Protiviti ERM Readiness Assessment Survey 2019
Many organizations of varying sizes and across industries have implemented Enterprise-wide Risk Management (ERM) programs that aim to provide management and the board of directors with information on risks and opportunities that may influence decision-making and business performance.
With growing market volatility and complexity, an increased speed of change and greater pressure from investors, stakeholders and regulators, firms are seeking more value from ERM practices. Forward-thinking organizations are aware that added value can be created by evolving the ERM approach into a tool for setting strategy, driving objectives and managing business performance, as also recommended by the COSO Enterprise Risk Management Framework published in 2017.
ERM integration with strategy and performance becomes a reality when risk identification, quantification, management and monitoring activities are performed during the evaluation and selection of strategic options, the development of strategic and business plans, and the execution of those plans. This focused integration allows management and the board to make relevant and timely decisions based on “risk-return” considerations. Without it, ERM remains an appendage, which reduces its impact. However, few companies have achieved the ultimate goal of fully integrating ERM into strategy setting and performance management, and those that have still demonstrate areas for improvement.
In response to requests from many companies for a practical tool to assess their progress towards improved ERM, Protiviti has developed a proprietary readiness assessment methodology that evaluates the maturity level of ERM integration with strategy setting and performance management (thus aligning with the COSO view), and helps firms identify areas for improvement and develop a roadmap to move the ERM journey forward.
When adopted by several companies, our methodology can also serve as a benchmark of ERM practices in place among peers.
Accordingly, in 2019 Protiviti surveyed 63 companies with an existing ERM framework in place, of varying sizes, industries and countries.
Chief Risk Officer and C-suite-level respondents assessed several ERM best practices related to the following pillars: risk governance, risk appetite, risk culture, and how ERM supports the evaluation of strategic options, strategic planning and forecasting, and strategy and business execution.
Based on the level of sophistication of the implemented practices, companies were positioned on the Protiviti ERM Readiness Quadrant, which identifies ERM leaders — defined as those companies that present a very robust integration of their ERM frameworks with strategy setting and performance management — as well as less advanced clusters of organizations that are moving their existing programs forward.
This report explains the proprietary Protiviti ERM Readiness Assessment Methodology that has driven the survey, and continues with a summary of key findings, highlighting areas of improvement and action plans to be adopted by companies wanting to progress towards the ERM leadership section of the quadrant. The report also contains detailed analysis of the survey results with a breakdown of companies by clusters, pillars and other views provided in the Appendix, such as company size, listed or family owned, geographic location and industry.
This benchmarking tool provides companies that have participated in the study with valuable insights, as well as actionable and effective areas for improvement to enable them to move their ERM programs towards leadership status, where firms can demonstrate the power of ERM for their businesses and show real value to their stakeholders.
Protiviti would like to give special thanks to the Institute of Risk Management IRM (UK) and ANRA (Associazione Nazionale dei Risk Manager e Responsabili Assicurazioni Aziendali, Italy) for supporting the study with their members.
We are delighted to present our new readiness assessment methodology that provides unique insight into the current state of ERM development at a variety of different organizations. We thank all of the companies that have accepted our invitation to participate in this study to enable the first benchmarking analysis of ERM development towards integration with strategy setting and performance management. The study will continue to expand with the inclusion of many more firms in future assessments that will enrich the benchmarking tool for all organizations eager to progress and continuously improve their ERM programs.
- Emma Marcandalli, Managing Director, Protiviti
Using its readiness assessment methodology, Protiviti launched this study to determine the level of integration among risk, strategy and performance management practices implemented by 63 firms, as well as to assess their readiness to progress to the more advanced status of leader organizations — both aligned with the COSO requirements and demonstrating the capabilities to add real business value.
The Protiviti ERM Readiness Quadrant is the final output of our assessment methodology and identifies four categories of organization — initial adopter, actionable, influencer and leader — which are defined in detail below. These categories indicate the sophistication of their ERM programs and how well they are integrated with strategy setting and performance management within the organization.
The survey methodology is based on a questionnaire that addresses 42 ERM best practices derived from Protiviti's real-life experience and categorised into the aforementioned six pillars: risk governance, risk appetite, risk culture, evaluation of strategic options, strategic planning and forecasting, and business execution. Depending on its nature, each practice contributes to integrating ERM mostly into strategy setting or into performance management, or equally in both directions.
Within the questionnaire, each best practice can be assessed on a five-point scoring scale, from “fully present” to “not present”. According to the resulting score, a company’s ERM program can move in several directions within the quadrant. The final positioning in the ERM Readiness Quadrant provides the organization with a summarised view on the maturity level of ERM integration into the two key dimensions, “strategy setting” and “performance management”, respectively represented on the “x” and “y” axes.
We believe that our readiness assessment methodology is unique: for the first time ever, it not only assesses the level of sophistication of methodologies, tools and techniques, processes and organizational solutions put in place by companies, but goes far beyond and interprets if and how they are really contributing to add value through ERM integration with strategy setting and performance management — the core focus of the COSO ERM framework — thus enabling the definition of a roadmap for advancing ERM further to benefit the business.
Many companies we meet are experiencing pressure from the board of directors to strengthen risk oversight and, in response, they have made progress by implementing processes that serve a worthwhile purpose. However, several organizations are still struggling to integrate their risk management processes with strategic planning and performance management, and are facing barriers that are impeding progress in maturing their ERM system. Ask yourself if your status quo is sufficient to meet the challenges expected over the next few years.
- Matt Taylor, Managing Director, Protiviti
Figure 1: The Protiviti ERM readiness quadrant