Colquitt, Hoyt, and Lee (1999)

The objective of this study was to assess the characteristics and extent of integrated risk management. The aspects of risk management that were evaluated are:

• The extent to which risk managers are involved in managing pure financial risks facing their firms.
• The nonoperational types of risks handled by risk managers and techniques being used to handle a broader set of risks.
• The effect of factors such as firm size, the industry characteristics, and the background and training of the risk manager have on participation in integrated risk management activities.

The data was collected from a questionnaire sent in October 1997 to firms found in the Business Insurance 1995-96 Directory of Insurance Buyers of Insurance, Benefit Plans & Risk Management Services. Only those firms with a dedicated employee in charge of risk management were included in the sample. As a result, many smaller firms were not included in the sample. A sample of 1,780 questionnaires was sent and 379 responses (21 percent response rate) were received. Fifty percent of the responses came from the manufacturing industry and only 9 percent of the responses came from the finance, insurance, and real estate industries.

Regarding the background and training of the risk manager, some of the key findings are: the number of risk managers without a college degree was minimal; the majority of risk managers reported that they hold an undergraduate degree; 40 percent of the risk managers held a master’s degree; the Associate in Risk Management (ARM) is the most favored professional designation obtained by risk managers; risk management is the most common background (66 percent of respondents); risk managers with a legal background interacted more frequently with the finance or treasury department, which suggests that risk managers with a legal background relied heavily on financially trained employees; risk managers in smaller firms and those with finance, accounting, or legal backgrounds are likely to be involved in the decision to use derivatives as a risk management tool; lack of qualified personnel, educating management, and resistance from the board of directors are the most cited barriers to integrated risk management.

Regarding the structure and operation of risk management within the company, the authors found that risk management formed part of the finance and/or treasury department, with 36 percent of respondents and 29 percent of companies having separate risk management departments. For 22 percent of companies, the operational risk management function was handled entirely by the finance and treasury department. Political risk, exchange rate risk, and interest rate risk were the three most common nonoperational risks handled by the risk management department. Among derivative instruments used for risk management, swaps and forwards were the most common. Options and futures were used by 45.8 percent and 39.5 percent of the respondents, respectively. Finally, the authors found that multiyear contracts were the favorite alternative risk management, with captives coming in at a distant second.

The study concluded by saying that the role of the risk manager was evolving and that the risk manager was getting involved in the management of a wider spectrum of risks faced by the firm. The trend toward integrated risk management was expected to continue.

Kleffner, Lee, and McGannon (2003)

The authors motivate their study by pointing out that public companies worldwide are facing ever-increasing scrutiny of their corporate governance policies and practices. ERM evolved as a result of this scrutiny, and also as a fallout of the accounting debacles such as Enron and WorldCom. According to a 2001 study by Economist Intelligence Unit (EIU), only 41 percent of companies in Europe, North America, and Asia had implemented ERM, but when U.S. and Canadian companies are analyzed, the number of firms that had implemented ERM drops to 34 percent. The researchers hypothesize that increased scrutiny of companies by various agencies, and the Toronto Stock Exchange (TSE) guidelines, will urge more companies to adopt ERM.

The researchers pose the following questions:

• To what extent do companies in Canada use ERM?
• What are the characteristics associated with ERM?
• What obstacles do companies face in implementing ERM?
• What role have corporate governance guidelines played in the decision to adopt ERM?

The data was obtained through a survey to the members of the Canadian Risk and Insurance Management Society as well as telephone interviews with 19 of those respondents.

The results indicate that of the 118 firms in the sample, only 37 used an ERM approach, 34 were investigating an ERM approach, and 47 companies were not considering ERM. Of those companies that implemented ERM, 37 percent said that TSE guidelines were a driving force behind the decision, 51 percent said that it was due to the encouragement of the directors, 28 percent said concern for directors’ and officers’ liability was important, and 61 percent said that the presence of a risk manager influenced the decision to implement ERM.

