Internal Audit, Risk, Business & Technology Consulting

Actionable Insights Into Implementing Your Advanced ERM Programme

Protiviti ERM Readiness Assessment Survey 2019

ERM: ADVANCING TO LEADER STATUS

Introduction

Many organisations of varying sizes and across industries have implemented Enterprise-wide Risk Management (ERM) programmes that aim to provide management and the board of directors with information on risks and opportunities that may influence decision-making and business performance.

With growing market volatility and complexity, increased speed of changes and greater pressure from investors, stakeholders and regulators, firms are seeking more value from ERM practices. Forward thinking organisations are aware that added value can be created by evolving the ERM approach into a tool for strategy setting, driving objectives and managing business performances, as also recommended by the COSO Enterprise Risk Management Framework published in 2017.

ERM integration with strategy and performance becomes a reality when risk identification, quantification, management and monitoring activities are performed during the evaluation and selection of strategic options, the development of strategic and business plans, and the execution of those plans. This focused integration allows management and the board to make relevant and timely decisions based on “risk-return” considerations. Without it, ERM remains an appendage, which reduces its impact. However, few companies have achieved the ultimate goal of fully integrating ERM into strategy setting and performance management, and those that have still demonstrate areas for improvement.

In response to requests, coming from many companies, for a practical tool to assess the progress of their journey towards improved ERM, Protiviti has developed a proprietary readiness assessment methodology that focuses on the evaluation of the maturity level of ERM integration with strategy setting and performance management (thus aligning with the COSO view), and helps firms identify areas for improvement and develop a roadmap to move the ERM journey forward. When adopted by several companies, our methodology can also serve as a benchmark of ERM practices in place among peers.

Accordingly, in 2019 Protiviti surveyed 63 companies with an existing ERM framework in place, of varying sizes, industries and countries.

Chief Risk Officer and C-suite-level respondents assessed several ERM best practices related to the following pillars: risk governance, risk appetite, risk culture, and how ERM supports the evaluation of strategic options, strategic planning and forecasting, and strategy and business execution.

Based on the level of sophistication of the implemented practices, companies were positioned on the Protiviti ERM Readiness Quadrant, which identifies ERM leaders — defined as those companies that present a very robust integration of their ERM frameworks with strategy setting and performance management — as well as less advanced clusters of organisations that are moving their existing programmes forward.

This report explains the proprietary Protiviti ERM Readiness Assessment Methodology that has driven the survey, and continues with a summary of key findings, highlighting areas of improvement and action plans to be adopted by companies wanting to progress towards the ERM leadership section of the quadrant. The report also contains detailed analysis of the survey results with a breakdown of companies by clusters, pillars and other views provided in the Appendix, such as company size, listed or family owned, geographic location and industry.

This benchmarking tool provides companies that have participated in the study with valuable insights, as well as actionable and effective areas for improvement to enable them to move their ERM programmes towards leadership status, where firms can demonstrate the power of ERM for their businesses and show real value to their stakeholders.

Protiviti would like to give special thanks to the Institute of Risk Management IRM (UK) and ANRA (Associazione Nazionale dei Risk Manager e Responsabili Assicurazioni Aziendali, Italy) for supporting the study with their members.

We are delighted to present our new readiness assessment methodology that provides unique insight into the current state of ERM development at a variety of different organisations. We thank all of the companies that have accepted our invitation to participate in this study to enable the first benchmarking analysis of ERM development towards integration with strategy setting and performance management. The study will continue to expand with the inclusion of many more firms in future assessments that will enrich the benchmarking tool for all organisations eager to progress and continuously improve their ERM programmes. - Emma Marcandalli, Managing Director, Protiviti


Methodology

Using its readiness assessment methodology, Protiviti launched this study to determine the level of integration among risk, strategy and performance management practices implemented by 63 firms, as well as to assess their readiness to progress to the more advanced status of leader organisations — both aligned with the COSO requirements and demonstrating the capabilities to add real business value.

The Protiviti ERM Readiness Quadrant is the final output of our assessment methodology and identifies four categories of organisation — initial adopter, actionable, influencer and leader — which are defined in detail below. These categories indicate the sophistication of their ERM programmes and how well they are integrated with strategy setting and performance management within the organisation.

The survey methodology is based on a questionnaire that addresses 42 ERM best practices deriving from Protiviti real-life experiences, that are categorised into the aforementioned six pillars: risk governance, risk appetite, risk culture, evaluation of strategic options, strategic planning and forecasting, and business execution. Depending on their nature, each practice contributes to integrating ERM mostly into strategy setting or into performance management, or equally in both directions.

Within the questionnaire, each best practice can be assessed on a five-point scoring scale, from “fully present” to “not present”. According to the resulting score, a company’s ERM programme can move in several directions within the quadrant. The final positioning in the ERM Readiness Quadrant provides the organisation with a summarised view on the maturity level of ERM integration into the two key dimensions, “strategy setting” and “performance management”, respectively represented on the “x” and “y” axes.

We believe that our readiness assessment methodology is unique: for the first time ever, it not only assesses the level of sophistication of methodologies, tools and techniques, processes and organisational solutions put in place by companies, but goes far beyond and interprets if and how they are really contributing to add value through ERM integration with strategy setting and performance management — the core focus of the COSO ERM framework — thus enabling the definition of a roadmap for advancing ERM further to benefit the business.

Many companies we meet are experiencing pressure from the board of directors to strengthen risk oversight and, in response, they have made progress by implementing processes that serve a worthwhile purpose. However, several organisations are still struggling to integrate their risk management processes with strategic planning and performance management, and are facing barriers that are impeding progress in maturing their ERM system. Ask yourself if your status quo is sufficient to meet the challenges expected over the next few years. - Matt Taylor, Managing Director, Protiviti

Figure 1: The Protiviti ERM readiness quadrant

[Quadrant chart. Horizontal axis: ERM integration with STRATEGY SETTING, 0 to 100. Vertical axis: ERM integration with PERFORMANCE MANAGEMENT, 0 to 100.]

