Enterprise Risk Management
A qualitative study of ERM effectiveness and value in non-financial DAX-30 companies
A thesis submitted to the Bucerius Master of Law and Business Program in partial fulfilment of the
requirements for the award of the Master of Law and Business (“MLB”) Degree.
Pierina Villanueva July 22, 2016
13.711 words (excluding footnotes)
Supervisor 1: Prof. Dr. habil. Stefan Prigge
Supervisor 2: Frank Schlüter
I. Table of Contents
I. Table of Contents ... 2
II. Acknowledgement ... 3
III. Abstract ... 4
IV. List of Abbreviations ... 5
V. List of Figures ... 6
VI. List of Exhibits ... 7
1.1 Problem definition ... 8
1.2 Research objective ... 9
2. Literature Review ... 12
2.1 Origins of ERM ... 12
2.5.5 ERM Value ... 36
3.1 Selection of target survey respondents ... 38
3.2 Data collection process ... 40
3.3 Elaboration of the questionnaire ... 42
4. Data analysis and research findings ... 44
6. Limitations and suggestions for further research ... 72
VII. Annex ... 73
VIII. Bibliography ... 81
II. Acknowledgement
I would like to express my gratitude to all those who supported me while working on this thesis and contributed to its completion.
First of all, I would like to thank my supervisor Frank Schlüter, who gave me first-hand awareness of and insight into the topic. Additionally, I would like to thank my supervisor Dr. Stefan Prigge for suggestions and guidelines that helped me in addressing the underlying topic of this thesis.
Moreover, I would like to give my special thanks to the respondents of the survey for dedicating part of their valuable time and providing insightful information.
I am deeply grateful to my family (Gemma Pierina, Jorge Isaac and Jorge Antonio), who are the main source of motivation in my life.
Especially, I would like to thank Francesco Louis, who has been my loyal companion during the last 7 years. The completion of this master thesis would not have been possible without his daily vigorous support and words of encouragement.
I personally hope that this master thesis will be the first of many of my forthcoming working papers concerning this passionate topic of Corporate Governance and Risk Management.
III. Abstract
The world-wide Financial Crisis of 2009 demonstrated the wide-spread existence of deficient Enterprise Risk Management (ERM) among global corporations. While there has been a strong willingness and effort on the part of companies to correct existing ERM deficiencies, this daunting task certainly cannot be done without the absorption of corporate resources. Thus, it is important for companies to have reasonable assurance that their efforts and non-trivial investment in increasing ERM effectiveness protect and enhance firm value. Through the use of a sophisticated qualitative expert survey, this study reveals that non-financial DAX-30 corporations are mostly following a compliance-oriented ERM approach instead of a strategy-oriented and value-driven ERM approach in their efforts to increase ERM effectiveness. Interestingly, the findings show that the sole adoption of a centralized ERM function, the “Three Lines of Defence” model and external ERM monitoring ensures neither high levels of ERM capability in key Risk Management activities nor ERM success in achieving strategy-oriented and value-driven goals. Furthermore, a cross-analysis of the results between non-financial DAX-30 companies and risk oversight policy-makers reveals the need to change the focus from compliance to the achievement of corporate strategic goals and value creation, in order to reasonably assure that companies’ efforts and non-trivial investment in enhancing ERM effectiveness pay off. ERM among non-financial DAX-30 companies is today mostly not linked to corporate strategy, just as it was not linked in the deficient Risk Management systems of the companies that failed during the Financial Crisis of 2009 (OECD, 2014). Therefore, the findings of this study may be taken as a “wake-up call” for a strategy-oriented and value-driven ERM to ensure the overall reliability of ERM systems.
IV. List of Abbreviations
AktG Aktiengesetz
BS British Standard
CEO Chief Executive Officer
CFO Chief Financial Officer
CROCO Corporate Risk Oversight Committee
COSO Committee of Sponsoring Organizations of the
Treadway Commission
DAX Deutscher Aktienindex
ECIIA European Confederation of Institutes of Internal
Auditing
ERM Enterprise Risk Management
ES Expert Survey
EU European Union
FERMA Federation of European Risk Management
Associations
GRC Governance, Risk and Compliance
HGB Handelsgesetzbuch
ICGN International Corporate Governance Network
IIA Institute of Internal Auditors
ISO International Organization for Standardization
and academic research. For instance, scholars highlight that ERM addresses the full spectrum of risks of a company instead of the risks related to a specific area of the business. In this sense, scholars have defined ERM as “a systematic and integrated approach to the management of the total risks that a company faces” (Dickinson, 2001).
In addition, well-known Risk Management standards describe ERM as a process designed to identify potential events that can have a negative (risks) or a positive (opportunities) impact on the achievement of the company’s strategic goals. On the one hand, Risk Management is defined as “the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects” (AS/NZS, 2004). On the other hand, ERM is considered “a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004).
Advisory firms put emphasis on the optimization rather than the elimination of enterprise-wide risks. Thus, ERM “can be defined as an organizational commitment to proactively govern, assess, measure, monitor, mitigate, and optimize enterprise risks. ERM is a process designed to identify potential events that may affect the organization in achieving its objectives, and managing risks within risk tolerances” (KPMG, 2009).
