Excellence in Risk Management II A Qualitative Survey of Enterprise Risk Management Programs April 18, 2005


What Is ERM?

Respondents shared these definitions with us:

“Assessing and addressing risk from all sources.”

“A process to manage all risks of the enterprise.”

“Managing your business with a more deliberate and systematic focus on risk.”

“Implementing the infrastructure and culture within the organization to make good decisions on risk.”


“Excellence in Risk Management” Studies

“Excellence in Risk Management I” studied the risk management practices of 30 top-performing risk managers in North America. Findings presented at the 2004 RIMS conference included the following:

– The events of the past 10 years have resulted in a dramatic shift in the importance of risk management and its practices.

– There is an opportunity for risk managers to play a more strategic role in their organizations.

– Companies can recognize a significant financial impact by controlling risk and recognizing profit from risk-related strategies.

– Successful risk management relies on a robust hierarchy of information and integrated information systems.

Using “Excellence I” as a foundation of understanding, “Excellence II” examines the characteristics and practices of organizations that are implementing an enterprise-wide risk management program.


Excellence in Risk Management II—Research Parameters and Methodology

Methodology:

Qualitative versus quantitative approach

In-depth interviews within five large organizations that are implementing an ERM program

Industries represented: Information services (2), Financial services (2), Commodity services (1)

Interviews with 25 individuals at these organizations, including risk management at each company

Interviews were administered by phone to obtain insights on practices, perceptions, organizational dynamics, and relationships

Interviews were supplemented by a short closed-end questionnaire covering basic topics

Interviews were conducted by Greenwich Associates


Who We Interviewed

Risk Management (7)

Operations (8)

Audit (5)

Compliance and Legal (3)

Business-Unit Head (1)

Safety (1)


Key Takeaways

Recognize the fundamental benefits of ERM

Understand how to implement ERM

Understand how to sustain ERM in your company


Enterprise Risk Management—Applying Risk Management Discipline More Broadly

Objective Setting

Risk Identification

Risk Assessment

Risk Mitigation

Control Activities

Monitoring

• All Types of Risk

• Broad Focus

• Continuous

Communication

Source: The Committee of Sponsoring Organizations of the Treadway Commission


Survey Results Overview

Why ERM?

Getting Senior-Management Support

Creating a Process to Support ERM

Building ERM Into the Corporate Culture

Key Takeaways


Why ERM?


ERM Benefits

“I’m liberating people in our company about risk and uncertainty so that they can better achieve the objectives that they made to the board.”

-Risk Manager


As Organizations Adopt ERM, the Role of Risk Manager Becomes More Strategic

Strategic Risk Management

Progressive Risk Management

Traditional Risk Management

Impact On Organization’s Bottom Line and Culture

Organizational Buy-In

Technical Management


As Companies Develop an ERM Approach, Potential Benefits Multiply

• Support Objectives

• Improve Earnings and Cash Flow

• Manage Growth

• Capture Opportunities

• Reduce Losses

• Lower Insurance Costs

Managing Risk

Transferring Risk

Optimizing Risk

Advanced Risk Management

Defensive Risk Management

ERM Approach

• Purchase Insurance and Cover Risks


The Role of Risk Management in the Firm

Chart: Agree/Strongly Agree, Risk Manager versus Other, for two statements:

• The firm views risk management as a key strategic function

• The role of the risk manager has become much more strategic with implementation of ERM

Values shown: 73%, 80%, 80%, 80%

(Risk Manager: n=5; Other: n=15)


Benefits of ERM Implementation in Major Risk Areas

Q21. With the implementation of an integrated approach to risk management across the firm in all of the risk areas (ERM), how would you rate the benefits accruing—or expected to accrue—in each of the major types of risk? Please rate on a scale of 1 to 5, where 1 is “None” and 5 is “Highly Significant.”

Chart: Highly Significant Benefits (4 & 5), Risk Manager versus Other, by risk area: Strategic, Operational, Financial, Hazard

Values shown: 31%, 81%, 20%, 100%, 60%, 88%, 75%, 80%

(Risk Manager: n=5; Other: n=16)


Present and Future Benefits of ERM

Chart: Agree/Strongly Agree, Risk Manager versus Other, for two statements:

• There are tremendous future potential benefits in ERM that have not yet been realized

• The firm is recognizing substantial benefits from ERM today

Values shown: 40%, 80%, 80%, 100%

(Risk Manager: n=5; Other: n=15)


Perceived Benefits of ERM

Chart: Highly Significant Benefits (4 & 5), Risk Manager versus Other, for four benefits:

• Improved communications on risk taking to shareholders/board

• Better-informed decisions

• Better allocation of capital and resources to address risk

• Improved corporate governance practices

Values shown: 94%, 88%, 80%, 100%, 100%, 94%, 100%, 100%

(Risk Manager: n=5; Other: n=16)


Examples of ERM Benefits

Multimillion-dollar project undertaken once risk profile understood

Offshore outsourcing program cancelled once high risk was assessed

Natural hedge discovered

Facilitated M&A process

Reduced insurance rates

Decided not to discontinue product once risk was understood


ERM—Driving Forces

Company Risk Management Focus

Understanding Risk

Controlling Risk

Optimizing Risk

External Forces: Sarbanes-Oxley, Six Sigma, Corporate Scandals, Regulatory Initiatives, September 11, Natural Disasters