ACTIONABLE: ERM is mainly focused on execution of strategies and business activities and is aimed at preserving value and reputation

INITIAL ADOPTER: ERM is at its early stage and its value add still needs to be addressed

LEADER: ERM strongly supports both strategy setting and execution, thus significantly influencing business performances and their sustainability over time

INFLUENCER: ERM is strongly integrated in planning processes and concretely contributes to strategy setting

INITIAL ADOPTERS

“Initial adopters” are those companies that have not yet completely defined nor fully implemented an ERM programme throughout the organisation. Such companies also do not have clearly defined ERM goals or objectives nor roles and responsibilities of the various parties involved in the process. Their risk culture needs to be addressed and reinforced.

ACTIONABLE

Companies are considered “Actionable” when the focus of their ERM programme is on strategy execution, process management and day-to-day business activities. In this quadrant, ERM mostly aims at protecting business performance in the short to medium term — including the company’s value and reputation. Although actionable companies have set strategic goals and understand the risks that may impact and/or alter how these goals are approached, ERM does not yet influence strategy-setting.

INFLUENCER

“Influencers” are firms with ERM programmes well integrated with strategic and business planning processes. As influencers, risks and opportunities are analysed and taken into deep consideration when strategic goals and objectives are defined; this integrated process is often driven by those functions that are responsible for strategic planning and business development. Although very mature in the integration with strategy setting, ERM is less evolved with regards to methodologies, tools, techniques, and ownerships, for managing and monitoring recurring risks that may impact day-to-day business performances.

LEADER

At “Leader” firms, ERM programmes are balanced and strongly support both strategy and performance thanks to a diffuse risk culture. During strategy and objectives setting (i.e. evaluation of strategic options, strategic planning, budgeting and forecasting activities), ERM analyses how risks and opportunities may influence value creation, providing management and the board with “risk-return” considerations to align strategies with the company’s risk appetite. During strategy and business execution, ERM proactively contributes to addressing these risks and opportunities on a recurring basis and throughout the entire organisation. This approach enables leading ERM organisations to significantly influence business performance and sustainability not only in the short and medium term, but also in the long term.

Key Findings

The analysis of the Protiviti ERM Readiness Quadrant provides a high-level overview of the current ERM landscape. The majority of organisations surveyed remain in the early phases of their journey, but encouragingly only slightly fewer companies are situated in the leader quadrant. The main findings from the survey are detailed below.

01 The analysis of survey results shows that the majority of organisations surveyed remain in the early phases of their journey, with 44% falling into the initial adopter quadrant, with most in the later phases of development.

02 Encouragingly, 37% of companies are situated in the leader quadrant — almost a third of those are identified as top leaders, while the rest were defined as moving towards leadership. All top leaders are larger companies (revenue >€5bn) and mainly belong to the Financial Services (FS) or Energy and Utilities (E&U) sectors, reflecting the maturity of ERM in regulated industries.

03 Almost one-fifth of participants were identified as actionable organisations, meaning that they have reached a satisfactory level of maturity in managing risks that can affect the achievement of defined business objectives (i.e. integration with performance management), while still having no or little capability to influence the definition of the firm’s strategy (i.e. integration with strategy setting).

04 None of the companies surveyed is categorised as predominantly influencers. The lack of influencer-only companies is predictable, since the typical ERM journey begins with an approved strategic plan rather than the strategy-setting process. Only once a company truly understands the risk profile behind its strategic objectives can it begin to increase the value of ERM by anticipating the risk and opportunity analysis during the strategic planning processes. This integrated approach supports the setting of objectives and strategies that present an acceptable risk-return profile. At this point, organisations are mature enough to formally embrace risk appetite considerations and thus move into the leader quadrant.

05 There is an even mix of listed and unlisted companies in all four quadrants. This suggests that there is no evidence for linking corporate governance requirements for listed companies with the status of their ERM programmes.

06 The top leaders in this survey — and almost all the other companies — continue to invest in risk programmes, declaring that they have a stable or increasing ERM budget in 2019.

07 Overall, companies exhibit the highest level of maturity in the risk governance and business execution pillars, albeit with some room for improvement, while risk appetite and risk culture are the least developed pillars.

The results are encouraging since the increasing budgets are a sign that organisations recognise the benefits of implementing more advanced ERM programmes that influence strategic planning and have a direct impact on business performance. Clearly, there are firms early on their journey that still need to understand the real value of ERM, while top leaders will continue to need guidance for continuous improvement.

The full survey report provides more detailed guidance for firms in each quadrant to focus on advancing their ERM programmes towards top leader status. The table below gives an overview of the main improvement actions that the firms in each quadrant can consider to progress the journey to the next level.

MAIN IMPROVEMENT ACTIONS TO MOVE THE ERM JOURNEY FORWARD

INITIAL ADOPTER

Enhance risk governance by formally defining and communicating roles, ownership and responsibilities of risk management

Adopt structured methodologies and tools for risk quantification, monitoring and reporting

Define a process that allows the coordination of the risk and opportunity analysis with planning processes

ACTIONABLE

Enhance the integration with strategy setting by performing a regular risk and opportunity analysis during strategic planning and evaluation of strategic options

Engage the CRO at an early stage in the strategy setting process (including evaluation of strategic options)

Augment the collaboration between strategic planning and ERM functions during the strategic planning process

LEADER

Enhance the existing risk culture by adopting dedicated programmes (on a regular basis)

Consider risk culture elements when hiring and promoting personnel. This may also include linking performance targets to risk culture elements

Review the entity’s business strategies whenever the underlying risks are not aligned with the entity’s risk appetite

Protiviti’s advice over many years to clients on ERM methodologies and frameworks has aligned with the latest COSO view which integrates ERM with strategy setting, performance management and decision-making processes. As such, the Protiviti ERM Readiness Quadrant is a useful benchmark for gap assessment as well as action planning. - Dolores Atallo, Managing Director, Protiviti

On average, the survey shows that risk governance as well as the management of risks related to strategy and business execution are the most advanced ERM elements, suggesting that they are the ones typically approached first when starting an ERM journey.