Moreover, board commitment to ERM is highlighted by rating agencies, defining ERM as “an approach to assure the firm is attending to all risks; a set of expectations among management, shareholders, and the board about which risks the firm will and will not take; a set of methods for avoiding situations that might result in losses that would be outside the firm's tolerance; a method to shift focus from “cost/benefit” to “risk/reward”; a way to help fulfill a fundamental responsibility of a company's board and senior management; a toolkit for trimming excess risks and a system for intelligently selecting which risks need trimming; and a language for communicating the firm's efforts to maintain a manageable risk profile” (Standard & Poor’s, 2008).
Finally, international organizations and associations emphasize the link between ERM and the company’s strategy-setting process and strategic goals. Therefore, ERM is described as “a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.” (The Institute of Internal Auditors (IIA), 2009). Additionally, ERM is considered “as a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio” (RIMS, An overview of widely used risk management standards and guidelines, 2011).
Despite the tremendous challenge that organizations, corporations, consulting firms, rating agencies and academic researchers face in agreeing on a single definition of Enterprise Risk Management, a consensus on what ERM constitutes has begun to emerge.
All definitions can be reduced to the following three key elements of ERM. Firstly, ERM assumes that managing the individual risks of the corporation is less effective than managing the risk of the portfolio as a whole. Secondly, ERM incorporates strategic risks (e.g. competitor actions) and not only traditional risks (e.g. product liability). Thirdly, ERM no longer regards risk only as a potential loss or damage that must be mitigated, but also as a potential opportunity that could lead to a competitive advantage (Bromiley, 2014).
2.3 ERM legal requirements
During the past years, the regulatory context for Risk Management has been changing in line with the lessons learned from past Corporate Governance and Risk Management failures, in order to ensure that scandals such as Fukushima, Deepwater Horizon, Enron and Siemens do not happen again (OECD, 2014). In this sense, for the purpose of this study, the present chapter aims to describe the minimum requirements provided by European and German legislation.
2.3.1 ERM under EU Law
On top of German national legislation and local standards, requirements on Risk Management practices can be found in the EU Statutory Audit Directive (Directive 2006/43/EC) and the EU Company Reporting Directive (Directive 2006/46/EC).
The aim of the EU Statutory Audit Directive (Directive 2006/43/EC) is to harmonize statutory audit requirements between the Member States. In this sense, according to Article 41 of the Directive, “each public-interest entity¹ shall have an audit committee”, which “shall monitor the effectiveness of the company's internal control, internal audit where applicable, and Risk Management systems” (European Parliament and Council, 2006).
The EU Company Reporting Directive (Directive 2006/46/EC), on the other side, seeks to facilitate cross-border investments and improve EU-wide comparability and public confidence in financial statements and reports. In this sense, “Companies whose securities are admitted to trading on a regulated market and which have their registered office in the Community should be obliged to disclose an annual Corporate Governance statement as a specific and clearly identifiable section of the annual report. That statement should at least provide shareholders with easily accessible key information about the Corporate Governance practices actually applied, including a description of the main features of any existing Risk Management systems and internal controls in relation to the financial reporting process” (European Parliament and Council, 2006).
¹ The definition of “public-interest entities” in the European Union can be found in Article 2, point 13, of Directive 2014/56/EU.
2.3.2 ERM under German Law
In the case of Germany, the establishment of the Law on Control and Transparency within Businesses (KonTraG) in 1998 was the first legal response to past business scandals. Following this legislation, the German legislator introduced further legal requirements on Risk Management in the German Stock Corporation Act². On the one hand, the Board of Management of stock corporations is obliged, under Section § 91 (2) AktG, “to take appropriate measures, particularly the setup of a monitoring system based on early risk detection, to ensure the continued existence of the corporation”³ (AktG, 1965). Although the term “Risk Management” is not expressly written in the legislation, Section § 91 (2) AktG is interpreted and commonly understood as a requirement for a risk detection system within the economic Risk Management concept (Korus, 2009). On the other hand, under Section § 107 (3) AktG, “the supervisory board may appoint an audit committee in charge of the supervision of the effectiveness of the internal control system as well as the Risk Management system and the internal revision system”⁴ (AktG, 1965).
In parallel, stock corporations must comply with the provisions concerning Risk Management of the German Commercial Code⁵. Firstly, under Section § 289 (5) HGB, “capital market-oriented companies in the meaning of § 264d are required to describe the essential characteristics of the internal control system and the Risk Management system which are related to the accounting processes”⁶. Secondly, under Section § 315 (2) HGB, “essential characteristics of the internal control system and Risk Management system which are related to the accounting processes must be described in the annual report of the corporation, if one of the companies included in the consolidated financial statements is capital market-oriented in the meaning of § 264d”⁷. Thirdly, under Section § 317 (4) HGB, “in case of a stock corporation, it is furthermore necessary to assess within the external audit, whether the Board of Management fulfilled the measures, according to Section § 91 (2) of the German Stock Corporation Act, adequately and if the implemented monitoring system is able to fulfil its tasks”⁸ (HGB, 1897).
Therefore, within German legislation, listed companies are obliged to implement a monitoring system to identify business risks at an early stage and to disclose information about these risks to the market. However, specific reporting requirements in this regard are not provided by the German legislator.
In order to address this matter, the Accounting Standards Committee of Germany (ASCG) has developed a standard on management reporting for all companies and corporations that are required to comply with Sections § 289 and § 315 of the German Commercial Code. The standard contains a reporting element on material opportunities and risks, which includes the disclosure of the risks to which the corporation is exposed, an overview of its risk position as well as information regarding the management system implemented within the corporation. Furthermore, the standard asks the corporation either to quantify the risks in order to rank their importance or to group them into categories of similar risks (ASCG, 2012).
