Despite pressures to do so, many companies have yet to implement practices for better risk management. Such practices, whether implementing Enterprise-wide Risk Management or putting better information in the hands of directors, greatly improve corporate governance, these authors discovered. Moreover, they make the risk manager’s job much more important.

The huge losses experienced by Barings Bank and Daiwa Bank in the 1990s and the more recent implosions of Enron and WorldCom have underlined the reality that effective risk management and corporate governance go hand in hand. In Canada, this was first made explicit in the Toronto Stock Exchange-commissioned report, Where Were the Directors?, also known as the Dey Report. In response, the TSE adopted 14 recommendations of the report as best-practice guidelines for listed companies. The guidelines suggest that the board of directors should assume responsibility for stewardship, including strategic planning, risk management, and internal control. Specifically, the guidelines recommend that boards assume responsibility for “the identification of the principal business risks of the corporation’s business, ensuring the implementation of appropriate systems to manage these risks.”

In 1999, the TSE completed a follow-up survey, Five Years to the Dey. This report was designed to evaluate developments in corporate governance and the relevance of the previous report’s recommendations. The report stated that:

“The research findings present a complex picture. On one hand, it is clear that most corporations take the TSE guidelines seriously. Many of the largest companies that account for the greatest proportion of Canadian equity investment are leaders in corporate governance. A number of the TSE guidelines are now broadly accepted business practices. On the other hand, important areas remain where general practice falls short of the guidelines’ intent.”

One finding of the 1999 report was that many boards, especially those in resource industries, have no formal process for evaluating risk. Thirty-nine percent of participating companies had no formal process, while 55 percent in the gold and precious minerals sector had no formal process. These results raise the question of whether or not the TSE guidelines are having the intended effect on companies’ behavior.

In this paper, we address an important, related issue: how have the TSE guidelines affected companies’ risk management strategies? How have companies responded to the requirement for more comprehensive risk management practices, and, according to risk managers, what is the next step in the evolution of their discipline?

Enterprise Risk Management

To assess these issues, we surveyed all members of the Canadian Risk and Insurance Management Society (RIMS); we supplemented our survey results with interviews with 21 of the respondents. While our results suggest that the guidelines have influenced risk management practices for many companies, they also reveal that a number of companies have yet to change their practices.

In effect, the TSE guidelines encourage companies to adopt an Enterprise Risk Management (ERM) approach to risk management, that is, to manage risk using a more holistic, or strategic, view of risk, rather than the traditional silo approach. However, such a change does not occur easily, nor is there a great deal of experience to show companies how it should be done. Hence, to determine the extent to which Canadian companies have adopted ERM, we sent a survey to all members of the RIMS. We sent out 336 surveys and received 118 back.

The results of the survey show that 37 out of 118 firms have adopted ERM, 34 are currently investigating ERM, and 47 are not considering ERM. Of those that have implemented ERM, 16 are listed on the TSE; 13 have a position called Chief Risk Officer. Of those firms using ERM, 37 percent said that compliance with the TSE guidelines was a driving force behind their decision, while 51 percent said it was due to encouragement from the board of directors. Twenty-eight percent indicated that concern for directors’ and officers’ (D&O) liability was important.

Other evidence that the TSE guidelines are impacting corporate governance practices and risk management strategies is found in the responses to a question that asked: What changes have you observed in your company in the past three years? The responses provide strong evidence that the board is becoming more involved in risk management. Forty-five percent indicated that company-wide guidelines for risk management have been developed, while 59 percent of the risk managers indicated that they have an increased sense of responsibility to provide information to senior officers, the board, or committees of the board. In terms of ERM, the fact that 49 percent of the respondents indicated that there is an increased awareness of nonoperational risks by operational risk management personnel, and vice versa, also suggests that companies are moving toward an enterprise-wide view of risk. Further evidence from the survey that ERM is becoming more prevalent is seen in the fact that 64 percent indicated that there is more coordination with different areas responsible for risk management, while 58 percent say that there is more interaction and involvement in the decision-making of other departments. With respect to the catalysts for the above-noted changes, 44 percent indicated a desire to comply with the TSE guidelines, 41 percent indicated increased concern regarding D&O liability exposures, 36 percent indicated competition or other industry-related pressure (which suggests that even those firms that are not listed on the TSE may be concerned about the guidelines), and 30 percent indicated the adoption of an ERM strategy by the firm.

Recent changes that were more likely in ERM companies include the development of company-wide guidelines for risk management, increased direct interaction with the board or its committees, and an increased sense of responsibility to provide information to senior officers, the board, or committees of the board. In addition, ERM users exhibited an increased awareness of non-operational risks by operational personnel and vice versa, more coordination with different areas responsible for risk management, and more interaction and involvement in the decision making of other departments. The adoption of an ERM strategy was indicated to be influential in bringing about these changes for companies that used ERM. These results are consistent with behavior that we would expect ERM users to exhibit. Specifically, the results indicate more interaction between departments and more involvement by the board of directors.

Thus, while only about one third of companies have adopted an ERM strategy, there is evidence that companies are moving toward a more enterprise-wide view of risk. Further, it is apparent that the board is becoming more interested and more involved in risk management. Given the benefits to be gained from ERM as well as implementing the TSE’s recommendations, one might expect that more companies would have adopted ERM. To understand why ERM is not more common and what the direct impact of the TSE guidelines has been, we interviewed 21 respondents and asked them about the benefits of ERM, the obstacles to implementing it, the impact of the TSE guidelines on their risk management strategies, and their thoughts on what the evolution in risk management will be.

