This study analyzes the valuation implications of ERM maturity. ERM (Enterprise Risk Management) is defined as the discipline by which enterprises monitor, analyze, and control risks from across the enterprise, with the goal of identifying underlying correlations and thus optimizing risk-taking behavior in a portfolio context. The study is conducted in the German market.
The results suggest that firms that have reached mature levels of ERM exhibit a higher firm value. The authors find in particular that the most important aspects of ERM from a valuation perspective are the level of top-down executive engagement and the resultant cascade of ERM culture throughout the firm. Firms that have successfully integrated the ERM process into both their strategic activities and their everyday practices display a superior ability to uncover risk dependencies and correlations across the entire enterprise and, ceteris paribus, gain value as they progress along the ERM maturity journey.
Of particular importance is the emphasis on top-down support and leadership, and on embedding ERM in everyday management practices, in order to realize its maximum value. This also stresses the need for efficient, non-bureaucratic instruments and approaches, such as agile process improvement, that employees can increasingly relate to based on their experience in other projects that seek to improve processes and/or IT systems.
Farrell, M. and Gallagher, R. (2015), The Valuation Implications of Enterprise Risk Management Maturity. Journal of Risk and Insurance, 82: 625–657. doi:10.1111/jori.12035. http://onlinelibrary.wiley.com/doi/10.1111/jori.12035/abstract
Expert Opinion by Patrick Oudhuis
“No, we work Agile so controls are no longer relevant. They don’t add value ...”
We hear this more and more often in organizations that adopt Agile process improvement. The statement stems from the idea that Agile is mainly focused on responding to the market and on the self-learning structure of teams, on the assumption that when risks manifest themselves they are quickly detected and can then be responded to.
An Agile way of working offers good opportunities to reduce the impact of events exposing an organization to a number of risks. Through short sprints and the continuous delivery of small changes, problems in processes can be quickly detected and solved.
However, this covers only a small part of managing all the risks that an organization runs. There are also risks that you want to prevent (reduce the likelihood of events before they occur), transfer or insure, or (consciously) accept. It is essential to identify these risks and to define a strategy to mitigate them. There is a good chance that, as part of this strategy, control activities still need to be in place to assure that the risk appetite is not exceeded. But of course, only if they add value.
As an example, the GDPR came into force on 24 May 2016 and will apply from 25 May 2018. This is a tightening of the existing laws and regulations in the area of data and privacy protection, focusing especially on how private digital information is collected, processed, stored, shared and destroyed. It is pivotal that all organizations working with such sensitive data are able to prove that they are in control. This is not only about being able to recover quickly, but especially about implementing controls to prevent privacy incidents.
How to do this effectively? Following the research results, I support an approach in which operational risk management is closely connected with the primary processes of an organization: no unfocused workshops and unnecessary paperwork, but to-the-point risk management that follows a lean vision of process improvement. This could be summarized as Agile Risk Management.
An approach like this assures a fit with the organizational objectives, as well as efficiency in determining, prioritizing and implementing the required controls.