The pillars of lowest maturity among the companies surveyed are risk appetite, risk culture and ERM integration with evaluation of strategic options, business planning and forecasting. Based on our experience, confirmed by this study, these pillars require a stronger commitment, and often more resources and more sophisticated tools and techniques, to be adopted in a structured way throughout the organisation. Ensuring the support of top and senior management is therefore essential to advance further along the ERM journey.

The results of this survey are aligned with the Protiviti vision of a progressive ERM journey towards a mature “risk-informed” decision-making system, depicted in Figure 3.

The Protiviti Enterprise Risk Management Methodology Framework is based on a risk-informed perspective to assist companies that wish to implement an ERM programme that helps them anticipate, adapt and respond to change, focusing resources on risks and opportunities that can impact their strategy and performance.

Figure 2: Maturity level of each ERM pillar — Average of all respondents

[Chart. Pillars shown: Risk Governance, Evaluation of Strategic Options, Risk Appetite, Business Planning and Forecasting, Risk Culture, Business Execution. Values shown: 48%, 55%, 48%, 48%, 43%, 65% (pillar assignment not preserved).]

Figure 3: The journey continuum to move the ERM programme forward

[Diagram. Vertical axis: Maturity level. Horizontal axis: Value added to “risk-informed” decision-making.]

Areas of focus: ESTABLISH AND EVOLVE THE OVERALL ERM GOVERNANCE; STRATEGY AND BUSINESS EXECUTION; EVALUATION OF STRATEGIC OPTIONS, BUSINESS PLANNING AND FORECASTING; RISK CULTURE AND BEHAVIOURS

Steps: Identify and prioritise enterprise risks; Quantify, proactively manage and monitor top risks; Integrate risk and opportunity analysis into strategy setting and planning; Implement a robust risk appetite framework; Disseminate a risk-based mindset across the organisation

Questions: Do we know our risks? Do we manage and monitor what really matters? Do we make risk-adjusted decisions? Do we make decisions in line with our risk appetite? Do we act as desired at all levels?

Analysis by cluster: Advancing to Leader

Given the positioning of participants into the Protiviti ERM Readiness Quadrant, the organisations have been subdivided into the following different sub-clusters (represented in Fig. 4): two related to the Leader quadrant, one related to the Actionable quadrant and three related to the Initial Adopter quadrant.

The following sections describe the key attributes and strengths of the companies placed in each cluster (and related sub-clusters), and further outline an action plan for advancing to Top Leader status, as well as suggesting areas for continuous improvement.

Leaders

The survey classified 37% of the participant companies as belonging within the leader quadrant which has been sub-divided into two levels — Top Leaders and Towards Leadership — to identify those companies that are making significant progress towards leader status, but are still evolving in some areas. Almost a third of the companies in the leader quadrant were identified as top leaders, while the rest were defined as moving towards leadership.

Survey Results

Figure 4: Clusters within the Protiviti ERM readiness quadrant

[Quadrant chart. Horizontal axis: ERM integration with STRATEGY SETTING, 0 to 100. Vertical axis: ERM integration with PERFORMANCE MANAGEMENT, 0 to 100. Quadrants: ACTIONABLE, INITIAL ADOPTER, LEADER, INFLUENCER. Clusters shown: Initial Adopter (phase one), Initial Adopter (phase two), Initial Adopter (phase three), Actionable, Towards Leadership, Top Leader.]

[Chart. Pillars shown: Risk Governance, Risk Appetite, Risk Culture, Business Execution, Evaluation of Strategic Options, Business Planning and Forecasting. Values shown: 88%, 86%, 78%, 88%, 87%, 94% (pillar assignment not preserved).]

Top Leaders

Top leaders in this survey are large companies with revenues above 5 billion euros and more than 10,000 employees. They mainly belong to the Financial Services or Energy and Utilities sectors, where ERM is influenced by regulations. Since there is an even mix of listed and unlisted companies, this suggests that there is an appetite for linking corporate governance requirements for listed companies with the status of their ERM programmes. Moreover, even though they have a mature and advanced ERM programme, top leaders continue to invest in ERM, with all companies in this category declaring that they have a stable or increasing ERM budget in 2019.

Top leaders have mature ERM programmes, with most having begun their ERM journey prior to 2015. Their advanced ERM systems strongly support both strategy-setting and performance management processes within the organisation.

Top leaders exhibit a high level of maturity in each of the pillars, with risk governance as the most advanced. The role of the chief risk officer (CRO) is clearly defined and communicated, and the CRO is systemically involved in the strategy-setting process and in the evaluation of strategic options, using advanced methodologies that estimate the volatility of target performance and the robustness of the business plan.

Only leaders consider risk management ability and effectiveness when evaluating the performance of executives and senior managers.

Top leaders have integrated risk and opportunity analysis into the strategic planning process and have adopted specific methodologies to evaluate the risk-return profile of strategic initiatives. Leaders also periodically monitor the risk profile of the strategic plan and/or initiatives as an input to business planning and forecasting.

Top leaders also adopt structured performance indicators to periodically measure and monitor top risk exposures. They also perform risk response decision-making in a robust way, considering for example the defined tolerance thresholds, early warnings, cost and benefits of the risk response.

Risk appetite is strongly defined at leading organisations, and is communicated throughout the organisation and monitored for each specific risk.

Figure 5: Top Leaders cluster

E&U large listed

E&U large listed

I&C large listed

FS large unlisted

FS large listed

FS medium unlisted

FS small unlisted

Areas for improvement

Top leaders have a well-defined risk culture that has been clearly communicated throughout the entire organisation by top management. However, the ERM journey never really ends: risks are constantly shifting, and there are always new ways to improve.