² Also known as “AktG”, the abbreviated form of the German name “Aktiengesetz”.
³ Translated from German. Original version of the article as follows: “Der Vorstand hat geeignete Maßnahmen zu treffen, insbesondere ein Überwachungssystem einzurichten, damit den Fortbestand der Gesellschaft gefährdende Entwicklungen früh erkannt werden”.
⁴ Extract from the article translated from German. Original version of the complete article as follows: “Er kann insbesondere einen Prüfungsausschuss bestellen, der sich mit der Überwachung des Rechnungslegungsprozesses, der Wirksamkeit des internen Kontrollsystems, des Risikomanagementsystems und des internen Revisionssystems sowie der Abschlussprüfung, hier insbesondere der Unabhängigkeit des Abschlussprüfers und der vom Abschlussprüfer zusätzlich erbrachten Leistungen, befasst”.
⁵ Also known as “HGB”, the abbreviated form of the German name “Handelsgesetzbuch”.
⁶ Translated from German. Original version of the article as follows: “Kapitalgesellschaften im Sinn des § 264d haben im Lagebericht die wesentlichen Merkmale des internen Kontroll- und des Risikomanagementsystems im Hinblick auf den Rechnungslegungsprozess zu beschreiben”.
⁷ Translated from German. Original version of the article as follows: “Im Konzernlagebericht ist auch einzugehen auf die wesentlichen Merkmale des internen Kontroll- und des Risikomanagementsystems im Hinblick auf den Konzernrechnungslegungsprozess, sofern eines der in den Konzernabschluss einbezogenen Tochterunternehmen oder das Mutterunternehmen kapitalmarktorientiert im Sinn des § 264d ist”.
⁸ Translated from German. Original version of the article as follows: “Bei einer börsennotierten Aktiengesellschaft ist außerdem im Rahmen der Prüfung zu beurteilen, ob der Vorstand die ihm nach § 91 Abs. 2 des Aktiengesetzes obliegenden Maßnahmen in einer geeigneten Form getroffen hat und ob das danach einzurichtende Überwachungssystem seine Aufgaben erfüllen kann”.
Complementary non-legally binding recommendations and suggestions with regard to Risk Management practices can be found in the German Corporate Governance Code, which is primarily addressed to stock corporations and corporations with capital market access in the meaning of Section § 161
2.5.2.3 Best practice N° 3: External ERM monitoring
According to the ICGN¹³, the Audit Committee should be comprised of non-executive directors, in order to guarantee the protection of shareholders’ interests. Moreover, the majority of the Audit Committee members should be independent, in order to guarantee an unbiased judgement when carrying out their role (ICGN, 2014).
This is also the case for capital market-oriented companies, which shall comply with the new EU Directive 2014/56/EU amending Directive 2006/43/EC on statutory audits of annual accounts and consolidated accounts. According to Article 39, fourth subparagraph of paragraph 1, “a majority of the members of the audit committee shall be independent of the audited entity”. Furthermore, “the chairman of the audit committee shall be appointed by its members or by the supervisory body of the audited entity, and shall be independent of the audited entity” (European Parliament and Council, 2006).
While all members of the Board regularly receive information concerning the Risk Management process and the organization’s major risks and opportunities, the Audit Committee may need to receive further detailed information on risk governance (e.g. steering committees, definition of acceptable and accepted limits, benchmarks, controls and audit) in order to fulfil its role in monitoring the effectiveness of the Risk Management system. Some other specific tasks, such as the review of risk control or mitigation, can be performed by the Risk Committee, if applicable (FERMA & ECIIA, Guidance on the 8th EU Company Law Directive, 2010).
¹³ ICGN was established in 1995 and is led by global investors responsible for assets under management in excess of US$26 trillion. The aim of the organization is to inspire and promote effective standards of Corporate Governance.
An independent external auditor is another body that can provide impartial assurance regarding the implementation of an appropriate and effective Risk Management system. Regardless of which of these external parties checks and monitors the effectiveness of the ERM system, this best practice emphasizes the need for an external, independent body able to provide an objective and unbiased judgement in the matter.
The ICGN guideline¹⁴ on effective Risk Management oversight provides examples of questions to be addressed by the parties in charge of risk monitoring. For instance, these bodies shall raise the question of whether the ERM system of the company is adequate, capable and effective, or whether ERM enables the business model to deliver sustainable profits and long-term value to the organization (ICGN Risk Oversight Committee, 2015).
¹⁴ This guidance is addressed not only to company board members and investors, but also to auditors, risk advisory firms, rating agencies and local and international supervisory bodies.
2.5.3 ERM Maturity
The implementation of ERM does not end with the selection of a design alternative and the adoption of Risk Management ‘best practices’. In order to be aware of the quality and development of the ERM Program, the maturity of the ERM implementation shall be measured. Practitioners, consultancy firms and international ERM standards offer a variety of indicators of ERM maturity (Monda & Giorgino, 2013). However, for the purpose of this study, the maturity model explained in the present chapter is the one designed and presented by the Federation of European Risk Management Associations¹⁵.
FERMA’s risk maturity model includes the following four main risk topics:
Figure N° 4
“FERMA’s RMM topics”
A. Risk governance
B. Risk practices and tools
C. Risk reporting and communication
D. Risk management functions alignment
¹⁵ (FERMA, Keys to Understanding the Diversity of Risk Management in a Riskier World, 2012).
