Enterprise-risk-management practices: Where’s the evidence?

By Sven Heiligtag, Andreas Schlosser, and Uwe Stegemann

A survey across two European industries.

This paper reports the findings of a 2012 survey conducted by McKinsey & Company and the working group for corporate growth and internationalization of the Schmalenbach Society (the oldest German nonprofit organization for the exchange of ideas among business practitioners and academics).

The goal of the survey was to assess the current state of the art of corporate enterprise risk management (ERM) in Europe and to identify recent developments that promise to bring further change to ERM. More specifically, the survey sought to accomplish several aims:

  • gain a qualitative understanding of ERM objectives and risk-management practices across industries

  • provide a basis for comparison of companies, through the creation of a comprehensive scoring system, so they can improve their risk-management practices

  • provide a perspective on best-practice risk-management approaches across companies and potential sources of value in the discipline

To allow for meaningful comparisons, but also to highlight similarities and differences in practices across industries, the survey was confined to two industries. It considered advanced industries (AI), which includes assembly- and high-tech-intensive industries, and the energy industry, which includes companies involved in the production and distribution of electric power, natural gas, and other fuels.

However, these two industries display relatively distinct approaches to ERM, in particular in the organization and role of the ERM function, and these might highlight decisions that risk managers in other industries need to make as well.

Survey respondents included three AI companies and nine energy companies. Our sample size is small as we elected to go deep rather than wide in this effort, conducting several rounds of interviews and qualitative discussions with respondents to flesh out how risk management is really done rather than relying only on quantitative data and providing statistical comparisons.

This report is structured as follows. We begin with a discussion of companies’ differing objectives for ERM. We then explore in detail one of the biggest differences among the companies studied: the role of the central risk-management function. We conclude with a discussion of the relative performance of the two kinds of companies studied and the ways that they might step up their ERM, highlighting industry-specific and overarching opportunities for improvement.

What companies want from ERM

In discussions with companies, we have often noticed that the term “enterprise risk management” means different things in different industries. To contribute to a common terminology and to foster exchange among them, we asked survey participants to specify the goals of ERM for their company. (For more on the survey, see “Methodology.”) We asked them to rank four potential objectives of ERM, two for internal stakeholders and two for external:

  • protect value, for example, by ensuring a certain target rating, avoiding large losses or default, and avoiding volatility in the P&L
  • drive profitability and growth by using risk-management techniques to generate value, as reflected in a rising P/E multiple, as well as increased profit and return on equity, and encouraging controlled risk taking in innovation or R&D and investments
  • ensure regulatory compliance, protecting the enterprise from negative regulatory intervention and avoiding penalties such as product-liability or safety claims
  • provide stability and continuity, ensuring the independence of the enterprise, avoiding unpleasant surprises for shareholders, providing a sustainable workplace for employees, minimizing negative externalities for society at large, and maintaining the confidence of business partners

As expected, the industries that were the focus of our survey showed significant deviations in their objectives for ERM (Exhibit 1).

Corporates mean different things when they talk about enterprise risk management.

The most important objective for surveyed companies in advanced industries was ensuring compliance. This result was supported by many discussions we’ve had with industry practitioners in which quality risk (that is, a failure to meet internal and external quality standards) and the resulting reputational problems were mentioned as the biggest risks that corporates in these industries face. The focus on quality risk can be explained by taking a closer look at the business model of advanced industries. Typically, these companies make significant up-front investments (in R&D, platform development, and so on) that are paid back only if a sufficient number of goods are sold. As such, these industries focus on sales and other revenues, and risks that might hamper sales are considered the most important ones. Quality risk is chief among these. After all, the damage to a company’s reputation that results from, say, malfunctioning brakes or tires that catch fire is difficult to fix once such an incident has occurred.

Energy companies identified value protection as the most important goal of ERM. Again, this can be explained by taking a closer look at the industry’s business model. One of its biggest risks is regulatory risk (for example, the abolition of nuclear energy in Germany or the passage of renewable-energy laws that encourage decentralized structures and thus limit the competitiveness of the big energy companies). Clearly, regulatory risk has mostly downside potential in current times. Another prominent risk is operational risk (for instance, problems leading to the shutdown of power plants, spills in oil exploration and production, and so on). Looking to ERM for value protection is natural for companies facing these risks.

Companies with an emphasis on oil and gas exploration often also mention the importance of stability. This industry has a particularly long-term view—exploration of oil and gas fields can take years and subsequent production can span several decades. If everything goes as planned, these oil fields are profitable. But the value of these projects is dependent on stable revenues, both due to the long-term nature of the projects and the risk adjustment of the interest rate used in the calculation of net present value as these projects are planned.