Risk culture specifically benefits from continuous readiness assessment and improvement, as long as progress can be made to reinforce risk culture further. To this end, leaders may develop specific risk culture programmes designed to ensure that the desired behaviours and attitudes towards risk are embedded at all levels of the organisation. Leaders can also adopt processes, methodologies and tools to periodically assess the type and maturity level of existing risk cultures. Finally, firms may also consider risk culture elements, such as personal risk attitude and competencies, when hiring or promoting personnel.

Risk appetite is the least developed pillar, even for leader organisations. Very few companies (with the exception of E&U and FS companies) consider this pillar when defining strategy. The risk appetite score for FS companies is 11 percentage points higher than the overall average (54% compared to 43%), demonstrating that strict financial regulations govern risk appetite frameworks in this industry.

As risk appetites change over time, leading organisations are reminded to review or alter their business strategies if the associated risks are inconsistent with the risk appetite framework, or when significant changes in context occur.

As part of their ongoing strategic evaluation process, leaders should continuously select those business initiatives (such as new investments, products or markets) that better fit the entity’s risk appetite based on the expected risk-return profile.

Top leaders may also improve on their business execution pillar by leveraging internal and external data to develop predictive risk analytics, when appropriate, to reinforce forecasting capabilities and support risk-informed decision making.

Leaders are not at the end of their journey since any process may improve over time. Leaders need to focus on risk culture in a more structured way to ensure that the entire organisation is aligned with the vision of top management and the board on risks and risk management. The challenge for leaders is to work in a highly structured way in order to improve the company’s risk culture, as well as maintain an effective and always updatable risk appetite. - Emma Marcandalli, Managing Director, Protiviti

[Chart. Pillars shown: Risk Governance, Risk Appetite, Risk Culture, Business Execution, Evaluation of Strategic Options, Business Planning and Forecasting. Values shown: 64%, 66%, 64%, 70%, 62%, 78% (pillar assignment not preserved).]

Towards Leadership

Some 16 firms were identified as moving towards leadership — again, these were a mix of listed and unlisted companies, although they were all of heterogeneous size and from a variety of industries.

Such companies began their ERM journey before or in 2016. They have a high level of maturity in all of the six pillars, with a good balance of ERM integration observed in both strategy-setting and performance management; however, these companies still have room to improve if they are to be assessed as top leaders.

Companies defined as moving towards leadership are distinguished by a strong commitment to risk management throughout the organisation, with dedicated management committees in place along with the regular involvement of the board of directors. Risk governance is well defined, with roles and responsibilities clearly assigned and communicated. However, in most cases, the CRO is not involved with the strategy setting process.

Organisations moving towards leadership have established a good definition of a homogeneous ERM methodology that features guidelines, metrics, and scoring scales: for example, support for risk management activities and a formal process that actively engages management in risk assessment activities. However, to reach a higher level of maturity, these companies should broaden the range of tools used to support risk management activities to better measure and monitor their risk exposure, as well as improve the effectiveness of the risk responses that have already been implemented.

Even though these companies consider risks and opportunities in the business planning phase, the lack of timely and regular involvement of the risk management function precludes a proper risk analysis, which would lead to more risk-aware decisions typical of leader companies.

Some companies defined as moving towards leadership are already implementing a well-defined risk appetite framework, while others remain at an initial level.

Risk culture is spread throughout these organisations, with the board regularly engaging in significant risk-related discussions. However, as with top leader companies, risk culture elements are rarely taken into consideration when hiring or promoting personnel.

Areas for improvement

Companies in this quadrant need to ensure the early involvement of the CRO in the strategy-setting process and when evaluating strategic options. They also need to ensure the full integration of risk and opportunity analysis into strategic planning processes.

These organisations would benefit from the adoption of specific tools and techniques to better evaluate their risk exposure and the effectiveness of their risk responses.

Figure 6: Towards Leadership cluster

E&U medium listed

I&C large listed

FS small unlisted

FS large listed

OS small unlisted

E&U medium listed

I&C large listed

OS medium unlisted

FS small unlisted

E&U medium listed

E&U small unlisted

E&U large listed

FS medium unlisted

TMT large listed

TMT large listed

FS small unlisted

[Chart. Pillars shown: Risk Governance, Risk Appetite, Risk Culture, Business Execution, Evaluation of Strategic Options, Business Planning and Forecasting. Values shown: 42%, 58%, 48%, 36%, 39%, 69% (pillar assignment not preserved).]

Actionable

A good proportion of the organisations surveyed (19%) were defined as actionable companies. These organisations are primarily medium-large-sized companies, with revenues between 500 million euros and 5 billion euros, with more than 1,000 employees. They also declare a stable or increasing ERM budget for 2019. As with the leaders, the industries and listed status of these companies are heterogeneous.

As the name suggests, actionable companies are focused on business execution with the aim of preserving the entity’s value. Actionable companies are characterised by the strong involvement of senior managers in periodic risk identification and prioritisation, and have often already adopted guidelines and metrics or other methods to facilitate risk prioritisation.

Typically, these companies have already implemented more sophisticated risk assessment methodologies and tools to help analyse their risk portfolio, and are thereby able to determine whether any of these risks are interrelated or whether a single event may have cascading impacts.

As with the leading companies, risk governance is the most advanced pillar among actionable firms. These companies have also established a clear definition of the relationship between ERM and the other lines of defence.

Areas for improvement

Although actionable companies may use sophisticated

techniques and tools to periodically measure and

monitor their risk exposure, these tend to have a

business-as-usual focus on operational, compliance

or legal risks. These organisations need to move away

from a narrow focus on recurring operational processes

towards more strategic decision-making processes.

Although actionable companies clearly define and

communicate the CRO’s role and responsibilities, the CRO

is occasionally involved in the strategy-setting process.

