
Loss control/prevention                                          2
Legal                                                            2
Environment                                                      1
Corporate social responsibility                                  1
Corporate performance management                                 1

Source: The Conference Board of Canada.

Table 3: How Organizations Structure ERM Into Their Business Operations (per cent)

Structure                                                                     2005   2009
Designated ERM champions within the business/operational units
  with appropriate delegation of authority                                      *    35.0
Specific actions related to risks carried out by specific functions
  within the business/operational units                                         *    60.0
Established reporting structures for ERM linked with the functional
  operation of business/operational units                                      27    43.8
Key metrics exist for evaluation and reporting on risk management
  performance                                                                  24    41.3
Business planning process of business/operational units directly
  tied into the ERM process                                                    19    47.5
Capital allocated to business/operational units for the mitigation
  of risks                                                                     20    23.8
Access to ERM software, supporting interactive communications, and
  information-sharing across the business/operational units and the
  organization                                                                  8    17.5
Each business/operational unit identifies evaluation points to mark
  achievements in ERM                                                          12    16.3

* no findings
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.


Risk Metrics

Approximately 43 per cent of 81 respondents indicated that their organization's risk metrics consider interrelationships between different risks: 18 per cent said "yes," 25 per cent said "some," and 57 per cent said "no."

How is this accomplished? While all of the responses suggest a systematic review of the key risks and their relationship to other risks, there is some variation in the extent to which this is driven by actual data and more qualitative factors. Most organizations appear to embed this activity in their general risk mapping or assessment process. (See Table 4.)


To what extent are risk metrics used to guide or control day-to-day decision-making? Of the 81 organizations that responded to this question, over one-half mentioned that risk metrics are used to guide or control day-to-day decision-making (38 per cent listed "somewhat," and 15 per cent listed "largely").

And what of risk metrics used in capital funding/allocation processes? Of the 82 organizations that responded to this question, 58 per cent mentioned that risk metrics are used very little in capital funding/allocation processes. Of the other respondents, 27 per cent listed "somewhat," and 15 per cent listed "largely." Perhaps not surprisingly, half of the organizations that largely use risk metrics in the capital funding/allocation processes were from the banking, insurance/reinsurance, and other financial services industries. Otherwise, no by-industry pattern appeared for organizations with regard to this question.

Key Risk Indicators

Key risk indicators (KRIs) are forward-looking or leading. Key performance indicators (KPIs) are historical or backward-looking. Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives defines a KRI as a measure to indicate the potential presence, level or trend of a risk.[20]

Overall, the responses to the survey questions on KRIs were relatively few. This shows that KRIs are still an evolving area, where organizations are still learning how to identify them and use the information effectively. This is an area that could be researched in more depth to enhance the effectiveness of an enterprise-wide risk management approach.

[20] Fraser and Simkins, Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives, Ch. 8.

Table 4: Common Risk Metric Themes

Risk metric theme: Risk mapping
  Survey examples of how interrelationships between risks are assessed: Risks are mapped to their sources and to metrics. Related risks are identified and mapped to each of the key risks. Risks are categorized into external and internal sources and mapped according to whether they affect more than one business objective.

Risk metric theme: Review of historical data
  Survey examples: Organizations consider the history of correlation of key risks. The historical data, after the organization has conducted enterprise risk assessments for several years, point to correlations between certain risks.

Risk metric theme: Risk workshops
  Survey examples: If data are not available, perceived correlations are established through risk workshops.

Risk metric theme: Causal analysis
  Survey examples: An analysis is conducted on whether there is a causal relationship between correlated risks and, if so, in what direction. Risk statements are in the form of potential causes, risks, and impacts. Causal relationships are analyzed through bowtie exercises.*

* For more information on bowtie exercises, see Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives, p. 291.
Source: The Conference Board of Canada.


KRIs are a part of an organization's ERM methodology in only 39 per cent of the 81 responding organizations. (Seven per cent responded "to a large extent," and 32 per cent responded "some use made of them.") The other 49 organizations indicated that KRIs are not specifically tracked as part of ERM.

Of the 32 organizations that use KRIs to some or a large extent, operations/lines of business and the CRO or vice-president of risk were the most commonly involved in identifying KRIs. (See Chart 10 for a summary.) Close to 60 per cent of the 32 organizations responded that their KRIs are either largely or somewhat linked to objectives, performance metrics, or key performance indicators.


