Enterprise Risk Management
A qualitative study of ERM effectiveness and value in non-financial DAX-30 companies
A thesis submitted to the Bucerius Master of Law and Business Program in partial fulfilment of the
requirements for the award of the Master of Law and Business (“MLB”) Degree.
Pierina Villanueva July 22, 2016
13.711 words (excluding footnotes)
Supervisor 1: Prof. Dr. habil. Stefan Prigge
Supervisor 2: Frank Schlüter
I. Table of Contents
I. Table of Contents ..... 2
II. Acknowledgement ..... 3
III. Abstract ..... 4
IV. List of Abbreviations ..... 5
V. List of Figures ..... 6
VI. List of Exhibits ..... 7
1. Introduction ..... 8
1.1 Problem definition ..... 8
1.2 Research objective ..... 9
1.3 Thesis Outline ..... 10
2. Literature Review ..... 12
2.1 Origins of ERM ..... 12
2.2 ERM definitions ..... 13
2.3 ERM legal requirements ..... 15
2.3.1 ERM under EU Law ..... 16
2.3.2 ERM under German Law ..... 17
2.4 ERM standards and guidelines ..... 20
2.5 ERM conceptual framework ..... 22
2.5.1 ERM Components ..... 22
2.5.2 ERM ‘best practices’ ..... 24
2.5.3 ERM Maturity ..... 31
2.5.4 ERM Effectiveness ..... 35
2.5.5 ERM Value ..... 36
3. Methodology ..... 38
3.1 Selection of target survey respondents ..... 38
3.2 Data collection process ..... 40
3.3 Elaboration of the questionnaire ..... 42
4. Data analysis and research findings ..... 44
5. Conclusion ..... 67
6. Limitations and suggestions for further research ..... 72
VII. Annex ..... 73
VIII. Bibliography ..... 81
II. Acknowledgement
I would like to express my gratitude to all those who
supported me while I was working on this thesis and contributed
to its completion.
First of all, I would like to thank my supervisor Frank
Schlüter, who gave me first-hand awareness of and insight
into the topic. Additionally, I would like to thank my
supervisor Dr. Stefan Prigge for suggestions and guidelines
that helped me in addressing the underlying topic of this
thesis.
Moreover, I would like to give my special thanks to
respondents of the survey for dedicating part of their
valuable time and providing insightful information.
I am deeply grateful to my family (Gemma Pierina, Jorge
Isaac and Jorge Antonio), who are the main source of
motivation in my life.
Especially, I would like to thank Francesco Louis, who has
been my loyal companion during the last 7 years. The
completion of this master thesis would not have been
possible without his daily vigorous support and words of
encouragement.
I personally hope that this master thesis will be the first of
many of my forthcoming working papers concerning this passionate
topic of Corporate Governance and Risk Management.
III. Abstract
The world-wide Financial Crisis of 2009 demonstrated the
wide-spread existence of deficient Enterprise Risk
Management (ERM) among global corporations. While
companies have shown a strong willingness and made efforts to
correct existing ERM deficiencies, this daunting task can
certainly not be done without the absorption of corporate
resources. Thus, it is important for companies to have
reasonable assurance that their efforts and non-trivial
investment in increasing ERM effectiveness protect and
enhance firm value. Through the use of a sophisticated
qualitative expert survey, this study reveals that non-financial
DAX-30 corporations are mostly following a compliance-
oriented ERM approach instead of a strategy-oriented &
value-driven ERM approach in their efforts to increase
ERM effectiveness. Interestingly, the findings show that the
sole adoption of a centralized ERM function, the “Three
Lines of Defence” model and external ERM monitoring
ensures neither high levels of ERM capability in key Risk
Management activities nor ERM success in achieving
strategy-oriented and value-driven goals. Furthermore, a
cross-analysis of the results between non-financial DAX-30
companies and risk oversight policy-makers reveals the
need to change the focus from compliance to the
achievement of corporate strategic goals and value creation
in order to reasonably assure that a company’s efforts and
non-trivial investment in enhancing ERM effectiveness pay
off. ERM among non-financial DAX-30 companies is today
mostly not linked to corporate strategy, just as it was not linked in
the deficient Risk Management systems of the companies
that failed during the Financial Crisis of 2009 (OECD, 2014).
Therefore, the findings of this study may be taken as a
“wake-up call” for a strategy-oriented and value-driven ERM
to ensure the overall reliability of ERM systems.
IV. List of Abbreviations
AktG Aktiengesetz
BS British Standard
CEO Chief Executive Officer
CFO Chief Financial Officer
CROCO Corporate Risk Oversight Committee
COSO Committee of Sponsoring Organizations of the
Treadway Commission
DAX Deutscher Aktienindex
ECIIA European Confederation of Institutes of Internal
Auditing
ERM Enterprise Risk Management
ES Expert Survey
EU European Union
FERMA Federation of European Risk Management
Associations
GRC Governance, Risk and Compliance
HGB Handelsgesetzbuch
ICGN International Corporate Governance Network
IIA Institute of Internal Auditors
ISO International Organization for Standardization
OCEG Open Compliance and Ethics Group
PMS Policy-Maker Survey
RIMS Risk and Insurance Management Society
RMM Risk Maturity Model
RMS Risk Management Society
S&P Standard and Poor’s
TCoR Total Cost of Risk
TRM Traditional Risk Management
V. List of Figures
Figure N° 1 “Thesis structure”
Figure N° 2 “ERM Components”
Figure N° 3 “Three Lines of Defence – Model”
Figure N° 4 “FERMA’s RMM topics”
Figure N° 5 “FERMA’s RMM levels”
Figure N° 6 “FERMA’s RMM multi-criteria approach”
Figure N° 7 “Data collection process”
Figure N° 8 “Survey dimensions”
Figure N° 9 “ERM effectiveness – expected metrics”
Figure N° 10 “ERM value – expected metrics”
Figure N° 11 “Current ERM approach of non-financial
DAX-30 companies”
VI. List of Exhibits
Exhibit N° 1 “ES - ERM maturity”
Exhibit N° 2 “ES - Integrated ERM approach”
Exhibit N° 3 “ES - 3 Lines of Defence Model”
Exhibit N° 4 “ES - External ERM monitoring”
Exhibit N° 5 “ES - ERM motivations & targets”
Exhibit N° 6 “ES - ERM Program Capabilities”
Exhibit N° 7 “ES - Barriers for an effective ERM”
Exhibit N° 8 “ES - ERM Program Success”
Exhibit N° 9 “ES - Barriers for measuring ERM value”
Exhibit N° 10 “PMS - ERM and the three ‘best practices’”
Exhibit N° 11 “PMS - expected ERM motivations & targets”
Exhibit N° 12 “PMS - Capabilities of an effective ERM”
Exhibit N° 13 “PMS - Elements of an effective ERM”
Exhibit N° 14 “PMS - Success of a value-driven ERM”
Exhibit N° 15 “PMS - expected ERM indicators”
Exhibit N° 16 “Expert Survey”
1. Introduction
“In the aftermath of recent corporate financial reporting
scandals, entity stakeholders are demanding greater
oversight of key risks facing the enterprise to ensure
that stakeholder value is preserved and enhanced”
(Beasley, Clune, & Hermanson, 2005)
1.1 Problem definition
Risk-taking is a fundamental driving force in business and
entrepreneurship, and a risk-adjusted growth rate of the
business is needed in order to ensure the long-term
existence of every company (OECD, 2014).
In the aftermath of the last global Financial Crisis, inefficient
Risk Management systems have been blamed for the failure
of major financial and non-financial corporations. However,
experts agree that many of these failures were not
primarily related to the absence of Risk Management (which
mostly existed), but rather to inefficient Enterprise Risk
Management (ERM) systems (OECD, 2014).
Various findings on deficient and ineffective ERM
systems suggested that much more needed to be done to
ensure the overall reliability of ERM systems. In many cases
the Risk Management strategy was not operated within an
enterprise-wide approach and not linked to corporate
strategy. Moreover, ERM effectiveness was understood by
many regulators and standard setters as the ability to
eliminate risk-taking, whereas the goal of an improved Risk
Management is to set up an appropriate risk strategy for
every business instead of the sole elimination of risk.
Furthermore, material risk factors were not appropriately
disclosed to the market. Last but not least, most of the
Corporate Governance codes and standards did not
promote sufficient awareness of ERM (OECD, 2014).
The total external and internal cost of these failures,
including the cost in terms of the management time needed to
rectify the situation, is still often underestimated (OECD,
2014).
While many companies nowadays have voluntarily started to
pay greater attention to ERM efficiency and effectiveness,
the implementation of an efficient ERM system cannot be
done without the absorption of corporate resources in terms
of finance and human resources (Monda & Giorgino, 2013).
Therefore, it is important for companies to have
reasonable assurance that their efforts and non-trivial
investment in increasing ERM effectiveness protect and
enhance firm value.
Nonetheless, the link between an effective ERM and firm
value may be one of the most frequently asked but unresolved
questions in the minds of senior managers and leaders.
Certainly, a positive answer to this question would not only
justify the implementation of an effective ERM but also
encourage companies to exploit further ERM benefits in
order to extract value instead of only focusing on compliance
and risk mitigation.
1.2 Research objective
This study sought to accomplish the general aim of obtaining
a benchmark analysis of non-financial DAX-30 companies
with regard to ERM effectiveness and value contribution to
the organizations. For this purpose, an exhaustive expert
survey addressing general Risk Management information,
ERM effectiveness and ERM value has been conducted.
The study aims to answer the following main research
question:
“Are non-financial DAX-30 corporations following a
strategy-oriented & value-driven ERM approach in their
efforts of increasing ERM effectiveness?”
In order to answer this question, this thesis has been
structured around the following sub-questions:
(1) Which underlying motivations and targets drive non-
financial DAX-30 companies to implement ERM systems?
(2) How capable and successful are the ERM systems of non-
financial DAX-30 companies in addressing key ERM
activities and goals?
(3) What are the main barriers to achieving a more effective
and value-driven ERM in non-financial DAX-30 companies?
The perception of ERM effectiveness and value at the
organizations is addressed in comparison with the expected
ideal situation from the perspective of representative risk
oversight policy-makers. In addition, insights into the most
common mechanisms within non-financial DAX-30
corporations, as well as the metrics expected to be used for the
measurement of ERM effectiveness and value, are provided.
1.3 Thesis Outline
This study is structured as follows. The current (first) chapter
begins by explaining the importance of this study, as well as the
motivation, research objectives and research structure.
Then, in the second chapter, the theoretical foundation of ERM
is explored by reviewing relevant literature on the topic. The
third chapter comprises the description of the methodology
used in this study. The fourth chapter presents the data
analysis and the research findings obtained using a
sophisticated qualitative expert survey. The main
conclusions of the present study are presented in the fifth
chapter. Finally, the sixth chapter sets out the
limitations of this study and suggestions for future
research.
Figure N° 1 “Thesis structure”
2. Literature Review
“Risk Management is about managing people,
processes, data, and projects.
Of these, people are the most important.”
(Coleman, 2012)
2.1 Origins of ERM
A widely known concept of ERM and its description as a
management function did not appear until the mid-1990s.
Nevertheless, business decision-making processes within
companies based on risk assessments can be traced back
to the late 1940s and early 1950s (Dickinson, 2001).
Although the concept of ERM was already being felt by
businesses, it was not until 2001 that the term “Enterprise
Risk Management” was officially presented in the first academic
papers (Bromiley, 2014).
The study of Risk Management, traceable to the second half
of the 1990s, describes the struggle of businessmen trying
to find new Risk Management solutions to protect their
businesses as the milestone for the revolutionary evolution
of Risk Management. In this sense, the pursuit of less-costly
and more complete instruments in comparison with market
insurance coverage led to new and modern forms of Risk
Management at the organizations (Dionne, 2013).