Within the first main topic, “Risk governance”, FERMA’s maturity model assesses to what extent the Board is involved in Risk Management activities. In this regard, the model evaluates the scope of the mandate assigned to the Board, Audit and/or Risk Committee in terms of Risk Management. In addition, companies are asked to assess the independent assurance over the Risk Management system.
Specifically, the mandate of the Board, Audit and/or Risk Committee includes monitoring the effectiveness of the Risk Management system, monitoring and ensuring the compliance of the ERM framework with standards and local regulations, and challenging the company’s risk appetite, the company’s Risk Management strategy, the residual risk exposure and the relevance of existing mitigation actions.
Within the second main topic, “Risk practices and tools”, FERMA’s method assesses to what extent the company’s risk mapping exercise is implemented. Moreover, the model evaluates whether the company uses an improved assessment methodology for risk quantification. In addition, the model assesses whether the risk analysis is formally and systematically linked to the company’s decision-making process.
According to FERMA, risk measurement approaches include risk assessment workshops, internal or external databases (e.g. incidents, losses), value-at-risk simulation models (e.g. Monte Carlo), scenario simulation models, stochastic aggregation models, and benchmarking.
Moreover, strategic decisions considered by FERMA include major projects, strategic planning, investment decisions, contracts/bids, acquisition/transfer decisions, and budget decisions.
Within the third main topic, “Risk reporting and communication”, the model asks whether the company has defined and communicated to all members of the organization a formal Risk Management policy or charter. Furthermore, companies are asked whether risk-oriented information is embedded in decision making at the Board level. Besides that, the extent of external risk reporting is also examined.
Within the fourth main topic, “Risk Management functions alignment”, the method aims to reveal the level of coordination and cooperation between internal areas concerning Risk Management at the organization. Therefore, the model evaluates to what extent coordination between risk functions is in place. Moreover, companies are specifically asked to assess the interaction between the Risk Management and internal audit functions. Finally, the model assesses to what extent Risk Management cooperates with other internal functions.
In order to assess the four categories of the risk maturity model (RMM) designed by FERMA, the multi-criteria approach is based on the following four maturity levels:
Figure N° 5
“FERMA’s RMM levels”
Emerging: low or basic level of RMM
Moderate: intermediate level of RMM
Mature: good level of RMM
Advanced: high level of RMM
The following figure provides a summary of the multi-criteria approach based on the four maturity levels described above:
Figure N° 6
“FERMA’s RMM multi-criteria approach”
Criteria: A. Risk governance; B. Risk practices and tools; C. Risk reporting and communication; D. Risk Management functions alignment.
Advanced: A. fully involved; B. full approach; C. full scope; D. very close relationship.
Mature: A. partially involved; B. partial approach; C. partial scope; D. close relationship.
Moderate: A. involved on a limited basis; B. limited approach; C. limited scope; D. relationship on a limited basis.
Emerging: A. not involved; B. no approach in place; C. non-existent scope; D. no relationship.
2.5.4 ERM Effectiveness
Although the assessment of the maturity of the ERM implementation provides companies with an insight into the quality of the ERM Program, this quality refers to ERM strengths and weaknesses (Ciorciari & Blattner, 2008), rather than ERM effectiveness.
Since ERM does not eliminate risk, an effective ERM is reflected in a better estimate of expected value and in a better understanding of unexpected losses. Thus, the effectiveness of ERM must be assessed in terms of the ability of key risk actors to understand and manage the company’s risk. A better understanding of the firm’s risk enables improved management of risks, and this ensures a better allocation of the company’s resources. Therefore, the confidence of the company’s stakeholders is enhanced despite the occurrence of an unfavourable outcome (Nocco & Stulz, 2006). In this sense, an effective ERM enables the company’s stakeholders to obtain a reasonable assurance of
The achievement of corporate objectives through an effective ERM requires senior management commitment to ERM activities (Walker, Shenkir, & Barton, 2002).
Furthermore, according to a study using survey data obtained from chief audit executives, the leadership of the board and senior management on ERM is not the only critical element for the implementation of ERM. The presence of a chief risk officer, board independence, apparent CEO and CFO support for ERM, the presence of a Big Four auditor and entity size also positively influence the implementation of an effective ERM (Beasley, Clune, & Hermanson, 2005).
The estimation of a multivariate OLS model using data from 156 organizations, to analyse whether specific Risk Management design choices positively affect perceived Risk Management effectiveness, suggests that the frequency of risk assessment, the use of quantitative risk assessment techniques, and the frequency of risk reporting also improve ERM effectiveness (Paape & Speklé, 2012).
With regard to effective ERM oversight, the independence of Supervisory Board members plays a key role. An independent board member provides an objective and unbiased judgement in assessing management actions concerning Risk Management activities. Thus, having independent board members in charge of the review and monitoring of the ERM system is an essential element of the board’s oversight effectiveness (Beasley, Clune, & Hermanson, 2005).
2.5.5 ERM Value
The aim of Risk Management under the ERM approach goes beyond the traditional purpose of reducing total risk. Instead, ERM places more emphasis on strategic risk allocation. In this sense, companies may exploit risks in those areas where a comparative information advantage exists. In contrast, risk exposure may be reduced in areas where companies lack this advantage. This means that risk allocation within the company may depend on the firm’s strengths. As a result of this strategic risk allocation, total risk is not necessarily reduced and may even be increased (McShane, Nair, & Rustambekov, 2010).
