adds is visible in many areas of business and life, including fitness and sports. Over the past few decades, many disciplines have experienced greater effectiveness through integration. Take the example of cross-training in fitness. By integrating cardiovascular workouts with strength training, flexibility, and endurance, athletes can prevent and rehabilitate injuries as well as enhance strength and power. Similarly, the integration of various fighting styles into mixed martial arts (MMA) has added value to centuries-old practices and beliefs. Whereas martial artists once argued about which style was superior, the emergence of MMA has changed their attitude. Mixed martial artists combine karate, kung fu, jujitsu, tae kwon do, wrestling, and multiple other fighting styles, allowing them to adapt to any situation. This gives them a significant advantage over a fighter trained in a single style.
So too, integration of ERM into business strategy leads to more informed and effective decisions. In fact, I believe the integration of strategy and risk is the next frontier in ERM, as it allows a company's board and management to understand and challenge the underlying assumptions and risks associated with their business strategy. Expanding technological capabilities have put this within the grasp of most companies. System integration allows for enterprise-level data management, robust business and data analytics, straight-through transaction processing, and more effective reporting and information sharing.
According to a 2013 Deloitte study, 81 percent of the executives surveyed now have an explicit focus on managing strategic risks, in contrast to the traditional focus on financial, operational, and regulatory ones.[6] The study suggests a reason, too: Strategic risks represented approximately 36 percent of the root causes when publicly traded companies suffered significant market value declines over the past 10 years. This was followed by external risks (36 percent), financial risks (17 percent), and operational risk (approximately 10 percent).[7]
WHERE ERM IS NOW
The numbers show that corporations around the world are recognizing risk management as a priority and moving toward integrated ERM. The 2013 Deloitte Global Risk Management survey indicated that 83 percent of all global financial institutions have an ERM program or are in the process of implementing one, up from 59 percent in 2010.
As a management framework, ERM has been more widely adopted than other management frameworks (e.g., reengineering, balanced scorecard, total quality management). Organizations with established ERM programs have realized and reported significant benefits. For example, 85 percent of financial institutions that had ERM programs in place reported that the total value derived from their programs exceeded costs.[8] Three quarters of today's executives feel that their ERM programs provide significant value compared with merely half in 2008.
As ERM adoption has increased over the past several years, the CRO has grown in stature. The 2013 Deloitte Global Risk Management survey indicated that 89 percent of global financial institutions had a CRO or equivalent position. Moreover, 80 percent of the institutions said their CRO reports directly to the CEO and has a formal reporting relationship with their board, up from about 53 percent in 2010.
Outside the financial sector, it's a different story, however. A 2012 paper produced by McKinsey & Company[9] pointed out that, unlike financial institutions, most corporates still do not have a CRO, leaving the de facto role of risk manager to the CFO. Furthermore, the goals for ERM improvement vary between the two sectors. Financial institutions are keen to improve their risk culture, IT, and data infrastructure while corporates focus on improving risk-related decisions and processes. Still, the frequency and heft of the CRO are growing throughout all sectors.
Board involvement in ERM has increased as well, particularly since the global financial crisis. Several surveys indicate that risk management has replaced accounting issues as the top concern for corporate boards. Approximately 80 percent of boards now review risk policies and risk appetite statements.[10]
Although ERM has made significant progress over the past decade, much remains to be done. In a sense, the global financial crisis was the ultimate risk management “stress test.” Many organizations failed, and even those with established ERM programs reported mixed results. Today, organizations appear to understand the need for change. Deloitte's 2013 survey reported that 94 percent of organizations have changed their approach to strategic risk management over the previous three years. Companies cite cultural issues and integrating data across the organization as the two biggest stumbling blocks to improvement.[11]
WHERE ERM IS HEADED
With ERM's role increasing within organizations and across industries, the roles of the board and upper management have to adapt. Certainly, the CRO bears the brunt of this change, but the CEO, CFO, and board of directors all find that ERM is taking a more prominent position in their priorities. Here's how these parties will increasingly work together as ERM becomes embedded in corporate culture.
The CRO carries the central responsibility of ensuring that each gear in the ERM process is meshed and moving properly. He or she develops the risk appetite statement (RAS) in collaboration with the CEO and the CFO to ensure that it complies with regulations, current markets, and the organization's business strategy and objectives. The CRO monitors the risk climate, ensures compliance with regulations, sees that the firm operates within its risk appetite, and keeps the CEO and the board of directors well informed through established reporting processes.[12]
The CEO in turn sets “the tone from the top” in words and actions. He or she sets the appropriate business and risk management objectives, holds organizational leaders accountable for their decisions and actions, and ensures that a strong risk culture is in place. The CFO is responsible for incorporating the RAS into financial decision making, including investment, funding, and hedging strategies. If risk exposures exceed the RAS, the CFO, along with the CRO, must take mitigating action and bring it to the attention of the CEO and board.
Finally, the board of directors provides risk governance, independent oversight, and credible challenge. It reviews the RAS for compatibility with the organization's goals, approves it, and holds senior management accountable for its implementation. The board monitors the business plans against the RAS to check if they are aligned. The board also provides oversight of key business, regulatory, and reputational risk issues, as well as monitors the organization's ERM effectiveness and risk culture.
As we've seen, ERM is providing value for a large number of corporations despite its current challenges. But it is my view that we're really just beginning to see how much value ERM can offer. In less than a decade, risk management has risen to the top of corporate agendas for senior management and the board across all industry sectors. What form are these efforts taking? This question will be the focus of the next chapter, in which we'll take a deeper look at the economic, financial, and cultural drivers that are changing the face of enterprise risk management.
CHAPTER 2
Key Trends and Developments
INTRODUCTION
The world of risk management fundamentally changed in late 2007 with the onset of the global financial crisis. Longstanding financial institutions such as Lehman Brothers and Washington Mutual were left to fail, while many other banks and non-banks received bailouts from nervous national governments around the world. It was clear that excessive debt and fatally compounded risks were the primary drivers of the crisis. What's more, a relatively strong global economy had disguised the fact that many institutions were betting on unsustainable levels of growth in pursuit of greater market share and increased profitability. In this chapter, we'll review the lessons learned from the financial crisis and other corporate disasters, and how the practice of enterprise risk management has fundamentally changed.
LESSONS LEARNED FROM THE FINANCIAL CRISIS
The economic landscape that emerged following the Great Recession was vastly different from what existed prior to the 2007–2008 period. Regulators demanded that banking institutions