Internal Forces: Managing Earnings and Cash Flows, Stakeholder Accountability, Meeting Objectives, Regulatory Compliance


Getting Senior-Management Support


Consensus That Board and Senior-Management Buy-In of ERM Is Essential to Acceptance by the Organization

Board

Senior Management

Functional Management

Business Units and Operations

• Alignment with board objectives

• Senior-level champion

• Continued involvement

• Sets the tone

• Link to investors


Continued Support From Senior Management Requires Direct Communication By ERM Team

• Risk committees

• Senior-management risk committee

• Board level: audit committee / separate risk committee

• Internal audit

• Continuous communications

• “Don’t shoot the messenger” attitude

• Help from brokers and consultants

• Can jump-start process


Creating a Process to Support ERM


Accountability and Reporting at All Levels Is Required to Support the ERM Process

Board

Senior Management

CEO CFO CRO COO CTO

Operations / Business Units

Functional Management

Cross-Functional ERM Team: Risk Management, Audit, Compliance/Legal

Risk Committee

Risk Committee


Organization to Support ERM—Key Takeaways

• Separate risk committees to board and senior management

• Risk management representation in senior management

• Cross-functional ERM team—risk management, internal audit, legal, and compliance form core team

• Representation from operations/business units and functional management

• Human resources conspicuous in its absence


Objectives

Policies and Procedures

Decisions

Plans and Budgets

Financial Strategy

Enterprise Risk Management

Corporate Strategy

Link to Strategic Objectives and Integrate ERM Thinking Into Regular Business Activities


Reinforce the ERM Process With a Common Language and Training

• Establish a common language about risk

• Simple

• In conformity with culture

• Take a consultative approach to training by using workshops

• Use available technology

• Keep it simple


Building ERM Into the Corporate Culture


ERM in the Corporate Culture

“Risk management is everybody’s job. Everybody who does anything in the company is a risk manager to some extent.”

-Senior Manager

“The most important thing is to get buy-in from the most senior levels of the organization first. Until you do that, you’re going to have great ideas, but they’ll never see the light of day.”

-Risk Manager


Embedding ERM in Corporate Culture

Chart: Agree/Strongly Agree, Risk Manager versus Other, for the statement:

• Implementation of ERM requires and results in a cultural change in the organization

Values shown: 93%, 100%

(Risk Manager: n=5; Other: n=15)


How to Influence Thinking to Include ERM

Communications

Compensation

Performance Measurement

Learning & Development

“Grooming” Internally

All Company Employees

“Lifetime” Mentality to ERM


Key Takeaways


ERM Risk Analysis Involves Five Fundamental Steps—Applied to All Areas of Risk

1. Identify Risks

2. Assess Impact

3. Assess Likelihood

4. Quantify & Prioritize

5. Optimize


ERM Demands a Strategic Role for Risk Managers

ERM Approach

Advanced Risk Management

Defensive Risk Management

Strategic Risk Management

Progressive Risk Management

Traditional Risk Management

Company ERM Evolution

Risk Manager Evolution

VALUE


For Low-Frequency Risks, ERM Can Reveal Hidden Risks Requiring Action and Help in Prioritizing Resources

Matrix of Impact (Low to High) against Likelihood (Low to High), with four quadrants:

• High Impact, Low Likelihood

• High Impact, High Likelihood

• Low Impact, Low Likelihood

• Low Impact, High Likelihood


Cautions

• Don’t treat ERM as a one-time project

• Overkill can create backlash

• Need tangible accomplishments to keep momentum


Recommendations

“Just do it!”

Get started

Identify a champion

Get senior-management buy-in

Start prioritizing risks using “Top 10” approach

Perform business practice reviews

Hold risk workshops

Leverage existing initiatives

– Sarbanes-Oxley

– Six Sigma

– Audit and compliance initiatives

– Strategic planning

Maintain sensitivity to seismic events in the company

Employ team approach to the task of implementing ERM

Formalize it:

– Structured approach to organizing processes / lines of reporting

Keep ERM technology simple and understandable

Embed ERM in existing business processes

Treat ERM as a process, not a project


Final Thought

“The key to high-performance risk management is aligning risk strategy among key risk stakeholders, obtaining and sustaining senior management engagement, and achieving effective integration with strategic planning.”

-Risk Manager


Thank You

RIMS and Marsh are proud to have sponsored the Excellence in Risk Management II survey

Marsh is part of the family of MMC companies, including Kroll, Guy Carpenter, Putnam Investments, Mercer Human Resource Consulting (including Mercer Health & Benefits, Mercer HR Services, Mercer Investment Consulting, and Mercer Global Investments), and Mercer specialty consulting businesses (including Mercer Management Consulting, Mercer Oliver Wyman, Mercer Delta Organizational Consulting, NERA Economic Consulting, and Lippincott Mercer).

The Risk and Insurance Management Society, Inc. (RIMS) is a not-for-profit organization dedicated to advancing the practice of risk management, a professional discipline that protects physical, financial and human resources. Founded in 1950, RIMS represents nearly 4,000 industrial, service, nonprofit, charitable, and governmental entities. The Society serves over 9,600 risk management professionals around the world.

Copyright 2005 Marsh Inc. All rights reserved. Compliance # MA6-10480