This paper explores the implications of a relatively recent organizational development, enterprise risk management (ERM), for the management of strategic risks. Since ERM has not been fully implemented in the majority of companies, little academic research exists about its drivers, obstacles, or impact, especially regarding the processes that identify and mitigate risks to the company’s strategy and the integration of different types of risks across the company into strategic planning. Which forces are behind this push for a more organized and integrated management of significant risks, including strategic risks? What obstacles are firms encountering as they implement ERM? How does ERM impact the company’s ability to implement its strategy?
The study uses data collected from a survey of 271 risk and financial executives in North American and European companies as well as current examples of company practice to investigate why enterprise risk management has become a priority. Descriptive statistics identify what the drivers and challenges are in implementing ERM. Chi-square analyses pinpoint which benefits early ERM adopters are reporting, and which tools and techniques they prefer.
ERM is first defined and illustrated with specific examples of strategic risk management. Its prevalence and stages of implementation are documented. The primary drivers of ERM, ranked in order of importance, are shown to be corporate governance requirements; gaining a greater understanding of strategic and operating risks; and regulatory pressures, including pressures from credit rating agencies. Case examples from BP and a round-table of board audit committee members illustrate how stronger corporate governance requires greater focus on risk management, including strategic risks. The most significant obstacles to implementing ERM, ranked in order of importance, are competing priorities, insufficient resources, and lack of consensus about ERM’s benefits. Chi-square results show significantly fewer challenges for companies with advanced ERM systems than for those with less advanced ERM systems, especially concerning the lack of consensus about ERM’s benefits. Case examples from Bristol-Myers Squibb and Henkel illustrate how ERM can be integrated with other company-wide processes such as strategic planning.
The benefits of full ERM implementation, ranked in order of importance, are better-informed decisions, greater management consensus, increased management accountability, and smoother governance practices. Chi-square analyses show that these benefits were significantly higher for companies with fully implemented ERM systems than for companies that had not yet completed ERM implementation. Two Canadian companies, Terasen and Hydro One, illustrate the benefits of having an ERM process completely in place. The tools and techniques used to measure the impact of strategic risks were shown to differ depending on the stage of ERM implementation. For advanced ERM companies, the most frequently used tools and techniques were key risk indicators, individual self-assessments, and scenario analysis.
This paper also identifies issues for ERM effectiveness depending on whether the process owner is an auditor, chief risk officer or strategic planner. It concludes with a research agenda to study how strategic risks will be incorporated into ERM and its impact on strategy implementation.