Trying to determine the value of enterprise risk management (ERM) is a difficult challenge. A quotation frequently attributed to Albert Einstein (although more likely originally said by sociologist William Bruce Cameron) gets to the crux of the issue: “Not everything that can be counted counts, and not everything that counts can be counted.”
Issues with measuring ERM value
Donna Galer, writing for the Insurance Thought Leadership blog, summarizes the reasons why the value of ERM programs are not easily quantified:
- It is extremely hard to know when a loss did not happen because of ERM.
- It is just as hard to quantify the cost of loss that did not happen.
- It is difficult to quantify the “soft” benefits of enhanced reputation because ERM is practiced or because of improved strategic alignment in the organization; ERM requires an understanding of the company’s strategic goals and objectives to identify the risks that might derail their achievement.
- It is often hard to justify the time and expense of measuring something that is not easy to measure.
Determining the objective value of a prevented loss or improved strategic alignment is highly problematic. Despite the very real value associated with those activities, determining a specific value without having an actuary assess probabilities and amounts seems extremely difficult. Not everything that counts can be counted.
Start with the most concrete numbers
While the costs of “what otherwise would have happened without ERM” are difficult to measure, there are more tangible numbers that can be used as a starting point.
Eliminating manual enterprise risk efforts
A Deloitte report prepared for COSO provides insight into why the manual approach of simply throwing bodies at the ERM reporting process is not sustainable. “People aren’t enough. To be efficient, they must be supported by the right technology. Many entities begin their ERM journey in a simple spreadsheet environment. This can be practical in the early stages of development as both risk owners and senior leadership ascertain their analytical and reporting requirements. Later years can be quite challenging without automation, especially if the entity is large, complex, and geographically distributed.”
Identifying the manual costs associated with a process offers a logical starting point when justifying the expense of an ERM system. The Deloitte report concludes that, given the features available in today’s ERM systems and the drain on resources associated with a spreadsheet-based process, “Most systems will quickly pay for themselves in saved labor costs.” Add to this the fact that companies relying on manual reporting processes not only pay for resources dedicated to producing reports, but they also lose the insights, analysis, and context those same resources could be adding if not bogged down in administrative tasks.
Risk control efficiency
Although not at all a comprehensive figure when trying to determine the overall value of an ERM system, improvements in the efficiency of the organization’s risk control measures offers additional hard numbers to point to. This includes the elimination of over-controlled risks identified through ERM.
While these numbers may justify the cost of an ERM solution, expanding this effort further to identify its full value quickly becomes much less clear-cut. For example, factors like a reduction in incident rates can be difficult to attribute to a specific cause. Multiplying this effect across all of the KPIs an organization employs, means that sorting out correlation and causation among a sea of metrics becomes impossible. Not everything that can be counted counts.
Link with strategic goals to widen the discussion of value
The primary goal of any ERM program is to improve decision making. If the enterprise risk data from the program enables the organization to make strategic decisions that help achieve objectives, ERM is fulfilling its promise. To ensure that happens, start with the organization’s goals, and work backwards to the supporting indicators.
Michael Yip, Vice President of Risk Management with DFW International Airport, underscored this point in a recent discussion. “The key is to look at each proposed step and relate it directly back to objectives the executive team is already focused on. Identifying those which most strongly align with organizational targets and goals helps to shortlist the framework elements to those which matter most.”
One of the benefits of this approach is that it considers both enterprise risks and opportunities. For those relying exclusively on traditional methods, including upside opportunities can be difficult. The blog CFO states, “One reason is that the two most widely used tools currently employed in ERM risk assessment are the risk register and risk heat map. The focus of both of these is only the perceived threats to an organization–they provide no consideration of the positive value that could be created by taking risks.”
Amplify strategic connection with leading indicators
EHS Today conducted a survey involving 14 companies with millions of records created over several years to examine the impact and adoption of leading indicators versus lagging indicators. They found that most respondents focused almost exclusively on lagging indicators. The report states, “Lagging indicators are easy to measure, but typically offer insight into the outcome of a process only after an incident has taken place. That means they’re rather tricky to influence.”
According to the study, leading indicators held far more value when aiding strategic decision makers. “You therefore can think of a leading indicator as a form of predictive analysis. Predictive data can go one step further than the “what” and “why” of an incident by giving an indication as to what might happen next.”
In this article, Guilherme Lopes describes how his company used cohort analysis to work backwards from a critical strategic objective (reducing customer churn) to discover critical leading indicators (use of one specific product feature, lack of contact with support services, and leads generated through the product). This made it relatively simple to recommend strategic changes to the onboarding process designed to attack those leading indicators. The approach, while challenging, is replicable across all industries. Having the data in a central system, however, will make the analytic process far easier.
Overcoming the ERM data difficulties
A bottom-up approach to ERM begins with the metrics at hand and tries to push them upward. The hope is that the executive team can somehow mine strategic value from the data. This method often leads to focusing on the metrics most easy to capture, without any context of providing value in the decision-making process.
Nearly two decades ago, Thomas A Stewart provided an excellent viewpoint on how risk management should be thought of when he wrote that “the point of risk management isn’t to eliminate [risk], that would eliminate reward. The point is to manage it—that is, to choose where to place bets, where to hedge bets, and where to avoid betting altogether.” Seen in that context, ERM data should enable better choices for “placing bets.” It should also shine a light on how well hedging and avoidance strategies are working.
Defining a set ROI on an ERM program investment is extremely difficult. Proving that ERM is solely responsible for avoiding an event with a definable cost (or for undertaking an opportunity with a specific payoff) will likely remain a practical impossibility. Justifying the cost of a program by eliminating manual data/report preparation and optimizing the efficiency of controls may be a much easier task. Adding a focus on leading indicators that are tied to the organization’s strategic objectives makes the value added from the program far more self-evident than any ROI analysis could be.