In their effort to manage their risks and fight against
uncertainty, companies started developing in-house
methods and undertaking activities in order to minimize
business losses and maximize corporate performance.
Different kinds of risks were handled by different functions
within a corporation while accomplishing the goal of
managing risks. However, this independent and non-
integrated way of addressing Risk Management ended up
fragmenting it, creating Risk Management siloes (Bromiley,
2014).
A systems engineering approach supporting the idea of Risk
Management as an important part of the “overall managerial
decision-making process, not a separate, vacuous act”
(Haimes, 1992) was introduced in the early 1990s and called
for “the evolution toward a more holistic approach” (Haimes,
1992) of Risk Management. The aim of this new approach
was not only to present a more integrated Risk Management
concept but also a cross-disciplinary one such as ERM
(Bromiley, 2014).
2.2 ERM definitions
In comparison with the silo-based traditional Risk
Management (TRM), ERM proposes an integrated approach
to managing risks within the organization. In this sense, the
ERM approach allows companies to gain a coordinated and
systematic understanding of all the risks that the company
faces instead of dealing with each risk independently
(McShane, Nair, & Rustambekov, 2010).
Literature provides a broad variety of ERM definitions among
organizations, corporations, consulting firms, rating agencies
and academic research. For instance, scholars highlight
that ERM addresses the full spectrum of risks of a company
instead of the risks related to a specific area of the business.
In this sense, scholars defined ERM as “a systematic and
integrated approach to the management of the total risks
that a company faces” (Dickinson, 2001).
In addition, well-known Risk Management standards
describe ERM as a process designed to identify potential
events that can have a negative (risks) or a positive
(opportunities) impact on the achievement of the company’s
strategic goals. On the one hand, Risk Management is defined
as “the culture, processes and structures that are directed
towards the effective management of potential opportunities
and adverse effects” (AS/NZS, 2004). On the other hand,
ERM is considered “a process, effected by an entity's board
of directors, management and other personnel, applied in
strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity
objectives” (COSO, 2004).
Advisory firms put emphasis on the optimization instead of
the elimination of enterprise-wide risks. Thus, ERM “can be
defined as an organizational commitment to proactively
govern, assess, measure, monitor, mitigate, and optimize
enterprise risks. ERM is a process designed to identify
potential events that may affect the organization in achieving
its objectives, and managing risks within risk tolerances”
(KPMG, 2009).
Moreover, board commitment to ERM is highlighted by rating
agencies, defining ERM as “an approach to assure the firm
is attending to all risks; a set of expectations among
management, shareholders, and the board about which risks
the firm will and will not take; a set of methods for avoiding
situations that might result in losses that would be outside
the firm's tolerance; a method to shift focus from
“cost/benefit” to “risk/reward”; a way to help fulfill a
fundamental responsibility of a company's board and senior
management; a toolkit for trimming excess risks and a
system for intelligently selecting which risks need trimming;
and a language for communicating the firm's efforts to
maintain a manageable risk profile” (Standard & Poor’s,
2008).
Finally, international organizations and associations give
emphasis to the link between ERM and the company’s
strategy-setting process and strategic goals. Therefore, ERM
is described as “a structured, consistent and continuous
process across the whole organization for identifying,
assessing, deciding on responses to and reporting on
opportunities and threats that affect the achievement of its
objectives” (The Institute of Internal Auditors (IIA), 2009).
Additionally, ERM is considered “as a strategic business
discipline that supports the achievement of an organization’s
objectives by addressing the full spectrum of its risks and
managing the combined impact of those risks as an
interrelated risk portfolio” (RIMS, An overview of widely used
risk management standards and guidelines, 2011).
Despite the tremendous challenge for organizations,
corporations, consulting firms, rating agencies and academic
researchers to agree on a single definition of
Enterprise Risk Management, a consensus on
what ERM constitutes has begun to emerge.
All definitions can be reduced to the following three key
elements of ERM. Firstly, ERM assumes that managing the
corporation's individual risks is less effective than
managing the risk of a portfolio. Secondly, strategic risks
(e.g. competitor actions) and not only traditional risks (e.g.
product liability) are incorporated in ERM. Thirdly, risk is no
longer assumed by ERM to be only a potential loss or damage
that must be mitigated, but also a potential opportunity
that could lead to a competitive advantage (Bromiley, 2014).
2.3 ERM legal requirements
During the past years, the regulatory context for Risk
Management has been changing in accordance with the
review of past learnings from Corporate
Governance/Risk Management failures, to ensure that
scandals such as Fukushima, Deepwater Horizon, Enron
and Siemens do not happen again (OECD, 2014). In this
sense, for the purpose of this study, the present chapter
aims to describe the minimum requirements provided by
European and German legislation.
2.3.1 ERM under EU Law
On top of German national legislation and local standards,
requirements on Risk Management practices can be found in
the EU Statutory Audit Directive (Directive 2006/43/EC) and
the EU Company Reporting Directive (Directive
2006/46/EC).
The aim of the EU Statutory Audit Directive (Directive
2006/43/EC) is to harmonize statutory audit requirements
between the Member States. In this sense, according to
Article 41 of the Directive, “each public-interest entity[1] shall
have an audit committee”, which “shall monitor the
effectiveness of the company's internal control, internal audit
where applicable, and Risk Management systems”
(European Parliament and Council, 2006).
The EU Company Reporting Directive (Directive
2006/46/EC), on the other hand, seeks to facilitate cross-
border investments and improve EU-wide comparability and
public confidence in financial statements and reports. In this
sense, “Companies whose securities are admitted to trading
on a regulated market and which have their registered office
in the Community should be obliged to disclose an annual
Corporate Governance statement as a specific and clearly
identifiable section of the annual report. That statement
should at least provide shareholders with easily accessible
key information about the Corporate Governance practices
actually applied, including a description of the main features
of any existing Risk Management systems and internal
controls in relation to the financial reporting process”
(European Parliament and Council, 2006).
[1] The definition of “public-interest entities” in the European Union can be found in Article 2, point 13, of Directive 2014/56/EU.
2.3.2 ERM under German Law
In the case of Germany, the enactment of the Law on Control
and Transparency within Businesses (KonTraG) in 1998 was
the first legal response to past business scandals. Following
this legislation, the German legislator introduced further legal
requirements on Risk Management in the German Stock
Corporation Act[2]. On the one hand, the Board of
Management of a stock corporation is obliged, under
Section § 91 (2) AktG, “to take appropriate measures,
particularly the setup of a monitoring system based on an
early-risk detection, to ensure the continued existence of the
corporation”[3] (AktG, 1965). Although the term “Risk
Management” is not expressly written in the legislation,
Section § 91 (2) AktG is interpreted and commonly
understood as a requirement for a risk detection system
within the economic Risk Management concept (Korus,
2009). On the other hand, under Section § 107 (3) AktG,
“the supervisory board may appoint an audit committee in
charge of the supervision of the effectiveness of the internal
control system as well as the Risk Management system and
the internal revision system”[4] (AktG, 1965).
In parallel, stock corporations must comply with the
provisions concerning Risk Management of the German
Commercial Code[5]. Firstly, under Section § 289 (5) HGB,
“capital market-oriented companies in the meaning of § 264d
are required to describe the essential characteristics of the
internal control system and the Risk Management system
which are related to the accounting processes”[6]. Secondly,
under Section § 315 (2) HGB, “essential characteristics of
the internal control system and Risk Management system
which are related to the accounting processes must be
described in the annual report of the corporation, if one of
the companies included in the consolidated financial
statements is capital market-oriented in the meaning of §
264d”[7]. Thirdly, under Section § 317 (4) HGB, “in case of a
stock corporation, it is furthermore necessary to assess
within the external audit, whether the Board of Management
fulfilled the measures, according to Section § 91 (2) of the
German Stock Corporation Act, adequately and if the
implemented monitoring system is able to fulfil its tasks”[8]
(HGB, 1897).
Therefore, within German legislation, listed companies are
obliged to implement a monitoring system to identify business
risks at an early stage and to disclose information about these
risks to the market. However, specific reporting
requirements in this regard are not provided by the German
legislator.
In order to address this matter, the Accounting Standards
Committee of Germany (ASCG) has developed a standard
on management reporting for all companies and
corporations that are required to comply with Section § 289
and § 315 of the German Commercial Code. The standard
contains a reporting element on material opportunities and
risks, which includes the disclosure of risks to which the
corporation is exposed, an overview of its risk position as
well as information regarding the management system
implemented within the corporation. Furthermore, the
standard asks the corporation to either quantify the risks in
order to be able to rank their importance or to associate the
risks into categories of similar risks (ASCG, 2012).
[2] Also known as “AktG”, the abbreviated form of the German name “Aktiengesetz”.
[3] Translated from German. Original version of the article as follows: “Der Vorstand hat geeignete Maßnahmen zu treffen, insbesondere ein Überwachungssystem einzurichten, damit den Fortbestand der Gesellschaft gefährdende Entwicklungen früh erkannt werden“.
[4] Extract from the article translated from German. Original version of the complete article as follows: “Er kann insbesondere einen Prüfungsausschuss bestellen, der sich mit der Überwachung des Rechnungslegungsprozesses, der Wirksamkeit des internen Kontrollsystems, des Risikomanagementsystems und des internen Revisionssystems sowie der Abschlussprüfung, hier insbesondere der Unabhängigkeit des Abschlussprüfers und der vom Abschlussprüfer zusätzlich erbrachten Leistungen, befasst“.
[5] Also known as “HGB”, the abbreviated form of the German name “Handelsgesetzbuch”.
[6] Translated from German. Original version of the article as follows: “Kapitalgesellschaften im Sinn des § 264d haben im Lagebericht die wesentlichen Merkmale des internen Kontroll- und des Risikomanagementsystems im Hinblick auf den Rechnungslegungsprozess zu beschreiben“.
[7] Translated from German. Original version of the article as follows: “Im Konzernlagebericht ist auch einzugehen auf die wesentlichen Merkmale des internen Kontroll- und des Risikomanagementsystems im Hinblick auf den Konzernrechnungslegungsprozess, sofern eines der in den Konzernabschluss einbezogenen Tochterunternehmen oder das Mutterunternehmen kapitalmarktorientiert im Sinn des § 264d ist“.
[8] Translated from German. Original version of the article as follows: “Bei einer börsennotierten Aktiengesellschaft ist außerdem im Rahmen der Prüfung zu beurteilen, ob der Vorstand die ihm nach § 91 Abs. 2 des Aktiengesetzes obliegenden Maßnahmen in einer geeigneten Form getroffen hat und ob das danach einzurichtende Überwachungssystem seine Aufgaben erfüllen kann“.
Complementary non-legally binding recommendations and
suggestions with regard to Risk Management practices can
be found in the German Corporate Governance Code, which
is primarily addressed to stock corporations and corporations
with capital market access in the meaning of Section § 161
(1) AktG (German Corporate Governance Code, 2015).
While the individual recommendations and suggestions of
the German Corporate Governance Code do not have any
legally-binding force, companies listed on the stock
exchange are obliged, since 2002 and in accordance with
Section § 161 (1) of the Stock Corporation Act, to make an
annual declaration of compliance with the Code based on
the “Comply or explain” approach. In this sense, companies
must, on the one hand, declare whether or not they comply
with the Corporate Governance principles described in the
Code, and, on the other hand, explain the reasons for non-
compliance with regard to the principles they do not comply
with (AktG, 1965).
