One should not take things for granted and this also applies to ERM. In the case of ERM, this would mean identifying feedback mechanisms about the effectiveness of ERM to provide assurance to boards about the value generated. This should also generate further insights to enhance ERM’s value added.
This connection between ERM and value has not escaped supervisors. On a company level, EU directives covering prudential regulation of banks and insurers include requirements that aim to formalise these feedback mechanisms.
While boards and regulators may be interested in the effectiveness of ERM in specific companies, there seems to be less evidence at an industry level. Wouldn’t it be useful to understand the link between ERM effectiveness and the role and experience of the CRO? How does board oversight contribute to ERM effectiveness?
These are challenging questions, which are considered in a recent working paper by Cristina Bailey, assistant professor at the University of New Hampshire, using data for publicly traded US insurers.* There is a fair amount of statistics and econometrics in this paper which would have been covered through peer review. There are differences between regulatory requirements on the two sides of the Atlantic, which could challenge the ability to infer from US data for Europe. However, it would seem that ERM effectiveness is driven by the underlying business rather than regulatory requirements and that the lessons should be transferable.
So what can we learn from this paper? There are a number of measures of ERM effectiveness and benefits. The effectiveness of risk management can be gauged by reference to the ratings awarded by S&P for risk management. There are five possible ratings: very strong, strong, adequate with strong risk control, adequate and weak. In the paper, ERM is defined as holistic risk management and is associated with the top two S&P ratings. ERM benefits can be considered by referring to the volatility in stock returns. ERM benefits can also be inferred using a measure of strategic industry positioning defined as the difference between the return on assets for the insurer and the top quartile.
Normally, it is important to consider the experience that the CRO brings to the role. A number of experiences are specifically identified: oversight (e.g. prior experience as CEO or COO), financial (e.g. accountancy qualification or prior role as CFO or financial controller), industry (previous employment in the insurance industry) and risk (previous experience as a CRO or a senior risk management position).
The analysis suggests that the breadth of the CRO’s experience is positively related to ERM effectiveness after controlling for a wide range of relevant factors. However, this logic does not seem to apply to the expertise of the risk or audit committee. But before you despair about the value of effective risk governance provided by a board committee, consider the impact on ERM benefits mentioned earlier by reference to volatility or strategic industry positioning. The breadth of expertise of the committee members turns out to be a significant determinant of the ERM benefits.
This result is a useful reminder of the difference between outputs (effective ERM) and business outcomes (e.g. risk reduction). A potential way of pulling together these results is as follows: a CRO with broad expertise can successfully shape the effectiveness of ERM. However, the wider ERM benefits depend on shaping the overall direction of the company which requires, amongst others, board committee members with a similar breadth of experience to act on the outputs that the CRO leading an effective ERM system would generate. The above points to the importance of the qualities of CROs.
Headhunters Hedley May have also published an interesting paper on the role of the CRO – and the risk function – based on discussions with CROs in banking, insurance, investment management and other stakeholders.** Their analysis seems to support the above hypotheses about the difference between an effective ERM system and delivering business benefits such as lower volatility. The qualities of a good CRO were found to include relationship building, influence and an ability to synthesise. These would provide the CRO with appropriate credibility in front of the board to go beyond an effective ERM and affect business decisions.
* ‘The Effect of Chief Risk Officer and Risk Committee Expertise on Risk Management', (forthcoming, www.ssrn.com)
If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here. My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox.