Actionable Insights Into Implementing Your …...protiviti.com Actionable Insights Into Implementing...
Transcript of Actionable Insights Into Implementing Your …...protiviti.com Actionable Insights Into Implementing...
Internal Audit, Risk, Business & Technology Consulting
Actionable Insights Into Implementing Your Advanced ERM ProgrammeProtiviti ERM Readiness Assessment Survey 2019
ERM: ADVANCING TO LEADER STATUS
1 · Protiviti
Introduction
Many organisations of varying sizes
and across industries have implemented
Enterprise-wide Risk Management
(ERM) programmes that aim to provide
management and the board of directors
with information on risks and opportunities
that may influence decision-making and
business performance. With growing market volatility and complexity,
increased speed of changes and greater pressure
from investors, stakeholders and regulators, firms
are seeking more value from ERM practices.
Forward thinking organisations are aware that
added value can be created by evolving the ERM
approach into a tool for strategy setting, driving
objectives and managing business performances,
as also recommended by the COSO Enterprise Risk
Management Framework published in 2017.
ERM integration with strategy and performance
becomes a reality when risk identification,
quantification, management and monitoring
activities are performed during the evaluation
and selection of strategic options, the development
of strategic and business plans, and the execution
of those plans. This focused integration allows
management and the board to make relevant
and timely decisions based on “risk-return”
considerations. Without it, ERM remains an
appendage, which reduces its impact. However,
few companies have achieved the ultimate goal of
fully integrating ERM into strategy setting and
performance management, and those that have
still demonstrate areas for improvement.
In response to requests, coming from many
companies, for a practical tool to assess the
progress of their journey towards improved
ERM, Protiviti has developed a proprietary
readiness assessment methodology that focuses
on the evaluation of the maturity level of ERM
integration with strategy setting and performance
management (thus aligning with the COSO view),
and helps firms identify areas for improvement and
develop a roadmap to move the ERM journey forward.
When adopted by several companies, our methodology
can also serve as a benchmark of ERM practices in
place among peers.
Accordingly, in 2019 Protiviti surveyed 63 companies
with an existing ERM framework in place, of varying
sizes, industries and countries.
Chief Risk Officer and C-suite-level respondents
assessed several ERM best practices related to the
following pillars: risk governance, risk appetite, risk
culture, and how ERM supports the evaluation of
strategic options, strategic planning and forecasting,
and strategy and business execution.
Based on the level of sophistication of the implemented
practices, companies were positioned on the Protiviti
ERM Readiness Quadrant, which identifies ERM
leaders — defined as those companies that present
a very robust integration of their ERM frameworks
with strategy setting and performance management
— as well as less advanced clusters of organisations
that are moving their existing programmes forward.
This report explains the proprietary Protiviti ERM
Readiness Assessment Methodology that has driven
the survey, and continues with a summary of key
findings, highlighting areas of improvement and
action plans to be adopted by companies wanting to
progress towards the ERM leadership section of the
quadrant. The report also contains detailed analysis
of the survey results with a breakdown of companies
by clusters, pillars and other views provided in the
Appendix, such as company size, listed or family
owned, geographic location and industry.
Actionable Insights Into Implementing Your Advanced ERM Programme · 2protiviti.com
This benchmarking tool provides companies
that have participated in the study with valuable
insights, as well as actionable and effective areas
for improvement to enable them to move their
ERM programmes towards leadership status, where
firms can demonstrate the power of ERM for their
businesses and show real value to their stakeholders.
Protiviti would like to give special thanks to the Institute of Risk
Management IRM (UK) and ANRA (Associazione Nazionale dei
Risk Manager e Responsabili Assicurazioni Aziendali, Italy) for
supporting the study with their members.
We are delighted to present our new readiness assessment methodology that provides unique insight into the current state of ERM development at a variety of different organisations. We thank all of the companies that have accepted our invitation to participate in this study to enable the first benchmarking analysis of ERM development towards integration with strategy setting and performance management. The study will continue to expand with the inclusion of many more firms in future assessments that will enrich the benchmarking tool for all organisations eager to progress and continuously improve their ERM programmes. - Emma Marcandalli, Managing Director, Protiviti
3 · Protiviti
Methodology
Using its readiness assessment methodology,
Protiviti launched this study to determine the
level of integration among risk, strategy and
performance management practices implemented
by 63 firms, as well as to assess their readiness
to progress to the more advanced status of leader
organisations — both aligned with the COSO
requirements and demonstrating the capabilities
to add real business value.
The Protiviti ERM Readiness Quadrant is the final
output of our assessment methodology and identifies
four categories of organisation — initial adopter,
actionable, influencer and leader — which are
defined in detail below. These categories indicate the
sophistication of their ERM programmes and how
well they are integrated with strategy setting and
performance management within the organisation.
The survey methodology is based on a questionnaire
that addresses 42 ERM best practices deriving from
Protiviti real-life experiences, that are categorised
into the aforementioned six pillars: risk governance,
risk appetite, risk culture, evaluation of strategic
options, strategic planning and forecasting, and
business execution. Depending on their nature, each
practice contributes to integrating ERM mostly into
strategy setting or into performance management,
or equally in both directions.
Within the questionnaire, each best practice can be
assessed on a five-point scoring scale, from “fully
present” to “not present”. According to the resulting
score, a company’s ERM programme can move in
several directions within the quadrant. The final
positioning in the ERM Readiness Quadrant provides
the organisation with a summarised view on the
maturity level of ERM integration into the two key
dimensions, “strategy setting” and “performance
management”, respectively represented on the “x”
and “y” axes.
We believe that our readiness assessment
methodology is unique: for the first time ever,
it not only assesses the level of sophistication of
methodologies, tools and techniques, processes and
organisational solutions put in place by companies,
but goes far beyond and interprets if and how they
are really contributing to add value through ERM
integration with strategy setting and performance
management — the core focus of the COSO ERM
framework — thus enabling the definition of a
roadmap for advancing ERM further to benefit
the business.
Many companies we meet are experiencing pressure from the board of directors to strengthen risk oversight and, in response, they have made progress by implementing processes that serve a worthwhile purpose. However, several organisations are still struggling to integrate their risk management processes with strategic planning and performance management, and are facing barriers that are impeding progress in maturing their ERM system. Ask yourself if your status quo is sufficient to meet the challenges expected over the next few years. - Matt Taylor, Managing Director, Protiviti
Figure 1: The Protiviti ERM readiness quadrant
ERM is mainly focused on execution of strategies and business activities and is aimed at preserving
value and reputation
ERM is at its early stage and its value add still needs to
be addressed
ERM strongly supports both strategy setting and execution, thus significantly influencing business performances and
their sustainability over time
ERM is strongly integrated in planning processes and concretely
contributes to strategy setting
protiviti.com Actionable Insights into Implementing your Advanced ERM programme · 4
ERM integration with STRATEGY SETTING
ACTIONABLE
INITIAL ADOPTER
LEADER
INFLUENCERERM
inte
grat
ion
with
PER
FORM
AN
CE M
AN
AG
EMEN
T10
0
1000
INITIAL ADOPTERS
“Initial adopters” are those companies that have not yet completely defined nor fully implemented an ERM programme throughout the organisation. Such companies also do not have clearly defined ERM goals or objectives nor roles and responsibilities of the various parties involved in the process. Their risk culture needs to be addressed and reinforced.
ACTIONABLE
Companies are considered “Actionable” when the focus of their ERM programme is on strategy execution, process management and day-to-day business activities. In this quadrant, ERM mostly aims at protecting business performance in the short to medium term — including the company’s value and reputation. Although actionable companies have set strategic goals and understand the risks that may impact and/or alter how these goals are approached, ERM does not yet influence strategy-setting.
INFLUENCER
“Influencers” are firms with ERM programmes well integrated with strategic and business planning processes. As influencers, risks and opportunities are analysed and taken into deep consideration when strategic goals and objectives are defined; this integrated process is often driven by those functions that are responsible for strategic planning and business development. Although very mature in the integration with strategy setting, ERM is less evolved with regards to methodologies, tools, techniques, and ownerships, for managing and monitoring recurring risks that may impact day-to-day business performances.
LEADER
At “Leader” firms, ERM programmes are balanced and strongly support both strategy and performance thanks to a diffuse risk culture. During strategy and objectives setting (i.e. evaluation of strategic options, strategic planning, budgeting and forecasting activities), ERM analyses how risks and opportunities may influence value creation, providing management and the board with “risk-return” considerations to align strategies with the company’s risk appetite. During strategy and business execution, ERM proactively contributes to addressing these risks and opportunities on a recurring basis and throughout the entire organisation. This approach enables leading ERM organisations to significantly influence business performance and sustainability not only in the short and medium term, but also in the long term.
01 The analysis of survey results shows that the majority of organisations surveyed remain in the early phases of their journey, with 44% falling into the initial adopter quadrant, with most in the later phases of development.
02Encouragingly, 37% of companies are situated in the leader quadrant — almost a third of those are identified as top leaders, while the rest were defined as moving towards leadership. All top leaders are larger companies (revenue >€5bn) and mainly belong to the Financial Services (FS) or Energy and Utilities (E&U) sectors, reflecting the maturity of ERM in regulated industries.
03Almost one-fifth of participants were identified as actionable organisations, meaning that they have reached a satisfactory level of maturity in managing risks that can affect the achievement of defined business objectives (i.e. integration with performance management), while still having no or little capability to influence the definition of the firm’s strategy (i.e. integration with strategy setting).
04
None of the companies surveyed is categorised as predominantly influencers. The lack of influencer-only companies is predictable, since the typical ERM journey begins with an approved strategic plan rather than the strategy-setting process. Only once a company truly understands the risk profile behind its strategic objectives can it begin to increase the value of ERM by anticipating the risk and opportunity analysis during the strategic planning processes. This integrated approach supports the setting of objectives and strategies that present an acceptable risk-return profile. At this point, organisations are mature enough to formally embrace risk appetite considerations and thus move into the leader quadrant.
05 There is an even mix of listed and unlisted companies in all four quadrants. This suggests that there is no evidence for linking corporate governance requirements for listed companies with the status of their ERM programmes.
06 The top leaders in this survey — and almost all the other companies — continue to invest in risk programmes, declaring that they have a stable or increasing ERM budget in 2019.
07 Overall, companies exhibit the highest level of maturity in the risk governance and business execution pillars, albeit with some room for improvement, while risk appetite and risk culture are the least developed pillars.
5 · Protiviti
The analysis of the Protiviti ERM Readiness Quadrant
provides a high-level overview of the current ERM
landscape. The majority of organisations surveyed
remain in the early phases of their journey, but
encouragingly only slightly fewer companies are
situated in the leader quadrant. The main findings
from the survey are detailed below.
Key Findings
Actionable Insights Into Implementing Your Advanced ERM Programme · 6protiviti.com
The results are encouraging since the increasing budgets
are a sign that organisations recognise the benefits of
implementing more advanced ERM programmes that
influence strategic planning and have a direct impact on
business performance. Clearly, there are firms early on
their journey that still need to understand the real
value of ERM, while top leaders will continue to
need guidance for continuous improvement.
The full survey report provides more detailed
guidance for firms in each quadrant to focus on
advancing their ERM programmes towards top
leader status. The table below gives an overview
of the main improvement actions that the firms
in each quadrant can consider to progress the
journey to the next level.
MAIN IMPROVEMENT ACTIONS TO MOVE THE ERM JOURNEY FORWARD
INITIAL ADOPTER ACTIONABLE LEADER
Enhance risk governance by formally defining and communicating roles, ownership and responsibilities of risk management
Enhance the integration with strategy setting by performing a regular risk and opportunity analysis during strategic planning and evaluation of strategic options
Enhance the existing risk culture by adopting dedicated programmes (on a regular basis)
Adopt structured methodologies and tools for risk quantification, monitoring and reporting
Engage the CRO at an early stage in the strategy setting process (including evaluation of strategic options)
Consider risk culture elements when hiring and promoting personnel. This may also include linking performance targets to risk culture elements
Define a process that allows the coordination of the risk and opportunity analysis with planning processes
Augment the collaboration between strategic planning and ERM functions during the strategic planning process
Review the entity’s business strategies whenever the underlying risks are not aligned with the entity’s risk appetite
Protiviti’s advice over many years to clients on ERM methodologies and frameworks has aligned with the latest COSO view which integrates ERM with strategy setting, performance management and decision-making processes. As such, the Protiviti ERM Readiness Quadrant is a useful benchmark for gap assessment as well as action planning. - Dolores Atallo, Managing Director, Protiviti
On average, the survey shows that risk governance as
well as the management of risks related to strategy
and business execution are the most advanced ERM
elements, suggesting that they are the ones typically
approached first when starting an ERM journey.