Other factors that deterred the implementation of ERM were an organizational culture that discouraged ERM, an overall resistance to change, and the lack of qualified personnel to implement ERM. The overall results indicate that an increasing number of companies were aware of the importance of ERM and more companies were moving in the direction of implementing ERM as a result of TSE guidelines and other agencies.

Liebenberg and Hoyt (2003)

Liebenberg and Hoyt state that the appointment of a chief risk officer (CRO) signals to the world the importance attached to ERM by a company and assume that the appointment of a CRO also says that the company is ready to reap the benefits associated with ERM.

The objective of the research was to investigate the differences between a sample of firms that have signaled the appointment of CROs and a closely matched control sample that have not appointed a CRO. The authors highlight the difficulty in obtaining data, since public companies are not mandated to disclose the presence of an ERM system or the appointment of a CRO.

The authors investigate the following research hypotheses:

• Firms with higher volatility in terms of earnings and stock price are likely to appoint a CRO.
• Highly leveraged firms are more likely to appoint a CRO.
• Growing firms are more likely to appoint a CRO.
• Financially opaque firms are more likely to appoint a CRO.⁵
• Firms that have a higher percentage of institutional holding are more likely to appoint a CRO.
• Firms that have subsidiaries in Canada or the United Kingdom are more likely to appoint a CRO.

The sampling population is defined as those U.S. firms that announced the appointment of a CRO between 1997 and 2001. The article concludes that there is no systematic difference between firms that signal their use of ERM by the appointment of a CRO and similar firms. However, the research did find that large firms and highly leveraged firms are more likely to appoint a CRO.

Beasley, Clune, and Hermanson (2005a)

By the time of this study and the following study (Beasley, Clune, and Hermanson 2005b), there had been a rising interest in ERM and added interest in ERM by many internal auditors. The data used in both of these studies was funded by the IIA Research Foundation to examine internal auditing’s involvement in ERM. A survey was administered to more than 1,170 Institute of Internal Auditors (IIA) who were members of the Global Auditing Information Network (GAIN) service. Completed survey responses were received by 175 respondents (response rate of 10.3 percent) and approximately 90 percent of those respondents were chief audit executives (CAEs). The CAEs were the primary intended targets for the survey.

Most of the respondents were from the United States, with representation from other countries including Canada, the United Kingdom, and Australia. No one industry represented more than 15 percent of the respondents. A majority of the respondents were from government, manufacturing, financial, and education industries. Most of the responding companies were large, with median 2003 revenues of $1.3 billion. The respondents were familiar with Committee of Sponsoring Organizations (COSO) guidelines. Eleven percent of the surveyed firms have a complete ERM framework, 37 percent of the responding firms have a partial ERM framework, and 17 percent of the firms have no plans to implement ERM.

As an indicator of the organization’s commitment to risk management, respondents were asked about the existence and nature of the CRO. Of the responding firms, 33 percent have a formally designated CRO and 15 percent believe they have someone fulfilling the role of CRO. In companies with a formally designated CRO, they found that there is a great deal of interaction between the CRO and CAE. Among firms with partial ERM implementation, there is significant interaction between the audit department and the risk management department.

The survey reveals wide diversity in the adoption of ERM and in the internal auditing department’s role in ERM. There was optimism regarding ERM’s impact on the company and on internal auditing. The authors state that ERM adoption is likely to gain traction and will demand more involvement with internal auditing.

Beasley, Clune, and Hermanson (2005b)

This study is the second in a series that the authors conduct. The first study summarized above (see Beasley, Clune, and Hermanson 2005a) describes the survey results. This second article is a more advanced analysis employing regression analysis to more deeply explore factors associated with the extent of implementation of ERM. The authors note that there is little research on what factors affect the stages of ERM implementation, including board of director characteristics. Stages of ERM, which form the dependent variable of this research paper, refer to the level of ERM implementation in an organization. ERM 1 suggests that no plans exist to implement ERM and ERM 5 suggests that a complete ERM is in place.