According to Recommendation 3.4 of the German
Corporate Governance Code, “the Management Board
informs the Supervisory Board regularly, without delay and
comprehensively, of all issues important to the enterprise
with regard to strategy, planning, business development, risk
situation, Risk Management and compliance”. Moreover,
according to Recommendation 4.1.4 of the Code, “the
Management Board ensures appropriate Risk Management
and risk controlling in the enterprise”. More specifically,
Recommendation 5.2 of the Code indicates that “the
Chairman of the Supervisory Board shall regularly maintain
contact with the Management Board, in particular, with the
Chairman or Spokesman of the Management Board, and
consult with it on issues of strategy, planning, business
development, risk situation, Risk Management and
compliance of the enterprise”. In addition, and in the same
way as Section § 107 (3) of the German Stock Corporation
Act, “The Supervisory Board shall set up an Audit Committee
which, in so far as no other committee is entrusted with this
work, in particular, handles the monitoring of the accounting
process, the effectiveness of the internal control system,
Risk Management system and internal audit system, the
audit of the Annual Financial Statements, here in particular
the independence of the auditor, the services rendered
additionally by the auditor, the issuing of the audit mandate
to the auditor, the determination of auditing focal points and
the fee agreement, and compliance” (German Corporate
Governance Code, 2015).
2.4 ERM standards and guidelines
Besides legal requirements, companies have also started to adopt
voluntary standards and recommendations designed by
international organizations to help companies with the
implementation of ERM9.
Some examples of these well-known worldwide
standards and guidelines regarding enterprise Risk
Management are FERMA:2002, COSO:2004, Australia/
New Zealand 4360:2004, BS 31100:2008, ISO 31000:2009,
BASEL III:2010, SOLVENCY II:2012 and OCEG “Red
Book” 3.0:2015.
Many of these standards are not mandatory regulations and,
therefore, companies are not obliged to implement them.
In some cases, however, these standards are referred to by
legislation and thereby become mandatory. Even where they
are not, companies nowadays see themselves indirectly
forced to follow these recommendations in order to reach
international competitiveness, have access to broader
financial support, and attract international and long-term
investors. Thus, it seems that companies have become more
and more aware of the benefits and value that ERM brings
to the organization.
9 Therefore, these standards are also commonly called “how to” standards.
The methods, processes and principles described in the
non-regulatory standards and guidelines, unlike those laid
down in legislative documents, are presented in detail and
give a more accurate notion of their purpose and their
process of adoption. Furthermore, these standards
encompass international policies and procedures, providing
companies with an international perspective instead of a
limited national focus.
According to a study based on the review of six well-known
international standards10 and carried out by the Risk and
Insurance Management Society, Inc. (RIMS), the number of
common elements exceeds the number of differences
among the standards. This indicates the universal
applicability and confirms the intention of different
organizations to create a harmonizing tool for worldwide
companies regardless of the local market and sector to
which the companies belong. Nevertheless, it may be
convenient to look into the differences between the
standards, since these distinguishing elements may
determine whether a specific organization is more adaptable
to one or another of these standards (RIMS, 2011).
Regarding the similarities among the “how to” standards, the
study carried out by RIMS points out that all of them require
an enterprise-wide management of risks based on
structured process steps to identify, assess, oversee and
report the risks. Moreover, companies are required to define
their risk appetite and risk tolerance. Furthermore, formal
documentation of risk assessment and monitoring of
treatment plans are also required. Finally, ERM goals and
activities must be established and communicated within the
organizations (RIMS, An overview of widely used risk
management standards and guidelines, 2011).
10 Reviewed Standards: ISO 31000:2009, OCEG “Red Book” 2.0:2009, BS 31100:2008, COSO:2004, FERMA:2002 and SOLVENCY II:2012.
In comparing the “how to” standards, the reviewers found major
differences between the standards. Firstly, the ISO
standard highlights the importance of Risk Management as
part of the business decision-making process instead of its
perceived function as a compliance-oriented tool. Secondly,
the OCEG “Red Book” standard emphasizes the adoption of an
integrated governance, risk and compliance approach, which
relies on an integrated technology platform. Thirdly, the British
standard, which the reviewers found to be very
similar to the ISO standard, gives emphasis to the use of a risk
maturity model to be able to measure and follow the
improvement of the Risk Management system. Fourthly, the
COSO standard highlights Board commitment, which
comprises the support and involvement of the highest
decision-making body, in the Risk Management process.
Fifthly, the FERMA guideline focuses on the key elements of an
ERM framework. Finally, the Solvency II standard, which has a
focus on companies throughout the insurance industry within
the European Union, puts emphasis on quantitative capital
requirements as well as disclosure and transparency
requirements. Unlike the other standards but similarly to
the BASEL III standard for the banking industry, Solvency II is a
mandatory standard within the European Union (RIMS,
2011).
2.5 ERM conceptual framework
After analysing the regulatory and non-regulatory framework
of ERM applicable to non-financial DAX-30 companies, this
chapter aims to give insights into the major elements to be
considered when implementing ERM.
2.5.1 ERM Components
Among the various and similar design alternatives to
implement ERM at any organization, the COSO ERM Integrated
Framework is the most prominent (Paape & Speklé, 2012).
Therefore, this study shows the main components of ERM
embraced by the COSO standard.
According to the COSO ERM Integrated Framework, eight
interrelated components define the implementation of ERM.
First, a risk-aware culture within the organization determines
the internal environment in which ERM operates. Second,
strategic, operations, reporting and compliance objectives
aligned with the company’s mission are defined in order to
set the risk appetite of the organization. Third, risks and
opportunities affecting the achievement of the company’s
objectives are identified. Fourth, the identified risks are
assessed according to their likelihood of occurrence and
impact on an inherent and a residual basis. Fifth,
management selects a risk strategy to manage the risk
(avoiding, accepting, reducing, or sharing risk) in accordance
with the company’s risk appetite and tolerance. Sixth, control
activities are implemented in order to ensure the risks are
effectively managed. Seventh, relevant information about
Risk Management is communicated throughout the whole
organization. Finally, risk monitoring is ensured through
ongoing management activities and/or separate evaluations
(COSO, 2004).
Figure N° 2
“ERM Components”
2.5.2 ERM ‘best practices’
A variety of so-called ‘best practices’ can be found in the
standards and guidelines for the implementation of ERM. For
the purpose of this study, three ERM ‘best practices’ are
embraced in line with the latest release of EU Directives
concerning Risk Management practices:
2.5.2.1 Best practice N° 1: Integrated ERM approach
There are basically two divergent archetypes for managing
risk at the organizations. Companies can either decide to
give independence to their business units when developing
and executing their own risk strategies, or they can establish
a corporate central unit in charge of the enterprise-wide
implementation of the risk strategy within the organization
(COSO, 2004).
In this sense, under the centralized approach Risk Management
is meant to be led, supported and controlled by a central unit.
While a higher level of flexibility
concerning Risk Management practices is provided to
business units by following the first, decentralized approach,
the centralized approach proposes a sound and consistent
implementation of the risk strategy throughout the whole
organization. However, different degrees and types of
centralization can be found between companies. Whereas,
for example, the risk strategy might be set by the central unit
of the organization, business units may have the freedom to use
different tools for the identification and evaluation of their
risks. Moreover, business units in different companies might
have a more or less flexible reporting policy regarding their
risks and associated mitigation actions.
Although many companies might argue that the application
of either a more decentralized or centralized approach has
been decided in accordance with their particular needs,
COSO suggests that a holistic approach is more favourable
for strengthening the effectiveness of Risk Management
(COSO, 2004)11.
FERMA recommends that an integrated, holistic approach
should dominate the implementation of the Risk
Management process in order to align the enterprise-wide
objectives with the ERM strategy. Ideally, a chief risk officer,
as the head of the enterprise-wide Risk Management
function, should report through the chief executive officer to
the Supervisory Board (FERMA & ECIIA, Guidance on the
8th EU Company Law Directive, 2010).
Since ERM contemplates the company’s total risk exposure,
this straightforward view of managing risks holistically gives
companies a competitive advantage and a strengthened
ability to successfully achieve their strategic plan (Nocco &
Stulz, 2006). This can be explained by the fact that a
broader range of risks, such as strategic risks, can be
identified and managed through the implementation of ERM
(McShane, Nair, & Rustambekov, 2010).
In order to manage risks across the whole organization, a
close relationship and cooperation between risk functions12
is necessary in order to avoid working in silos. The lower the
level of coordination between risk functions, the less optimal
the use of the company’s resources and the poorer the internal
communication between Risk Management actors.
Therefore, only collaborative work on ERM among
different areas of the organization strengthens the
company’s culture of integrated Risk Management, and
risk functions coordination should be fully in place
(FERMA, 2014).
An integrated Risk Management involves a “strategic”
approach instead of a “tactical” approach. Therefore,
coordination of Risk Management across distinct areas of
the company must take place in order to succeed with the
implementation of ERM within the organization. Moreover,
the fact that risks are no longer managed individually or
in isolation introduces the need for risk aggregation. In this
sense, an integrated Risk Management approach requires a
central unit in charge of the enterprise-wide risk function
(Meulbroek, 2002).
11 See Best practice N° 1 described in chapter 2.5.2.1 of this study.
12 e.g. risk management, internal audit, internal control, compliance, quality or supply chain.
In line with FERMA’s recommendation regarding risk
functions coordination, the OCEG Red Book 3.0 proposes
the establishment of a Governance, Risk and Compliance
(GRC) approach. This approach, which follows the logic of
integrating GRC capabilities, aligns performance, risk and
compliance indicators (KPIs, KRIs and KCIs) to corporate
objectives and decision-making criteria. The proper
implementation of this approach allows the company’s governing
authority to provide direction to management so that capabilities
are harmonized with decision-making criteria. Elements such
as risk capacity, appetite and tolerance, along with
decision-making criteria, are determined and defined; these govern
the set-up of appropriate actions and controls while
achieving desired levels of performance and compliance.
According to OCEG, the establishment of this GRC
integrated approach makes companies more agile, resilient
and competitive. In particular, companies improve the
alignment between their objectives and their mission, vision and
values. Moreover, they improve their decision-making
process and their capability to create long-term value.
Furthermore, the establishment of a GRC approach provides
better use of resources (e.g. capital and time) when
implementing initiatives, which allows companies to reach
meaningful cost savings. Additionally, it encourages “top to
bottom” accountability regarding the achievement of key
objectives. Therefore, the adoption of a GRC approach
constitutes a Risk Management competitive advantage,
since companies can take more benefit from managing their
risks within the accomplishment of their risk strategy goals
(OCEG, 2015).
In order to fulfil the requirements of this strategic approach,
senior management commitment to Risk Management
activities is crucial when setting the firm’s risk appetite,
determining the ERM strategy and creating a risk-aware culture
within the organization (COSO, 2004). Whereas the
commitment of the Supervisory Board is also an essential
element for ERM monitoring, management carries out the
effective implementation of the ERM program (Beasley,
Clune, & Hermanson, 2005). However, ERM also
emphasizes the need to spread risk ownership within the
organization in order to identify, assess and manage the
risks the company is facing in a more accurate manner
(bottom-up approach). Although senior managers play a key
role in ultimately determining the most relevant risks of the
company, line managers’ risk assessment significantly
supplements the understanding of the risks, since they are
the ones closest to the risks, and enables the company to
improve the associated risk-mitigating actions (Nocco &
Stulz, 2006).
2.5.2.2 Best practice N° 2: “3 Lines of Defence” Model
As already mentioned, internal audit and internal control
constitute risk functions in line with their monitoring role at an
organization, which ultimately supports the basis of the
Board’s duty regarding risk oversight.
To support effective oversight of Risk
Management activities, FERMA encourages the
implementation of the “Three Lines of Defence” Model,
described in Figure N° 3.