Are KRIs reported to management and the board? Yes. Not surprisingly, information was shared on a more frequent basis with management (monthly or quarterly) than with the board (quarterly or annually).

ERM Compensation

Is the risk management/ERM group's work tied to a form of incentive compensation? While 72 responded to this question, only 29 per cent (21 organizations) replied "yes." Fourteen of the 21 organizations (67 per cent) were financial institutions, insurance organizations, or utilities. These organizations were further along in their development of ERM. The remaining eight organizations each represented a different industry.

The 21 organizations that used incentive compensation for the risk management/ERM group followed the criteria shown in Chart 11. Interestingly, not one organization used share price as a criterion. The group's incentive plans, on the other hand, are based on meeting risk management objectives and capabilities and service levels within the organization.

We asked whether organizations reviewed or planned to review their remuneration programs to promote more responsible behaviour and risk-taking. Of the 85 that responded, only 16 per cent (14 organizations) indicated they have reviewed their incentive programs to ensure more responsible risk-taking. Another 11 per cent (9 organizations) plan to review their compensation programs. The remaining 73 per cent (62 organizations) selected neither of the above choices. Again, the 14 organizations that have already reviewed their incentive programs were from the financial, insurance, and utility industries. These organizations, as well, had an average of 5.35 years of ERM experience.

Embedding ERM in Processes, Operations, and Programs

Overall, the survey findings show that ERM has been adopted by or integrated into many existing processes and functions. The distribution of how well it is integrated is reflected in Chart 12. Between 83 and 85 organizations responded to all the choices in the chart.[21] Collectively, the results indicate that the level of ERM integration is medium to high in several areas (audit, compliance, corporate, and planning), but low in other important areas (performance management, product development, and mergers and acquisitions).

[21] The survey asked how fully ERM is integrated with 14 processes/functions. Not every organization responded regarding how integrated they were with all 14 processes/functions. Between 83 and 85 organizations provided a response regarding all these 14 processes/functions.

Chart 10: Those Involved in Identifying Key Risk Indicators (n=32; percentage of respondents)
[Horizontal bar chart; axis 0 to 70 per cent. Groups listed: operations/business; CRO/VP-risk management; corporate group; CFO; management risk committee. Values not recoverable from the extraction.]
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.


Compared with the Conference Board's 2005 survey, a few changes are worth noting:
- High integration with strategic planning has gone up by only 5 per cent; medium integration remains similar.
- High integration with business planning has dropped by 7 per cent; medium integration has increased by 19 per cent.
- High integration with corporate governance has declined by 8 per cent; medium integration has gone up by 12 per cent.
- High integration with performance management is slightly lower, by 2 per cent; medium integration has improved by 11 per cent.
- High and medium integration with internal audit remain at similar percentages.

Risk Appetite/Tolerances

Risk appetite or risk tolerances? Which do organizations use? Or are the terms used interchangeably? We asked these three questions in the hope of clarifying whether organizations are formally or informally applying the terms and, if so, how. However, it is obvious that much confusion remains.

While the findings are described below, we make no attempt to explain the ambiguity of these terms. Perhaps, as ISO 31000 dictates, the most pragmatic approach is to require organizations to determine a set of risk criteria to evaluate risk.[22]

[22] For more information on risk criteria, see ISO 31000:2009, Section 5.3.5, "Defining Risk Criteria."

Foremost, out of 82 responses, it was evident that organizations responded to the questions[23] on the basis that they informally use the terms "risk appetite" or "risk tolerance":
- Thirty-two organizations used the terms "risk appetite" and "risk tolerance" interchangeably.
- Seventeen used the terms separately, with different definitions.
- Five used "risk appetite" only.
- Nine used "risk tolerance" only.
- Nineteen organizations used neither term.

While organizations may use either or both of these terms, only 32 organizations[24] had formal, approved corporate risk appetite or tolerance statements (13 had formal, approved corporate risk appetite statements, and 19 had formal, approved corporate risk tolerance statements). Most of the organizations represented banking, insurance, other financial services, utilities, or government.