The pillars of lowest maturity among the companies
surveyed are risk appetite, risk culture and ERM
integration with evaluation of strategic options,
business planning and forecasting. Based on
our experience, confirmed by this study, these
pillars require a stronger commitment, and often
more resources and more sophisticated tools
and techniques, to be adopted in a structured way
throughout the organisation. Ensuring the support
7 · Protiviti
of top and senior management is therefore essential
to advance further along the ERM journey.
The results of this survey are aligned with the Protiviti
vision of a progressive ERM journey towards a mature
“risk-informed” decision-making system, depicted
in Figure 3.
The Protiviti Enterprise Risk Management Methodology
Framework is based on a risk-informed perspective
to assist companies that wish to implement an ERM
programme that helps them anticipate, adapt and
respond to change, focusing resources on risks
and opportunities that can impact their strategy
and performance.
48%
55%
48%
48%
Risk Governance
Evaluation of Strategic Options
Risk Appetite
Business Planning and Forecasting
Risk Culture
Business Execution
43%
65%
Figure 2: Maturity level of each ERM pillar — Average of all respondents
Area of focus
ESTABLISH AND EVOLVE THE OVERALL ERM GOVERNANCE
STRATEGY AND BUSINESS EXECUTION
Do we know our risks?
Do we manage and monitor what
really matters?
Do we make risk-adjusted
decisions?
Do we make decisions
in line with our risk
appetite?
Do we act as desired at all levels?
Disseminate a risk-based mindset across
the organisationImplement
a robust risk appetite
framework
Integrate risk and opportunity
analysis into strategy setting
and planning
Quantify, proactively manage
and monitor top risks
Identify andprioritise
enterprise risks
EVALUATION OF STRATEGIC OPTIONS,BUSINESS PLANNING AND FORECASTING
RISK CULTURE AND BEHAVIOURS
Mat
urity
leve
l
Value added to “risk-informed” decision-making
Figure 3: The journey continuum to move the ERM programme forward
Actionable Insights Into Implementing Your Advanced ERM Programme · 8protiviti.com
Analysis by cluster: Advancing to Leader
Given the positioning of participants into the Protiviti
ERM Readiness Quadrant, the organisations have been
subdivided into the following different sub-clusters
(represented in Fig. 4): two related to the Leader
quadrant, one related to the Actionable quadrant
and three related to the Initial Adopter quadrant.
The following sections describe the key attributes and
strengths of the companies placed in each cluster (and
related sub-clusters), and further outlines an action
plan for advancing to Top Leader status, as well as
suggesting areas for continuous improvement.
Leaders
The survey classified 37% of the participant companies
as belonging within the leader quadrant which has
been sub-divided into two levels — Top Leaders and
Towards Leadership — to identify those companies
that are making significant progress towards leader
status, but are still evolving in some areas. Almost a
third of the companies in the leader quadrant were
identified as top leaders, while the rest were defined
as moving towards leadership.
Survey Results
ERM integration with STRATEGY SETTING
Initial Adopter (phase one)
Initial Adopter (phase two)
Initial Adopter (phase three)
Actionable
Towards Leadership
Top Leader
ERM
inte
grat
ion
with
PER
FORM
AN
CE M
AN
AGEM
ENT
Figure 4: Clusters within the Protiviti ERM readiness quadrant
ACTIONABLE
INITIAL ADOPTER
LEADER
INFLUENCER
100
0 100
88%
86%
78%
88%
Risk Governance
Risk Appetite
Risk Culture
Business Execution
87%
94%
Evaluation of Strategic Options
Business Planning and Forecasting
9 · Protiviti
Top Leaders
Top leaders in this survey are large companies with
revenues above 5 billion euros and more than 10,000
employees. They mainly belong to the Financial
Services or Energy and Utilities sectors, where ERM
is influenced by regulations. Since there is an even mix
of listed and unlisted companies, this suggests that
there is an appetite for linking corporate governance
requirements for listed companies with the status of
their ERM programmes. Moreover, even though they
have a mature and advanced ERM programme, top
leaders continue to invest in ERM, with all companies
in this category declaring that they have a stable or
increasing ERM budget in 2019.
Top leaders have mature ERM programmes, with
most having begun their ERM journey prior to 2015.
Their advanced ERM systems strongly support both
strategy-setting and performance management
processes within the organisation.
Top leaders exhibit a high level of maturity in each
of the pillars, with risk governance as the most
advanced. The role of the chief risk officer (CRO) is
clearly defined and communicated, and the CRO is
systemically involved in the strategy-setting process
and in the evaluation of strategic options, using
advanced methodologies that estimate the volatility
of target performance and the robustness of the
business plan.
Only leaders consider risk management ability and
effectiveness when evaluating the performance of
executives and senior managers.
Top leaders have integrated risk and opportunity
analysis into the strategic planning process and have
adopted specific methodologies to evaluate the risk-
return profile of strategic initiatives. Leaders also
periodically monitor the risk profile of the strategic
plan and/or initiatives as an input to business
planning and forecasting.
Top leaders also adopt structured performance
indicators to periodically measure and monitor top
risk exposures. They also perform risk response
decision-making in a robust way, considering for
example the defined tolerance thresholds, early
warnings, cost and benefits of the risk response.
Risk appetite is strongly defined at leading
organisations, and is communicated throughout
the organisation and monitored for each specific risk.
Figure 5: Top Leaders cluster
E&U large listed
E&U large listed
I&C large listed
FS large unlisted
FS large listed
FS medium unlisted
FS small unlisted
Actionable Insights Into Implementing Your Advanced ERM Programme · 10protiviti.com
Areas for improvementTop leaders have a well-defined risk culture that has
been clearly communicated throughout the entire
organisation by top management. However, the
ERM journey never really ends: risks are constantly
shifting, and there are always new ways to improve.
Risk culture specifically benefits from continuous
readiness assessment and improvement, as long
as progress can be made to reinforce risk culture
further. To this end, leaders may develop specific
risk culture programmes designed to ensure that
the desired behaviours and attitudes towards risk
are embedded at all levels of the organisation.
Leaders can also adopt processes, methodologies
and tools to periodically assess the type and
maturity level of existing risk cultures. Finally,
firms may also consider risk culture elements,
such as personal risk attitude and competencies,
when hiring or promoting personnel.
