What Is Mature Risk Management?

Research increasingly indicates that mature risk management programs are those that support enhanced decision-making by integrating effective risk identification and assessment approaches into an organization's governance structures and management processes. To identify which risk management programs are mature, Aon researchers focused on four fundamental and foundational areas:

• governance and infrastructure, which includes committees, policies, and supporting systems such as technologies that are used to support the risk management process;
• process, which encompasses the tools and techniques that an organization uses to identify, analyze, quantify, respond to, and monitor risk;
• integration, which includes the techniques used to take the risk information obtained and utilize it in key decisions such as planning, merger and acquisition (M&A) transactions, new market/product decisions, supply chain, etc.; and
• culture and communication, which is the organization's culture and ways of discussing risk.

After rating organizations' maturity in these four areas, the researchers were able to determine that companies with a higher-than-average risk maturity typically differentiate themselves in three ways: awareness, agreement, and alignment.

Awareness of the complexity of risk is key to understanding the range of potential scenarios and outcomes related to strategic goals and objectives. Thus, it's vital to defining realistic performance expectations. Organizations with higher levels of risk maturity achieve a comprehensive understanding of the risks to their performance and strategic objectives as they set goals, ensuring that they are well-positioned to respond to those risks. This risk management approach enhances their ability to achieve objectives and enjoy steady performance over time.

In particular, mature organizations exhibit an understanding of the interrelationships between risks, and they may have begun to study risk correlation via analysis of common risk drivers, among other methods. They are adept at incorporating information from both internal and external sources into their risk management analyses, taking a view of risk that extends beyond their own immediate operational sphere. Finally, they supplement anecdotal and qualitative knowledge of risk with quantitative analysis to increase the accuracy of their understanding.

Organizations with higher levels of risk management maturity typically work around three key fundamental statistical modeling concepts relating to risk for their organization: understanding the organization's ability to take risks; understanding the organization's underlying risk profile through stochastic modeling; and evaluating the efficiency of various risk transfer strategies for the organization. In companies that have successfully incorporated these statistical modeling concepts into organizational decision-making, this approach supports financial objectives and helps with management of volatility in key risk areas. On average, these organizations identify savings of approximately 5 percent of their total cost of risk, or premiums plus retained loss.

Agreement and formal consensus on risk management strategy and expectations. Mature organizations establish formal structures such as risk committees to act as a forum to facilitate the development of a consensus on the organization's risk management strategy. The risk committee tends to be an embedded subset of the executive management structure, but for those organizations with the highest levels of risk management maturity the risk committee tends to be a committee of the board of directors. In such cases, organizations with the most sophisticated risk management practices tend to have their risk committee chaired by a non-executive director, together with a balanced composition of other non-executive and executive directors.

Effective risk committees assist the board in assessing the different types of risks to which the organization is exposed. They also support the board and executive management team in establishing the organization's risk management strategy. They define and set risk appetite and tolerance levels and then exercise strong oversight of management's execution of the overall risk management strategy for the organization. However, achieving initial agreement on strategy is not the end of the process for risk-mature organizations.

Leadership teams at organizations with higher levels of risk management maturity regularly and consistently communicate their expectations about the execution of risk management activities to the organization. Then, after reaching consensus and communicating key tolerances and guidelines to the organization, leadership teams at more mature organizations tend to review and refine their approach on an ongoing basis, outside of an annual review process or other defined cadence. Rather than allowing the consensus to remain static, they continuously re-evaluate the conditions and assumptions underlying the agreed-upon strategy to ensure that the approach is based on the most recent information and current circumstances.

To achieve stable performance over time, an organization must not only set appropriate expectations, but also understand outcomes and how the drivers of those outcomes may impact future performance results. These practices support an organization in its ability to recognize and react to drivers of less-than-ideal outcomes, thus contributing to more stable performance over time.

Alignment of organizational architecture with risk management objectives. Organizations with higher levels of risk management maturity are distinguished by elements of their organizational architecture that contribute to an overall alignment of their workforce to an understanding and execution of risk management roles and responsibilities. These companies use risk metrics to guide employees' behavior and communicate results, incorporate risk management responsibilities into performance reviews, and link incentive structures to risk management outcomes.

Further, organizations at a sophisticated level of risk management maturity are structured to encourage transparency and consistent flow of information regarding negative or unexpected results. More than 80 percent of risk-mature organizations have a culture in which negative predictions are typically shared with appropriate parties on a proactive basis to drive action and learning. In contrast, when less-mature organizations share negative predictions, it's often done on a reactive basis or only at the request of leadership. Best practice is generally considered to be a culture in which employees are encouraged to share negative feedback with their managers, and in which leaders actively seek negative predictions for review and incorporation into improvement efforts and discussion of alternatives. Organizations in which these practices are standard also tend to have reduced barriers to communication and heightened understanding between corporate silos, which encourages cross-functional collaboration.

