Measures of Success in Enterprise Risk Management

Protiviti Board Perspectives

Often, we hear the question many consider to be the Holy Grail in risk management: “How do we measure the value of enterprise risk management (ERM)?” This is a deceptively simple question for which there is no simple answer. How do we measure the success of ERM, or risk management in general, when there are so many forces at work – external and internal – that shape the future and the organization’s ultimate success or failure over time? If management makes good decisions, how do we know whether the decision would have been different had the entity’s ERM process not been in place? On the other hand, if management makes a poor decision, how do we know whether a better decision would have been made had the organization implemented ERM? Would an ERM process have made a meaningful difference in the decision-making process? Proofs are elusive on this score.

Following are examples of 10 measures of success that companies can use. While they don’t necessarily answer the Holy Grail question directly and are decidedly outcome-oriented, they nonetheless provide useful insights into the contribution of ERM to an organization’s success.

  1. Accomplishment of management’s ERM objectives: To assess the value or success of ERM, management must first articulate clearly what ERM is intended to accomplish. Examples of possible objectives include reducing performance variability to an acceptable level, enhancing executive management’s dialogue with the board, aligning strategy and corporate culture with the desired risk appetite, protecting the organization’s reputation, and positioning the organization as an “early mover” in dealing with emerging market opportunities and risks, among others. Once an objective is identified, relevant measures would be used to address progress toward achieving it. For example, assuming the objective is to update risk management capabilities continuously in a changing business environment, success measures could include specific improvements in closing gaps in capabilities for managing specific risks and tracking the maturity of the organization’s capabilities in specific areas to a more defined and managed state.
  2. A difference-maker in terms of reshaping strategy in advance of disruptive change: When the fundamentals of the business are about to change, is executive management able to secure “early mover” positioning in the marketplace to capitalize on emerging market opportunities and risks? If changes occur in critical assumptions underlying the strategy due to external events and developments, are they identified on a timely basis to avoid the organization being placed in the untenable position of executing a flawed or obsolete business model? Are changes in the business environment monitored to ensure that strategic assumptions remain valid over time? Assessments of strategic risks and the effects of potentially disruptive changes in the external environment can provide valuable insights into the strategy-setting process, as they can spur actions that can preserve enterprise value that took a long time to build.
  3. Effective assessments of operational risk to improve preparedness for the unexpected: In the global economy, organizations are literally boundaryless. A strategic perspective applied to operational risks focuses on an end-to-end extended enterprise view of the value chain, including consideration of upstream and downstream relationships. This perspective enables management to focus on what would happen if any critical component of this chain were lost for an indeterminate time period. If the potential loss of a component is high severity, high velocity and high persistence in terms of its impact on business model continuity, the organization’s response readiness should be assessed. The success measure is the organization’s ability to navigate the unexpected loss of, say, a strategic supplier through execution of an effective response plan.
  4. Integration of risk assessment into core management processes: The relevance of the ERM process increases if it is integrated with the activities that matter to the success of the business. The nature and extent of integration varies from industry to industry and is highly dependent on management’s operating style. The integration scope could include strategy setting, annual business planning, performance management, budgeting and/or capital expenditure funding. Such integration reduces the risk that ERM will be perceived across the organization as a stand-alone appendage and instills in the board and executive management greater confidence that strategies, plans and performance reporting are more robust, leading to more effective execution in delivering expected results. In addition, the increased engagement of the right people and intensity of focus resulting from effective integration help to make the organization’s risk assessment process(es) more insightful.
  5. An informed and effectively functioning board risk oversight process: Management and directors typically desire a clear delineation between risk management and risk oversight. When both risk management and risk oversight start at the same place – with the formulation of strategy, including an understanding of the key assumptions underlying the strategy – and the ERM process results in actionable reporting around the critical enterprise risks and how they are being managed relative to the organization’s risk appetite, the dialogue between executive management and the board is properly focused and in sync with how the business is run and managed.
  6. Identification of emerging risks in a timely manner and implementation of effective early warning systems: If focused on identifying emerging risks and informing decision-makers about what they don’t know, risk assessment and monitoring processes reduce the likelihood of the organization retaining risk out of ignorance, thereby reducing exposure to unacceptable losses. Early warning systems enhance strategy setting through increased emphasis on data analytics, scenario analysis, stress testing and intelligence gathering to anticipate risk, monitor continued validity of strategic assumptions and assess the impact of alternative futures on projected performance. To the extent that organizational resiliency is strengthened, business performance is improved over time.
  7. Reduced performance variability: A firm may encounter fewer surprises in reported results due to (a) a more systematic, anticipatory and proactive risk evaluation process, (b) improved risk measures, and (c) preventive controls that preempt risk at the source – a result attributed to risk management. Improved risk measures, metrics and monitoring integrated with key performance indicator (KPI) reporting facilitate the shift from “guessing” to “knowing” or “understanding,” as well as from “reacting” to “being prepared,” “proactive” or “forward-looking.” These shifts provide evidence of improved risk management over time.
  8. Reducing the number of, or avoiding, risk incidents and near misses: If a firm can demonstrate fewer risk incidents or loss events than the industry average, it has clear evidence of superior performance. Environmental or workplace safety is a practical example of a risk area where such benchmarking is possible. Information about risk – risk responses, risk measures, risk incidents, near misses, best practices and the status of improvement plans – made available across the organization facilitates knowledge sharing and continuous process improvement.
  9. Reduction in cost of capital and improvement in shareholder value: As analysts, debt rating agencies, regulators and others learn to differentiate between various firms’ risk management capabilities, organizations able to put in place effective ERM capabilities should realize a lower cost of capital over time in relation to the firms choosing to do nothing at all. If a firm’s reputation gains stature because its risk management is viewed in the marketplace as a differentiating skill relative to its peers, then the company’s borrowing costs should decline and its share valuations should increase accordingly. A firm with an effective ERM process should acknowledge its capabilities in its messaging to the street.
  10. Increased risk sensitivity and awareness in the firm’s culture: A cultural shift in an organization leading to an increased focus on and reinforcement of risk management is an indicator of increased effectiveness. For example, in a trading operation, a desirable risk culture appropriately balances entrepreneurial activities and control activities so that neither one is disproportionately strong relative to the other, meaning a healthy tension exists between the two. In manufacturing, achievement of a demanding goal for a historically high target of injury-free days in the production process may require a cultural shift to modify behavior. In highly capital-intensive industries, a cultural shift to more robust evaluations of the attractiveness of investment opportunities might mean factoring uncertainty into probabilistic assessments of discounted future cash flows or modeling different projections based on different assumptions. In these instances, risk management is actually integral to managing the business, as it addresses potential obstacles that may prevent the achievement of a critical business objective or imperative.

In closing, while the above 10 measures of success are more directly related to risk management, an argument can be made that building and sustaining competitive advantage and producing incremental increases in cash flows and earnings per share are, in themselves, indirect measures of risk management effectiveness. Other traditional measures used in this regard include return on investment (ROI), return on equity (ROE) and shareholder value added. Useful non-financial measures include customer satisfaction and retention, employee satisfaction and reduced attrition, channel throughput, market share, and brand image.

Questions for Boards

Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:

  • Is the board satisfied that management is periodically monitoring changes in the business environment to identify significant impacts on the assumptions and risks inherent in the corporate strategy? Are necessary changes to the strategy made in a timely manner in response to the specter of disruptive change?
  • Is the board satisfied that management is able to demonstrate the value contributed by the ERM process?

Board Perspectives: Risk Oversight (Issue 56)