Risk appetite is the least developed pillar, even for
leader organisations. Very few companies (with the
exception of E&U and FS companies) consider this
pillar when defining strategy. The risk appetite score
for FS companies is 11 percentage points higher
than the overall average (54% compared to 43%),
demonstrating that strict financial regulations
govern risk appetite frameworks in this industry.
As risk appetites change over time, leading
organisations are reminded to review or alter
their business strategies if the associated risks
are inconsistent with the risk appetite framework,
or when significant changes in context occur.
As part of their ongoing strategic evaluation process,
leaders should continuously select those business
initiatives (such as new investments, products or
markets) that better fit the entity’s risk appetite
based on the expected risk-return profile.
Top leaders may also improve on their business
execution pillar by leveraging internal and external
data to develop predictive risk analytics, when
appropriate, to reinforce forecasting capabilities
and support risk-informed decision making.Leaders are not at the end of their journey since any process may improve over time. Leaders need to focus on risk culture in a more structured way to ensure that the entire organisation is aligned with the vision of top management and the board on risks and risk management. The challenge for leaders is to work in a highly structured way in order to improve the company’s risk culture, as well as maintain an effective and always updatable risk appetite. - Emma Marcandalli, Managing Director, Protiviti
64%
66%
64%
70%
Risk Governance
Risk Appetite
Risk Culture
Business Execution
62%
78%
Evaluation of Strategic Options
Business Planning and Forecasting
11 · Protiviti
Towards Leadership
Some 16 firms were identified as moving towards
leadership — again, these were a mix of listed
and unlisted companies, although they were all of
heterogeneous size and from a variety of industries.
Such companies began their ERM journey before or in
2016. They have a high level of maturity in all of the six
pillars, with a good balance of ERM integration observed
in both strategy-setting and performance management;
however, these companies still have room to improve
if they are to be assessed as top leaders.
Companies defined as moving towards leadership
are distinguished by a strong commitment to risk
management throughout the organisation, with
dedicated management committees in place along
with the regular involvement of the board of
directors. Risk governance is well defined, with
roles and responsibilities clearly assigned and
communicated. However, in most cases, the CRO
is not involved with the strategy setting process.
Organisations moving towards leadership have
established a good definition of a homogeneous
ERM methodology that features guidelines, metrics,
and scoring scales: for example, support for risk
management activities and a formal process that
actively engages management in risk assessment
activities. However, to reach a higher level of maturity,
these companies should broaden the range of tools
used to support risk management activities to better
measure and monitor their risk exposure, as well as
improve the effectiveness of the risk responses that
have already been implemented.
Even though these companies consider risks and
opportunities in the business planning phase,
the lack of timely and regular involvement of the
risk management function precludes a proper risk
analysis, which would lead to more risk-aware
decisions typical of leader companies.
Some companies defined as moving towards leadership
are already implementing a well-defined risk appetite
framework, while others remain at an initial level.
Risk culture is spread throughout these organisations,
with the board regularly engaging in significant
risk-related discussions. However, as with top leader
companies, risk culture elements are rarely taken into
consideration when hiring or promoting personnel.
Areas for improvementCompanies in this quadrant need to ensure the early
involvement of the CRO in the strategy-setting
process and when evaluating strategic options. They
also need to ensure the full integration of risk and
opportunity analysis into strategic planning processes.
These organisations would benefit from the adoption
of specific tools and techniques to better evaluate their risk
exposure and the effectiveness of their risk responses.
Figure 6: Towards Leadership cluster
E&U medium listed
I&C large listed
FS small unlisted
FS large listed
OS small unlisted
E&U medium listedI&C large listed
OS medium unlisted
FS small unlisted
E&U medium listed
E&U small unlisted
E&U large listed
FS medium unlistedTMT large listed
TMT large listed
FS small unlisted
42%
58%
48%
36%
Risk Governance
Risk Appetite
Risk Culture
Business Execution
39%
69%
Evaluation of Strategic Options
Business Planning and Forecasting
Actionable Insights Into Implementing Your Advanced ERM Programme · 12protiviti.com
Actionable
A good proportion of the organisations surveyed
(19%) were defined as actionable companies. These
organisations are primarily medium-large-sized
companies, with revenues between 500 million euros
and 5 billion euros, with more than 1,000 employees.
They also declare a stable or increasing ERM budget
for 2019. As with the leaders, the industries and listed
status of these companies are heterogeneous.
As the name suggests, actionable companies are focused
on business execution with the aim of preserving the
entity’s value. Actionable companies are characterised
by the strong involvement of senior managers in
periodic risk identification and prioritisation, and
have often already adopted guidelines and metrics
or other methods to facilitate risk prioritisation.
Typically, these companies have already implemented
more sophisticated risk assessment methodologies
and tools to help analyse their risk portfolio, and are
thereby able to determine whether any of these risks
are interrelated or whether a single event may have
cascading impacts.
As with the leading companies, risk governance is
the most advanced pillar among actionable firms.
These companies have also established a clear
definition of the relationship between ERM and
the other lines of defence.
Areas for improvementAlthough actionable companies may use sophisticated
techniques and tools to periodically measure and
monitor their risk exposure, these tend to have a
business-as-usual focus on operational, compliance
or legal risks. These organisations need to move away
from a narrow focus on recurring operational processes
towards more strategic decision-making processes.
Although actionable companies clearly define and
communicate the CRO’s role and responsibilities, the CRO
is occasionally involved in the strategy-setting process.
While the board of an actionable company may be
engaged in significant risk-related discussions on
a regular basis, these companies only occasionally
adopt the processes, methodologies and tools required
to periodically assess the type and maturity level of
existing risk culture at various organisational levels;
moreover, they rarely consider culture elements (such
as personal attitude to risk and risk management
competencies) when hiring or promoting personnel.
Risk appetite is one of the less developed pillars
for most companies, but is specifically lacking
for firms that fall into this quadrant. Actionable
companies scored 39% in the risk appetite segment
of the survey, which is below the average score of
43%. Even if the company has processes in place to
define, articulate and clearly communicate a specific
Figure 7: Actionable cluster
OS medium unlisted
E&U medium listed
E&U large listed
P&H medium listed
FS medium unlistedFS small
unlisted
E&U small unlisted
OS small unlisted
OS medium listed
OS medium unlisted
I&C medium listed
OS medium listed
OS medium unlisted
OS small unlisted
13 · Protiviti
appetite for risk-taking and has risk appetites
that are periodically approved and reviewed by the
board, risk appetite statements are rarely set in
conjunction with the strategic planning process.