As described above, the data for this research was collected in 2004 through survey responses from members of GAIN. Responses were received by 175 respondents but 52 observations had to be dropped because applicable data was not available for the regression analysis. The final sample consisted of 123 organizations.

The researchers probed the following research questions:

• Is the presence of a Chief Risk Officer positively associated with an enterprise’s stage of ERM deployment?
• Is a higher percentage of board of director (BOD) members who are independent positively associated with enterprise’s stage of ERM deployment?
• Are explicit calls from the chief executive officer (CEO) or chief financial officer (CFO) for internal audit involvement in ERM positively associated with an enterprise’s stage of ERM deployment?
• Is the presence of a Big Four auditor positively associated with an enterprise’s stage of ERM deployment?
• Are larger firms more likely to have further-developed ERM deployments?
• Are entities in the banking, education, or insurance industries more likely to have further-developed ERM deployments?
• Are non-U.S. enterprises more likely to have further-developed ERM deployments?

The results show that variables such as CRO presence, more independent BOD, explicit calls from CEO or CFO for internal audit involvement in ERM, are positively associated with a company’s extent of ERM deployment. Large firms and those audited by Big Four audit firms are further into their ERM deployment stage. Also, firms in the banking, education, and insurance fields are found to be further into their ERM deployment stages. Finally, the results indicate that U.S. firms are not advanced in their ERM implementations.

Desender (2007)

Desender points out that given the increased attention and scrutiny on risk management practices, little research has been performed to explore why some firms adopt ERM and why some do not. The paper explores the link between ERM implementation and board composition. The author claims that the paper makes significant contributions to corporate governance research by establishing a relationship between board composition and ERM.

The hypotheses tested are as follows:

• There is a positive relation between the percentage of outside directors on the board and degree of ERM.
• There is a positive relation between the separation of CEO and chairman, and ERM.
• The relationship between board independence and ERM is stronger when there is a separation of CEO and chairman.

One hundred randomly selected firms from the pharmaceutical industry in 2004 were chosen for the study. To assess the degree of ERM, the author uses publicly available information such as 10-K reports, proxy statements related to fiscal year 2004, and the company web site. All other data was collected through Worldscope. One unique aspect of this study is that the author coded the ERM efforts by the COSO ERM component.

The pharmaceutical industry was chosen for the following three reasons: (1) this industry has been used in previous corporate governance research; (2) this industry is competitive and has been known to take shortcuts to perform; and (3) the pharmaceutical industry is faced with multiple risks and should display sufficient variation in the implementation of ERM.

The results suggest that board independence in isolation has no significant relation with ERM quality. Firms that have a different chairman and CEO favor more elaborate ERM and show the highest level of ERM implementation. The author takes a bold step to postulate that CEOs do not favor ERM implementation and, therefore, withstand pressure from the board to adopt ERM when the CEO is also the chairman of the company.

Beasley, Pagach, Warr (2008)

At the time of this study, there has been little empirical research on the costs and benefits of ERM adoption. Proponents of portfolio theory would argue against ERM because it is costly and idiosyncratic risks can be diversified away by investors at a low cost. On the other hand, it can be argued that markets are never perfect and there are benefits to the adoption of ERM by firms with certain characteristics, whereas ERM adoption by firms with certain other characteristics might destroy value.

This study aims to provide empirical evidence on the value of hiring a senior risk executive. The authors measure the equity market response to the hiring announcements of senior executives in charge of risk management.

The research hypotheses are that the market reaction to firm announcements of appointments of CROs will be positively associated with the firm’s:

• Growth options.
• Amount of intangible assets.
• Financial slack.
• Variance in earnings per share (EPS).
• Leverage.
• Size.

The data was obtained through the keyword search of terms such as “announced,” “named,” or “appointed” in conjunction with position descriptions of “chief risk officer” or “risk management” through Lexis-Nexis during 1992 to 2003. The final sample consisted of 126 observations. The data was split into two groups—financial firms and nonfinancial firms. Multivariate analysis on separated samples indicate that among the financial firms, only the slack variable is found to be significantly associated with the market reaction to announcements of appointments of senior executive officers supervising risk. For nonfinancial firms, there is no statistical association between the announcement period returns and growth. However, announcement period returns are positively associated with a firm’s extent of intangible assets, prior EPS volatility, and size (while negatively associated with the slack and leverage).