Figure N° 3
“Three Lines of Defence – Model”
Source: IIA, adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive
The model is comprised of the following three major
functions within the organization: operating management,
risk functions and internal audit.
The 1st Line of Defence of this model is comprised of
operational management. At this first level, each operational
unit is responsible for identifying, assessing and mitigating
its own risks while implementing effective internal controls.
The 2nd Line of Defence of the model consists of a centralized
Risk Management function in charge of the facilitation,
assistance and monitoring of the implementation of ERM
practices by operational management. This centralized Risk
Management function is overall in charge of the assistance
and monitoring of ERM implementation and risk reporting
within the organization.
Finally, the 3rd Line of Defence is comprised of the internal
audit function, which is responsible for assessing the
effectiveness of the Risk Management system and reporting
on it directly to the Board (FERMA & ECIIA, Guidance on the
8th EU Company Law Directive, 2010).
Through the clear separation of the roles of each
function, this model enables Boards to obtain an unbiased
report of the company’s risks and associated control efforts.
Therefore, the implementation of this Risk Management and
control model enables governing bodies, management, and
internal auditors to work together on managing the
organization’s key risks in a more efficient and effective
manner. In this sense, clear roles and responsibilities
between key Risk Management and risk monitoring actors
ensure the efficiency and the effectiveness of the
organization’s Risk Management strategy (IIA, 2013).
2.5.2.3 Best practice N° 3: External ERM monitoring
According to ICGN13, the Audit Committee should be
comprised of non-executive directors, in order to guarantee
the protection of shareholders’ interests. Moreover, the
majority of the Audit Committee members should be
independent, in order to guarantee an unbiased judgement
when carrying out their role (ICGN, 2014).
This is also the case for capital market-oriented companies,
which shall comply with the new EU Directive 2014/56/EU
amending Directive 2006/43/EC on statutory audits of
annual accounts and consolidated accounts. According to
Article 39, fourth subparagraph of paragraph 1, “a majority of
the members of the audit committee shall be independent of
the audited entity”. Furthermore, “the chairman of the audit
committee shall be appointed by its members or by the
supervisory body of the audited entity, and shall be
independent of the audited entity” (European Parliament and
Council, 2006).
While all members of the Board regularly receive information
concerning the Risk Management process and the
organization’s major risks and opportunities, the Audit
Committee may need to receive further detailed information
on risk governance (e.g. steering committees, definition of
acceptable and accepted limits, benchmarks, controls and
audit) in order to fulfil its role in monitoring the effectiveness
of the Risk Management system. Some other specific tasks,
such as the review of risk control or mitigation, can be
performed by the Risk Committee, if applicable (FERMA &
ECIIA, Guidance on the 8th EU Company Law Directive,
2010).
13 ICGN was established in 1995 and is led by global investors responsible for assets under management in excess of US$26 trillion. The aim of the organization is to inspire and promote effective standards of Corporate Governance.
An independent external auditor is another body that can
provide impartial assurance regarding the implementation
of an appropriate and effective Risk Management system.
Regardless of which of these external parties checks and
monitors the effectiveness of the ERM system, this best
practice emphasizes the need for an external, independent
body able to provide an objective and unbiased
judgement in the matter.
The ICGN guideline14 on effective Risk Management oversight
provides examples of questions to be addressed by the
parties in charge of risk monitoring. For instance, these
bodies shall raise the question whether the ERM system of
the company is adequate, capable and effective, or whether
ERM enables the business model to deliver sustainable
profits and long-term value to the organization (ICGN Risk
Oversight Committee, 2015).
14 This guidance is addressed not only to company board members and investors, but also to auditors, risk advisory firms, rating agencies and local and international supervisory bodies.
2.5.3 ERM Maturity
The implementation of ERM does not end with the selection
of a design alternative and the adoption of Risk Management
‘best practices’. In order to be aware of the quality and
development of the ERM Program, the maturity of the ERM
implementation shall be measured. Practitioners,
consultancy firms and international ERM standards offer a
variety of indicators of ERM maturity (Monda & Giorgino,
2013). However, for the purpose of this study, the maturity
model explained in the present chapter is the one
designed and presented by the Federation of European Risk
Management Associations15.
FERMA’s risk maturity model includes the following four
main risk topics:
Figure N° 4
“FERMA’s RMM topics”
A. Risk governance
B. Risk practices and tools
C. Risk reporting and communication
D. Risk management functions alignment
15 (FERMA, Keys to Understanding the Diversity of Risk Management in a Riskier World, 2012).
Within the first main topic “Risk governance”, FERMA’s
maturity model assesses to what extent the Board is
involved in Risk Management activities. In this regard, the
model evaluates the scope of the mandate assigned to the
Board, Audit and/or Risk Committee in terms of Risk
Management. In addition, companies are asked to assess
the independent assurance over the Risk Management
system.
Specifically, the mandate of the Board, Audit and/or Risk
Committee includes monitoring the effectiveness of the Risk
Management system, monitoring and ensuring the
compliance of ERM framework with respect to
standards/local regulations, challenging the company’s risk
appetite, company’s Risk Management strategy, and
residual risk exposure and relevance of existing mitigation
actions.
Within the second main topic “Risk practices and tools”,
FERMA’s method assesses to what extent the company’s
risk mapping exercise is implemented. Moreover, the model
evaluates whether the company uses an improved
assessment methodology for risk quantification. In addition,
the model assesses whether the risk analysis is formally and
systematically linked to the company’s decision making
process.
According to FERMA, risk measurement approaches include
risk assessment workshop, internal or external databases
(e.g. incident, losses), value at risk simulation models (e.g.
Monte Carlo), scenario simulation models, stochastic
aggregation models, and benchmarking.
Moreover, strategic decisions considered by FERMA include
major projects, strategic planning, investment decisions,
contracts/bids, acquisitions/transfers decisions, and budget
decisions.
Within the third main topic “Risk reporting and
communication”, the model asks whether the company has
defined and communicated to all members of the
organization a formal Risk Management policy or charter.
Furthermore, companies are asked whether risk-oriented
information is embedded in decision making at the Board
level. Besides that, the extent of external risk reporting is
also examined.
Within the fourth main topic “Risk Management functions
alignment”, the method aims to reveal the level of
coordination and cooperation between internal areas
concerning Risk Management at the organization. Therefore,
the model evaluates to what extent the coordination between
risk functions is in place. Moreover, companies are
specifically asked to assess the interaction between Risk
Management and internal audit functions. Finally, the model
assesses to what extent Risk Management cooperates with
other internal functions.
In order to assess the four categories of the risk maturity
model (RMM) designed by FERMA, the multi-criteria
approach is based on the following four maturity levels:
Figure N° 5
“FERMA’s RMM levels”
Emerging: low or basic level of RMM
Moderate: intermediate level of RMM
Mature: good level of RMM
Advanced: high level of RMM
The following figure provides a summary of the multi-criteria
approach based on the four maturity levels described above:
Figure N° 6
“FERMA’s RMM multi-criteria approach”
Level    | A. Risk governance          | B. Risk practices and tools | C. Risk reporting and communication | D. Risk Management functions alignment
Advanced | Fully involved              | Full approach               | Full scope                          | Very close relationship
Mature   | Partially involved          | Partial approach            | Partial scope                       | Close relationship
Moderate | Involved on a limited basis | Limited approach            | Limited scope                       | Relationship on a limited basis
Emerging | Not involved                | No approach in place        | Non-existent scope                  | No relationship
2.5.4 ERM Effectiveness
Although the assessment of the maturity of ERM
implementation provides companies with an insight into the
quality of the ERM Program, this quality refers to ERM
strengths and weaknesses (Ciorciari & Blattner, 2008),
rather than ERM effectiveness.
Since ERM does not eliminate risk, an effective ERM is
reflected in a better estimate of expected value and in a
better understanding of unexpected losses. Thus, the
effectiveness of ERM must be assessed in terms of the
ability of key risk actors to understand and manage the
company’s risk. A better understanding of the firm’s risk
enables an improved management of risks and this ensures
a better allocation of the company’s resources. Therefore,
the confidence of company’s stakeholders is enhanced
despite the occurrence of an unfavourable outcome (Nocco
& Stulz, 2006). In this sense, an effective ERM enables
company’s stakeholders to obtain a reasonable assurance of
companies meeting corporate objectives (Ciorciari &
Blattner, 2008).
The achievement of corporate objectives through an
effective ERM requires senior management commitment to
ERM activities (Walker, Shenkir, & Barton, 2002).
Furthermore, according to a study using survey data
obtained from chief audit executives, board and senior
management leadership on ERM is not the only critical element
for the implementation of ERM. The presence of a
chief risk officer, board independence, apparent CEO and CFO
support for ERM, the presence of a Big Four
auditor and entity size also positively influence the
implementation of an effective ERM (Beasley, Clune, &
Hermanson, 2005).
The estimation of a multivariate OLS model using data from
156 organizations to analyse whether specific Risk
Management design choices positively affect perceived
Risk Management effectiveness suggests that the frequency
of risk assessment, the use of quantitative risk assessment
techniques, and the frequency of risk reporting also improve
ERM effectiveness (Paape & Speklé, 2012).
With regard to effective ERM oversight, Supervisory
Board members’ independence plays a key role. An
independent board member provides an objective and
unbiased judgement in assessing management actions
concerning Risk Management activities. Thus, having independent
board members in charge of the review and monitoring of
the ERM system is an essential
element of the board’s oversight effectiveness (Beasley,
Clune, & Hermanson, 2005).
2.5.5 ERM Value
The aim of Risk Management under the ERM approach goes
beyond the traditional purpose of reducing total risk. Instead,
ERM places more emphasis on a strategic risk allocation. In
this sense, companies may exploit risks in those areas
where comparative information advantage exists. In contrast,
risk exposure may be reduced in areas where companies
lack this advantage. This means that risk allocation within
the company may depend on the firms’ strengths. As a result
of this strategic risk allocation, the total risk can end up being
not necessarily reduced but rather increased (McShane,
Nair, & Rustambekov, 2010).
Hence, a key question arises: If ERM is not seeking to
reduce company’s total risk, what is it seeking for?
The underlying general premise of ERM is that it is designed
to provide reasonable assurance in achieving company’s
objectives. Since the ultimate objective of a company is to
protect and enhance stakeholder value, ERM enables
companies to maximize value. In this regard, value is
maximized when management, during the strategy-setting
process, efficiently and effectively allocates company’s
resources in order to achieve an optimal balance between
growth and return goals and related risks (COSO, 2004).
ERM creates value by enabling companies to carry out their
strategic plan through the embedding of an enterprise-wide
risk analysis, which allocates the firm’s resources effectively.
Furthermore, the spread of risk ownership under ERM creates an
internalized pattern of behaviour at all levels of the organization,
which ensures that the risk-return trade-off associated with individual
risks is considered (Nocco & Stulz, 2006).
An analysis regarding whether the adoption of enterprise
Risk Management (ERM) has a positive impact on
shareholder wealth by examining equity market reactions to
the appointment of a chief risk officer (CRO) reveals that
shareholders of large non-financial firms that share certain
characteristics16 respond positively to the implementation of
ERM (Beasley, Pagach, & Warr, 2008).
Academic research using Tobin’s Q as a proxy for firm
value and based on a sample of large non-financial firms
with foreign currency exposures reveals a positive relation
between the use of foreign currency derivatives as an ERM
response strategy and firm value (Allayannis & Weston,
2001).
Not only academic studies support the value-driven benefit
of ERM. Well-known, accepted and implemented Risk
Management standards also highlight the capability of ERM
in driving value. For example, the COSO ERM Integrated
Framework states that an effective ERM enhances a
company’s ability to balance exposure against opportunity,
enhancing its capabilities to create, preserve, and realize
value for its stakeholders (COSO, 2016).