These companies tend to monitor approved risk
appetite statements and tolerances only occasionally.
In order to advance to top leader status, these
organisations need to better define and/or review
their risk appetite statements and tolerances in
conjunction with the strategic planning process.
They also need to review their business strategy (or
select an alternative strategy) if the risk associated
with this strategy is inconsistent with the entity’s
risk appetite or in the event of significant context
changes. This typically occurs when there is a strong
collaboration between strategic planning and ERM
functions during the strategic planning process.
Initial Adopter
Finally, the majority of the organisations surveyed
(44%) fall into the initial adopter quadrant.
Initial adopters are mainly small and medium-sized
enterprises, with revenue below 1 billion euros, and are
mostly unlisted companies. Their ERM programmes
vary widely, with most organisations being categorised
as currently residing in the second or third phase.
Due to the varying levels of ERM maturity observed
among the organisations during this study, the initial
adopter category has been sub-divided into three
levels that outline specific criteria met by these
companies as they progress along their ERM journey:
Phase one companies have just taken their first
steps towards ERM and, on average, the system’s
key pillars are consequently underdeveloped. Such
companies may have introduced some concepts of
risk governance, but still need to formally define
and implement key roles and responsibilities for
risk officers, senior management and the board
of directors.
Phase two companies have a stronger involvement
of senior management in the risk identification
process and have clearer governance, with defined
relationships between ERM and the other lines of
defence in the organisation. Compared to phase
three companies, they are almost exclusively
focused on processes and business execution,
the framework has a less formal structure, and
overall their risk culture is less developed.
Phase three companies have a stronger risk
governance, with the ERM function typically
reporting to the CFO and the board. Compared to
other initial adopters, phase three companies have
a higher maturity level across all pillars. They are
experiencing the identification and understanding
of potential risks and opportunities for each of
the strategies being considered, challenging
critical assumptions and scenarios, albeit in an
unstructured or sporadic manner.
While actionable companies normally have a short-term view of risks, leaders have a more medium- to long-term view of additional risks. They look at emerging risks that can profoundly influence strategy-setting within a company. This is probably the most crucial difference between an actionable company and a leader. Actionable companies should try to shift or refocus their energy, attention and analysis towards emerging risks. To do so effectively, the CRO (or equivalent) must be present from the outset, as well as during the strategic planning process, to facilitate the understanding of risks and opportunities over both the shorter and the longer term. At present, this is a real challenge, because the CRO needs to have the stature to sit at the same table and to engage in strategic conversations with the top management of the company. - Dolores Atallo, Managing Director, Protiviti
42%
42%
37%
43%
Risk Governance
Risk Appetite
Risk Culture
Business Execution
35%
46%
Evaluation of Strategic Options
Business Planning and Forecasting
Actionable Insights Into Implementing Your Advanced ERM Programme · 14protiviti.com
Initial Adopter Phase Three
Phase three initial adopter companies have already set
up an ERM function that typically reports to the CFO and
the board of directors. Compared to other companies in
the initial adopters’ quadrant, phase three organisations
have a higher maturity level in terms of both strategy-
setting and performance management.
Occasionally, these companies have begun to
identify and understand the potential risks and
opportunities associated with certain strategies, and
are also beginning to challenge critical assumptions
and take potential different scenarios and conditions
into account. However, there are still clear areas in
which improvement is required.
Areas for improvementRisk governance is an obvious area for improvement,
particularly in regard to defining and communicating
the roles, ownerships and responsibilities of the
CRO and/or the heads of risk management. The CRO
also needs to be involved in the strategic planning
process from the beginning, while risk escalation
processes and related roles and responsibilities
need to be more clearly defined.
As noted above, one of the strengths of initial adopter
phase three companies compared to those in phase
two is that they are more developed on how ERM
supports the evaluation of strategic options: at least
occasionally, they seek to identify and understand
the potential risks and opportunities of each strategy
being considered. However, the CRO should be
involved earlier in the strategic evaluation process.
Moreover, while phase three firms challenge
strategic planning assumptions and consider
potential different scenarios and conditions, they
rarely identify and measure the impact of risks
and opportunities using scenario analysis, stress
testing, and/or other quantitative techniques.
Figure 8: Initial Adopter cluster — Phase Three
P&H medium unlisted
OS small unlisted
I&C small unlisted
TMT medium listed
I&C large listed
FS small unlisted FS medium unlisted
OS large listedOS small unlisted
FS small listed
FS small unlisted
FS medium unlistedP&H medium unlisted
For initial adopters that wish to advance on their ERM journey, the first pillar to focus on is risk governance. Companies need to ensure they are effectively defining and communicating risk governance roles and ownership responsibilities. This is the most important step towards improvement and moving the ERM journey forward, because without clear ownership of these roles inside the organisation, it is challenging to invest enough focus and energy on this type of programme. - Esther Delgado, Director, Protiviti
15 · Protiviti
Initial adopters tend to use qualitative risk scoring
methodologies and tools, which are suitable for
the beginning of the ERM journey. However, firms
wishing to ensure that risk influences their decision-
making process need to make more objective
and quantitative information available to the
top management.
Risk and opportunity analysis, when conducted by
initial adopter phase three firms, rarely provides
input for the potential review of strategic plan
assumptions if the resulting risk exposure is considered
unacceptable. This analysis should be implemented
in a more structured and periodic manner during the
strategic planning process, which means that the risk
conversation should start well before the planning
process begins (rather than after a strategy plan has
been drafted or approved). This is typically the step
required for companies to move from initial adopter
phase three towards the leadership quadrant, or at
least the influencer quadrant.
The less mature pillars in these companies are
risk culture and risk appetite. Improvements in
risk culture should begin at the definition stage,
with leadership’s desired behaviours and attitudes
towards risk being clearly communicated throughout
the organisation. Both management and personnel
should also be encouraged to report concerns about
potentially inappropriate or excessive risk taking.
Most initial adopter companies do not have a risk
appetite framework in place. A formal process therefore
needs to be created to define risk appetite, as well
as to engage the board in periodically approving
and reviewing the firm’s set risk appetite.
Initial Adopter Phase Two
Phase two companies are mainly medium-sized,
unlisted companies, with an ERM function in place
that typically reports to the Chief Executive Officer
and Chief Financial Officer.
Phase two companies have good risk governance,
generally with a clear definition and communication
of the roles and responsibilities of the CRO or head
of risk management in place, while ERM usually
has a functional relationship with the other lines of
defence. The board of directors typically has a risk
oversight role.