Hence, a key question arises: if ERM is not seeking to reduce the company’s total risk, what is it seeking?
The underlying general premise of ERM is that it is designed to provide reasonable assurance in achieving the company’s objectives. Since the ultimate objective of a company is to protect and enhance stakeholder value, ERM enables companies to maximize value. In this regard, value is maximized when management, during the strategy-setting process, efficiently and effectively allocates the company’s resources in order to achieve an optimal balance between growth and return goals and the related risks (COSO, 2004).
ERM creates value by enabling companies to carry out their strategic plan through the embedding of an enterprise-wide risk analysis, which allocates the firm’s resources effectively. Furthermore, the spread of risk ownership under ERM creates an internalized pattern of behaviour at all levels of the organization, which ensures that the risk-return trade-off associated with individual risks is taken into account (Nocco & Stulz, 2006).
An analysis of whether the adoption of Enterprise Risk Management (ERM) has a positive impact on shareholder wealth, carried out by examining equity market reactions to the appointment of a chief risk officer (CRO), reveals that shareholders of large non-financial firms that share certain characteristics¹⁶ respond positively to the implementation of ERM (Beasley, Pagach, & Warr, 2008).
An academic study using Tobin’s Q as a proxy for firm value, based on a sample of large non-financial firms with foreign currency exposures, reveals a positive relation between the use of foreign currency derivatives as an ERM response strategy and firm value (Allayannis & Weston, 2001).
Not only academic studies support the value-driven benefit of ERM. Widely accepted and implemented Risk Management standards also highlight the capability of ERM in driving value. For example, the COSO ERM Integrated Framework states that an effective ERM enhances a company’s ability to balance exposure against opportunity, enhancing its capabilities to create, preserve, and realize value for its stakeholders (COSO, 2016).
¹⁶ These characteristics include volatile earnings, low amounts of leverage, and low amounts of cash on hand.
38
3. Methodology
“Managing risk requires thinking about risk, and
thinking about risk requires thinking about and being
comfortable with uncertainty and randomness”
(Coleman, 2012)
The literature reviewed in the previous chapter presents the framework within which an effective and valuable Risk Management system should operate. Nevertheless, a well-designed ERM implementation does not in itself indicate that the system functions properly, provide a high level of assurance of its effectiveness, or guarantee a value-driven ERM.
The present chapter provides an in-depth description of the methodological tools used in this study. First, the criteria for selecting the target survey respondents that fit the objectives of this study are explained. Second, the data collection process is described. Third, the framework of reference used to draw up the questionnaire is presented.
3.1 Selection of target survey respondents
Since this study focuses on the effectiveness and value contribution of a Risk Management system within a corporation, the first group of target survey respondents comprises risk managers of companies. The objective of this first "Expert Survey" (ES) is to obtain information about the current perception of ERM effectiveness and value among non-financial DAX-30 companies ("how it is" approach).
In addition, this study encompasses a second group of target survey respondents formed by ICGN Corporate Risk Oversight Committee (CROCO) members17, who are investors and risk oversight policy-makers. The purpose of this second "Policy-Maker Survey" (PMS) is to obtain the expected results on the same matters from a policy-maker perspective ("how it should be" approach).
Participating companies are selected on the basis of several Risk Management-oriented criteria. First of all, company size is one of the criteria to consider when selecting "target companies". The bigger the company, the more complex it becomes, and this complexity leads in turn to a more complex decision-making process for attaining strategic business goals.
Another factor is the company's financial performance. Creation of value immediately brings to mind long-term business growth in revenues and profits. Therefore, it can be expected that companies in good financial health place more emphasis on identifying drivers of value.
Capital-market exposure is also taken into consideration when selecting the target companies. Companies exposed to capital markets face a high level of accountability and transparency. Thus, it can be expected that a solid Risk Management system underpins these key capital-market requirements.
Since one of the objectives of this study is to analyse whether a correlation exists between international Risk Management 'best practices' and the effectiveness / value contribution of the Risk Management program, the company's international presence is also an element of the selection criteria. Companies playing in an international market may be aware of the Risk Management standards, guidelines and 'best practices' described in the previous chapter, in view of the need to strengthen their international competitiveness to preserve their position in the global market.
17 ICGN Corporate Risk Oversight Committee (ICGN CROCO), driven by ICGN members with broad and recognized Risk Management-oriented experience, encourages the effective oversight of Risk Management as well as the appropriate reflection of risk in corporate strategy.
In addition to the factors described above, it is also desirable to include non-financial companies that voluntarily implement the three Risk Management 'best practices' described in chapter 2.5.2.
It is also considered reasonable to select only companies subject to the same legal and regulatory framework, so that a fair comparison of the questionnaire results can take place. Therefore, companies belonging to the insurance and banking sectors are not considered, since they must comply with a different set of legal provisions and regulatory standards for Risk Management practices.
In order to select the jurisdiction of the companies, a study conducted by FERMA in 2012 about the impact of the EU 8th Directive on European companies is taken into consideration, since it is desired that the target group of companies operates within a solid Risk Management legal framework. According to the study, German companies are overall the least impacted, due to the relatively higher maturity of their Risk Management practices (FERMA, 2012).
In line with the Risk Management-oriented selection criteria described above, the target sample of the "Expert Survey" comprises nineteen non-financial DAX-30 companies.