16 These characteristics include volatile earnings, low amounts of leverage, and low amounts of cash on hand.
3. Methodology
“Managing risk requires thinking about risk, and
thinking about risk requires thinking about and being
comfortable with uncertainty and randomness”
(Coleman, 2012)
The literature reviewed in the previous chapter presents the
framework in which an effective and valuable Risk
Management system should take place. Nevertheless, a
well-designed ERM implementation does not necessarily
indicate the proper functioning of the system, a high
level of assurance of its effectiveness, or the achievement
of a value-driven ERM.
An in-depth description of the methodological tools used in
this study is provided by the present chapter. First, the
selection criteria of the target survey respondents that fit the
objectives of this study are explained. Second, the data
collection process is described. Third, the framework of
reference used to elaborate the questionnaire is presented.
3.1 Selection of target survey respondents
Since this study focuses on the effectiveness and value
contribution of a Risk Management system within a
corporation, the first group of target survey respondents is
comprised of risk managers of companies. The objective of
conducting this first “Expert Survey” (ES) is to obtain
information about the current perception of ERM
effectiveness and value among non-financial DAX-30
companies (“how it is” approach).
In addition, this study encompasses a second group of
target survey respondents formed by ICGN Corporate Risk
Oversight Committee (CROCO) members17, who are
investors and risk oversight policy-makers. The purpose
of this second “Policy-Maker Survey” (PMS) is to obtain the
expected results on the same matters from a policy-maker
perspective ("how it should be" approach).
An analysis of certain Risk Management-oriented selection
criteria is carried out for the selection of participating companies.
First of all, company size is one of the criteria to consider
when it comes to the selection of “target companies”. The bigger
the company, the more complex it becomes. This complexity
leads in turn to a more complex decision-making process for
the attainment of strategic business goals.
Another factor is the company’s financial performance. The
creation of value immediately brings to mind
long-term business growth in revenues and profits.
Therefore, it can be expected that companies in good
financial health place more emphasis on identifying drivers
of value.
Capital-market exposure is also taken into consideration
when selecting the target companies. Capital-market
companies face a high level of accountability and
transparency. Thus, it can be expected that a solid Risk
Management system is behind the enhancement of these
last key capital-market requirements.
Since one of the objectives of this study is to analyse the
existence of a correlation between international Risk
Management ‘best practices’ and the effectiveness / value
contribution of the Risk Management program, the company’s
international presence is also an element of the selection
criteria. Companies playing in an international market may
be aware of the Risk Management standards, guidelines and
‘best practices’ described in the previous chapter in view of
the need to strengthen their international competitiveness to
preserve their position in the global market.
17 ICGN Corporate Risk Oversight Committee (ICGN CROCO), driven by ICGN members with broad and recognized Risk Management-oriented experience, encourages the effective oversight of Risk Management as well as the appropriate reflection of risk in corporate strategy.
In addition to the factors described above, the involvement
of non-financial companies implementing voluntarily the
three Risk Management ‘best practices’ described in chapter
2.5.2 is also desired.
It is also considered reasonable to select only companies
regulated by the same legal and regulatory framework. In
that sense, a fair comparison of the results of the
questionnaire can take place. Therefore, companies
belonging to insurance and banking sectors are not
considered, since they must comply with another set of legal
provisions and regulatory standards of Risk Management
practices.
In order to select the companies’ country jurisdiction, a study
conducted by FERMA in 2012 about the impact of the EU 8th
Directive on European companies is taken into
consideration, since it is desired that the target group of
companies operates within a solid Risk Management legal
framework. According to the study, German companies are
overall the least impacted, due to their relatively higher level of
maturity of Risk Management practices (FERMA, 2012).
In line with the Risk Management-oriented selection criteria
described above, the target sample of the “Expert Survey” is
comprised of nineteen non-financial DAX-30 companies.
3.2 Data collection process
The data collection process of this study consists of two
main stages. On the one hand, publicly disclosed Risk
Management information is gathered and analysed and, on
the other hand, ad hoc questionnaires are conducted.
Analysis of survey data is based on the interplay between
survey results from non-financial DAX-30 companies and
from ICGN CROCO members.
Figure N° 7 “Data collection process”
In the first stage, overall Risk Management information is
gathered by conducting a comprehensive review and
analysis of target companies’ annual reports. As part of this
review, public information concerning Risk Management
strategy, process and overall practices within the target
companies is collected.
In the second stage, the information gathered in the first
stage is used to generate and conduct an online “Expert Survey”
addressed to risk managers or their equivalent within the
target companies. Risk managers of the target companies,
based on their “Expert judgement”, are asked to answer 10
Risk Management-oriented questions in order to provide a
benchmarking analysis of ERM Programs across
non-financial German companies.
In parallel with the “Expert Survey”, the
online “Policy-Maker Survey” addressed to members of the
ICGN CROCO is developed and carried out.
Figure N° 7 content: Analysis of risk management information (annual reports review); “Expert Survey” – risk managers (“how it is” approach); “Policy-Maker Survey” – ICGN members (“how it should be” approach).
Data analysis and research findings are based on twelve
survey responses from a group of nineteen target survey
companies, which already denotes a representative sample.
3.3 Elaboration of the questionnaire
For the compilation of the “Expert Survey”18, the review of
publicly disclosed Risk Management-oriented information of
the target companies as well as international and well-known
reports on Risk Management is taken into account. The FERMA
Risk Management benchmarking survey, the FERMA European
Survey on ERM maturity and the global enterprise Risk
Management surveys conducted by the Risk Management
Society (RMS) and by other international Risk Management
advisory firms such as Deloitte and EON comprise the
frame of reference from which the set of questions is
drawn up.
The questionnaire is organized around the following
dimensions:
Figure N° 8 “Survey dimensions”
A. ERM Program general information
B. ERM Program effectiveness
C. ERM Program value contribution
D. Information about metrics
18 See Exhibit N° 16 of the Annex.
The aim of the “ERM Program General Information”
dimension is to gather general information from the target
companies about the overall stage of ERM Maturity, the level
of compliance with the three Risk Management ‘best
practices’ described in Chapter 2.5.2 and the overall
motivations and targets for implementing an ERM Program.
Within the “ERM Program Effectiveness” dimension,
companies are asked to assess the capability of their ERM
program as well as to evaluate the main impediments to an
effective ERM Program.
The “ERM Program Value Contribution” dimension
comprises questions regarding, on the one hand, the level of
success in achieving internal as well as external Risk
Management strategic objectives and, on the other hand, the
main impediments to measuring ERM value.
Last, within the “Information about metrics” dimension, risk
managers are asked to provide specific examples about the
metrics used to measure ERM effectiveness and value
contribution.
The “Policy-Maker Survey” questionnaire follows the
structure and content of the “Expert Survey” questionnaire.
However, the formulation of the questions, as expected,
differs.
4. Data analysis and research findings
“For those organizations that choose to weather this
economic storm with the aid of ERM, the benefits of
their efforts today will likely remain long thereafter.”
(Grant Thornton, 2009)
The present chapter reports the findings of the “Expert
Survey” and “Policy-Maker Survey” conducted for the
purpose of addressing the questions and accomplishing the
objectives of this research described in the introduction.
Furthermore, a cross-analysis of the findings of both surveys
is provided in order to present the gap between the actual
elements which define the perception of ERM effectiveness
and value among non-financial DAX-30 companies and the
expected results of a representative risk oversight policy-
maker.
Within the first dimension “ERM general information” of the
questionnaire, non-financial DAX-30 companies were first
asked to give information about the stage of ERM maturity in
their organizations. The analysis follows the ERM Maturity
Model provided by FERMA, which is described in chapter
2.5.3. For the purpose of this study, companies were asked
to provide information regarding “Risk governance”
separately. This matter is addressed when answering the
question concerning the adoption of the third Risk
Management “best practice”. The aim of this separation was
to obtain detailed evidence about the independent
assurance over the Risk Management system.
With regard to the category “Risk practices and tools” of the
ERM maturity model, the majority of the surveyed
companies (67%) ranked ERM at a mature level. This
means that most of the companies may have implemented a
Risk Management approach at the global corporate level.
Moreover, most of the companies may use improved risk
measurement approaches19 to assess their risks. However,
advanced quantification tools may mostly not be in place.
Furthermore, most of the companies’ major decisions may
be partially embedded with a risk analysis.
The other 33% of the surveyed companies
reported an advanced level of ERM maturity, meaning that
risk mapping may take place from the corporate level down to
divisions and business units. Furthermore, advanced
quantification tools for risk assessment may be used at
these organizations and major corporate decisions may
systematically include a risk analysis.
With regard to the category “Risk reporting and
communication” of the ERM maturity model, 83% of the
surveyed companies indicated an advanced level of ERM
maturity, meaning that a formal internal and external risk
reporting policy, communicated enterprise-wide,
may be in place. Moreover, most of the surveyed companies
may use risk-oriented information as an input for the
decision-making process of the Board.
Finally, with regard to the category “Risk Management
functions alignment” of the ERM maturity model, 75% of risk
managers ranked ERM at an advanced level. This indicates
that a strong cooperation and flow of information between
Risk Management and other areas, which strengthens the
ability of the companies to avoid Risk Management silos,
may be in place. Another 17% of risk managers said that the
company is at the mature level of ERM maturity concerning
the alignment of its Risk Management functions. This
indicates that the Risk Management function of almost all
surveyed companies may have at least a close relationship
with the internal audit function of the company.
19 Improved risk measurement approaches are explained in chapter 2.5.3.
In terms of ERM maturity level among the surveyed
companies, respondents overall described themselves as
approaching an advanced level. This first result of the “Expert
Survey” provides the basis on which the analysis of the
research findings takes place. Therefore, the subsequent
benchmark analysis uncovers characteristics and
components of apparently top-performing enterprise Risk
Management programs approaching an advanced stage of ERM.
Exhibit N° 1 “ES - ERM maturity”
The next three questions, which also belong to the first
dimension “ERM Program general information”, reveal
whether or not the surveyed companies have adopted the
Risk Management ‘best practices’ described in chapter
2.5.2.
With regard to the first Risk Management “best practice”20,
which suggests that the ERM Program shall be operated in
an integrated, holistic approach, most surveyed companies
revealed that they have created a corporate central unit in
charge of conducting, supporting and controlling the Risk
Management strategy within the organization.
20 See Best practice N°1 described in chapter 2.5.2.1 of this study.
In addition, most surveyed ICGN CROCO members
supported the idea that the implementation of a holistic
approach has a considerably positive impact on ERM
effectiveness and value. Moreover, one-third of them
stated that this best practice influences ERM success to a
great extent21.
Among the surveyed companies that have assigned a
central unit to carry out ERM, half of them have either
created a centralised Risk Management unit or have
assigned the corporate risk function to another corporate
central unit, such as the Department of Finance.
Although 83% of the surveyed companies hold a central unit
responsible for ensuring and monitoring a consistent and
comparable Risk Management model across the
organization, less than half reported having implemented
not only a centralised but also an independent unit in charge
of the enterprise-wide risk function.
Moreover, only one-third of surveyed companies reported
having implemented ERM within the Governance, Risk &
Compliance approach as recommended by the OCEG.
21 See Exhibit N° 10 of the Annex.
Exhibit N° 2 “ES – Integrated ERM approach”
When companies were asked about the second Risk
Management “best practice” regarding the implementation of
the “3 Lines of Defence” Model suggested by FERMA, 92%
of them confirmed having this structure22 in place.