An interesting aspect of this topic is that while many organizations did not have formal, approved risk appetite/risk tolerance statements, they used either or both of the terms informally and still informally discussed and reviewed risk appetite/risk tolerances with management and the board. There were 26 organizations that fell into this category out of 57 responses to the question "What is the most senior level that reviews the risk appetite/tolerance levels?"

[23] The survey asked these questions: "Does your organization use the terms risk appetite and/or tolerances: interchangeably? Neither? Separately, with different definitions for each? If separately, which term do you use more?"

[24] Five of the 32 organizations had formal statements for both tolerance and appetite.

Chart 11: Incentive Compensation for the Risk Management/ERM Group (n=21; number of responses)
[Horizontal bar chart; axis 0 to 25 responses. Criteria listed: meeting risk management objectives and capabilities; service levels to external stakeholders; service levels within the organization; share price; earnings. Values not recoverable from the extraction.]
Note: Respondents were asked to select all that applied.
Source: The Conference Board of Canada.

    Of these 57 responses, the collective board reviewed and discussed either informal or formal statements in 25 of the cases, a board committee in 16, the CEO in 9, and a management committee in the remaining 7. These percentages have risen significantly since the 2005 Conference Board survey, since at that time the board and board committee were considered one group, at 26 per cent, and the CEO and management committee were another, at 10 per cent. Similarly, the 2009 survey showed annual reviews at 42 per cent, whereas this was at a low 25 per cent in 2005. The quarterly review percentages are fairly close: 6 per cent in 2009 and 5 per cent in 2005.


    The full board approves the informal risk appetite/tolerance levels or formal statements in 27 per cent of the 57 responding organizations, whereas a board committee does so in only 8 per cent of the organizations. Predictably, annual is the most common frequency for the approval process, at 46 per cent. In 19 per cent of the organizations (11), the CEO approved the informal risk appetite/tolerance levels or formal statements. Various industries made up this 19 per cent (two public sector, three insurance, two education, one technology, one telecommunications, one financial service, and one manufacturing).

    Chart 12: Level of ERM Integration (n=83 to 85; percentage of respondents). Business functions rated: strategic planning; business/budget planning; loss control; audit; compliance; corporate governance; disclosure; capital management; performance management; product development; mergers and acquisitions; insurance and hedging; ethics/business conduct. Each was rated as high, medium, low, not at all, or not applicable. Note: Respondents were asked to select all that apply. Source: The Conference Board of Canada.

    How do organizations establish risk appetite/tolerance levels? Respondents were asked to select all that applied from the list below. Only two organizations, out of 59 respondents, identified other means to establish risk appetite/tolerances, and this was linked to the impact on corporate reputation.

    Thirty organizations had them qualitatively defined by management and reviewed by a board committee or the collective board.

    Twenty-six organizations tied them into measurables such as earnings and capital or developed them in reference to these.

    Sixteen based them on scenarios.

    Fourteen organizations tied them into materiality or developed them in reference to materiality.

    Seven built them on easy-to-understand examples of events that could impede the organization's agreed-on business objectives.

    Six organizations had them qualitatively defined by the board.

    Board Involvement in ERM

    Levels of Senior Management Involvement

    It is vital that ERM have executive involvement and board support. This tone from the top breeds the right culture for staff to embrace the organization's approach to ERM and the accompanying tools, techniques, and practices. It is encouraging to report that over two-thirds of the surveyed organizations (85 responses) felt that their senior management took an active role in their ERM process. Table 5 shows how involved senior management is in various ERM-related activities.

    Board Awareness of Top Risks

    Asking board members to correctly name the top five risks and what is being done about them is one measure that could validate how interested and involved boards are in the ERM reporting process.

    Disturbingly, 47 per cent of 85 respondents believed that their board members could only somewhat identify the organization's top five risks and the actions being taken to address them. Forty-two per cent believed that their boards could positively identify the organization's top risks. This suggests that additional effort is needed to raise board members' awareness of risk and risk management. Efforts could include more rigorous risk discussions at each board meeting, as well as the conduct of risk workshops.