3.2 Data collection process
The data collection process of this study consists of two main stages. On the one hand, publicly disclosed Risk Management information is gathered and analysed and, on the other hand, ad hoc questionnaires are conducted. The analysis of survey data is based on the interplay between survey results from non-financial DAX-30 companies and from ICGN CROCO members.
Figure N° 7
“Data collection process”
In the first stage, overall Risk Management information is gathered by conducting a comprehensive review and analysis of the target companies' annual reports. As part of this review, public information concerning Risk Management strategy, process and overall practices within the target companies is collected.
In the second stage, the information gathered in the first stage is used to generate and conduct an online "Expert Survey" addressed to risk managers or their equivalent within the target companies. Risk managers of the target companies, based on their "Expert judgement", are asked to answer 10 Risk Management-oriented questions in order to provide a benchmarking analysis of ERM Programs across non-financial German companies.
In parallel to the "Expert Survey", the online "Policy-Maker Survey" addressed to members of the ICGN CROCO is developed and carried out.
[Figure N° 7 content: Analysis of risk management information (annual reports review) feeds the "Expert Survey" (risk managers, "how it is" approach) and the "Policy-Maker Survey" (ICGN members, "how it should be" approach).]
Data analysis and research findings are based on twelve survey responses from the group of nineteen target companies, which is taken to constitute a representative sample.
3.3 Elaboration of the questionnaire
The "Expert Survey"18 is compiled taking into account the review of publicly disclosed Risk Management-oriented information of the target companies as well as well-known international reports on Risk Management. The FERMA Risk Management benchmarking survey, the FERMA European Survey on ERM maturity and the global enterprise Risk Management surveys conducted by the Risk Management Society (RMS) and by other international Risk Management-advisory firms such as Deloitte and EON make up the framework of reference from which the set of questions is drawn up.
The questionnaire is organized around the following dimensions:
Figure N° 8
"Survey dimensions"
A. ERM Program general information
B. ERM Program effectiveness
C. ERM Program value contribution
D. Information about metrics
18 See Exhibit N° 16 of the Annex.
The aim of the “ERM Program General Information”
dimension is to gather general information from the target
companies about the overall stage of ERM Maturity, the level
of compliance with the three Risk Management ‘best
practices’ described in Chapter 2.5.2 and the overall
motivations and targets for implementing an ERM Program.
Within the “ERM Program Effectiveness” dimension,
companies are asked to assess the capability of their ERM
program as well as to evaluate the main impediments to an
effective ERM Program.
The “ERM Program Value Contribution” dimension
comprises questions regarding, on the one hand, the level of
success in achieving internal as well as external Risk
Management strategic objectives and, on the other hand, the
main impediments to measuring ERM value.
Last, within the “Information about metrics” dimension, risk
managers are asked to provide specific examples about the
metrics used to measure ERM effectiveness and value
contribution.
The “Policy-Maker Survey” questionnaire follows the
structure and content of the “Expert Survey” questionnaire.
However, the formulation of the questions, as expected,
differs.
4. Data analysis and research findings
“For those organizations that choose to weather this
economic storm with the aid of ERM, the benefits of
their efforts today will likely remain long thereafter.”
(Grant Thornton, 2009)
The present chapter reports the findings of the “Expert
Survey” and “Policy-Maker Survey” conducted for the
purpose of addressing the questions and accomplishing the
objectives of this research described in the introduction.
Furthermore, a cross-analysis of the findings of both surveys
is provided in order to present the gap between the actual
elements which define the perception of ERM effectiveness
and value among non-financial DAX-30 companies and the
expected results of a representative risk oversight policy-
maker.
Within the first dimension of the questionnaire, "ERM general information", non-financial DAX-30 companies were first asked to give information about the stage of ERM maturity in their organizations. The analysis follows the ERM Maturity Model provided by FERMA, which is described in chapter 2.5.3. For the purpose of this study, companies were asked to report separately on "Risk governance"; this matter is addressed in the question concerning the adoption of the third Risk Management "best practice". The aim of this separation was to obtain detailed evidence about the independent assurance over the Risk Management system.
With regard to the category "Risk practices and tools" of the ERM maturity model, the majority of the surveyed companies (67%) ranked ERM at a mature level. This means that most of the companies may have implemented a Risk Management approach at the global corporate level and may use improved risk measurement approaches19 to assess their risks, although advanced quantification tools may mostly not be in place. Furthermore, most of the companies' major decisions may be only partially embedded with a risk analysis.
The remaining 33% of the surveyed companies reported an advanced level of ERM maturity, meaning that risk mapping may take place from the corporate level down to divisions and business units, advanced quantification tools for risk assessment may be used, and major corporate decisions may systematically include a risk analysis.
With regard to the category "Risk reporting and communication" of the ERM maturity model, 83% of the surveyed companies indicated an advanced level of ERM maturity, meaning that a formal internal and external risk reporting policy, communicated enterprise-wide, may be in place. Moreover, most of the surveyed companies may use risk-oriented information as an input for the decision-making process of the Board.
Finally, with regard to the category "Risk Management functions alignment" of the ERM maturity model, 75% of risk managers ranked ERM at an advanced level. This indicates that strong cooperation and flow of information between Risk Management and other areas, which strengthens the companies' ability to avoid Risk Management silos, may be in place. Another 17% of risk managers said that their company is at the mature level of ERM maturity concerning the alignment of its Risk Management functions. This indicates that the Risk Management function of almost all surveyed companies may have at least a close relationship with the company's internal audit function.
