There is always a lot of buzz about “risk appetite statements” and “risk tolerance.” In theory, these sound like a natural launching point for ERM Programs – how can risk managers manage risks without a known goal of what they should be managing towards?
However, the problem with risk appetite is that it is not actionable, thus organizations see very little impact from having perfectly established risk appetite statements that far too many risk managers spend months developing.. As a result, senior management begins to question the value the ERM program is delivering in the early stages.
A recent study in The Journal of Risk and Insurance, using RIMS Risk Maturity Model (RMM) data suggests that organizations with mature and effective ERM Programs see up to 25% higher market value than firms with immature ERM programs.
The RMM is an umbrella framework with a free assessment tool that enables organizations to evaluate the effectiveness and adequacy of an organization’s risk management program, determining where and how their program can improve. The RMM is broken down into seven core attribute sections, each focusing on a different core element of ERM.
In addition to the 25% composite result, the authors were able to study the individual attribute maturity scores to provide a much clearer insight into which attributes in particular appear to be contributing most to ERM.
Here are the results:
- Performance Management – 23% contribution
- ERM Process Management – 20% contribution
- Adoption of ERM Based Approach – 17% contribution
- Root Cause Discipline – 16% contribution
- Uncovering Risks – 15% contribution
- Risk Appetite Management - insignificant
- Business Resilience and Sustainability – insignificant
The challenge with risk appetite is how to implement and enforce it, making it relevant to business units on a day-to-day basis. In other words, linking risk appetite to business decisions and having appropriate business metrics to measure it.
These results show that in order to get the most value from ERM, the processes must be scalable, repeatable, and embedded throughout the organization with accountability. The quality of the process must be monitored and improved by having a clear feedback mechanism throughout an organization, so that issues can effectively be escalated and prioritized. A strong connection between strategic business goals and risk management, and a monitoring and reporting capability to ensure any deviation from stated goals are measured and communicated, is the key to ERM success.
Most organizations think they need to fully develop their ERM program before they are ready for software, but organizations should be approaching this the opposite way. An ERM Content Solution Software like LogicManager, has all the templates and best practices for building an organization’s ERM charter, risk appetite and tolerance, frameworks, roles and responsibilities, assessment criteria, and more, along with a dedicated business analyst to help you mold these to fit your organization and share other best practices.
As a result, you can accomplish the baseline foundation of your program in a fraction of the time with expert guidance to mentor you, so that you can quickly begin working on the attributes of ERM that bring value – significant value – to your organization’s bottom line. All of the aspects that the study showed are crucial for ERM success, such as scalability, repeatability, reporting, and feedback mechanisms, are what ERM Software was designed to do.