ERM's links to financial performance

CFOs are often asked to look at the expense levels of organisational units labelled as cost centres. These are units that do not directly touch the customer or produce a product.

Enterprise risk management (ERM) is generally considered a cost centre. And like most cost centres, it needs to juxtapose the cost of what it does with the value it provides. Working with the CFO and finance function, the chief risk officer (CRO), or someone with equivalent responsibilities, can develop metrics to measure its value to the organisation.

Before-and-after cost comparisons

If the organisation measures the total cost of risk (TCOR) before it implements ERM, it can then measure TCOR after ERM implementation. If it did not measure the TCOR beforehand, it can look at various TCOR components before and after for which data exist. For example:

• Cost of insurance programme, including premiums and fees paid for purchased insurance;
• Cost of paid deductibles, self-insured retentions;
• Cost of insurance reinstatements after certain losses;
• Cost of lost productivity due to accidents and injuries; or
• Cost of replacing people, plants, or equipment due to hazards not insured.

If a robust ERM process has enabled the company to save on any of these costs, then the savings are part of ERM's value. It is important to remember that the value ERM provides can also be measured in terms of the costs or expenses the company can save before actual expenses occur.

Avoiding a strategic loss

The CRO could identify a significant risk while creating or executing some component of the company's strategy; for example, deciding on a geographic expansion or doing due diligence for an acquisition. If the risk is addressed before it arises, the avoidance of the cost of that risk should be considered as value added by ERM.

Consider a situation in which the CRO, through the ERM process, identifies a supply chain risk that the acquisition target, a snack food company, has not disclosed. The risk has flown under the radar of the due-diligence team. Suppose that the acquisition target has almost all the raw food material for its top-selling product coming from a location that has been suffering from flooding. The flooding creates uncertainty about the quality and quantity of the raw food material as well as other uncertainties.

Suppose further that there has been some reputational damage to the acquisition target relating to its payment practices to food growers, which the CRO identifies when looking into the supply chain risk.

Assuming the potential acquirer, the CRO's company, mitigates the risk by requiring the target to locate and contract with new sources of the raw food before the deal is complete, negotiates a better buyout price due to the risk, or scuttles the acquisition, the acquirer will have saved itself major time and expense. Those savings should accrue to ERM.

Share price effect

Share price volatility generally occurs when a public or listed company has a history of events that either causes it to take an unexpected loss in its accounts or damages its reputation. Some sectors have volatility built into the very nature of the sector itself, of course; but to the extent that some companies within the sector have more volatility than others, there must be some differentiating factor. ERM can be that differentiating factor. ERM is designed to reduce surprises, especially negative ones, and to reduce losses in general. Fewer surprises and fewer losses equate to less share price volatility.

In 2016, global insurance broker Aon reported on the effect of a mature ERM process on share price volatility (based on Aon's risk maturity model scores). The report noted a "strong statistical correlation between risk maturity and reduced stock price volatility. This further validates the findings that advanced risk management practices are one of the factors that smooth out volatility in an organisation's stock price," the report said. "... [D]uring periods of plunging equity sentiment, robust risk management practices are essential to an organisation's performance."

The same study also said researchers observed direct correlations between enhanced risk management practices and improved performance in the financial markets. "Working with annual financial results from more than 300 publicly traded companies around the world, our research has found continued correlation between higher risk maturity and improved market performance, profitability, and organisational resiliency," the report said. "These findings continue to emphasise the importance of a robust, integrated, and holistic risk management programme."

Share prices can go up or down for many reasons. Thus, it is hard to pinpoint one factor that helps or hurts. A number of studies have tried to link the practice of ERM to stock performance. One of the earliest such studies, conducted by rating agency Standard & Poor's, linked actual share performance to the effect of ERM. "Standard & Poor's has found that ERM scores correlate with companies' stock performance," the report said. "Although average stock prices declined among all public multiline insurers in 2008, companies with more advanced ERM programmes experienced smaller stock price reductions." Insurers were, not surprisingly, one of the first industries to adopt ERM to better manage risk — underwriting and general business risk.

Another way that a company can measure the value of its ERM relative to share price is to plot its own share price and share price volatility before and after adoption of a robust ERM process. Although ERM may not be the only causation of such movement, there is reason to assume some linkage. To the extent that the result is positive, that can be considered value from ERM.

Some organisations may not feel the need to measure the value of ERM because it makes such good business sense. But in today's data-rich and analytically oriented environment, measuring value will likely be the path most taken.

Al Decker and Donna Galer are authors of two books on enterprise risk management, including Enterprise Risk Management: Straight to the Value. To comment on this article or to suggest an idea for another article, contact Neil Amato, an FM magazine senior editor, at Neil.Amato@aicpa-cima.com.