Compared to phase three initial adopter companies,
phase two firms are mainly focused on business
execution. They have already adopted a formal process
that periodically involves senior management in the
risk identification process. They also adopt guidelines,
metrics and/or a scoring scale to help individuals
prioritise risks in a consistent way.
These companies tend to be more oriented towards
the integration of their ERM system with performance
management. If these firms continue in this direction,
they will move toward the actionable quadrant; if they
wish to move toward the influencer (if not directly
the leadership) quadrant, they should improve the
integration of ERM with strategy-setting.
For an effective “risk-informed” decision making process, it’s not enough to say whether a risk is high, medium or low. Instead, risk officers should try to quantify the financial impact of a risk, or its impact on business objectives, and fortify controls and strategies to compensate. Otherwise, it’s hard to really understand the risk exposure and how much the company should be willing to invest to reduce that exposure. By quantifying the impact, organisations are able to check their risk-return balance and better facilitate the risk-return discussion. Improving methodologies and tools for affecting, measuring and reporting risks is probably the most important step for initial adopters. - Pasquale Vico, Associate Director, Protiviti
Figure 9: Initial Adopter cluster — Phase Two
OS medium unlisted
FS small unlisted
OS medium unlisted FS medium unlisted
I&C medium unlisted
FS medium unlisted
FS small unlisted
E&U medium listedOS medium listed
OS medium unlisted
25%
44%
29%
17%
Risk Governance
Risk Appetite
Risk Culture
Business Execution
9%
56%
Actionable Insights Into Implementing Your Advanced ERM Programme · 16protiviti.com
Areas for improvementIn order to balance ERM integration with both
strategy-setting and performance management,
initial adopter phase two companies should work
on the following areas to move to the next clusters.
Integration with performance management.
Phase two companies can improve existing practices
by adopting tools and methodologies to measure
and monitor risks in a more systematic way (e.g.
introducing key risk indicators as well as IT tools
to support risk measurement and monitoring
activities). They should also improve their risk-
response decision making so that it considers
defined tolerances and early warnings, as well as
the company’s capacity to survive risk events.
Integration with strategic options evaluation.
Phase two companies should start to work on this
integration. They need to identify and understand the
potential risks and opportunities of each strategy being
considered and determine the potential impact of each
option on the organisation’s existing enterprise-wide
risk profile. Moreover, to progress within the journey,
these firms should continue to monitor the risk profile
of strategic initiatives during their execution.
Integration with strategic planning. After risk
appetite, strategic planning and forecasting is the
least developed pillar for phase two firms. By defining
a formal process to integrate both risk and opportunity
analysis into the strategic planning process and by
adopting a methodology to estimate the volatility/
variation of planned performances, these companies
will consequently be able to challenge strategic plan
assumptions and to evaluate the resilience of business
plans. To this end, firms should work to better engage
the CRO and senior managers in this integrated
process, and should also present the plan’s risk
profile to the board for approval.
Risk appetite. It is undoubtedly the pillar with the most
room for improvement where initial adopter phase
two companies are concerned. With a few exceptions,
these companies’ appetite for risk taking is never
formally defined, communicated to and/or approved
by the board. In order to enhance the maturity in this
pillar, phase two organisations should start by defining
and communicating risk appetite statements and
tolerances, and should then consider reviewing specific
strategies to determine whether the associated risks
are inconsistent with the desired risk appetite.
Risk culture. Although the board is regularly involved
in significant risk-related discussions, there remains
widespread room for improvement regarding the
spread of risk culture across the organisation. This
could be achieved starting from a dedicated training
programme, along with other awareness initiatives
and communication channels, followed, in next stages,
by a programme that should ensure the desired risk
culture is properly driven throughout the enterprise.
Evaluation of Strategic Options
Business Planning and Forecasting
Figure 10: Initial Adopter cluster — Phase One
I&C medium listed
FS small unlisted
OS small unlisted
17 · Protiviti
Initial Adopter Phase One
Only three of the companies surveyed were defined
as phase one initial adopters. These are small
and medium-sized companies, with a general
low maturity level in all six ERM pillars.
Areas for improvementAs one of the first areas that companies develop
when starting their ERM journey, risk governance is
the most developed pillar in phase one companies.
Even if they have already addressed some aspects,
in order to develop a stronger risk governance and
continue their ERM journey, these companies
should first enhance their risk governance by
clearly defining and communicating risk
ownerships and responsibilities.
As a second improvement step, phase one companies
should introduce processes and methodologies
allowing them to identify, assess and prioritise the
risks that could potentially affect the company’s
ability to achieve its goals.
Analysis by Pillars
All participant companies were assessed on the
maturity of the six main pillars of their ERM
frameworks: risk governance, risk appetite, risk
culture, evaluation of strategic options, strategic
planning and forecasting, and business execution.
They were asked to evaluate best practices in those
areas on a scoring scale from “fully present” to
“not present”.
The overall results per pillar are summarised below
and reflect the fact that the pillars with the higher
maturity, like risk governance and business execution,
are typically the ones that are approached first when
starting an ERM journey, while the ones with a lower
maturity, like risk appetite, evaluation of strategic
options, business planning and forecasting, and
risk culture, require a stronger commitment (and
sometimes more resources and more sophisticated
tools and techniques) to be adopted in a structured
way throughout the organisation.
48%
55%
48%
48%
Risk Governance
Risk Appetite
Risk Culture
Business Execution
43%
65%
Evaluation of Strategic Options
Business Planning and Forecasting
Figure 11: Maturity level of each ERM pillar — Average of all respondents
Evaluation of Strategic Options
Business Planning and Forecasting
15%
19%
13%
15%
Risk Governance
Risk Appetite
Risk Culture
Business Execution
14%
32%
Actionable Insights Into Implementing Your Advanced ERM Programme · 18protiviti.com
Risk Governance
Average score – 65%
Risk governance is one of the first areas that
companies develop when starting their ERM
journey; even those companies that have recently
implemented their ERM system are deemed more
mature in this area.
Risk Appetite
Average score – 43%Risk appetite is the least developed pillar. In most cases, the appetite for risk-taking is not adequately defined nor communicated across the organisation, and very few companies consider it when defining their strategy. Exceptions are the Energy & Utilities industry, which is very mature across all areas, and Financial Services, which is characterised by stricter regulation of risk appetite frameworks.
Risk Culture
Average score – 48%Most companies engage the board in significant risk-related discussions. However, only leader companies have training programmes and awareness initiatives in place to spread and strengthen risk culture
throughout the organisation.