Half of ICGN CROCO members considered that the
implementation of the “3 Lines of Defence” Model increases
significantly the effectiveness and value of ERM at the
organization. Another third of them agreed with this statement,
although only to some extent23.
22 See Best practice N°2 described in chapter 2.5.2.2 of this study.
23 See Exhibit N° 10 of the Annex.
Exhibit N° 3 “ES – 3 Lines of Defence Model”
With regard to the third Risk Management “best practice”,
which emphasizes the external monitoring of ERM24,
surveyed companies were required to indicate to what extent
the ERM Program is checked and monitored by external
parties, such as independent supervisory board members
(Audit Committee) or an external auditor.
All survey respondents reported that the ERM Program is
reviewed and monitored by both independent supervisory
board members (Audit Committee) and an external auditor.
This result also addresses the “Risk governance” topic of the
Risk Maturity Model. In this sense, this result supplements
the findings about the other three topics of ERM maturity
and is consistent with the observation that surveyed
companies mostly describe themselves as approaching an
advanced stage of ERM.
Moreover, 67% of the surveyed companies’ ERM Programs
are reviewed to a great extent by an external auditor while
the other 33% declared that the external auditor evaluates
the Risk Management system of the company to some extent.
24 See Best practice N°3 described in chapter 2.5.2.3 of this study.
When assessing the risk monitoring role of independent
supervisory board members within the surveyed companies,
the opposite occurs. Only 33% of the ERM Programs are
monitored to a great extent by independent supervisory
board members, compared to the 67% of ERM Programs
that are also monitored by them but only to some extent.
Most ICGN CROCO members (67%) stated that an
objective and unbiased opinion from an external,
independent body about the Risk Management system
influences to a great extent the effectiveness and value of
ERM. In addition, 17% of them supported the idea that this
best practice enhances the success of ERM25, but only to
some extent.
Exhibit N° 4 “ES – External ERM monitoring”
With the aim of gathering final general information about
the ERM Programs of the surveyed companies, risk
managers were asked to rate a variety of motivations and
targets linked to their Risk Management strategy.
Not surprisingly, risk managers pointed out the need to
comply with regulatory and non-regulatory standards and
‘best practices’ as the most common primary motivation for
implementing an ERM Program. ‘Meeting regulatory
requirements’ as well as ‘Corporate Governance and Risk
Management ‘best practices’’ were both mostly rated as the
main drivers for their ERM Program implementation (75%).
Moreover, the other 25% of the surveyed companies also
reported being driven by these motivations, although only
to some extent.
25 See Exhibit N° 10 of the Annex.
This result is consistent with the fact that an increasing
number of companies have been voluntarily adopting Risk
Management standards and guidelines in recent years
in order to keep up to date with the most recent and well-
known international ‘best practices’.
In contrast, ICGN CROCO members stated that ERM
shall be driven by the internal need to improve performance
& decision making and that ERM shall be encouraged within
the “tone at the top” approach26. In addition, secondary
drivers of ERM shall include shareholder pressure and
improvement of Corporate Governance/’best practices’27.
Yet, only half the surveyed companies reported “Improved
performance & decision making” and “Board directive” as
their primary drivers, and roughly the other half reported them
as secondary drivers.
Shareholders and peer/stakeholders pressure as well as
rating agencies and financial institutions requirements were
reported in general by the surveyed companies to be only to
some extent drivers for implementing an ERM Program.
As expected, the need to meet regulatory requirements was
not only ranked as the most common primary motivation but
also as the most common target of ERM (83%).
26 Term used to point out the need for management’s leadership and commitment towards ERM implementation.
27 See Exhibit N° 11 of the Annex.
Half of ICGN CROCO members, on the other hand,
expressed a contrary position, stating that regulatory
requirements shall by no means be an ERM target.
According to ICGN CROCO members, ERM shall mainly be
set to enable risk-based decision making and drive value
creation for the organization. Although, in general,
companies reported that linking Risk Management with the
decision-making process was another main ERM objective,
they indicated that it was not as important as meeting
regulatory and legal requirements. Furthermore, less than
half the risk managers indicated value creation as the
main goal for ERM at their organizations.
Other goals that were mostly not reported as the main
ERM targets include managing the total cost of risk (TCoR)
and managing volatility of earnings and other key financial
indicators. Moreover, half the risk managers reported that
they are not seeking the management of the total cost of risk
at all.
These results suggest that strategy-oriented and value-
driven factors are neither the main source, nor the main aim
behind the implementation of ERM at non-financial DAX-30
companies. Considerable work remains to be done to build
up awareness of the importance of the alignment between
Risk Management and corporate strategy & firm value in
order to move from a compliance-oriented Risk Management
to a value-oriented risk approach.
Since the findings indicate that regulatory and non-
regulatory Risk Management standards are companies’ main
source of motivation to implement and strengthen their ERM,
it seems quite challenging to expect that the companies
address the matter on their own initiative. Therefore, either
regulators or international organizations, or both, may take a
leading role. A wide range of company- and country-oriented
characteristics might be taken into account when assessing
the issue of whether the regulatory approach or the
voluntary approach should be the optimal strategy to put in
place. For example, risk culture might play a key role.
Companies within an existing and solid risk-oriented
business environment, such as the target companies of this
study, might respond better and voluntarily to non-regulatory
standards in their need to maintain or gain market
competitiveness. However, regulators would need to follow up
on the work of international organizations in order to provide
the minimum legal requirements and speed up progress.
Looking ahead, the forthcoming COSO ERM Aligning Risk
with Strategy and Performance Framework seems to arise at
an opportune time to encourage companies to raise
awareness about the matter. COSO has already announced
that the aim of this tool is to show how business growth and
performance can be enhanced by linking strategy and
objectives to both risk and opportunity. Furthermore, it was
also announced that the new framework would show the
clear path to creating, preserving, and realizing value
through ERM (COSO, 2016).
Exhibit N° 5 “ES - ERM motivations & targets”
Legend for Exhibit N° 5
Motivations
A Regulatory requirements
B Rating Agency/Financial Institutions requirements
C Shareholder pressure
D Peer/Stakeholder pressure
E Corporate Governance/Best practice
F Improved performance and decision making
G Board Directive
Targets
H Enable risk-based decision making
I Drive value creation for the organization
J Manage Total Cost of Risk (TCoR)
K Manage volatility to earnings and other key financial metrics
L Meet regulatory requirements
Within the second dimension of the survey, called “ERM
Program effectiveness”, the capability of the ERM Program
concerning different Risk Management-oriented activities
was assessed.
Risk managers were most likely to consider ERM as
moderately capable in executing overall Risk Management-
oriented activities. However, 58% of risk managers said ERM
was not too capable in linking Risk Management with
corporate strategy.
In anticipating and managing emerging risks, most surveyed
companies reported to be moderately capable (67%). Only
17% of risk managers assessed their ERM Program as a
very capable system for identifying new threats.
Although a greater number of surveyed companies
assessed ERM at their organizations as very capable in
taking action on identified important risks (25%), nearly 70%
of risk managers were most likely to rate ERM as moderately
capable in conducting mitigating actions.
Similarly, 75% of all respondents reported their ERM as
moderately capable in strengthening risk culture.
A larger share of ERM Programs (33%) was ranked as not too
capable in terms of instilling awareness of risk in decision
making. However, most surveyed
companies (58%) still assessed ERM as moderately capable
in this regard.
In contrast, when it comes to linking Risk Management with
corporate strategy, more than half of surveyed companies
(58%) reported ERM as not too capable.
These results indicate that the ERM process is mostly not
integrated into the strategy-setting process at the
organizations. Thus, corporate strategic decisions may be
barely based on risk information, which ends up increasing
uncertainty and endangering the execution of the company’s
strategic plan and the achievement of the associated
strategic goals.
For an ERM to be assessed as effective and value-driven,
ICGN CROCO members unanimously expected that ERM
enhances to a great extent the company’s ability to link Risk
Management with corporate strategy and to instil awareness
of risk in decision making, which are precisely those
activities that non-financial DAX-30 companies seem to be
less capable of28.
28 See Exhibit N° 12 of the Annex.
Exhibit N° 6 “ES – ERM Program Capabilities”
Legend for Exhibit N° 6
A Anticipating and managing emerging risks
B Taking action on identified important risks
C Linking Risk Management with corporate strategy
D Instilling awareness of risk in decision making
E Strengthening risk culture
The second dimension of the survey, called “ERM Program
effectiveness”, is supplemented with an assessment of the
main impediments to an effective ERM Program. This
assessment reveals that embedding a risk-aware culture
within the organization is, overall, the main obstacle to
achieving greater ERM effectiveness. Half of ICGN
CROCO members agreed with the statement that risk culture
seems to be today the main impediment to increasing ERM
effectiveness29.
Two thirds of surveyed companies reported that establishing
a risk-oriented culture is overall the major impediment to
enhancing the effectiveness of ERM at their organizations.
Whereas most risk managers previously said ERM is
moderately capable in strengthening risk culture, they
revealed through this assessment that more needs to be
done in this regard in order to increase ERM effectiveness.
29 See Exhibit N° 13 of the Annex.
Not surprisingly, risk culture reflects the values, norms and
behaviours shared by all members of an organization, which
governs the attitude they have towards the company’s risks
and this influences the effective implementation of the
company’s strategic plan and the achievement of the
strategic goals (Althonayan, Killackey, & Keith, 2012).
In order to succeed in implementing ERM, a company’s internal
stakeholders at all levels of the organization need to
understand and believe that ERM will enable the firm to
implement and meet its corporate strategy (Nocco & Stulz,
2006). Therefore, the lack of a risk culture not only
impedes a more effective ERM but also the alignment
between Risk Management and corporate strategy and risk-
oriented value creation.
In addition, half of risk managers reported challenges
associated with enhancing the company’s internal
communication in order to increase the ERM Program’s
effectiveness. This result seems to be directly related to the
risk culture barrier. It is to be expected that an effective
exchange of information about Risk Management
concerning company’s risk strategy, major risks and risk-
oriented business performance encourages the engagement
of internal stakeholders in the Risk Management process,
which may lead to the enhancement of an internal risk-aware
culture.
It is interesting to note that only a quarter of all respondents
ranked ‘senior management engagement’ with ERM as one of
the main impediments to ERM effectiveness. In contrast,
about 70% of risk managers reported that the engagement
of senior management is by no means or only to a minimal
extent an impediment to an effective ERM at their
organizations. This result is consistent with the findings of
the research conducted by the British multinational corporation
AON in 2010, in which Board-level engagement with ERM is
positively correlated with advanced stages of ERM activity
(AON, 2010). Therefore, since all surveyed companies of
this study are considered to be approaching an advanced level of
ERM maturity, it is expected that Board-level engagement is
no longer one of the main impediments to improving
ERM at their organizations.
Yet, companies might still maintain and enhance the “Tone
at the top” approach at their organizations since this element
is essential for an effective ERM. Moreover, according to
most ICGN CROCO members, senior management
engagement facilitates significantly the success of ERM and
is the most important element to increase ERM
effectiveness.
Other elements to be assessed by risk managers as
impediments to an effective ERM Program included IT tool,
methodology and talent resources. However, more than half
of respondents said these elements impede ERM effectiveness
at their organizations by no means or only to a minimal
extent.
Exhibit N° 7 “ES - Barriers for an effective ERM”
Legend for Exhibit N° 7
A Senior management engagement
B Risk culture
C IT tool
D Methodology
E Talent resources
F Internal communication
The third dimension of the survey, called “ERM Program
value contribution”, covered the question of whether the
implementation of the ERM Program within the organization
has successfully contributed to the achievement of the
company’s key internal and external aims.