The overall results of the study indicate that the shareholders of firms with little financial slack welcome ERM. Shareholders of large nonfinancial firms with volatile earnings, greater amounts of intangible assets, low leverage, and low amounts of slack also act positively toward ERM. The authors conclude that a well-implemented ERM program can create value when it restricts the likelihood of significant downside risks such as financial distress.

Pagach and Warr (2008a)

At the time of this study, published research has focused on the benefits accrued as a result of ERM implementation but few studies have investigated the characteristics of the firms that adopt ERM. This working paper explores the link between ERM implementation and firm characteristics. Appointment of a chief risk officer (CRO) is used as a proxy for ERM implementation. The objectives of this paper follow closely from Liebenberg and Hoyt (2003), the differences being in the sample size, methodology, and the use of a larger set of variables, including the stock options of managers.

The research hypotheses are:

• Firms with more leverage and less financial slack will more likely implement ERM.
• Firms with more opaque assets, greater R&D expense, and more growth options are more likely to benefit from ERM.
• Firms with relatively more volatile stock prices are likely to benefit from ERM.

The data was collected by performing a search for key terms in the Lexis-Nexis library. For a period between 1992 and 2005 there were 138 announcements of senior risk officers. Data was also collected from Compustat and CRSP.

The results corroborate previous findings regarding firm size and leverage. Firms that are larger and those with higher leverage tend to hire CROs. Firms that have growth options are less likely to hire a CRO and conversely firms that hire CROs tend to have fewer growth options. (Note: A plausible explanation for the result is that stable firms tend to favor the adoption of ERM as a means to boost their bottom lines.) A negative relation is found between CRO hiring and change in the size of the firm. Higher CEO risk-taking incentives increase the likelihood of ERM adoption. When financial firms are considered in isolation, banks with lower Tier 1 Capital are more likely to hire a CRO.

Pagach and Warr (2008b)

The authors point out that the introduction of ERM in the rating process by Standard & Poor’s is a source of motivation for companies to implement ERM. However, the cost associated with ERM adoption is nontrivial; hence, ERM should be value enhancing in some manner. The working paper focuses on the impact of ERM implementation on financial, asset, and market characteristics.

The research hypotheses are:

• Do firms experience a change in earnings volatility around ERM adoption?
• Do firms adopting ERM improve financial performance relative to past performance and after controlling for industry performance?
• Do firm financial characteristics, such as leverage, growth, and asset opacity change after ERM implementation?

CRO appointment is used as a proxy for ERM implementation. The business library of Lexis-Nexis was searched for search words such as “announced,” “named,” or “appointed,” in conjunction with words such as “chief risk officer” or “director of risk management.” The search produced 138 announcements of senior risk officer between the 1992 and 2004 period. The appointment of a CRO is assumed to be the commencement of an ERM program.

The results suggest that there is no support for the position that ERM is value-creating. Firms hiring a CRO, when compared to non-CRO firms, exhibited increased asset opacity, a decreased market to book ratio, and decreased earnings volatility. The authors find a negative relationship between the change in the firm’s market to book ratio and earnings volatility. The study also notes that banks increased leverage after ERM adoption and that firms adopting ERM exhibit reduced stock price volatility.

Gates, Nicolas, and Walker (2009)

Up until this point, previous work on ERM has looked at the determinants of ERM adoption and those factors that explain the appointment of a chief risk officer, which some studies have used as a proxy for ERM implementation. This working paper attempts to extend the work performed earlier by examining ERM’s value inside the company, measured by better decision making and increased profitability.

The COSO framework on ERM provides a list of components that should be in place to help a company manage risk and provide reasonable assurance about meeting its objectives. However, it is not clear whether these components add value or which of these components add the most value. The authors surveyed audit and risk management executives to obtain data related to ERM deployment and organizational characteristics.

