The Valuation Implications of Enterprise Risk Management Maturity

Date: 01 September 2015
Authors: Ronan Gallagher, Mark Farrell
DOI: http://doi.org/10.1111/jori.12035
Mark Farrell
Ronan Gallagher
ABSTRACT
Enterprise Risk Management (ERM) is the discipline by which enterprises
monitor, analyze, and control risks from across the enterprise, with the goal of
identifying underlying correlations and thus optimizing the risk-taking
behavior in a portfolio context. This study analyzes the valuation implications
of ERM Maturity. We use data from the industry-leading Risk and Insurance
Management Society Risk Maturity Model over the period from 2006 to 2011,
which scores firms on a five-point maturity scale. Our results suggest that
firms that have reached mature levels of ERM are exhibiting a higher firm
value, as measured by Tobin’s Q. We find a statistically significant positive
relation to the magnitude of 25 percent. Upon decomposition of the maturity
score, we find that the most important aspects of ERM from a valuation
perspective relate to the level of top-down executive engagement and the
resultant cascade of ERM culture throughout the firm. Firms that have
successfully integrated the ERM process into both their strategic activities and
everyday practices display superior ability in uncovering risk dependencies
and correlations across the entire enterprise and as a consequence enhanced
value when undertaking the ERM maturity journey ceteris paribus.
INTRODUCTION
While the tools of portfolio theory are ubiquitous in the practice of finance, the same
cannot be said of risk management practice at the enterprise level. Over the past
decade, attention has turned to this very issue. Enterprises are subject to risks in many
forms and the ultimate goal of Enterprise Risk Management (ERM) is to model,
measure, analyze, and respond to these risks in a holistic manner, treating each risk
exposure not in isolation, but rather in a portfolio context (Gordon, Loeb, and
Tseng, 2009). It is now widely recognized that for a firm to control its risk taking, it is
necessary to set risk budgets among the various firm divisions and thus aggregate all
the types of risk it is exposed to into one consistent framework (Lleo, 2010). The
portfolio-based approach to risk management helps reduce inefficiencies caused by a
lack of coordination between different risk management departments as well as
exploiting natural hedges that may occur across the enterprise. As a consequence,
ERM programs can lead to significant enterprise cost savings through avoidance of
duplication of risk management expenditure (Hoyt and Liebenberg, 2011).
Implementation of a comprehensive risk management framework such as an ERM program
will be subject to material costs,[1] in terms of both monetary expenditure and
opportunity sacrifice, which must therefore be weighed against the benefits of the
program to the firm, to ensure the undertaking of ERM is a value-additive
economically justified activity.

Mark Farrell is at the Management School, Queens University, Belfast. Ronan Gallagher is at the
Business School, University of Edinburgh. The authors can be contacted via e-mail:
mark.farrell@qub.ac.uk and ronan.gallagher@ed.ac.uk, respectively. The authors declare that no
potential conflicts of interest arise in this work with respect to the research, authorship, and/or
publication of this article.
© 2014 The Journal of Risk and Insurance. 82, No. 3, 625–657 (2015).