Evaluation of Strategic Options
Average score – 48%
The evaluation of strategic options is performed
by identifying and understanding potential risks
and opportunities. However, only a few companies
involve the ERM function in this process and adopt
a structured methodology to evaluate the resilience
of the business plan and the volatility of the
target performances.
Business Planning and Forecasting
Average score – 48%
While many companies challenge critical strategic
plan assumptions, only a few have implemented
a formal and structured process for assessing the
strategic plan risk profile. Such a process should
involve CROs and senior management in identifying
and measuring the impact of risks and opportunities,
as well as ensuring the timely definition of risk responses.
Business Execution
Average score – 55%Almost all companies have processes and methodologies in place to identify and assess the risks that could affect the achievement of the company’s business goals. However, only a few companies perform risk measurement, risk mitigation and risk monitoring in a structured way by adopting dedicated tools, techniques and/or indicators/indexes, and performing cost-benefit analysis before implementing risk responses.
Overall, companies exhibit the highest level of maturity in the risk governance and business execution pillars, albeit with some room for improvement. This is not surprising, since companies normally start their journey by focusing on risks that may affect the achievement of defined strategic and business objectives and by assigning roles and responsibilities to management, the board, and the risk management and control functions.
On the contrary, risk appetite is the least developed pillar. And this is also expected, since the introduction of a risk appetite dialogue requires a higher maturity at the management and board level, including a better understanding of key strategic risk exposures, as well as the application of more sophisticated techniques, as this can concretely influence strategy setting and business planning.
The results of this survey are substantially aligned with the Protiviti vision of a progressive ERM journey
(Fig.3 on page 7).
60%
69%
68%
67%
Risk Governance
Evaluation of Strategic Options
Risk Appetite
Business Planning and Forecasting
Risk Culture
Business Execution
64%
78%
44%
51%
42%
41%
36%
61%
LARGE FIRMS SMALL & MEDIUM FIRMS
19 · Protiviti
Assessment results — Large firms vs. others
ERM integration with STRATEGY SETTING
Initial Adopter (phase one)
Initial Adopter (phase two)
Initial Adopter (phase three)
Actionable
Towards Leadership
Top Leader
ERM
inte
grat
ion
with
PER
FORM
AN
CE M
AN
AGEM
ENT
ACTIONABLE
INITIAL ADOPTER
LEADER
INFLUENCER
100
0 100
Further analysis
The survey results have been further analysed by various factors, including company size, listed status, ERM programme maturity, industry type and geographic location, to determine which, if any, are linked to the progression of the ERM
journey toward Leader.
Company sizeThe results show that companies with revenues
in excess of 5 billion euros (most of which are
listed and have more than 10,000 employees) are
characterised by a high level of ERM system maturity.
About 70% of these companies have a good level of
integration with strategy setting and performance
management. Only three companies show a less
mature ERM system. However, these companies
have a stable or increasing ERM budget in 2019 and
therefore continue to invest in their ERM systems.
Appendix
Large firms
Evaluation of Strategic Options
Business Planning and Forcasting
LISTED COMPANIES NOT LISTED COMPANIES
46%
51%
44%
42%
52%
63%
56%
39%
61%
57%
Risk Governance
Risk Appetite
Risk Culture
Business Execution
50%
71%
Actionable Insights Into Implementing Your Advanced ERM Programme · 20protiviti.com
ERM integration with STRATEGY SETTING
Initial Adopter (phase one)
Initial Adopter (phase two)
Initial Adopter (phase three)
Actionable
Towards Leadership
Top Leader
ERM
inte
grat
ion
with
PER
FORM
AN
CE M
AN
AGEM
ENT
Assessment results — Listed companies
ACTIONABLE
INITIAL ADOPTER
LEADER
INFLUENCER
100
0 100
Two companies with lower revenues, both belonging
to the Financial Services sector, are positioned
among the most developed companies.
As a consequence of their positioning, larger firms have more developed ERM pillars compared to small or medium-size organisations.
Listed vs. unlisted companies
Though some unlisted companies appear in the
Leader quadrant, listed companies show, on average,
a more mature ERM system than unlisted ones.
Listed companies
BEFORE 2011 2011-2016 AFTER 2016
55%
61%
56%
57%
Risk Governance
Evaluation of Strategic Options
Risk Appetite
Business Planning and Forecasting
Risk Culture
Business Execution
50%
66%
47% 41%
58% 43%
47% 39%
49% 35%
43% 25%
67% 57%
ERM implemented from 2017 onwards
21 · Protiviti
Year of implementation
With only one exception, companies that started
their ERM journey two years ago or less show, not
surprisingly, a less mature ERM system.
Analysing the results by year of ERM system setup,
it is confirmed that companies have improved over
time. Those that have implemented the ERM system
for the longest time are characterised by a higher
level of maturity in all the pillars, confirming that
ERM is not a one-off exercise but a structured
and periodic process.
On average, risk governance is the more mature
pillar for these companies, while risk appetite
is less developed. This outcome confirms that
risk governance is the first element addressed by
companies when starting their ERM journey.
ERM integration with STRATEGY SETTING
Initial Adopter (phase one)
Initial Adopter (phase two)
Initial Adopter (phase three)
Actionable
Towards Leadership
Top Leader
ERM
inte
grat
ion
with
PER
FORM
AN
CE M
AN
AGEM
ENT
Assessment results — Year of ERM implementation
ACTIONABLE
INITIAL ADOPTER
LEADER
INFLUENCER
100
0 100
Stable or increasing ERM budget Decreasing ERM budget
Actionable Insights Into Implementing Your Advanced ERM Programme · 22protiviti.com
ERM integration with STRATEGY SETTING
Initial Adopter (phase one)
Initial Adopter (phase two)
Initial Adopter (phase three)
Actionable
Towards Leadership
Top Leader
ERM
inte
grat
ion
with
PER
FORM
AN
CE M
AN
AGEM
ENT
Assessment results — ERM budget
ACTIONABLE
INITIAL ADOPTER
LEADER
100
0 100
ERM budget trends
Most companies (42) have a stable (28) or increasing
(14) ERM budget in 2019, meaning that the trend is
to continue investing in this direction. Only four
companies have a diminishing ERM budget.
More than half of companies with an increasing ERM
budget have an already mature ERM system in place.