The research questions the authors pose are:

• Which components of the ERM framework lead to better decisions?
• Which component of the ERM framework leads to increased profitability?

The study finds that the ERM stage, a good ERM environment, better top-down and bottom-up communication of ERM missions, and explicit risk tolerance levels, positively influenced better decision making. A better ERM environment, explicit risk tolerance levels along with the number of employees devoted to ERM process appear to have an impact on profitability. Although companies perceive they are making better decisions, the results may not necessarily show up as increased profitability, which highlights the difficulty in bridging the value of ERM and internal control, and financial reports.

Harrington, Niehaus, and Risko (2002)

United Grain Growers (UGG), a Winnipeg, Manitoba–based agricultural company was one of the first companies in Canada to embrace ERM. Although UGG managed risk by hedging currency and commodity exposures as well as purchasing insurance against potential losses, the company’s earnings continued to exhibit significant volatility.

UGG is comprised of four main business segments: (1) Grain Handling Services, (2) Crop Production Services, (3) Live-stock Services, and (4) Business Communications. Increased disclosure requirements, Toronto Stock Exchange (TSE) guidelines, the emphasis placed on risk management by credit rating agencies, and UGG’s perception that equity analysts’ views were based on earnings results were some of the reasons that prompted UGG to explore ERM.

UGG started by forming a risk committee, which consisted of the CEO, CFO, risk manager, treasurer, compliance manager, and manager of corporate audit services. The committee appointed a major insurance company to analyze the risks faced by UGG. They established a relationship between weather and UGG’s gross profit by linking weather to crop yields, crop yields to grain volume, and grain volume to profit.

UGG’s business is a low-margin, high-volume business with heavy fixed costs. If anything goes wrong with the volume, then profits are deeply affected. UGG focused on hedging its grain risk and bundled other risks such as property and liability risks along with the hedging strategy.

The benefits accrued to UGG by embracing ERM were:

• The risk costs did not increase significantly, even when a comprehensive risk strategy was put in place.
• Provided a better understanding of ERM and improved communications about risk.
• Improved cooperation from top management and better coordination between different departments.

Insights for other firms:

• Companies in high-volume low-margin industries such as retailing and stock broking are prime targets for implementation of ERM.
• ERM does not increase the overall cost of managing risk.
• ERM is time-consuming, yet a learning experience.
• Technical expertise in the form of statistical and financial knowledge is important for successful implementation of ERM.

Aabo, Fraser, and Simkins (2005)

This case study is published in Chapter 28 of this book and is titled: “The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at Hydro One.” Please refer to this chapter for a full discussion on this case.

This case describes the successful implementation of ERM at Hydro One Inc. over a five-year period. Hydro One is a Canadian electric utility company that has experienced significant changes in its industry and business. The company is the largest electricity delivery company in Ontario, Canada, and one of the 10 largest such companies in North America. Hydro One has been at the forefront of ERM for many years, especially in utilizing a holistic approach to managing risks, and provides a best practices case study for other firms to follow.

This case describes the process of implementation ERM at Hydro One beginning with the creation of the chief risk officer position, the deployment of a pilot workshop, and the various tools and techniques critical to ERM (e.g., the Delphi Method, risk trends, risk maps, risk tolerances, risk profiles, and risk rankings).

The case presents the following key benefits of ERM at Hydro One:

• Achieve lower cost of debt.
• Focus capital expenditures process on managing/allocating capital based on greatest mitigation of risk per dollar spent.
• Avoid “land mines” and other surprises.
• Reassure stakeholders that the business is well managed—with stakeholders defined to include investors, analysts, rating agencies, regulators, and the press.
• Improve corporate governance via best practices guidelines.
• Implement a formalized system of risk management that includes an ERM system (a required component of the 1995/1999/2004 Australian Standard for Risk Management).
• Identify which risks the company can pursue better than its peers.

