By B.G. YOVOVICH, who has written for national trade publications for more than 20 years
Consider, for example, the limited progress reported in the "State of ERM 2008" study, which was released by the Risk and Insurance Management Society Inc. in November. The data--which was gathered from detailed ERM assessments provided by risk managers at 564 organizations through the RIMS Risk Maturity Model for ERM online assessment tool--indicate that:
--Only 39 percent of the organizations that were rated had formalized ERM infrastructure in place.
--Even among those organizations with formal programs, only 4 percent of them achieved a level of "managed" or better in all the risk competencies that were evaluated. (Each competency was rated at one of five levels: ad hoc, initial, repeatable, managed or leadership.)
More specifically, the RIMS report particularly pointed to a severe lack in the capabilities of formal ERM programs to:
--Collect risk information from all processes (especially frontline management).
--Detect cross-departmental effects and dependencies.
--Link risks to their respective organizations' performance goals and objectives.
--Effectively compare actual risk against assessed risk.
"All of these issues are symptoms of an organization's failure to implement strong risk management governance and infrastructure," noted the report's authors, who added: "Organizations may have a false sense about all that is required for an effective risk management program."
These warnings will be echoed in a forthcoming Conference Board report scheduled to be released later in January 2009.
"Our studies have found that, in the aggregate, companies have not moved as far as I would have expected, and probably not as far as they would have expected," said Ellen S. Hexter, who leads the Conference Board's work in ERM and who headed up the new study, which is based on longitudinal data from 2004, 2006 and 2008.
"A lot of companies are not really thinking about integrating ERM into current business processes and are not doing all the things that we in the field think ought to be happening," said Hexter.
"There are companies that are doing good work, but for each one, I could name 200 companies that just go through the motions of satisfying NYSE listing rules. They are showing their board a heat map and an inventory of risks, and that is all they do--and that is not ERM," she said.
According to Hexter, the ultimate goal of an ERM program should be to create greater awareness of risk-and-reward trade-offs and to drive risk thinking and appropriate risk management throughout businesses. Achieving this takes significant support from top management.
"These changes happen when there is senior-level buy-in at the top of the organization, and when the right people are found in the organization to champion it," said Hexter.
January 19, 2009
Copyright 2009© LRP Publications