When the question of whether ERM is a success or failure comes up, it raises a further question: Why aren’t companies doing a better job of measuring the value it generates?
The reasons that the value of ERM is not quantified by companies include:
- It is extremely hard to know when a loss did not happen because of ERM.
- It is just as hard to quantify the cost of loss that did not happen.
- It is difficult to quantify the “soft” benefits of enhanced reputation because ERM is practiced or because of improved strategic alignment in the organization; ERM requires an understanding of the company’s strategic goals and objectives to identify the risks that might derail their achievement.
- It is often hard to justify the time and expense of measuring something that is not easy to measure.
Having acknowledged some of these obstacles, the only way that companies will know if their ERM efforts are successful is to create some measurement scheme that makes sense for their particular situation. Without measurement, how would a company know not only if it wants to continue an ERM implementation but also how much to invest in it.
Let us look at a few possible approaches to measuring the value of ERM:
Once an ERM process has gained some level of maturity in an organization, this approach would take the form of looking at fairly common and reliable metrics on a before-ERM and after-ERM basis. (There are ERM maturity models, developed by experts, that can be used to evaluate how far along the path to full or optimal implementation a company has progressed.) In fact, each of the approaches described would only be reasonable if the ERM process had been in place and well-executed for some period.
Naturally, there will multiple variables, not just the practice of ERM, that play into these metrics, but that is true for most metrics, and explanations can and should accompany the numbers to explain such variables.
Such metrics would include: 1) number of insurance claims, 2) number of worker injuries, 3) number of lawsuits related to a risk/loss events, 4) number of days or hours production is lost because of a risk/loss event, 5) cost of insurance and 6) total cost of risk (TCOR). Thus, when reviewed before and after ERM, the metrics can be charted to show absolute changes in value as well as trend lines. It might even be possible to notice on a relative basis that there are fewer risk-related surprises brought to management’s attention because ERM effectively identified risks while there was still time to deal with them.
Each company will be able to come up with its own unique metrics based on what it is currently capturing, what it could capture and what is important to its business operations.
The value of ERM would be evident or could be computed from the before-and-after metrics.
“What If” Approach
In the “what if” approach, one or more of the most significant risks in the risk register, which did not materialize when expected because of mitigation by the company, would be selected. Perhaps this was a regulatory change that would have harmed a product line, but the company took lobbying efforts or did product redesign because the risk was appropriately identified, prioritized and mitigated.
The amount of the loss that the risk would have likely have produced would be computed. Even if it were an insured loss, the estimate would take into account such things as the potential increase in insurance rates, management time and all other attendant expenses not covered.
Since the risk did not produce a loss, the amount of the “what if” loss is the value of ERM.
Alternatively, a significant loss event that affected key competitors but did not affect the company using ERM could be used to assess value. Perhaps it was a natural catastrophe that the company was better protected for or a demographic shift that the company anticipated and reacted to because of ERM.
To get at ERM’s value, the company would have to approximate what the risk, if ignored, would have cost.
Lacking Any Other Explanation Approach
In “The Valuation Implications of Enterprise Risk Management Maturity,” a wholly independent and peer-reviewed research project conducted by Mark Farrell of Queen’s University Management School and Dr. Ronan Gallagher of University of Edinburgh Business School, published in The Journal of Risk and Insurance, using data from the RIMS Risk Maturity Model, the case is made that, failing any other explanation, the companies with greater maturity have higher valuations because of it. Specifically, the study found that there was “clear and significant statistical correlation between mature enterprise risk management practices and a firm’s value.” Organizations exhibiting mature risk management practices-as assessed with the RIMS Risk Maturity Model-realize a valuation premium of 25%.
Yet another approach that does not rely on metrics, per se, is a discretionary approach. In other words, the board, CEO or C-suite could attribute a value to ERM that is based on the recognition that the ERM process has, for example: 1) created a risk aware culture, 2) helped to identify and ameliorate risk, 3) made recovery from risks that have materialized much faster and more efficiently and 4) enhanced the brand among stakeholders.
The discretionary approach does require that management is involved in the ERM process, has an open mind about its contribution and will articulate its conclusions about ERM’s value so that the entire organization is aware of this assessment. Without management’s giving voice to its success, the question of whether it is a success or failure will haunt ERM.
There are undoubtedly other approaches that could be used. The key point is that companies that have invested in introducing ERM should do so in a vigorous way and should measure and communicate its value. This will ensure that the entire organization maintains a commitment to this important process.