While the board of an actionable company may be

engaged in significant risk-related discussions on

a regular basis, these companies only occasionally

adopt the processes, methodologies and tools required

to periodically assess the type and maturity level of

existing risk culture at various organisational levels;

moreover, they rarely consider culture elements (such

as personal attitude to risk and risk management

competencies) when hiring or promoting personnel.

Risk appetite is one of the less developed pillars for most companies, but is specifically lacking for firms that fall into this quadrant. Actionable companies scored 39% in the risk appetite segment of the survey, which is below the average score of 43%. Even if the company has processes in place to define, articulate and clearly communicate a specific appetite for risk-taking and has risk appetites that are periodically approved and reviewed by the board, risk appetite statements are rarely set in conjunction with the strategic planning process. These companies tend to monitor approved risk appetite statements and tolerances only occasionally.

Figure 7: Actionable cluster [figure: the companies in this cluster, each labelled by industry, size and listed status]

In order to advance to top leader status, these

organisations need to better define and/or review

their risk appetite statements and tolerances in

conjunction with the strategic planning process.

They also need to review their business strategy (or

select an alternative strategy) if the risk associated

with this strategy is inconsistent with the entity’s

risk appetite or in the event of significant context

changes. This typically occurs when there is a strong

collaboration between strategic planning and ERM

functions during the strategic planning process.

Initial Adopter

Finally, the majority of the organisations surveyed

(44%) fall into the initial adopter quadrant.

Initial adopters are mainly small and medium-sized

enterprises, with revenue below 1 billion euros, and are

mostly unlisted companies. Their ERM programmes

vary widely, with most organisations being categorised

as currently residing in the second or third phase.

Due to the varying levels of ERM maturity observed

among the organisations during this study, the initial

adopter category has been sub-divided into three

levels that outline specific criteria met by these

companies as they progress along their ERM journey:

Phase one companies have just taken their first

steps towards ERM and, on average, the system’s

key pillars are consequently underdeveloped. Such

companies may have introduced some concepts of

risk governance, but still need to formally define

and implement key roles and responsibilities for

risk officers, senior management and the board

of directors.

Phase two companies have a stronger involvement

of senior management in the risk identification

process and have clearer governance, with defined

relationships between ERM and the other lines of

defence in the organisation. Compared to phase

three companies, they are almost exclusively

focused on processes and business execution,

the framework has a less formal structure, and

overall their risk culture is less developed.

Phase three companies have a stronger risk

governance, with the ERM function typically

reporting to the CFO and the board. Compared to

other initial adopters, phase three companies have

a higher maturity level across all pillars. They are

experiencing the identification and understanding

of potential risks and opportunities for each of

the strategies being considered, challenging

critical assumptions and scenarios, albeit in an

unstructured or sporadic manner.

While actionable companies normally have a short-term view of risks, leaders have a more medium- to long-term view of additional risks. They look at emerging risks that can profoundly influence strategy-setting within a company. This is probably the most crucial difference between an actionable company and a leader. Actionable companies should try to shift or refocus their energy, attention and analysis towards emerging risks. To do so effectively, the CRO (or equivalent) must be present from the outset, as well as during the strategic planning process, to facilitate the understanding of risks and opportunities over both the shorter and the longer term. At present, this is a real challenge, because the CRO needs to have the stature to sit at the same table and to engage in strategic conversations with the top management of the company. - Dolores Atallo, Managing Director, Protiviti

[Chart: percentage scores by ERM pillar (Risk Governance, Risk Appetite, Risk Culture, Business Execution, Evaluation of Strategic Options, Business Planning and Forecasting)]

Initial Adopter Phase Three

Phase three initial adopter companies have already set

up an ERM function that typically reports to the CFO and

the board of directors. Compared to other companies in

the initial adopters’ quadrant, phase three organisations

have a higher maturity level in terms of both strategy-setting

and performance management.

Occasionally, these companies have begun to

identify and understand the potential risks and

opportunities associated with certain strategies, and

are also beginning to challenge critical assumptions

and take potential different scenarios and conditions

into account. However, there are still clear areas in

which improvement is required.

Areas for improvement

Risk governance is an obvious area for improvement,

particularly in regard to defining and communicating

the roles, ownerships and responsibilities of the

CRO and/or the heads of risk management. The CRO

also needs to be involved in the strategic planning

process from the beginning, while risk escalation

processes and related roles and responsibilities

need to be more clearly defined.

As noted above, one of the strengths of initial adopter

phase three companies compared to those in phase

two is that they are more developed on how ERM

supports the evaluation of strategic options: at least

occasionally, they seek to identify and understand

the potential risks and opportunities of each strategy

being considered. However, the CRO should be

involved earlier in the strategic evaluation process.

Moreover, while phase three firms challenge

strategic planning assumptions and consider

potential different scenarios and conditions, they

rarely identify and measure the impact of risks

and opportunities using scenario analysis, stress

testing, and/or other quantitative techniques.

Figure 8: Initial Adopter cluster — Phase Three [figure: the companies in this cluster, each labelled by industry, size and listed status]

For initial adopters that wish to advance on their ERM journey, the first pillar to focus on is risk governance. Companies need to ensure they are effectively defining and communicating risk governance roles and ownership responsibilities. This is the most important step towards improvement and moving the ERM journey forward, because without clear ownership of these roles inside the organisation, it is challenging to invest enough focus and energy on this type of programme. - Esther Delgado, Director, Protiviti


Initial adopters tend to use qualitative risk scoring

methodologies and tools, which are suitable for

the beginning of the ERM journey. However, firms

wishing to ensure that risk influences their decision-making

process need to make more objective

and quantitative information available to the

top management.