The authors conclude by stating that: “As a result, the management of Hydro One feels that the company is much better positioned today than five years ago to respond to new developments in the business environment, favorable as well as unfavorable.”

Stroh (2005)

The article describes the implementation of ERM at UnitedHealth Group and the success factors. The author states that ERM is quickly becoming the minimum expected of any corporation and is also the key to survival for many companies.

The following definition for ERM, used by the author, is one among many definitions provided for ERM: “ERM is meant to identify risk factors in a business, then assess their severity, quantify the magnitude, and mitigate the downside exposures while capitalizing on the upside opportunities.” The author notes that ERM approaches differ by industry and that ERM is quantifiable in highly regulated industries such as banking and energy.

At UnitedHealth Group, Business Risk Management (BRM) precedes the ERM and BRM evolves into ERM. BRM is a corporate-driven process that is expected to achieve the following objectives:

• Consistently achieve business objectives and improve shareholder value.
• Enable confidence in decision making.
• Avoid operational and financial surprises.

After implementing BRM, the managers at UnitedHealth Group turned their attention to enterprise portfolio views and aggregations. The BRM philosophy evolved into ERM and resulted in more business risk transparency and value creation.

The critical success factors identified in the implementation of BRM are as follows:

• Strong top management support.
• A planned and staged implementation methodology.
• Clear and established accountabilities.
• Facilitating and administering reconciliation of views.
• Diverse team.
• Culture accustomed approach.
• Integration of internal audit and BRM discipline.
• Continuous persistence for improvement.

The author calls for the move beyond Sarbanes-Oxley and external compliance activity to promote more value-added services.

Acharyya and Johnson (2006)

The article is based on a study of four major European insurers. The authors investigate the understanding, evolution, design, and performance of ERM in these organizations, and the challenges they faced while implementing ERM.

The researchers conducted face-to-face interviews with the respondents in two insurance companies, while a structured survey was administered to the other two companies. Although theoretical literature calls for a holistic approach and implementation of ERM, the reality is far from expectation. These four companies approach ERM in parts, adopting no holistic view.

Sixty-two face-to-face interviews were conducted and through these interviews data was collected using semi-structured interviews. However, for the other two companies a highly structured questionnaire was administered. The questionnaire involved a series of “Yes” or “No” questions. To bring comparability, the researchers used judgment in filing the responses of the face-to-face interviews.

The research questions are:

• What is the understanding of the nature of ERM within the insurance industry?
• What motivates insurance companies to develop ERM?
• How do they structure ERM?
• What challenges do they face in implementing ERM?
• How do they measure the performance of ERM?

The results revealed that there exists an inconsistent understanding of ERM within insurance companies. CEO leadership and regulations appear to be the most important motivating factors for developing ERM. The design of ERM is customized and it depends on many factors such as the business model and geographical presence. Communication and cultural barriers are found to be the most important challenges to implementing ERM. There is no effective ERM performance measurement matrix. Overall, the case studies revealed that there are numerous differences between the models of ERM suggested by theory and those in place at leading insurance companies.

Nocco and Stulz (2006)

In this article,⁶ Nocco and Stulz discuss the theory and practice of ERM and a few examples for Nationwide Insurance. The authors explain how ERM can give companies a competitive advantage and add value for shareholders. The article discusses the process and challenges involved in implementing ERM such as how a company should assess its risk appetite, how companies should measure their risks, ways to lay off “noncore” risks, and the major difficulties that arise in practice when implementing ERM.

The authors discuss the following main challenges involved in implementing ERM:

• Inventory of risks.
• Economic value versus accounting performance.
• Aggregating risks.
• Measuring risks.
• Regulatory versus economic capital.
• Using economic capital to make decisions.
• Governance of ERM.

The authors conclude that more academic research is needed to help companies to have a better understanding of risks and how to quantify them reliably. They point out that: “Companies find that some of their most troubling risks—notably, reputation and strategic risks—are the most difficult to quantify. At this point, there is little research that helps practitioners in assessing these risks, but much to gain from having a better understanding of these risks even if they cannot be quantified reliably.”