Organizations employing mature risk management practices, as assessed with the RIMS Risk Maturity Model, realize a valuation premium of 25 percent, the Risk Management Society said.
“Anecdotal evidence of the business value of ERM is abundant, but organizations of all types and their management teams, committees and regulators have been looking for value measurements verified by independent research,” RIMS said in a report. It cited a 2014 valuation study by Mark Farrell and Ronan Gallagher using RMM data on publicly traded companies.
While enterprise risk management studies have focused on the financial and insurance industries, which lead in adoption, the valuation study is the first to include other sectors, such as manufacturing (accounting for 38.7 percent of companies included in the study), transportation, communications, electric, gas and sanitary services (19.6 percent) and services (16.9 percent).
Of the 225 companies sampled from the RMM data collected between 2006 and 2011, 76 percent were based in the US.
“We find that the most important aspects of ERM from a valuation perspective relate to the level of top-down executive engagement and the resultant cascade of ERM culture throughout the firm,” the study said.
It also noted a “clear and significant statistical correlation between mature enterprise risk management practices and a firm’s value.”
Mature practices exhibit established routines throughout the enterprise, with engagement from top levels, according to RMM. The majority of firms sampled in the study fell at the “repeatable” or third level of a five-level scale, where the top three are considered mature.
The lowest two levels apply to practices that lack discipline, especially enterprise-wide coordination. “Silo-based risk activities are dominant,” the study said.
“Our results suggest that firms that have reached mature levels of ERM exhibit a higher firm value, as measured by Tobin’s Q,” it said. The Q ratio is the total price of the market divided by the replacement cost of all its companies, hence the sampling of public companies from the RMM data.
The study used statistical regression to analyze drivers of firm value, with Tobin’s Q as a proxy. The overall ERM maturity score for each enterprise was included as a possible driver of value, along with other variables.
“When we drilled down to look at the marginal valuation impact by ERM attribute we found that the highest marginal valuation impacts are associated with attributes 6 (Performance Management) and 2 (ERM Process Management), contributing to around 23 percent and 20 percent respectively to the firm’s value as measured by Tobin’s Q,” it said.
Other core attributes of mature risk management identified by RMM are root cause discipline, uncovering risks, risk appetite management, and business resilience and sustainability.
The study also found that each of the individual ERM attributes is highly correlated with the others (with correlations generally in the range of 70 percent to 80 percent).
“This highlights the point that ERM maturation is not a matter of piecemeal improvements to one or two individual attributes at particular points in time,” the study said. “ERM maturity depends on evolving practices in concert with all of the seven attributes over time.”
RMM, developed with LogicManager, is a tool with which managers identify the interrelationships of risks and improve related decision making throughout their organizations.
Participants assess their organizations’ ERM activities on the five-level maturity scale, with responses scored against 25 risk management competency drivers and their underlying 68 “readiness” indicators. They also rate effectiveness of ERM activities, degree of proactivity and pervasiveness throughout the organization.