19 Improved risk measurement approaches are explained in chapter 2.5.3.
In terms of ERM maturity level, the surveyed companies overall described themselves as tending towards an advanced level. This first result of the "Expert Survey" provides the basis on which the analysis of the research findings takes place. The subsequent benchmark analysis therefore uncovers the characteristics and components of apparently top-performing enterprise Risk Management programs at an advanced stage of ERM.
Exhibit N° 1
“ES - ERM maturity”
The next three questions, which also belong to the first dimension "ERM Program general information", reveal whether or not the surveyed companies have adopted the Risk Management 'best practices' described in chapter 2.5.2.
With regard to the first Risk Management "best practice"20, which suggests that the ERM Program shall be operated in an integrated, holistic approach, most surveyed companies revealed that they have created a central corporate unit in charge of the conduct, support and control of the Risk Management strategy within the organization.
20 See Best practice N°1 described in chapter 2.5.2.1 of this study.
In addition, most surveyed ICGN CROCO members supported the idea that the implementation of a holistic approach has a considerably positive impact on ERM effectiveness and value. Moreover, one-third of them stated that this best practice influences ERM success to a great extent21.
Among the surveyed companies that have assigned a
central unit to carry out ERM, half of them have either
created a centralised Risk Management unit or have
appointed the corporate risk function to another corporate
central unit, such as the Department of Finance.
Although 83% of the surveyed companies hold a central unit responsible for ensuring and monitoring a consistent and comparable Risk Management model across the organization, less than half reported having implemented a unit that is not only centralised but also independent in charge of the enterprise-wide risk function.
Moreover, only one-third of surveyed companies stated that they have implemented ERM within the Governance, Risk & Compliance approach recommended by the OCEG.
21 See Exhibit N° 10 of the Annex.
Exhibit N° 2
“ES – Integrated ERM approach”
When companies were asked about the second Risk Management "best practice", regarding the implementation of the "3 Lines of Defence" Model suggested by FERMA, 92% of them stated that they have this structure22 in place.
Half of ICGN CROCO members considered that the implementation of the "3 Lines of Defence" Model significantly increases the effectiveness and value of ERM in the organization. Another third of them agreed with this statement, although only to some extent23.
22 See Best practice N°2 described in chapter 2.5.2.2 of this study.
23 See Exhibit N° 10 of the Annex.
Exhibit N° 3
“ES – 3 Lines of Defence Model”
With regard to the third Risk Management "best practice", which emphasizes the external monitoring of ERM24, surveyed companies were asked to indicate to what extent the ERM Program is checked and monitored by external parties, such as independent supervisory board members (Audit Committee) or an external auditor.
All survey respondents reported that the ERM Program is reviewed and monitored by both independent supervisory board members (Audit Committee) and an external auditor. This result also addresses the "Risk governance" topic of the Risk Maturity Model. In this sense, it supplements the findings on the other three topics of ERM maturity and is consistent with the observation that surveyed companies mostly describe themselves as tending towards an advanced stage of ERM.
Moreover, 67% of the surveyed companies' ERM Programs are reviewed to a great extent by an external auditor, while the other 33% declared that the external auditor evaluates the company's Risk Management system only to some extent.
24 See Best practice N°3 described in chapter 2.5.2.3 of this study.
When assessing the risk monitoring role of independent supervisory board members within the surveyed companies, the opposite occurs: only 33% of the ERM Programs are monitored to a great extent by independent supervisory board members, compared to 67% of ERM Programs that are also monitored by them, but only to some extent.
Most ICGN CROCO members (67%) stated that an objective and unbiased opinion from an external, independent body about the Risk Management system influences the effectiveness and value of ERM to a great extent. In addition, 17% of them supported the idea that this best practice enhances the success of ERM25, but only to some extent.
Exhibit N° 4
“ES – External ERM monitoring”
With the aim of gathering further general information about the ERM Programs of the surveyed companies, risk managers were asked to rate a variety of motivations and targets linked to their Risk Management strategy.
Not surprisingly, risk managers pointed out the need to comply with regulatory and non-regulatory standards and 'best practices' as the most common primary motivation for implementing an ERM Program. 'Meeting regulatory requirements' as well as 'Corporate Governance and Risk Management 'best practices'' were both mostly rated as the main drivers for ERM Program implementation (75%). Moreover, the other 25% of the surveyed companies also stated that they are driven by these motivations, although only to some extent.
This result is consistent with the fact that an increasing number of companies have voluntarily adopted Risk Management standards and guidelines in recent years in order to keep up with the most recent and well-known international 'best practices'.
25 See Exhibit N° 10 of the Annex.
In contrast, ICGN CROCO members stated that ERM shall be driven by the internal need to improve performance & decision making and that ERM shall be encouraged within the "tone at the top" approach26. In addition, secondary drivers of ERM shall include shareholder pressure and the improvement of Corporate Governance/'best practices'27. Yet only half the surveyed companies reported "Improved performance & decision making" and "Board directive" as their primary drivers, and roughly the other half reported them as secondary drivers.
Shareholder and peer/stakeholder pressure as well as rating agency and financial institution requirements were in general reported by the surveyed companies to be drivers for implementing an ERM Program only to some extent.
As expected, the need to meet regulatory requirements was not only ranked as the most common primary motivation but also as the most common target of ERM (83%).
