Their claim that that the Risk Management Index fills the current "void" which prevents interested parties from benchmarking their risk management frameworks against those of their peers, and indeed reaching recommendations on how to further enhance them has a whiff of bolshiness about it, but nevertheless, the output is valid for practitioners in all industries.
Fundamentals behind the research, conducted in conjunction with Wharton Business School, are;
- Aon's "Risk Maturity Index" is an online self assessment of risk management practices.
- It asks 125 questions regarding 40 "key components" of risk management - all tied in to the following 10 characteristics of risk maturity:
1. Board Understanding & Commitment to Risk Management
2. Executive Level Risk Management Stewardship
3. Risk Communication
4. Risk Culture: Engagement & Accountability
5. Risk Identification
6. Stakeholder Participation in Risk Management
7. Risk Information & Decision Making Processes
8. Integrating Risk Management & Human Capital Processes
9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
10.Risk Management Focus on Value Creation
- Allows for a ranking between 1-5 across various sub-cuts of the data collected, and an assessment in aggregate of each firms "risk maturity"
- Data was then analysed against over 100 listed companies from 20 industries, geographically spread, to see if "risk maturity", or a lack of it, translated into anything measurable
- Over 500 companies have responded to the survey since 2011, this being its second periodic summarisation (results from first one summarised here).
The headline news was that a correlation was identified between organisations with superior risk maturity and stock price volatility, with a reduction of up to 50% potentially up for grabs between the 'best' and the 'worst' - a particularly visceral way to "derive and demonstrate financial value from...risk management frameworks" which, let's face it, is a hard sell for the best of us!
I observed some more general points from the white paper, namely;
- The insurance industry was third only to Aviation and Consumer Goods in the assessment of risk maturity - something to be learnt from these industries (in particular around Op Risk maturity in Aviation)?
- Only 15% of respondents were rated at 4+ out of 5, or "operational/advanced" in Aon's terminology
- Lower revenues seem to translate into lower risk maturity on the whole
- Responses from CRO's resulted in the best aggregate maturity scores, while Internal Auditor/CFO responses resulted in the worst aggregates - expected biases nicely exhibited
Of particular note though were the three areas of common differentiation between higher and lower rated firms which are worthy of more attention than might otherwise come from reviewing average maturity scores.
Awareness of the complexity of risk - more mature organisations are able to demonstrate:
- Risk adjusted return expectations by business unit/department
- Documented and applied assumptions in forecasts/projections
- Supporting forecasting ranges with applicable historical data
- Re-evaluating risk management strategy based on experience
- Reviewing and validating risk tolerances based on external conditions
- Evaluating strategic decisions with reference to quantified risk tolerances
- Communicating negative results and predictions (nicely tied into Risk Culture by Aon)
- Developing cross-functional risk understanding, and how organisational activity relates to overall risk management strategy
- Incorporating risk/return approaches into strategy, in particular recognising up-side potential in decision making, rather than loss minimisation
These are particularly interesting findings for the EU insurance industry, who will be waddling into Live ORSA territory in the coming weeks and months. Fair to say that Solvency II Pillar II accommodates much of what is covered here, so worth thinking about leveraging this benchmarking work in one's 2013 activities.