Risk and opportunity analysis, when conducted by

initial adopter phase three firms, rarely provides

input for the potential review of strategic plan

assumptions if the resulting risk exposure is considered

unacceptable. This analysis should be implemented

in a more structured and periodic manner during the

strategic planning process, which means that the risk

conversation should start well before the planning

process begins (rather than after a strategy plan has

been drafted or approved). This is typically the step

required for companies to move from initial adopter

phase three towards the leadership quadrant, or at

least the influencer quadrant.

The less mature pillars in these companies are

risk culture and risk appetite. Improvements in

risk culture should begin at the definition stage,

with leadership’s desired behaviours and attitudes

towards risk being clearly communicated throughout

the organisation. Both management and personnel

should also be encouraged to report concerns about

potentially inappropriate or excessive risk taking.

Most initial adopter companies do not have a risk

appetite framework in place. A formal process therefore

needs to be created to define risk appetite, as well

as to engage the board in periodically approving

and reviewing the firm’s set risk appetite.

Initial Adopter Phase Two

Phase two companies are mainly medium-sized,

unlisted companies, with an ERM function in place

that typically reports to the Chief Executive Officer

and Chief Financial Officer.

Phase two companies have good risk governance,

generally with a clear definition and communication

of the roles and responsibilities of the CRO or head

of risk management in place, while ERM usually

has a functional relationship with the other lines of

defence. The board of directors typically has a risk

oversight role.

Compared to phase three initial adopter companies,

phase two firms are mainly focused on business

execution. They have already adopted a formal process

that periodically involves senior management in the

risk identification process. They also adopt guidelines,

metrics and/or a scoring scale to help individuals

prioritise risks in a consistent way.

These companies tend to be more oriented towards

the integration of their ERM system with performance

management. If these firms continue in this direction,

they will move toward the actionable quadrant; if they

wish to move toward the influencer (if not directly

the leadership) quadrant, they should improve the

integration of ERM with strategy-setting.

For an effective “risk-informed” decision making process, it’s not enough to say whether a risk is high, medium or low. Instead, risk officers should try to quantify the financial impact of a risk, or its impact on business objectives, and fortify controls and strategies to compensate. Otherwise, it’s hard to really understand the risk exposure and how much the company should be willing to invest to reduce that exposure. By quantifying the impact, organisations are able to check their risk-return balance and better facilitate the risk-return discussion. Improving methodologies and tools for affecting, measuring and reporting risks is probably the most important step for initial adopters. - Pasquale Vico, Associate Director, Protiviti

Figure 9: Initial Adopter cluster — Phase Two [figure: the companies in this cluster, each labelled by industry, size and listed status]

[Chart: percentage scores by ERM pillar (Risk Governance, Risk Appetite, Risk Culture, Business Execution, Evaluation of Strategic Options, Business Planning and Forecasting)]

Areas for improvement

In order to balance ERM integration with both

strategy-setting and performance management,

initial adopter phase two companies should work

on the following areas to move to the next clusters.

Integration with performance management.

Phase two companies can improve existing practices

by adopting tools and methodologies to measure

and monitor risks in a more systematic way (e.g.

introducing key risk indicators as well as IT tools

to support risk measurement and monitoring

activities). They should also improve their risk-response

decision making so that it considers

defined tolerances and early warnings, as well as

the company’s capacity to survive risk events.

Integration with strategic options evaluation.

Phase two companies should start to work on this

integration. They need to identify and understand the

potential risks and opportunities of each strategy being

considered and determine the potential impact of each

option on the organisation’s existing enterprise-wide

risk profile. Moreover, to progress within the journey,

these firms should continue to monitor the risk profile

of strategic initiatives during their execution.

Integration with strategic planning. After risk

appetite, strategic planning and forecasting is the

least developed pillar for phase two firms. By defining

a formal process to integrate both risk and opportunity

analysis into the strategic planning process and by

adopting a methodology to estimate the volatility/variation

of planned performances, these companies

will consequently be able to challenge strategic plan

assumptions and to evaluate the resilience of business

plans. To this end, firms should work to better engage

the CRO and senior managers in this integrated

process, and should also present the plan’s risk

profile to the board for approval.

Risk appetite. It is undoubtedly the pillar with the most

room for improvement where initial adopter phase

two companies are concerned. With a few exceptions,

these companies’ appetite for risk taking is never

formally defined, communicated to and/or approved

by the board. In order to enhance the maturity in this

pillar, phase two organisations should start by defining

and communicating risk appetite statements and

tolerances, and should then consider reviewing specific

strategies to determine whether the associated risks

are inconsistent with the desired risk appetite.

Risk culture. Although the board is regularly involved

in significant risk-related discussions, there remains

widespread room for improvement regarding the

spread of risk culture across the organisation. This

could be achieved starting from a dedicated training

programme, along with other awareness initiatives

and communication channels, followed, in next stages,

by a programme that should ensure the desired risk

culture is properly driven throughout the enterprise.

Figure 10: Initial Adopter cluster — Phase One [figure: the companies in this cluster, each labelled by industry, size and listed status]

Initial Adopter Phase One

Only three of the companies surveyed were defined

as phase one initial adopters. These are small

and medium-sized companies, with a generally

low maturity level in all six ERM pillars.

Areas for improvement

As one of the first areas that companies develop

when starting their ERM journey, risk governance is

the most developed pillar in phase one companies.

Even if they have already addressed some aspects,

in order to develop a stronger risk governance and

continue their ERM journey, these companies

should first enhance their risk governance by

clearly defining and communicating risk

ownerships and responsibilities.

As a second improvement step, phase one companies

should introduce processes and methodologies

allowing them to identify, assess and prioritise the

risks that could potentially affect the company’s

ability to achieve its goals.

Analysis by Pillars

All participant companies were assessed on the

maturity of the six main pillars of their ERM

frameworks: risk governance, risk appetite, risk

culture, evaluation of strategic options, strategic

planning and forecasting, and business execution.

They were asked to evaluate best practices in those

areas on a scoring scale from “fully present” to

“not present”.