26 Term used to point out the need for management's leadership and commitment towards ERM implementation.
27 See Exhibit N° 11 of the Annex.
Half of ICGN CROCO members, on the other hand, expressed a contrary position, stating that regulatory requirements shall by no means be an ERM target. According to ICGN CROCO members, ERM shall mainly be set up to enable risk-based decision making and to drive value creation for the organization. Although, in general, companies reported that linking Risk Management with the decision-making process was another main ERM objective, they stated that it was not as important as meeting regulatory and legal requirements. Furthermore, less than half the risk managers indicated value creation as the main goal of ERM at their organizations.
Other goals that were mostly not reported as main ERM targets include managing the total cost of risk (TCoR) and managing volatility of earnings and other key financial indicators. Moreover, half the risk managers reported that they are not seeking to manage the total cost of risk at all.
These results suggest that strategy-oriented and value-
driven factors are neither the main source, nor the main aim
behind the implementation of ERM at non-financial DAX-30
companies. Considerable work remains to be done to build
up awareness of the importance of the alignment between
Risk Management and corporate strategy & firm value in
order to move from a compliance-oriented Risk Management
to a value-oriented risk approach.
Since the findings indicate that regulatory and non-regulatory Risk Management standards are the companies' main source of motivation to implement and strengthen their ERM, it seems quite challenging to expect the companies to address the matter on their own initiative. Therefore, either regulators or international organizations, or both, may take a leading role. A wide range of company- and country-specific characteristics might be taken into account when assessing whether the regulatory or the voluntary approach is the optimal strategy to put in place. For example, risk culture might play a key role. Companies within an existing and solid risk-oriented business environment, such as the target companies of this study, might respond better, and voluntarily, to non-regulatory standards given their need to maintain or gain market competitiveness. However, regulators will need to follow up on the work of international organizations in order to provide the minimum legal requirements that speed up progress.
Looking ahead, the forthcoming COSO ERM Aligning Risk with Strategy and Performance Framework seems to arrive at an opportune time to encourage companies to raise awareness about the matter. COSO has already announced that the aim of this tool is to show how business growth and performance can be enhanced by linking strategy and objectives to both risk and opportunity. Furthermore, it was also announced that the new framework would show a clear path to creating, preserving, and realizing value through ERM (COSO, 2016).
Exhibit N° 5
“ES - ERM motivations & targets”
Legend for Exhibit N° 5
Motivations
A Regulatory requirements
B Rating Agency/Financial Institutions requirements
C Shareholder pressure
D Peer/Stakeholder pressure
E Corporate Governance/Best practice
F Improved performance and decision making
G Board Directive
Targets
H Enable risk-based decision making
I Drive value creation for the organization
J Manage Total Cost of Risk (TCoR)
K Manage volatility to earnings and other key financial metrics
L Meet regulatory requirements
Within the second dimension of the survey, "ERM Program effectiveness", the capability of the ERM Program in different Risk Management-oriented activities was assessed.
Risk managers were most likely to consider ERM as moderately capable in executing overall Risk Management-oriented activities, although 58% of risk managers said ERM was not too capable in linking Risk Management with corporate strategy.
In anticipating and managing emerging risks, most surveyed companies reported being moderately capable (67%). Only 17% of risk managers assessed their ERM Program as very capable at identifying new threats.
Although a greater number of surveyed companies (25%) assessed ERM at their organizations as very capable in taking action on identified important risks, nearly 70% of risk managers still rated ERM as only moderately capable in conducting mitigating actions.
Similarly, 75% of all respondents reported their ERM as moderately capable in strengthening risk culture.
A larger share of ERM Programs (33%) was ranked as not too capable in instilling awareness of risk in decision making. However, most of the surveyed companies (58%) still assessed ERM as moderately capable in this regard.
In contrast, when it comes to linking Risk Management with corporate strategy, more than half of the surveyed companies (58%) reported ERM as not too capable.
These results indicate that the ERM process is mostly not integrated into the strategy-setting process at the organizations. Thus, corporate strategic decisions may be barely based on risk information, which ends up increasing uncertainty and endangering the execution of the company's strategic plan and the achievement of the associated strategic goals.
For an ERM to be assessed as effective and value-driven, ICGN CROCO members unanimously expected that ERM enhance to a great extent the company's ability to link Risk Management with corporate strategy and to instil awareness of risk in decision making, which are precisely the activities that non-financial DAX-30 companies seem to be least capable of28.
28 See Exhibit N° 12 of the Annex.
Exhibit N° 6
“ES – ERM Program Capabilities”
Legend for Exhibit N° 6
A Anticipating and managing emerging risks
B Taking action on identified important risks
C Linking Risk Management with corporate strategy
D Instilling awareness of risk in decision making
E Strengthening risk culture
The second dimension of the survey, "ERM Program effectiveness", is supplemented with an assessment of the main impediments to an effective ERM Program. This assessment reveals that embedding a risk-aware culture within the organization is, overall, the main obstacle to achieving greater ERM effectiveness. Half of ICGN CROCO members agreed with the statement that risk culture seems today to be the main impediment to increasing ERM effectiveness29.
Two thirds of surveyed companies reported that establishing a risk-oriented culture is overall the major impediment to enhancing the effectiveness of ERM at their organizations. Whereas most risk managers previously said ERM is moderately capable in strengthening risk culture, they revealed through this assessment that more needs to be done in this regard in order to increase ERM effectiveness.
29 See Exhibit N° 13 of the Annex.
Not surprisingly, risk culture reflects the values, norms and behaviours shared by all members of an organization, which govern the attitude they have towards the company's risks, and this influences the effective implementation of the company's strategic plan and the achievement of the