The risk manager and ERM

The benefits of ERM

When asked to list the greatest benefits of implementing ERM, respondents discussed such issues as the importance of consistency in risk retention limits, having a better handle on the transactional aspects of their risk management program–allowing them to see if they were over/underinsured–and the benefit of coordinating risk management decisions, permitting an overall reduction in risk. The bottom line was that risk managers saw ERM as an effective way to reduce overall costs by managing better and reducing risk.

A second benefit was the move toward a company-wide philosophy regarding risk management. Adopting an ERM approach was one way to align everyone with the same objective. As one person indicated, “Everyone becomes a risk manager.” This proactive mindset results in risk management permeating the entire company. Furthermore, if everyone buys in, better results are expected. A third benefit, one that results from a better understanding of the risks, is improved decision-making and greater comfort at the board level. This aspect of ERM is likely to become even more important as the focus on corporate governance continues to increase and the role of directors is put under the spotlight. Improved communication was another benefit that risk managers described. ERM “forces divisions to talk and communicate” and helps to break down individual silos, each managing a different aspect of the company’s risk profile. This both contributes to a better understanding of risk overall and facilitates the flow of information to senior management and the board.

Deterrents to implementing ERM

To gain a greater understanding of why only one-third of respondents had implemented ERM, we asked the 21 interviewees to list the three greatest deterrents to implementing ERM. A primary obstacle cited by many of the risk managers was the existence of a silo mentality and people’s desire to protect their turf. Respondents described how difficult it is to talk about risk across departments and the challenge that stems from a general lack of coordination between areas. One respondent indicated that middle management perceived ERM as a threat, while another described the difficulty in dealing with internal politics and personal agendas in the firm, especially with middle management. Related to corporate culture is the issue of organizational structure. For those companies that are decentralized and have delegated the responsibility for risk management to each unit, it is difficult to achieve consistency across regions.

A second major obstacle is the lack of “buy-in” from senior management and the board. This is a critical component since it demonstrates the need for a company-wide risk management philosophy; without the buy-in of the entire staff, it will be impossible to achieve one of the most important aspects of ERM: getting people to think outside their areas. A third obstacle is related to resources: time, money, and people. Some are reluctant to implement ERM because of the cost involved, which is both hidden and hard to establish, and the difficulty in measuring the benefit. Further, ERM requires a commitment of staff, raising the issues of both competing demands (people are already busy) and identifying people with the skills and expertise to implement the process. More generally, the effects of business downturn and recession often translate into curbed expenditures in the risk management area, partly because it is not a profit center. Management change, retirement, and downsizing can result in overburdening those who remain, forcing the management team to focus on immediate problems and issues, and making it difficult to engage in more strategic, longer-term planning.

Impact of the TSE guidelines

The TSE guidelines for effective corporate governance have been in place since 1995. However, the 1999 report found that many boards, especially those in resource industries, have no formal process for evaluating risk. In order to assess the specific impact of the TSE guidelines on risk management strategies, we asked: “Have the TSE guidelines affected how your firm handles the risk management function?” In their responses, risk managers discussed three main effects. First, risk management has become more of a focus for committees of the board. This development has been accompanied by an increase in accountability. Risk management is generally monitored by the audit, finance, or risk management committee. Regardless of which committee examines risk management, it is now being considered from an overall strategic standpoint rather than more narrowly as a single silo.

A second, related issue is the board’s heightened interest in risk management. This is demonstrated by an increased awareness of risk management, greater participation by the board in terms of asking questions about risk management, greater appreciation for the importance of risk management, and an increase in concern regarding directors’ and officers’ liability issues.

A third area relates to the effect the TSE guidelines are having in emphasizing and supporting earlier initiatives such as those put forth by the Canadian Comprehensive Auditing Foundation (CCAF), the Canadian Institute of Chartered Accountants (CICA), and the Blue Ribbon guidelines. All of these provide guidance for improving risk management, and the TSE guidelines have helped to reiterate the importance of these initiatives and provided risk managers with some ammunition for heightening the profile of risk management in their companies. This issue has also been important for not-for-profit organizations, but only indirectly, as they are still concerned about governance issues in general even though the guidelines do not apply to them.

The “new” risk manager

The current initiatives to strengthen corporate governance and risk management have largely been motivated by large corporate failures. Although progress has been made in improving corporate governance, there is still substantial room for improvement. Risk management has evolved a great deal over the past four decades and risk managers themselves have gone from being primarily insurance buyers to being, in some instances, a critical player in a company’s decision to implement ERM.

What will the next phase of risk management look like? According to our interviews, the next evolution, or major revolution, that will occur in the field of risk management will see insurance becoming less important, especially for large firms, and risk management itself becoming much broader in scope and embedded in the corporate philosophy. There will be a greater emphasis on loss prevention, alternative risk financing options, risk communication, and accountability. Disciplined management of risk will become a core requirement for all management in the future. It can no longer be compartmentalized, but must become part of everything the company does because, as one respondent stated, “the more you know about threats and opportunities, the better you will do.”

The role of the traditional risk manager will likewise change. The new risk manager will be expected to have a broader skill set, greater competency in a variety of fields, and better education. Some went so far as to say that, “risk managers may die as top management questions their worth” or “the traditional role of the risk manager will not continue to exist.” These responses suggest that unless risk managers can demonstrate that they are adding value, their positions could disappear.

The next generation of risk management will focus less on insurance buying, and more on developing a strategic, enterprise-wide approach to risk. The implications of such a shift for directors are clear: They will become instrumental in asking questions, demanding answers, and making sure that potential risks have been identified, quantified, and managed.