23 · Protiviti
Industry
The companies that declare very mature ERM
systems mainly belong to the Energy & Utilities
and Financial Services industries, illustrating the
tenure of ERM in regulated industries for multiple
reasons, including regulatory requirements.
The two companies in E&U with less mature ERM
systems started their ERM journey during the past
two years.
The results among Financial Services respondents
are varied. For these companies, the assessment of
their ERM pillar maturity score is in line with the
average. The only exception is risk appetite, with
a score of 54%, which is 10 percentage points higher
than the total average, demonstrating the more strict
regulation of risk appetite frameworks in this sector.
Almost all the financial services companies with less
mature ERM systems (located in the Initial Adopter
quadrant) have less than 10,000 employees and
revenues below 5 million euros.
ERM integration with STRATEGY SETTING
Initial Adopter (phase one)
Initial Adopter (phase two)
Initial Adopter (phase three)
Actionable
Towards Leadership
Top Leader
ERM
inte
grat
ion
with
PER
FORM
AN
CE M
AN
AGEM
ENT
Assessment results — Industry
ACTIONABLE
INITIAL ADOPTER
LEADER
INFLUENCER
100
0 100
E&U Financial Services Other Industries
Actionable Insights Into Implementing Your Advanced ERM Programme · 24protiviti.com
CRO/Head of ERM
45
Compliance
5
Audit
2
CEO
2
CIO
1
Other
8
RESPONDENTS
HEADQUARTERS
Financial Services & Real Estate 20
Other Services 17
Energy & Utilities 11
Industrial & Construction 8
Technology, Media & Telecommunications 4
TOTAL 63
Pharmaceutical & Healthcare 3
INDUSTRY
70%+22
13
11
4
6
7
Italy
UK
Rest of Europe
Other
US & Canada
Africa
25 · Protiviti
Sixty-three companies took part in the Protiviti
ERM Readiness Survey, which ran from March 2019
to June 2019. The companies were of varying size
and spread across regions as well as industries.
Responses were gathered mainly from CROs,
heads of ERM, or heads of risk management.
Demographics
Not Listed
60%
LISTED/NOT LISTED
Listed
40%
YEAR OF ERM SETUP*
Number of companies
15
4
4
9
8
< 0.1 billion
1-5 billion
0.1-0.5 billion
5-10 billion
10-50 billion
0.5-1 billion
> 50 billion
8
15
2018 REVENUE (€/$) DISTRIBUTION
Number of companies
5
4
3
26
9
> 50,000
500-1,000
10,000-50,000
150-500
50-150
1000-10,000
<50
13
3
NUMBER OF EMPLOYEES
*Eight companies declined to answer
Before 2011 2011-2016 After 2016
32
12 11
Actionable Insights Into Implementing Your Advanced ERM Programme · 26protiviti.com
Risk Governance Culture
27 · Protiviti
The Protiviti Enterprise Risk Management Methodology
Framework is based on a risk-informed perspective
to assist companies that want to implement an ERM
programme to anticipate, adapt and respond to change,
focusing resources on risks and opportunities that can
impact their strategy and performance.
How Protiviti Can Help
The new Protiviti ERM framework is based on a risk-informed perspective.
A major goal of ERM is to provide management and the board with information on risks and opportunities that may influence key decision-making. This can be accomplished by an ERM journey guided by a trusted advisor to facilitate their success.
Identify Quantify
Risk Governance Risk Appetite
Identify Risks and Opportunities
Assess and Quantify Impacts
Prioritise Enterprise Risks
Quantify Top Risks
Set Up Risk Appetite
Integrate with Evaluation of
Strategic Options
Integrate with Planning, Budgeting
and Forecasting
Integrate with Performance Monitoring
and Reporting
Make Risk-Informed Decisions
Monitor and Report
Risk Culture
Strategy and Business Execution
Methodologies, Data and ToolsERM Enablers
External Factors Industry/Business Context
DRIVE THE CHANGE
Internal Factors Expectations, Needs and Constraints
ERM Pillars
ERM Process Steps Integrated into Strategy Setting and Performance Management
Drive the change towards risk-informed decision-making.
Business Planning and Forecasting
Evaluation of Strategic Options
Decide Monitor
Actionable Insights Into Implementing Your Advanced ERM Programme · 28protiviti.com
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
United States
Dolores AtalloManaging DirectorNorth America Lead, ERMNew York
Europe
Emma MarcandalliManaging DirectorGlobal Lead, ERMMilan
Matt TaylorManaging Director, ERMLondon
Pasquale VicoAssociate DirectorRome
Esther DelgadoDirector, ERMLondon
OUR EXPERTS
NOTES:
29 · Protiviti
NOTES:
Actionable Insights Into Implementing Your Advanced ERM Programme · 30protiviti.com
© 2019 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-1019-108210
© 2
018
Proti
viti
Inc.
An
Equa
l Opp
ortu
nity
Em
ploy
er M
/F/D
isab
ility
/Vet
eran
s. P
RO-0
918
THE AMERICAS UNITED STATESAlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort Lauderdale
HoustonKansas CityLos AngelesMilwaukeeMinneapolisNew YorkOrlandoPhiladelphiaPhoenixPittsburghPortlandRichmond
SacramentoSalt Lake City San FranciscoSan JoseSeattleStamfordSt. LouisTampaWashington, D.C.WinchesterWoodbridge
ARGENTINA*Buenos Aires
BRAZIL*Rio de Janeiro Sao Paulo
CANADAKitchener-Waterloo Toronto
CHILE*Santiago
COLOMBIA*Bogota
MEXICO*Mexico City
PERU*Lima
VENEZUELA*Caracas
EUROPE, MIDDLE EAST & AFRICA
FRANCEParis
GERMANYFrankfurtMunich
ITALYMilanRomeTurin
NETHERLANDSAmsterdam
UNITED KINGDOMBirminghamBristolLeedsLondonManchesterMilton KeynesSwindon
BAHRAIN*Manama
KUWAIT*Kuwait City
OMAN*Muscat
QATAR*Doha
SAUDI ARABIA*Riyadh
UNITED ARAB EMIRATES*Abu DhabiDubai
EGYPT*Cairo
SOUTH AFRICA *DurbanJohannesburg
ASIA-PACIFIC AUSTRALIABrisbaneCanberraMelbourneSydney
CHINABeijingHong KongShanghaiShenzhen
INDIA*BengaluruHyderabadKolkataMumbaiNew Delhi
JAPANOsaka Tokyo
SINGAPORESingapore
*MEMBER FIRM