The overall results per pillar are summarised below

and reflect the fact that the pillars with the higher

maturity, like risk governance and business execution,

are typically the ones that are approached first when

starting an ERM journey, while the ones with a lower

maturity, like risk appetite, evaluation of strategic

options, business planning and forecasting, and

risk culture, require a stronger commitment (and

sometimes more resources and more sophisticated

tools and techniques) to be adopted in a structured

way throughout the organisation.

Figure 11: Maturity level of each ERM pillar — Average of all respondents [chart: percentage scores for Risk Governance, Risk Appetite, Risk Culture, Business Execution, Evaluation of Strategic Options, Business Planning and Forecasting]

Risk Governance

Average score – 65%

Risk governance is one of the first areas that

companies develop when starting their ERM

journey; even those companies that have recently

implemented their ERM system are deemed more

mature in this area.

Risk Appetite

Average score – 43%

Risk appetite is the least developed pillar. In most cases, the appetite for risk-taking is not adequately defined nor communicated across the organisation, and very few companies consider it when defining their strategy. Exceptions are the Energy & Utilities industry, which is very mature across all areas, and Financial Services, which is characterised by stricter regulation of risk appetite frameworks.

Risk Culture

Average score – 48%

Most companies engage the board in significant risk-related discussions. However, only leader companies have training programmes and awareness initiatives in place to spread and strengthen risk culture throughout the organisation.

Evaluation of Strategic Options

Average score – 48%

The evaluation of strategic options is performed

by identifying and understanding potential risks

and opportunities. However, only a few companies

involve the ERM function in this process and adopt

a structured methodology to evaluate the resilience

of the business plan and the volatility of the

target performances.

Business Planning and Forecasting

Average score – 48%

While many companies challenge critical strategic

plan assumptions, only a few have implemented

a formal and structured process for assessing the

strategic plan risk profile. Such a process should

involve CROs and senior management in identifying

and measuring the impact of risks and opportunities,

as well as ensuring the timely definition of risk responses.

Business Execution

Average score – 55%

Almost all companies have processes and methodologies in place to identify and assess the risks that could affect the achievement of the company’s business goals. However, only a few companies perform risk measurement, risk mitigation and risk monitoring in a structured way by adopting dedicated tools, techniques and/or indicators/indexes, and performing cost-benefit analysis before implementing risk responses.

Overall, companies exhibit the highest level of maturity in the risk governance and business execution pillars, albeit with some room for improvement. This is not surprising, since companies normally start their journey by focusing on risks that may affect the achievement of defined strategic and business objectives and by assigning roles and responsibilities to management, the board, and the risk management and control functions.

On the contrary, risk appetite is the least developed pillar. And this is also expected, since the introduction of a risk appetite dialogue requires a higher maturity at the management and board level, including a better understanding of key strategic risk exposures, as well as the application of more sophisticated techniques, as this can concretely influence strategy setting and business planning.

The results of this survey are substantially aligned with the Protiviti vision of a progressive ERM journey (Fig. 3 on page 7).

[Chart: percentage scores by ERM pillar (Risk Governance, Evaluation of Strategic Options, Risk Appetite, Business Planning and Forecasting, Risk Culture, Business Execution), large firms compared with small and medium firms]

[Figure: Assessment results, large firms vs. others. Quadrant chart with axes "ERM integration with strategy setting" and "ERM integration with performance management" (0 to 100); quadrants Initial Adopter, Actionable, Influencer and Leader; legend Initial Adopter (phase one), Initial Adopter (phase two), Initial Adopter (phase three), Actionable, Towards Leadership, Top Leader]

Further analysis

The survey results have been further analysed by various factors, including company size, listed status, ERM programme maturity, industry type and geographic location, to determine which, if any, are linked to the progression of the ERM journey toward Leader.

Company size

The results show that companies with revenues

in excess of 5 billion euros (most of which are

listed and have more than 10,000 employees) are

characterised by a high level of ERM system maturity.

About 70% of these companies have a good level of

integration with strategy setting and performance

management. Only three companies show a less

mature ERM system. However, these companies

have a stable or increasing ERM budget in 2019 and

therefore continue to invest in their ERM systems.

Appendix

[Chart: percentage scores by ERM pillar (Risk Governance, Risk Appetite, Risk Culture, Business Execution, Evaluation of Strategic Options, Business Planning and Forecasting), listed companies compared with not listed companies]

[Figure: Assessment results, listed companies. Quadrant chart with axes "ERM integration with strategy setting" and "ERM integration with performance management" (0 to 100); quadrants Initial Adopter, Actionable, Influencer and Leader]

Two companies with lower revenues, both belonging

to the Financial Services sector, are positioned

among the most developed companies.

As a consequence of their positioning, larger firms have more developed ERM pillars compared to small or medium-size organisations.

Listed vs. unlisted companies

Though some unlisted companies appear in the

Leader quadrant, listed companies show, on average,

a more mature ERM system than unlisted ones.

[Chart: percentage scores by ERM pillar (Risk Governance, Evaluation of Strategic Options, Risk Appetite, Business Planning and Forecasting, Risk Culture, Business Execution), by year of ERM implementation: before 2011, 2011-2016, after 2016]

Year of implementation

With only one exception, companies that started

their ERM journey two years ago or less show, not

surprisingly, a less mature ERM system.

Analysing the results by year of ERM system setup,

it is confirmed that companies have improved over

time. Those that have implemented the ERM system

for the longest time are characterised by a higher

level of maturity in all the pillars, confirming that

ERM is not a one-off exercise but a structured

and periodic process.

On average, risk governance is the more mature

pillar for these companies, while risk appetite

is less developed. This outcome confirms that

risk governance is the first element addressed by

companies when starting their ERM journey.