    This may also indicate a need to staff boards with more ERM experience. According to the 86 responses received, only 34 per cent indicated that the board had either excellent or moderate knowledge of and experience with ERM. Approximately half of these (14 organizations) were in the financial or utility industries. Sixty-six per cent had either fair or no experience with ERM at the board level. In other words, two-thirds had boards with little or no ERM proficiency. This may also help explain why a high percentage of respondents indicated that ERM stalled or failed at the top levels of the organization.

    Has ERM changed boards' oversight role or activities? According to the findings, which comprised 84 responses, approximately one-third of the organizations (28 respondents) stated that their boards' oversight responsibilities have changed somewhat. Another one-third (28 respondents) indicated that their ERM experience has completely changed their board activities. Fourteen of the respondents were from the financial, utility, and insurance industries; the other 14 were from other industries. Reasons for the change included the following:

    prioritizing strategies, thus placing a greater focus on risk;

    providing key insights into their firms' risk profile;

    greater awareness and accountability for risk oversight; and

    regular in-depth reviews of their top 10 risks.


    Risk Management and Board Committees

    Risk Management Committees

    Through the survey, we identified two possible types of risk/ERM management committees: one dedicated solely to risk matters/ERM and one that is part of a bigger agenda, such as the executive committee. Table 6 shows how organizations currently structure their risk management committees.


    Risk management committees tend to meet monthly (40 per cent) in the banking, health care, insurance/reinsurance, and technology industries, and quarterly (38 per cent) in the utility, mining, and other financial services industries. The meetings usually last one to two hours. All other frequencies (biannually, every two weeks, or more than every two weeks) were 8 per cent or under. When asked who owns each risk in the organization, 64 per cent of the 79 responding organizations identified executive management as being responsible.

    Board Risk Committees

    Over the last few years, the notion of establishing risk committees of the board has gained significance. The reasons are self-evident: corporate failures, stakeholders demanding board accountability, regulatory requirements, and more time devoted to risk agendas and discussions. In reality, is Canada moving toward this concept? And if so, how frequently do risk committees of the board meet, and for how long? Of the 86 organizations that responded, 22 per cent (19 organizations) have risk committees of the board, and these committees usually meet once a month or quarterly. As illustrated in Chart 13, organizations with risk committees of the board showed higher percentages in specific accountabilities for board risk oversight and management risk responsibilities.

    Table 5: Level of Senior Management Involvement (n=80; percentage of organizations)

    Activity (percentages: None / Some / Substantial / Full)

    Helping to define or review the company's risk policy and risk appetite/tolerances*: 1 / 37 / 52 / 11

    Setting or approving risk appetite/tolerances*: 4 / 35 / 47 / 14

    Ensuring appropriate communication from the executive level in order to promote ERM within the company: 4 / 49 / 31 / 15

    Participating in assessing risks and assigning quantitative and qualitative measures of risk impact and likelihood: 2 / 46 / 42 / 8

    Actively participating in strategic planning and working with the senior team to conduct risk assessments of the organization's strategies: 1 / 36 / 51 / 11

    Ensuring that appropriate resources are in place to coordinate, monitor, and report on ERM: 6 / 47 / 36 / 10

    *Percentages provided include the informal use of the term risk appetite/tolerances. Note: Respondents were asked to select all that applied. Numbers might not add up to 100 per cent due to rounding. Source: The Conference Board of Canada.


    The industries that have risk committees of the board are banking, insurance, health care, and mining. The first two industries are regulated and, as such, they are expected to put in place more stringent rules to oversee risk management. Their scope of operations was also geographically dispersed in and outside North America. The final two are complex organizations, covering large geographic areas that require consistent engagement with the public.

    Sixty-nine organizations (note 25) provided the length of their risk committee meetings: these meetings last two hours in 38 per cent of the organizations and three hours or longer in another 38 per cent. The other 78 per cent of organizations, those without a risk committee of the board, have a board committee, such as audit, governance, human resources, or regulatory, that is charged with ERM accountabilities.


    Boards administer various forms of risk/ERM oversight activity. Table 7 shows, in descending order, the percentage of votes received for each activity.

    Risk Reporting

    As expected, the person responsible for preparing, reviewing, and presenting the main risk reports to executive management and the board is most often the vice-president of risk management, the chief risk officer, or the chief audit executive. The CFO appeared to review most of the reports. Of the 35 organizations that responded that the CFO reviewed the reports, 12 were from the financial and utility sectors. The reports contain information on the principal risks, emerging risks or looming uncertainties, risk trends, mitigating measures, risk metrics, and action plans. (See Chart 14.)

