ERM: Corporate Programmes Still ‘Work in Progress’

Although enterprise risk management (ERM) has been a topic of management discussion and academic analysis for well over a decade, the economic turmoil of the past two years has thrown the importance of risk – and specifically its identification, measurement and management – into sharper focus than ever before.

Recent regulatory developments – in particular, the introduction in December 2009 of SEC Rule 33-9089, which imposes a number of new requirements relating to how companies deal with risk – have also acted as a powerful catalyst for ERM adoption.

Hard on the heels of the economic crisis, it is clear that it is not just financial institutions that feel the need to strengthen risk management programmes. Companies across all sectors are encountering scenarios that cause them to question the effectiveness with which they have historically managed risk, and demand is high for tools and techniques that they can use to manage risk more appropriately and to leverage the opportunities that it often brings to create value.

In a recent paper on ERM, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) expressed the view that “the challenge facing boards is how to effectively oversee the organisation’s enterprise-wide risk management in a way that balances managing risks while adding value to the organisation.” In other words, how should companies ‘operationalise’ ERM in an effective way?

In an attempt to answer this question, BMR has conducted a detailed study of some 40 ERM programmes at large corporations (with total revenues in excess of US$1.2 trillion) and held 25 face-to-face interviews with ERM programme leaders. The results of these meetings, held during 2Q10, have recently been published in partnership with Financial Executives International in a report that explores the unprecedented levels of management and boardroom interest in ERM and identifies a number of operational trends. The report also highlights significant variations in the interpretation of what ERM means in practice; what areas of risk should be its main focus; and what role ERM should play in ongoing business management.

ERM: Still a Work in Progress

Given the maturity of ERM as a topic, one of the most surprising outcomes of the study is that ERM programmes in many large corporations have started comparatively recently. Measured purely by the length of time that they have been in place, the typical maturity of programmes under review was roughly two years – although some had clearly been operating for far longer.

Even among some long-established ERM programmes that in many respects are highly mature, the rate of development is still rapid. Some organisations have reached ‘advanced’ levels of sophistication – but they are still outnumbered by those where ERM remains a work in progress, or has not been embarked upon at all.

Purpose of ERM

In general, there is a consensus that ERM exists to make risks more visible before they affect an organisation, so that management decisions can be evaluated and (if necessary) challenged – and there is a growing recognition that ‘ad hoc’ risk management approaches are no longer acceptable.

And yet, despite the widespread agreement as to purpose, it is clear that no two ERM programmes are alike. In part, this reflects another growing consensus – that it is crucial for ERM programmes to be designed on a ‘one-size-fits-one’ basis, and developed to match the culture of the business in question, because engagement with the business drives ultimate success.

Two Main Interpretations of ERM Focus

According to our interviews, programmes that companies label ‘ERM’ tend to fall into one or other of two groups – according to whether they focus mainly on strategic risks, measured and managed qualitatively, or more on operational and financial risks, measured and managed quantitatively.

A relatively small number of ERM leaders have successfully married the two approaches in a more holistic framework, and among those who have not, most regard such integration as a desirable objective – principally because it will help to strengthen links between strategic vision and operational planning. In order to knit the two approaches together into a single, seamless programme, companies need to consider both how to analyse strategic risks on a quantitative level, and how to interpret operational and financial data in a qualitative way.

Figure 1: Risk Analysis Matrix

The upside is that if ways can be found to ‘translate’ qualitative concepts into quantifiable data – and conversely to interpret operational data in such a way that it highlights strategic risks – the value-adding potential of an ERM programme should be expected to rise significantly because a virtuous circle would be established, in which both ERM approaches are working harmoniously, and in synch with one another.

‘Institutionalisation’ of ERM

As has been noted, ERM programmes are relatively new initiatives in many organisations, and are typically resourced by small staffs – often by ‘armies of one’. While in itself this is not necessarily a problem, it can introduce risk if a programme is not properly ‘institutionalised’, since, if a programme depends too greatly on the personal equity of a single person or small group, ERM itself may cease to exist when that person leaves the organisation or takes on other responsibilities.

What is equally clear is that ERM programmes must work alongside business management in a complementary, supportive role, and responsibility for risk must remain with the business itself. Debate remains strong as to whether ERM should play only a facilitative role, or should be given more ‘teeth’ – but a consensus exists that ERM must never be allowed to be perceived as the ‘risk police’.

ERM Operations

Based on the evidence gathered in our fieldwork, most ERM programmes are operationalised around five broad activities:

  1. Gathering and organisation of ‘risk intelligence’.
  2. Cross-functional risk discussions.
  3. Risk scoring and prioritisation.
  4. Risk response plans.
  5. Reporting.

Although the activity areas do not necessarily happen in precise sequence – in fact, interviews suggest that in an ongoing programme, they are more likely to overlap with one another than to follow in any particular order – most programmes reviewed for this study operate with a certain natural ‘cadence’. As such, it can be helpful to consider the operation of an ERM programme as a cyclical process, as shown in Figure 2.

Figure 2: A Cyclical ERM Process

Action Points for Finance Professionals

Companies who have yet to embark upon an ERM journey should derive reassurance from the BMR/FEI study, since it clearly indicates that they are not alone in sitting toward the bottom end of the maturity curve. The message for such companies should be that it is never too early to start.

Smaller organisations, for whom ERM has not historically been a high priority, should understand that formalising risk management early in their growth cycle will pay dividends later on – because risk processes will be better integrated within the organisation. Companies who set aside the implementation of ERM because they want to focus on other priorities can of course still succeed – but they may experience teething problems as the organisation adapts to work with the new risk-based approach.

Organisations whose ERM programmes are more mature will also continue to face difficult challenges. For example, few organisations interviewed for the study had yet developed what they themselves considered to be a satisfactory approach to risks that interconnect or correlate, as when the measures that are put in place to mitigate or avoid one risk lead to an increase in risk elsewhere. Risk quantification also continues to be a hot topic, as does the question of how to evaluate the success of an ERM programme. And for almost all organisations surveyed, the development of risk culture remains an ongoing priority.


Debate around the topic of ERM shows no sign of slowing down. There are even those who claim that the whole concept is simply a case of ‘the emperor’s new clothes’ and that ERM is just good old fashioned risk management, properly executed. Perhaps they are right.

In the end, however, even if one concludes that ERM is little more than an institutionalisation of good business practices, it remains an important discipline. It may never be possible to completely avoid the sort of risk events that have dominated the headlines for the past few years – but at least with an effective ERM programme, it may be possible to anticipate them and minimise their impact.


Related reading