[Figure: Assessment results, year of ERM implementation. Quadrant chart with axes "ERM integration with strategy setting" and "ERM integration with performance management" (0 to 100); quadrants Initial Adopter, Actionable, Influencer and Leader]

[Figure: Assessment results, ERM budget. The same quadrant chart, with companies marked as having a stable or increasing ERM budget or a decreasing ERM budget]

ERM budget trends

Most companies (42) have a stable (28) or increasing

(14) ERM budget in 2019, meaning that the trend is

to continue investing in this direction. Only four

companies have a diminishing ERM budget.

More than half of companies with an increasing ERM

budget have an already mature ERM system in place.


Industry

The companies that declare very mature ERM

systems mainly belong to the Energy & Utilities

and Financial Services industries, illustrating the

tenure of ERM in regulated industries for multiple

reasons, including regulatory requirements.

The two companies in E&U with less mature ERM

systems started their ERM journey during the past

two years.

The results among Financial Services respondents

are varied. For these companies, the assessment of

their ERM pillar maturity score is in line with the

average. The only exception is risk appetite, with

a score of 54%, which is 10 percentage points higher

than the total average, demonstrating the stricter

regulation of risk appetite frameworks in this sector.

Almost all the financial services companies with less

mature ERM systems (located in the Initial Adopter

quadrant) have less than 10,000 employees and

revenues below 5 million euros.

[Figure: Assessment results, industry. Quadrant chart with axes "ERM integration with strategy setting" and "ERM integration with performance management" (0 to 100); quadrants Initial Adopter, Actionable, Influencer and Leader; companies marked as E&U, Financial Services or Other Industries]

Demographics

Sixty-three companies took part in the Protiviti ERM Readiness Survey, which ran from March 2019 to June 2019. The companies were of varying size and spread across regions as well as industries. Responses were gathered mainly from CROs, heads of ERM, or heads of risk management.

RESPONDENTS

CRO/Head of ERM: 45
Compliance: 5
Audit: 2
CEO: 2
CIO: 1
Other: 8

INDUSTRY

Financial Services & Real Estate: 20
Other Services: 17
Energy & Utilities: 11
Industrial & Construction: 8
Technology, Media & Telecommunications: 4
Pharmaceutical & Healthcare: 3
TOTAL: 63

HEADQUARTERS

[Chart: number of companies by headquarters location (Italy, UK, Rest of Europe, US & Canada, Africa, Other)]

Not Listed

60%

LISTED/NOT LISTED

Listed

40%

YEAR OF ERM SETUP*

Number of companies

15

4

4

9

8

< 0.1 billion

1-5 billion

0.1-0.5 billion

5-10 billion

10-50 billion

0.5-1 billion

> 50 billion

8

15

2018 REVENUE (€/$) DISTRIBUTION

Number of companies

5

4

3

26

9

> 50,000

500-1,000

10,000-50,000

150-500

50-150

1000-10,000

<50

13

3

NUMBER OF EMPLOYEES

*Eight companies declined to answer

Before 2011 2011-2016 After 2016

32

12 11


Risk Governance Culture


The Protiviti Enterprise Risk Management Methodology Framework is based on a risk-informed perspective to assist companies that want to implement an ERM programme to anticipate, adapt and respond to change, focusing resources on risks and opportunities that can impact their strategy and performance.

How Protiviti Can Help

The new Protiviti ERM framework is based on a risk-informed perspective.

A major goal of ERM is to provide management and the board with information on risks and opportunities that may influence key decision-making. This can be accomplished by an ERM journey guided by a trusted advisor to facilitate their success.

Figure: Protiviti ERM framework. DRIVE THE CHANGE: Drive the change towards risk-informed decision-making.

External Factors: Industry/Business Context

Internal Factors: Expectations, Needs and Constraints

ERM Pillars and ERM Enablers (labels shown): Risk Governance; Risk Appetite; Risk Culture; Methodologies, Data and Tools

ERM Process Steps Integrated into Strategy Setting and Performance Management

Phases: Identify, Quantify, Decide, Monitor

Steps: Identify Risks and Opportunities; Assess and Quantify Impacts; Prioritise Enterprise Risks; Quantify Top Risks; Set Up Risk Appetite; Integrate with Evaluation of Strategic Options; Integrate with Planning, Budgeting and Forecasting; Integrate with Performance Monitoring and Reporting; Make Risk-Informed Decisions; Monitor and Report

Other labels: Strategy and Business Execution; Business Planning and Forecasting; Evaluation of Strategic Options


ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries.

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

OUR EXPERTS

United States

Dolores Atallo, Managing Director, North America Lead, ERM, New York

Europe

Emma Marcandalli, Managing Director, Global Lead, ERM, Milan

Matt Taylor, Managing Director, ERM, London

Pasquale Vico, Associate Director, Rome

Esther Delgado, Director, ERM, London


© 2019 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-1019-108210


THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA*: Buenos Aires

BRAZIL*: Rio de Janeiro, Sao Paulo

CANADA: Kitchener-Waterloo, Toronto

CHILE*: Santiago

COLOMBIA*: Bogota

MEXICO*: Mexico City

PERU*: Lima

VENEZUELA*: Caracas

EUROPE, MIDDLE EAST & AFRICA

FRANCE: Paris

GERMANY: Frankfurt, Munich

ITALY: Milan, Rome, Turin

NETHERLANDS: Amsterdam

UNITED KINGDOM: Birmingham, Bristol, Leeds, London, Manchester, Milton Keynes, Swindon

BAHRAIN*: Manama

KUWAIT*: Kuwait City

OMAN*: Muscat

QATAR*: Doha

SAUDI ARABIA*: Riyadh

UNITED ARAB EMIRATES*: Abu Dhabi, Dubai

EGYPT*: Cairo

SOUTH AFRICA*: Durban, Johannesburg

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney

CHINA: Beijing, Hong Kong, Shanghai, Shenzhen

INDIA*: Bengaluru, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN: Osaka, Tokyo

SINGAPORE: Singapore

*MEMBER FIRM