    A notable difference is that the respondents in 2009 identified emerging risks or looming uncertainties and trends as part of their risk reports, for obvious reasons given the profile that black swan-type events have been receiving recently. These did not appear very often back in 2005.

    25 While 86 organizations responded regarding whether they have a risk committee of the board, only 69 responded to the question on how long the risk committee meetings last.

    And what of risk mitigation plans: to whom and how often are they reported? Of the 72 responding organizations, the CRO reported the risk mitigation plans mostly on a quarterly basis to the executive management team, the committee of the board responsible for ERM, and the full board. (See Chart 15.)

    Table 6: Structure of Risk Management Committees (n=79)

    Risk/ERM management committee structure (percentage of responses / average years of ERM experience)

    A separate risk/ERM committee that includes the CEO: 31 / 4.71

    ERM activities dealt with as part of another committee that reports to the CEO: 27 / 5.62

    A separate risk/ERM committee that reports to the CEO: 14 / 5.64

    ERM not a formal part of a management committee's activities: 13 / 5.60

    ERM activities dealt with as part of another committee that reports to one of the CEO's direct reports: 9 / 3.29

    A separate risk/ERM committee that reports to one of the CEO's direct reports: 6 / 4.00

    Total: 100 / 5.03*

    *This is a weighted average. Source: The Conference Board of Canada.

    Closing Thoughts

    Canadian organizations are continuously striving to improve their risk governance practices and organizational structures to effectively integrate a holistic approach to risk management and risk oversight at the senior management and board level. The major unexpected corporate bankruptcies from 2001 onwards, followed by the credit crisis of 2007-09, have made it crystal clear that ERM effectiveness requires significant organizational consideration. ERM is a process that links the control aspects of governance, capital management, and performance management (note 26).

    26 Rizzi, Risk Management.

    Chart 13: Management and Board Risk Oversight Responsibilities (n=83 to 85; percentage of organizations responding), comparing all organizations with organizations that have dedicated risk committees of the board. Accountabilities shown: roles and responsibilities of management and board explicitly outlined in ERM policy; roles and responsibilities explicitly written into committee charters; sign-off by management and/or board members of ERM policy and committee charters; individual job responsibilities identified and signed off by individuals; clear segregation of duties; organizational structure mapped to reflect hierarchy of risk accountabilities. Note: Respondents were asked to select all that applied. Source: The Conference Board of Canada.

    Table 7: Forms of Board Oversight for the ERM Process (n=78)

    Form of oversight (percentage of respondents who selected this form)

    Receives information on the organization's principal risks and mitigation strategies and provides feedback: 79

    Receives periodic ERM updates (on strategy, framework, practices, etc.) and provides feedback: 69

    Approves policies, framework, and practices associated with risk assessment and risk management: 51

    Reviews management's performance regarding the treatment and monitoring of risks: 51

    Reviews policies, framework, and practices associated with risk assessment and risk management: 50

    Reviews risk appetite/tolerances only: 33

    Approves risk appetite/tolerances only: 21

    Actively involved in contributing to the definition of the company's risk policy and risk appetite/tolerances: 19

    Receives periodic ERM updates, but provides little feedback: 18

    Actively involved in setting ERM strategy: 12

    Note: A total of 78 responses were received. Each selected at least one of the categories. Percentages are calculated based on how many of the 78 responses selected each form of oversight. Source: The Conference Board of Canada.


    Together, the 2005 and 2009 Conference Board surveys have shown that ERM has continued to increase in profile and importance. The findings of the 2009 survey are summarized below. We begin with top marks, where organizations are excelling; move on to areas of vulnerability and improvement; and finish with changes in ERM practices (what has happened after 2005 and up to late 2009).

    Top Marks

    ERM is gaining traction, as is evident from the progressive tie-in with business functions and operating units. More and more organizations are putting formal ERM policies in place. Preparing corporate risk profiles at least annually and maintaining risk registers are also widely accepted principles of ERM.


    Risk management/ERM groups are becoming more common and an increasing influence within organizations. There is strong senior-level involvement in ERM, which shows in the dramatic increase since 2005 of the CRO/risk executive reporting to the CEO.