All ICGN CROCO members stated that a value-driven
ERM shall succeed in enabling the organization to meet its
corporate objectives and in using risk-based information in
decision making. Moreover, 83% of the respondents
emphasized that both aims are to a great extent the main
indicators of a value-driven ERM. Unfortunately, most of the
surveyed companies (67%) reported ERM is not too
successful in achieving both aims30.
Similarly, the success of ERM at most of the surveyed companies
in managing the company’s earnings variability or optimizing
the company’s Total Cost of Risk (TCoR) also shows
unfavourable results.
Overall, surveyed companies reported to be successful in
using ERM to improve regulator perception and Corporate
Governance/’best practices’.
Value-driven aims are not successfully accomplished
through ERM among surveyed companies. In contrast, half
of respondents affirmed ERM has considerably succeeded in
decreasing the company’s financial losses. Not surprisingly,
regulatory aims are also connected to the decrease of
financial losses since they are positively correlated with the
avoidance of sanctions, fines or penalties. It can therefore
be concluded that ERM is perceived among non-financial
DAX-30 companies as a useful tool for preventing the
company from incurring losses, rather than for adding value to the
organization.
30 See Exhibit N° 14 of the Annex.
Other aims in which ERM is more likely to be successful
comprise external purposes such as improving rating
agencies’ and shareholders’/stakeholders’ perception. About
60% of risk managers reported ERM helps the companies to
successfully meet stakeholders’ demands, which leads to
stakeholders’ positive perception of the company.
ERM increases transparency within capital markets and this
allows market participants to make more informed decisions
based on company’s risk exposure. Therefore, improving
transparency and disclosure of risk-oriented information to
capital market participants may have a positive and
significant impact on stakeholders’ positive perception.
Certainly, continuing efforts have been made by regulators to
increase transparency and stakeholders’ confidence in
global capital markets, and German legislators have definitely
not been the exception. However, the present research
points out one risk-oriented aspect that the target
companies of this study may need to embrace in the near
future in order to meet transparency demands: ERM effectiveness
and value contribution to the organization.
Whereas all target companies provide general information
about ERM as well as the relevant risks faced by their
organizations in their annual reports, none of them delivers
comprehensive public information concerning ERM
effectiveness and value contribution. The information available
regarding ERM effectiveness encompasses only the
effective exercise of the Supervisory Board’s responsibility to
review and monitor the effectiveness of the Risk
Management system. In the best cases, companies
provide additional information on the monitoring role of the
external auditor in the same regard. Not surprisingly, no
information is available on whether and to what extent ERM
creates value for the organization.
The results concerning the ERM success can be interpreted
as a call to exploit value-driven benefits through ERM.
Recalling the findings of this study about the main ERM
motivations and targets31, this study found that non-financial
DAX-30 companies are mainly seeking, through ERM
implementation, to meet regulatory requirements instead of
pursuing value-driven aims. Remarkably, this underlying
premise tends to bias the setting of ERM strategy and limits
the entire scope of capabilities that ERM provides to an
organization. Certainly, ERM helps the organization to
respond to compliance-oriented activities. However, it seems
that companies are focusing on this element instead of
exploiting the broad range of ERM benefits.
Exhibit N° 8 “ES - ERM Program Success”
31 See Exhibit N° 5 of this study.
Legend for Exhibit N° 8
A Enabling organization to meet corporate objectives
B Decreasing financial losses
C Managing earnings variability
D Optimizing Total Cost of Risk (TCoR)
E Improving Corporate Governance
F Using risk-based information in decision making
G Improving regulator perception
H Improving rating agencies perception
I Improving Shareholders/Stakeholders perception
J Improving financial institutions perception
K Improving market reputation
When it comes to effectively linking ERM with company’s
value creation, measurement-related challenges come up for
discussion. In order to address this matter, within the third
dimension of the survey, called “ERM Program value
contribution”, risk managers were asked to judge to what
extent four common indicators obstruct the measurement of
ERM value at their organizations.
The biggest challenge among surveyed companies for
measuring ERM value is the quantification of prevented
losses from non-materialized risks. Three-quarters (75%) of
respondents reported it is tough to estimate the losses that
did not occur due to an effective ERM. Nearly 60% of risk
managers reported this challenge is not only tough but also
the main barrier to assess the value that ERM delivers.
In contrast, most surveyed companies reported not having
significant barriers in quantifying ERM value through the
use of the other three methods. Only a quarter (25%) of
surveyed companies reported facing considerable
complications in measuring ERM value through the
quantification of financial losses due to materialized risks.
Not surprisingly, this method requires neither rocket science
nor the use of sophisticated models for risk estimation.
Assessing the consequences and impacts of a risk that has
materialized is a question of time rather than a matter of
method. Nevertheless, this approach continues to present
some complications. For example, assessing non-financial
impacts such as reputational consequences of materialized
risks may remain a major challenge among companies.
A relatively larger share of surveyed companies (33%)
reported that the quantification of “soft” benefits of ERM
represents an impediment to measuring ERM value at their
organizations. However, most risk managers said the
assessment of ERM intangible benefits only to some
extent impedes the measurement of ERM value. These
“soft” benefits may include the benefits gained from enabling
the organization to meet corporate objectives and using risk-
based information in the company’s decision-making process.
In addition, only 17% of surveyed companies reported that
the assessment of the TCoR32 is significantly obstructing the
measurement of ERM value. Another 42% of surveyed
companies reported this method as a barrier for measuring
ERM value but only up to some extent.
Of these four value-driven indicators, half of the ICGN CROCO members stated that they expect companies to quantify financial losses due to materialized risks in order to be sufficiently able to assess ERM value. The other three indicators are also considered useful measurement tools of ERM value by most respondents, but only to some extent33.
It remains unclear whether the surveyed companies are able to determine the value their organizations have achieved from ERM investment using any of the four methods. However, the quantification of financial losses due to materialized risks seems to be the most accessible method for starting to measure ERM value. Coincidentally, this method is also the one most expected by ICGN CROCO members.
32 TCoR may include, for example, capital costs, ERM Program costs, compliance Program costs, hedging costs and insurance costs.
33 See Exhibit N° 15 of the Annex.
Exhibit N° 9
“ES - Barriers for measuring ERM value”
Legend for Exhibit N° 9
A Quantify prevented losses from non-materialized risks
B Quantify financial losses due to materialized risks
C Quantify "soft" benefits from ERM Program
D Assess Total Cost of Risk (TCoR)
Finally, within the fourth and last dimension of the survey, called "Information about metrics", risk managers were asked to provide information about the mechanisms and metrics used to measure ERM effectiveness and value at their organizations.
Surveyed companies provided no information on specific metrics used to measure ERM effectiveness and value. Nevertheless, risk managers mentioned the following mechanisms in place to ensure the effectiveness of the Risk Management system at their organizations:
Conducting a qualitative comparison analysis between risk-oriented functions within the organization.
Discussion among the members of the Board of Management on whether the ERM Program is effective and functioning well.
Regular audits by the internal audit unit to assess the effectiveness of the Risk Management system.
Review and monitoring of ERM effectiveness on a regular basis by the Audit Committee members of the Supervisory Board.
Examination of the effectiveness of the ERM system by the external auditor.
ICGN CROCO members shared further expert knowledge by providing the following additional indicators that they expect organizations to use for measuring ERM effectiveness and value:
Figure N° 9
"ERM effectiveness – expected metrics"
1 Number of times the actual risk level exceeded the risk appetite of the organization.
2 Number of risk-oriented variables considered in decision making at the corporate and business unit levels.
3 Level of risk-oriented decision making in business units.
4 VaR exercise over budget.
5 Level of Risk Management integration in core strategic planning processes.
6 Level of risk-aware culture within the organization.
7 Level of capability maturity improvement in line management and corporate risk function.
8 Number of business lines scoring 4 out of 5 in depth of adoption of risk-return decision making.
9 Level of risk-oriented coordination across the firm.
10 Time and cost savings in roll-out of new methods in each business line.
Figure N° 10
"ERM value – expected metrics"
1 Financial losses prevented due to effective Risk Management.
2 Losses from unquantified risks.
3 Level of success in achieving strategic corporate goals.
4 Improved return-adjusted return per period and risk-adjusted growth rate.
5 Level of litigation.
6 Firm value.
7 Progressively less uncertainty when calculating risk-adjusted returns.
8 Optimal risk allocation level.
9 Reduced pro-forma financial forecasting errors for each budget line item.
10 Number of times of company's negative media coverage due to improper risk mitigation.
5. Conclusion
High-profile corporate scandals and failures have raised Risk Management awareness, with the aim of making companies more resilient and adaptable to major change in a world where transparency, regulatory and globalization challenges are constantly increasing. Companies' efforts and non-trivial investment in increasing ERM effectiveness may therefore reasonably assure the protection and enhancement of firm value.
In order to answer whether non-financial DAX-30
corporations are following a strategy-oriented and value-
driven ERM approach in their efforts of increasing ERM
effectiveness, this study reveals the following main findings:
First of all, surveyed companies perceived themselves to be, overall, approaching an advanced stage of ERM with regard to risk governance, risk practices & tools, risk reporting and communication, and alignment of Risk Management functions. In addition, all three ERM 'best practices' addressed in this study are adopted by most of the surveyed companies.
With regard to the first ERM 'best practice', most of the surveyed companies stated that a corporate central unit is in charge of the conduct, support and control of the enterprise-wide Risk Management strategy. In this sense, ERM is operated within an integrated, holistic approach in which the different aspects of risk across functions are connected. However, only half of them reported having implemented a risk function that is not only centralised but also independent. This means that although ERM addresses the full spectrum of risks the company faces, the firm's resources are not specifically allocated to this central Risk Management function; instead, another central business unit (e.g. Finance) is in charge of the central Risk Management activities. Moreover, only one-third of surveyed companies stated that they follow the GRC approach, which ensures appropriate actions and controls aligned to risk capacity, appetite and tolerance while achieving the desired levels of performance and compliance.
With regard to the second ERM 'best practice', the "Three Lines of Defence" Model is implemented at almost all surveyed companies, which ensures a clearer and more effective division of roles between the Risk Management, Internal Control and Internal Audit functions while implementing ERM.
With regard to the third ERM 'best practice', companies stated that all ERM Programs are checked and monitored by an external body, which provides independent assurance over the Risk Management system. Moreover, this study reveals that the external auditor plays a more active role than independent supervisory board members in giving an objective and unbiased judgement on the ERM system. The reason behind this finding remains unclear: it may reflect either a lack of commitment from supervisory board members to ERM or a lack of supervisory board independence.
Main ERM motivations and targets among the surveyed
companies are compliance-oriented rather than value-driven.
Companies implement ERM mostly due to the need to meet
and comply with regulatory and non-regulatory standards.
Strategy-oriented and value-driven factors are neither the
main source, nor the main aim behind the implementation of
ERM.
With regard to ERM capability in key ERM activities, the majority of ERM Programs are moderately capable of performing Risk Management-oriented activities such as anticipating and managing risks, taking action on identified important risks, strengthening a risk-aware culture and instilling awareness of risk in decision making. However, most ERM Programs are not very capable of linking Risk Management with corporate strategy, which indicates that ERM is mostly not integrated into the strategy-setting process at the organizations, endangering the achievement of strategic goals.
Embedding a risk-aware culture within the organization is most often cited as the main obstacle to achieving a more effective ERM, which in turn impedes the alignment between Risk Management and corporate strategy & risk-oriented value creation.
While risk oversight policy-makers state that a value-driven ERM shall succeed in enabling the organization to meet its corporate objectives and in using risk-based information in decision making, both aims appear to be the goals in which ERM Programs are least successful. In contrast, most surveyed companies indicated that ERM has contributed successfully to the improvement of Corporate Governance/'best practices' and of regulator perception.
