By MATTHEW BRODSKY, senior editor/Web editor of Risk & Insurance®
After chatting with risk managers at the annual meeting of the Risk and Insurance Management Society Inc. in Boston in late April, one got a sense that the discourse on enterprise risk management (ERM) is far from settled.
One risk manager commented how he was glad that the hype around ERM at RIMS had been toned down, as risk managers need to realize they've been doing it--good management--long before someone gave it a fancy acronym.
Another risk manager saw it as the opposite, and was glad that ERM was still at the forefront of the RIMS program and risk managers' minds--yet he lamented that it has not been implemented by most of his colleagues.
And another risk manager talked about how she wanted to pursue ERM but could not convince her bosses to release the funding necessary to get any initiative off the ground.
This story sounds very similar to the three bears, but that children's tale is far too simple an analogy. The picture around ERM is confusing--just how many folks are doing it, considering it, caring about it--and it gets all the more confusing when we consider three recent surveys.
In the first, the Pulse survey conducted by Towers Watson before and during RIMS, more than half (54 percent) of respondents said their company had ERM processes in place. That number is up over past years--37 percent in 2005 and 11 percent in 2000--but out of the 2010 "yes" respondents, only 37 percent said that they regularly identify key risks and about one-quarter integrate risk into budgeting and planning.
For James Swanke Jr. at Towers Watson, these results show that ERM is not "baked in."
"We're only just beginning," he told Risk & Insurance®.
Now, one could argue that only 125 risk professionals responded to Towers Watson's initial survey, and that the final results from RIMS are still being tallied. But an equally ambiguous picture arises when we look at another study released at RIMS, this one from New York-based brokerage Marsh.
Marsh surveyed 418 companies--small, medium, large, international, private, public--and their answers on ERM are even more perplexing. The number of respondents saying they do ERM tripled from 2009 to 2010 (to 28 percent) but the number who said they don't also went up, from 35 percent to 53 percent over the same period. The Marsh researchers wonder whether this is because companies have lost confidence in their ability to pull off ERM. Or the numbers could show that more companies are at least seriously considering what it would take to implement it. Or it could come down to practicalities.
"What is absent is a practical view of ERM that unifies all of its concepts," the authors of the Marsh report wrote.
Yet many of the 201 respondents in Aon's 2010 Enterprise Risk Management Survey (conducted in the third quarter last year) seem to have a grasp of ERM's practical applications. For instance, 55 percent of respondents were at an ERM level of "defined" or "operational," meaning that they have policies or procedures in place to identify, measure, monitor and manage risks. That is a 20-point increase over 2007, the survey authors noted.
"We've absolutely seen growth and maturity," said Laura A. Taylor, global practice leader for ERM for Aon Global Risk Consulting, in an interview with Risk
Firms are using risk as a competitive advantage, though she admitted these firms are a "subset" and that, at other clients, the three letters "ERM" are not to be spoken (despite the fact the clients practice it). But she also said that Aon is being asked more and more to talk to boards and executive teams about risk.
At least this attraction toward or concern about ERM makes sense, given the hullabaloo over risk management during the financial crisis; given that the Securities and Exchange Commission with its Rule No. 33-9089, now in effect, is requiring public companies to disclose board efforts to manage enterprise risks; and given how ratings agency Standard & Poor's will eventually take risk management into account for ratings for nonfinancial companies.
Eventually. As one risk manager told us at RIMS, he believes S&P had delayed in implementing ERM into ratings because they've had so much trouble finding good ERM programs to benchmark off of.
According to Steven J. Dreyer, practice leader for corporate and government ratings at S&P, the firm is working toward the next big step: when every company will receive a score or at least a comment regarding risk management in their ratings. Don't expect this to happen before the end of 2010, though.
And how does Dreyer see ERM out there? Not many companies have differentiated themselves with ERM, he said, though he is of the belief that ERM really comes down to old-fashioned good management. So if you want to pursue it but can't overcome ERM phobia within your organization, he suggested, "Stop calling it ERM."
May 10, 2010
Copyright 2010© LRP Publications