    Over the last few years, the notion of establishing risk committees of the board has gained momentum. Twenty-two per cent of respondents currently have such a committee. As expected, the banking and insurance industries lead on this, yet health care and mining are also setting a pattern.

    It is noteworthy that, in 2009, risk reports to executive management and the board contained information on emerging risks or looming uncertainties as well as risk trends.

    Areas of Vulnerability and Improvement

    Implementing an enterprise-wide risk management approach has its challenges, milestones, and issues. Identifying key risk indicators is an area that requires further in-depth exploration. We reviewed the topic to get a pulse on how KRIs are being used in an organization's ERM methodology. Not surprisingly, we found that only some organizations make at least some use of them. Organizations also struggle with expressing aggregate risk through quantitative measures at the enterprise level.

    Articulating approved written risk appetite/tolerances is a definite weakness for organizations outside the financial and utility industries. For many, there was a difference between using the terms informally and articulating them into formal policy.

    Chart 14: Information Contained in Risk Reports (n=82; percentage of organizations selecting this response). Report contents shown: top 5 or 10 risks; emerging risks/looming uncertainties; risk owners; risk metrics; mitigating measures; effectiveness of these measures; exceptions and breaches of risk policies or limits; action plans; residual risks; risk trends; sign-offs on risk policies. Note: Respondents were asked to select all that apply. Source: The Conference Board of Canada.

    Chart 15: Reporting of Risk Mitigation Plans (n=72). Reporting frequency (monthly, quarterly, biannually, annually) by recipient: business units/operations; executive management team; committee responsible for ERM; full board. Note: Respondents were asked to select all that apply. Source: The Conference Board of Canada.


    While senior-level engagement is on the rise, the board of directors is still somewhat removed from the risk management process. Slightly less than half of respondents stated that their directors were only somewhat able to identify their organization's top five risks and the actions being taken to address them. Only one-third of the respondents indicated that their directors had either excellent or moderate knowledge of and experience in ERM.

    Organizations should consider doing a better job of linking ERM performance to compensation, or, at the very least, they should collect benchmarking data that could help them plan or revisit their incentive programs.

    Changes in ERM Practices Between 2005 and 2009

    According to the 2009 survey, the growth rate of organizations' adoption of ERM has risen since 2005. Forty-seven organizations have started their ERM process since 2005, and 42 organizations have been practicing ERM since before 2005.

    As the survey results show, more CROs/risk executives are designated officers and have a seat on the executive management team. More of them are reporting to CEOs as opposed to CFOs. This could well continue to rise as the value and necessity of ERM and its designated leadership become better understood.

    Organizations structure their risk management committees mostly through a separate risk/ERM management committee that includes the CEO. Alternatively, they deal with ERM activities through another committee that reports to the CEO.

    If the ERM position is or must be tagged with other assigned responsibilities, organizations should try to harmonize and take advantage of the natural linkages with strategy, business continuity planning, and corporate policy. This helps ERM take root at the very top level as part of strategy and policy.


    Bibliography

    Baylor University Roundtable on the Corporate Mission, CEO Pay, and Improving the Dialogue with Investors. Held on November 13, 2009. Panelists: Michael Jensen, Ron Naples, Trevor Harris, and Don Chew; Moderator: John Martin. Journal of Applied Corporate Finance, 22, 1 (Winter 2010), 8-31.

    Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management: Integrated Framework, Executive Summary. New York: American Institute of Certified Public Accountants, September 2004. www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf.

    Enterprise Risk Management: Current Initiatives and Issues. Journal of Applied Finance Roundtable. Panelists: Bruce Branson, Pat Concessi, John Fraser, Michael Hofmann, Robert Kolb, Todd Perkins, and Joseph Rizzi; Moderator: Betty Simkins. Journal of Applied Finance, 18, 1 (Spring/Summer 2008), 115-132.

    Fraser, John R.S., Karen Schoening-Thiessen, and Betty J. Simkins. "Who Reads What Most Often? A Survey of Enterprise Risk Management Literature Read by Risk Executives." Journal of Applied Finance, 18, 1 (Spring/Summer 2008), 73-91.

    Fraser, John R.S., and Betty J. Simkins.