The Casualty Actuarial Society (2003) highlights the ultimate value-increasing goal of
ERM by defining ERM as “the discipline by which an organization in any industry
assesses, controls, exploits, finances and monitors risks from all sources for the purpose
of increasing the organization’s short and long-term value to its stakeholders.” If ERM
maturity improves risk–return optimization at the enterprise level in a cost-effective
manner, it is reasonable to conjecture that it should indeed be value additive. The
purpose of our study is to address this very question. We seek to ascertain whether firms
with more mature ERM programs experience enhanced value. Moreover, we examine
which aspects and attributes of ERM enhancement are most value additive. Analysis of
the relative importance of ERM facets is particularly important given that the concept is
nascent and generally found to be broadly defined.[2] Heterogeneity in the valuation
implications across ERM attributes provides important information for firm risk
management as the discipline itself evolves and matures.
This study contributes to the emerging field of research on ERM by analyzing the
valuation implications of ERM using a detailed ERM maturity assessment score,
obtained from the widely utilized Risk and Insurance Management Society Risk
Maturity Model (RIMS RMM).[3] The RIMS RMM ranks the overall ERM maturity of
enterprises from many sectors. Our study utilizes these composite scores and we have
been able to decompose the overall scores to observe the relative maturity of
important attributes that drive overall ERM maturity (hitherto described in the third
section).
[1] A key finding from the 1,776 participants of the Professional Risk Managers’ International
Association’s (PRMIA) 2008 “ERM: A Status Check on Global Best Practices” survey found
that 51 percent of respondents said that their firm spends under 2 percent of its operational
costs on its ERM program on an ongoing basis, with 27 percent in the 2–5 percent range and 22
percent choosing 5–7 percent.
[2] Some of the more popular definitions put forward for ERM include those from the Committee
of Sponsoring Organizations of the Treadway Commission (COSO) (2004), the Casualty
Actuarial Society (2003), the Institute of Internal Auditors (IIA) (2004), and the Risk and
Insurance Management Society (RIMS).
[3] The authors would like to acknowledge and thank Carol Fox of The Risk and Insurance
Management Society Inc. and Steven Minsky of Logic Manager Inc. for providing access to the
data for this study.
Current research on ERM firm value implications is relatively limited. This is not
surprising given that the formalized discipline of ERM has only been in existence for
just over a decade. Furthermore, as a result of a lack of ERM disclosure requirements,
research to date has been limited in terms of the lack of an appropriate measurement
of the extent of ERM engagement at the firm level. The relevant research has typically
utilized a binary proxy variable (such as the appointment of a chief risk officer [CRO]
or public ERM-related announcement) to indicate whether the firm is currently
undertaking an ERM program (see Pagach and Warr, 2010; Hoyt and Liebenberg,
2011; Lin, Wen, and Yu, 2012). Since 2008, the rating agency, Standard & Poor’s, has
included an ERM analysis as part of its global corporate credit rating process for
insurance companies (Standard & Poor’s, 2008). Use of this rating allowed for a more
sophisticated “extent of ERM implementation” construct variable to be used (see
McShane, Nair, and Rustambekov, 2011). To date, analyses have been limited to U.S.
and Bermudian insurance companies and suffer from small sample sizes and inability
to investigate the constructs of the overall rating, which this study seeks to overcome
(as discussed in the third section). To our knowledge, this study is the first to
decompose an ERM maturity rating and examine the specific aspects of ERM, which
are adding value to the firm.
Consistent with prior research (Hoyt and Liebenberg, 2011), we find a highly
significant valuation premium is associated with firms that have undertaken an ERM
program (in our case measured by a maturity score as discussed in the third section)
as part of their corporate strategy. Furthermore, our study highlights that the
valuation premium is being driven by the embedding of risk culture and integration
of ERM processes within the organization as well as the degree to which the ERM
process is viewed as an integral element in strategy and planning activities.
This article is structured as follows. First, we discuss the evolution of risk
management from the traditional approach to the modern-day holistic-based ERM
approach. We examine the theoretical underpinning of ERM and why it is proposed
to add value above the traditional risk management approach. Subsequently, we
describe the data and model used and we then empirically examine the relationship
between ERM maturity attributes and firm value. Finally, we present our empirical
results followed by discussion of the results and concluding sections.
THEORETICAL BACKGROUND
From Traditional Risk Management to Enterprise Risk Management
The Miller and Modigliani (1958) seminal contribution on the irrelevance of an
organization’s capital structure implies that in perfect capital markets risk
management activities also do not create value. Furthermore, the capital asset
pricing model (Sharpe, 1964) asserts that well-diversified investors are able to hold
portfolios that will have already eliminated the idiosyncratic-specific risks of the firm,
thus rendering risk management efforts irrelevant in terms of value creation.
However, there are various counter arguments suggesting that risk management can
and does indeed add value to the firm. First, as highlighted by Grace et al. (2010), the
commercial environment has many market imperfections in terms of taxes (Miller and
Modigliani, 1963), bankruptcy costs (Kraus and Litzenberger, 1973), external capital