The most mature organizations typically incorporate concepts around risk and return into their strategic decision-making at the highest levels. A great example is how organizations continue to evolve the extent of risk analysis they apply to capital investment decisions. The basic concepts of risk and return have been around for many years, but we see organizations with higher levels of risk management maturity having greater awareness of the quantitative modeling techniques available to them to support analysis of risks and returns. Simple, rule-of-thumb approaches were long ago replaced by more complex models. Techniques such as sensitivity and scenario analysis, risk adjusted discount rate, and probability analysis are increasingly used by organizations to support key capital investment decisions. In many cases, organizations use a multiplicity of techniques in a complementary fashion.

Correlation Between Risk Maturity and Returns

Using these definitions of risk management maturity, Aon rated 361 publicly traded companies across five continents on a risk maturity index from 1 to 5. Then we evaluated the share price performance of organizations at each level of maturity. The full results appear in the November 2013 edition of the "Aon Risk Maturity Index Insight Report."

In short, this study found that there is a direct relationship between a higher risk management maturity rating and higher relative stock price returns. In the year ending March 2013, companies with a maturity rating of 5 experienced an average 18 percent increase in their share price, while companies with a maturity rating of 1 experienced an average 10 percent decline in share price.

There is also an inverse relationship between a higher risk management maturity rating and lower stock price volatility. As a group, the companies with advanced risk management maturity exhibited 38 percent less stock price volatility than companies with the lowest maturity rating.

Perhaps most notable, the study found evidence of a direct relationship between higher risk management maturity and companies' relative return on equity. During the year ending March 2013, organizations with the highest level of risk maturity had a 37 percent return on assets, while those with the lowest risk maturity score had a negative return on assets, of -11 percent. (See Figure 1, below.)

Organizational Resilience

The report also finds a direct correlation between a higher risk maturity rating and the relative resilience of an organization's stock price in the immediate aftermath of a significant event in the financial markets. Aon's researchers used the Bloomberg Scenario function to subject each company to stress testing around a significant market event, including the 2008 Lehman Brothers collapse, the 2010 Greek fiscal crisis, and the 2011 Japanese earthquake. This analysis indicated a direct relationship between higher levels of risk management maturity and the relative resilience of an organization's stock price.

In each case, the organizations with more mature risk management functions experienced significantly lower negative shocks to their share prices than did companies with less mature risk management. The external market events reduced stock prices of mature companies by 30 percent to 91 percent less than they reduced stock prices of other organizations.

These findings provide evidence for the view that organizations' external stakeholders are leveraging insights into their risk management frameworks and are incorporating them into assessments of the potential financial performance and resilience of organizations. Companies seeking to achieve superior sustainable financial performance are proactively looking to achieve higher levels of risk management maturity and enhanced decision-making by integrating effective risk management practices into their existing governance structures, management processes, and overall culture.

Where to Start

Organizations that actively wish to improve their risk management practices and are wondering where to begin should consider some fundamental starting points. They should consider using a risk maturity tool to gain a baseline understanding of their current capabilities and to help identify specific areas for improvement. Risk maturity tools that specifically help organizations benchmark their strengths and weaknesses in comparison with their industry peers can provide additional insights into competitive advantages and disadvantages.

Once organizations have benchmarked their risk management practices, they should take time to assess and prioritize their ongoing risk management activities based on the insights they've gleaned. These insights can be very advantageous to decision-making around strategy, investment, and allocation of resources.

Companies may also consider conducting a risk framework review, typically using a scorecard-based process, to evaluate their current capabilities. This approach can be easily aligned with COSO and ISO standards, and it is generally considered to be a best practice. A risk framework review provides the strong advantage that it lays the foundation for building new capabilities and provides a roadmap for achieving advanced risk management maturity. After establishing a framework, a company will find that additional risk processes can be implemented, integrated, measured, and communicated throughout the organization to create a continuous, sustainable model for risk management.

Disclaimer: This article is for general informational purposes only and is not intended to provide individualized business or legal advice. The information contained in this article was compiled from sources that Aon considers to be reliable; however, Aon does not warrant the accuracy or completeness of any information herein. Should you have any questions regarding how the subject matter of this article may impact you, please contact your Aon team member or other appropriate advisor.

——————————————–

Kieran Stack, managing director of operations and strategy at Aon Global Risk Consulting, provides risk advisory services to multinationals and large corporates with a focus on optimization of cost of risk. Kieran also leads Aon's enterprise risk management and business continuity risk management teams in the U.S. and has global project lead responsibility for the Aon Risk Maturity Index.

Jenna Cavanaugh is a consultant with Aon Global Risk Consulting's enterprise risk management team. In addition to supporting organizations in various risk governance projects, Jenna is also the U.S. lead for the Aon Risk Maturity Index.