One should not take things for granted, and this also applies
to ERM. In the case of ERM, this would
mean identifying feedback mechanisms about the effectiveness of ERM to provide
assurance to boards about the value generated.
This should also generate further insights to enhance ERM’s value
added.
This connection between ERM and value has not escaped
supervisors. On a company level, EU
directives covering prudential regulation of banks and insurers include
requirements that aim to formalise these feedback mechanisms.
While boards and regulators may be interested in the
effectiveness of ERM in specific companies, there seems to be less evidence at
an industry level. Wouldn’t it be useful
to understand the link between ERM effectiveness and the role and experience of
the CRO? How does board oversight contribute to ERM effectiveness?
These are challenging questions, which are considered in a
recent working paper by Cristina Bailey, assistant professor at the University of New Hampshire,
using data for publicly traded US insurers.*
There is a fair amount of statistics and econometrics in this paper,
which would have been covered through peer review. There are differences between regulatory requirements
on the two sides of the Atlantic, which could challenge the ability to infer
from US data for Europe. However, it
would seem that ERM effectiveness is driven by the underlying business rather
than regulatory requirements and that the lessons should be transferable.
So what can we learn from this paper? There are a number of measures of ERM
effectiveness and benefits. The
effectiveness of risk management can be gauged by reference to the ratings
awarded by S&P for risk management.
There are five possible ratings: very strong, strong, adequate with
strong risk control, adequate and weak.
In the paper, ERM is defined as holistic risk management and is
associated with the top two S&P ratings.
ERM benefits can be considered by referring to the volatility in stock
returns. ERM benefits can also be
inferred using a measure of strategic industry positioning defined as the
difference between the return on assets for the insurer and the top quartile.
Normally, it is important to consider the experience that
the CRO brings to the role. A number of
experiences are specifically identified: oversight (e.g. prior experience as
CEO or COO), financial (e.g. accountancy qualification or prior role as CFO or
financial controller), industry (previous employment in the insurance industry)
and risk (previous experience as a CRO or a senior risk management
position).
The analysis suggests that the breadth of the CRO’s
experience is positively related to ERM effectiveness after controlling for a
wide range of relevant factors. However,
this logic does not seem to apply to the expertise of the risk or audit
committee. But before you despair about
the value of effective risk governance provided by a board committee, consider
the impact on ERM benefits mentioned earlier by reference to volatility or
strategic industry positioning. The
breadth of expertise of the committee members turns out to be a significant
determinant of the ERM benefits.
This result is a useful reminder of the difference between
outputs (effective ERM) and business outcomes (e.g. risk reduction). A potential way of pulling together these
results is as follows: a CRO with broad expertise can successfully shape the
effectiveness of ERM. However, the wider
ERM benefits depend on shaping the overall direction of the company, which
requires, amongst other things, board committee members with a similar breadth of
experience to act on the outputs that the CRO leading an effective ERM system
would generate. The above points to the
importance of the qualities of CROs.
Headhunters Hedley May have also published an interesting
paper on the role of the CRO – and the risk function – based on discussions
with CROs in banking, insurance, investment management and other
stakeholders.** Their analysis seems to
support the above hypotheses about the difference between an effective ERM
system and delivering business benefits such as lower volatility. The qualities of a good CRO were found to
include relationship building, influence and an ability to synthesise. These
would provide the CRO with appropriate credibility in front of the board to go
beyond an effective ERM and affect business decisions.
* ‘The Effect of Chief Risk Officer and Risk Committee Expertise
on Risk Management’ (forthcoming, www.ssrn.com)