The findings reveal that the mere adoption of the three ERM 'best practices' addressed in this study ensures neither high levels of ERM capability in key Risk Management activities nor ERM success in achieving strategy-oriented and value-driven goals.
Overall, ERM is perceived among the surveyed companies as a useful tool for preventing losses rather than for adding value to the organization. Therefore, building understanding and awareness of the value-driven benefits of ERM seems today to be the biggest ERM challenge for non-financial DAX-30 companies.
The lack of attention among surveyed companies to exploiting value-driven benefits through ERM may be linked to the existence of challenging barriers to measuring ERM value at non-financial companies. Specifically, companies may lack the incentive to pursue more value creation-related ERM targets, since no quantifiable information about value-driven ERM benefits is available.
This study found that non-financial DAX-30 corporations are following a compliance-oriented ERM approach instead of a strategy-oriented & value-driven ERM approach in their efforts to increase ERM effectiveness. Moreover, the cross-analysis of the results between non-financial DAX-30 companies and risk oversight policy-makers reveals the need to shift the focus from compliance to the achievement of corporate strategic goals and value creation, in order to reasonably assure that a company's efforts and investment in enhancing ERM effectiveness pay off.
Figure N° 11
“Current ERM approach of non-financial DAX-30 companies”
The trend towards a compliance-oriented approach is likely
to continue unless the awareness of strategy-oriented and
value-driven ERM benefits is raised. Although the adoption
of the forthcoming COSO ERM Aligning Risk with Strategy
and Performance Framework can be challenging for most of
the surveyed companies, its effective implementation may
enable companies to move beyond a regulatory approach
toward a value-driven ERM approach.
ERM among non-financial DAX-30 companies is today mostly not linked to corporate strategy, just as it was not linked in the deficient Risk Management systems of the companies that failed during the financial crisis of 2009 (OECD, 2014). Therefore, the observations made in this study may be taken as a "wake-up call" for a more exhaustive review of ERM maturity and for a strategy-oriented & value-driven ERM approach to ensure the overall reliability of ERM systems.
6. Limitations and suggestions for
further research
“There are still important questions as to the long term
value creation of ERM. Additional research is needed on
enterprise Risk Management”
(Pagach & Warr, 2010)
Despite providing some insights about ERM effectiveness
and value among non-financial DAX-30 companies, this
study presents some limitations that could be addressed in
future research.
Since the data were collected using an anonymous survey to protect respondents' confidentiality, individual, company-specific analyses could not be carried out. For example, this study does not answer whether a more capable ERM leads to a higher level of ERM success, or whether a specific approach used to establish a central Risk Management unit is positively related to a higher level of ERM capability and success.
Moreover, differences according to industry sectors could
not be identified due to the anonymity of the survey.
Since one of the main findings of this study is that ERM is
not linked to corporate strategy, the question of whether
ERM is defined within a risk appetite/tolerance framework
arises. However, this matter was not addressed in the
present study.
The question about whether the adoption of the forthcoming
COSO ERM Aligning Risk with Strategy and Performance
Framework enables companies to move beyond a risk
mitigation approach toward a value-driven ERM is also
subject for future research.
VII. Annex
Exhibit N° 10
“PMS – ERM and the three ‘best practices’”
Exhibit N° 11
“PMS – expected ERM motivations & targets”
Legend for Exhibit N° 11
Motivations
A Regulatory requirements
B Rating Agency/Financial Institutions requirements
C Shareholder pressure
D Peer/Stakeholder pressure
E Corporate Governance/Best practice
F Improved performance and decision making
G Board Directive34
Targets
H Enable risk-based decision making
I Drive value creation for the organization
J Manage Total Cost of Risk (TCoR)
K Manage volatility to earnings and other key financial metrics
L Meet regulatory requirements
34 This refers specifically to policy setting at the Management Board level.
Exhibit N° 12
“PMS – Capabilities of an effective ERM”
Legend for Exhibit N° 12
A Anticipating and managing emerging risks
B Taking action on identified important risks
C Linking Risk Management with corporate strategy
D Instilling awareness of risk in decision making
E Strengthening risk culture
Exhibit N° 13
“PMS – Elements of an effective ERM”
Legend for Exhibit N° 13
A Senior management engagement
B Risk culture
C IT tool
D Methodology
E Talent resources
F Internal communication
Exhibit N° 14
"PMS – Success of a value-driven ERM"
Legend for Exhibit N° 14
A Enabling organization to meet corporate objectives
B Decreasing financial losses
C Managing earnings variability
D Optimizing Total Cost of Risk (TCoR)
E Improving Corporate Governance
F Using risk-based information in decision making
G Improving regulator perception
H Improving rating agencies perception
I Improving Shareholders/Stakeholders perception
J Improving financial institutions perception
K Improving market reputation
Exhibit N° 15
"PMS – expected ERM indicators"
Legend for Exhibit N° 15
A Quantify prevented losses from non-materialized risks
B Quantify financial losses due to materialized risks
C Quantify "soft" benefits from ERM Program
D Assess Total Cost of Risk (TCoR)
Exhibit N° 16
“Expert Survey”
VIII. Bibliography
AktG. (1965). www.gesetze-im-internet.de. Retrieved June 16, 2016, from http://www.gesetze-im-
internet.de/aktg/__91.html
Allayannis, G., & Weston, J. (2001). The use of foreign currency derivatives and firm value. The Review of
Financial Studies, 14(1), 243-276.
Althonayan, A., Killackey, H., & Keith, J. (2012). ERM Culture Alignment to Enhance Competitive Advantage.
ERM symposium.
AON. (2010). Global Enterprise Risk Management Survey. Chicago: Aon Global Risk Consulting.
AS/NZS. (2004). Risk Management Standard. Retrieved June 15, 2016, from SAI GLOBAL:
https://infostore.saiglobal.com/store/PreviewDoc.aspx?saleItemID=719568
ASCG. (2012). ASCG The German Accounting Standards. Retrieved June 17, 2016, from
https://www.drsc.de/service/drs/standards/index_en.php?ixstds_do=show_details&entry_id=38
Beasley, M., Clune, R., & Hermanson, D. (2005). Enterprise Risk Management: An Empirical Analysis of
Factors Associated with the Extent of Implementation. The Journal of Accounting and Public Policy,
24, 521-531.
Beasley, M., Pagach, D., & Warr, R. (2008). The information conveyed in hiring announcements of senior
executives overseeing enterprise-wide risk management processes. Journal of Accounting, Auditing
and Finance, 23(3), 311-332.
Bromiley, P., et al. (2014). Enterprise Risk Management: Review, Critique, and Research. Long Range Planning, 1-12.
Ciorciari, M., & Blattner, P. (2008). Enterprise Risk Management: Maturity-Level Assessment Tool. Enterprise
Risk Management Symposium. Chicago.
Coleman, T. (2012). A Practical Guide to Risk Management. The Research Foundation of CFA Institute.
COSO. (2004, September). Retrieved June 15, 2016, from
http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf
COSO. (2016, June). Retrieved July 15, 2016, from http://erm.coso.org/Documents/COSO-ERM-Public-
Exposure.pdf
Dickinson, G. (2001). The Geneva Papers on Risk and Insurance. Oxford: Blackwell Publishers.
Dionne, G. (2013). Risk management: History, definition and critique. Montreal.
FERMA / ECIIA. (2014). Audit and Risk Committees: News from EU Legislation and Best Practices. Brussels: FERMA / ECIIA.
European Parliament and Council. (2006, May 17). EUR-Lex. Retrieved July 01, 2016, from http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02006L0043-20140616&from=EN
European Parliament, & Council of the European Union. (2006, May 17). EUR-Lex. Retrieved June 17, 2016, from http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32006L0043&from=GA
FERMA. (2012). FERMA European Survey 2012. Federation of European Risk Management Associations
(FERMA).
FERMA. (2012). Keys to Understanding the Diversity of Risk Management in a Riskier World. FERMA.
FERMA. (2014). European Risk and Insurance Report. Brussels: Federation of European Risk Management
Associations.
FERMA. (2016, April 21). Retrieved July 12, 2016, from http://www.ferma.eu/blog/2016/04/ferma-calls-
commission-include-enterprise-risk-management-non-financial-reporting-guidelines/
FERMA, & ECIIA. (2010). Guidance on the 8th EU Company Law Directive. Brussels: Federation of European
Risk Management Associations and European Confederation of Institutes of Internal Auditing.
German Corporate Governance Code. (2015, May 5). http://www.dcgk.de. Retrieved June 16, 2016, from
http://www.dcgk.de//files/dcgk/usercontent/en/download/code/2015-05-
05_Corporate_Governance_Code_EN.pdf
Grant Thornton. (2009). Enterprise risk management: Creating value in a volatile economy. Chicago: Grant
Thornton LLP.
Haimes, Y. (1992). Toward a Holistic Approach to Total Risk Management. The Geneva Papers on Risk and
Insurance Issues and Practice, 17(3), 314-321.
HGB. (1897). http://www.gesetze-im-internet.de. Retrieved June 16, 2016, from http://www.gesetze-im-
internet.de/bundesrecht/hgb/gesamt.pdf
ICGN. (2014). ICGN Global Governance Principles. London: International Corporate Governance Network.
ICGN Risk Oversight Committee. (2015). ICGN Guidance on Corporate Risk Oversight. London: International
Corporate Governance Network.
IIA. (2013). Risk Management: Easy as 1 … 2 … 3. The Institute of Internal Auditors.
Korus, M. (2009, July 17). Corporate Risk Management and Compliance. Bucerius/WHU.
KPMG. (2009). Retrieved June 15, 2016, from
https://www.kpmg.com/PT/pt/IssuesAndInsights/Documents/erm22432PHL.pdf
McShane, M., Nair, A., & Rustambekov, E. (2010). Does Enterprise Risk Management Increase Firm Value?
Journal of Accounting, Auditing, and Finance.
Meulbroek, L. (2002). A senior manager's guide to integrated risk management. Journal of Applied Corporate
Finance, 14(4), 56-70.
Monda, B., & Giorgino, M. (2013). An ERM Maturity Model. ERM Symposium 2013 . Chicago: Politecnico di
Milano - Management, Economics and Industrial Engineering Department.
Nocco, B., & Stulz, R. (2006). Enterprise Risk Management: Theory and Practice. Journal of Applied Corporate
Finance, 18(4).
Norton Rose LLP. (2011). Retrieved June 16, 2016, from http://www.nortonrosefulbright.com/files/german-stock-corporation-act-2010-english-translation-pdf-59656.pdf
OCEG. (2015). OCEG Red Book GRC Capability Model 3.0. Arizona: OCEG.
OECD. (2014, April 01). Risk Management and Corporate Governance. OECD.
Paape, L., & Speklé, R. (2012). The Adoption and Design of Enterprise Risk Management Practices: An
Empirical Study. European Accounting Review, 21(3), 533-564.
Pagach, D., & Warr, P. (2010, April). The Effects of Enterprise Risk Management on Firm Performance. North
Carolina. Retrieved July 14, 2016, from http://ssrn.com/abstract=1155218
RIMS. (2011). An overview of widely used risk management standards and guidelines. Risk and Insurance
Management Society, Inc. (RIMS).
Standard & Poor’s. (2008, May 7). Retrieved June 15, 2016, from
http://www.logicmanager.com/pdf/ERM_for_corporate_ratings.pdf
The Institute of Internal Auditors (IIA). (2009, January). Retrieved June 15, 2016, from https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf
Walker, P., Shenkir, W., & Barton, T. (2002). Enterprise Risk Management: Pulling it all together. Institute of
Internal Auditors Research Foundation.