Overall, it is worth noting that across industries, generating value through ERM was the lowest priority for respondents. While this is understandable given today’s turbulence, more emphasis should be put on value creation. In many discussions with practitioners, we have heard that risk management has risen on the senior-management agenda since the global financial crisis began and consequently that the power of the risk-management function has increased. However, most leaders are unsure whether this change is temporary or permanent. There seems to be a window of opportunity at present to prove the value-creation potential of risk management.

A common framework for ERM

To help risk practitioners develop a shared vocabulary for ERM, we used a framework to assess ERM practices (Exhibit 2). It includes five dimensions: insights and transparency; natural ownership, risk appetite, and strategy; risk-related decisions and processes; risk organization and governance; and risk culture and performance transformation. The framework is versatile—it applies to both ERM practices and the management of individual risk types such as commodity risk, credit risk, and operational risk.

A framework helps in assessing enterprise risk management.

The survey asked respondents roughly 100 questions across the five dimensions. In the next section, we review the survey findings in the dimension of risk organization and governance because it is here that one of the most important points of distinction among companies’ risk practices can be found. Then we review the performance of the two sets of companies, AI and energy, on the full spectrum of ERM activities.

The setup of the ERM function

Through the survey, we found two different archetypes for the organization of the ERM function, driven by the degree of centralization. A company’s dominant archetype typically will not govern all of its ERM activities; some risks may be managed in different ways. Still, the archetypes provide a good way to think about fundamentally different approaches to ERM.

  • Decentralized. In this approach, line management owns all risks and a slim central risk department provides light-touch support and coordination as needed. The central risk department sees itself mainly in a process-coordination role, but it typically lacks the resources and insights to challenge businesses on their risk-management and control practices. The central risk department is, however, accompanied by a broad network of “risk champions” throughout the other departments. In one case, a central risk-management department of fewer than 20 full-time employees was accompanied by a broad risk-champion network composed of several hundred people who spent between 10 and 20 percent of their time on risk topics, collectively representing about 50 to 60 additional full-time positions.

    Many of the corporates that follow a decentralized approach conduct regular surveys (for example, quarterly) and brief polls of the risk-champion network to ensure that business departments think through and identify the most important existing and emerging risks. A strong risk culture is a key ingredient of this approach, since the departments themselves are held responsible for risks that strike.

  • Centralized. Here, the risk function closely controls and owns most of the risks (an arrangement that is often used for foreign exchange (FX) and commodity risk hedging) while remaining risks are overseen by line managers, with double-checking or even close supervision provided by the central risk function. Risk-related models typically reside in the central risk group and are rolled out and updated consistently throughout the company. The risk function challenges the assumptions made by businesses and enters into detailed discussions with them. As a result, the central risk department often also assigns responsibilities for individual risks and business departments to its dedicated employees.

Both decentralized and centralized designs for the risk function have their merits. Each is suited to managing different kinds of risk. A decentralized approach allows greater variety and flexibility in risk-management practices; business departments can tailor models and processes to their specific needs. Operational and technical risks, which rely for their management on expert knowledge that resides in the individual businesses, are usually best managed by a decentralized approach, with supporting tools and best practices supplied by the central department.

Another advantage of the decentralized approach is the close integration of the risk function with the business through the risk-champion network, which ensures a seamless flow of communication on risk-related topics. The central group is frequently updated on topics emerging throughout the company, and embedding risk champions in business departments ensures that risk is an integral part of the decisions made there.

The decentralized approach ensures a strong culture of risk ownership throughout the company, as there is no “third party” (the central risk department) that can be held responsible for risk problems.

A centralized risk function, on the other hand, ensures a consistent approach and is often used for comparable risks throughout the organization; similar risks are treated with the same tools and processes. For these reasons, market and credit risk, which are usually quite similar across the enterprise, will typically benefit from a centralized approach. Such an approach increases the efficiency and effectiveness of risk management because it allows for the sharing and refinement of good practices throughout the organization.

To select the right approach, corporates first need to identify the risks inherent in their business model and then decide on the trade-offs between centralization and decentralization of their setup for each risk type. They might consider questions such as the following: Who is responsible for managing and controlling each risk type? Which management approach best fits the company’s context and the nature of the risks? In the future, who should be responsible for the risks, and which processes and policies need to be updated or written anew? How should we deal with the shortcomings of the chosen approach (for example, how can we ensure sound and consistent models using a decentralized approach, and how can we strengthen risk culture in a centralized approach)?

Industry preferences

Our survey revealed that the two industries we studied show different degrees of centralization across different risk types. Generally speaking, corporates in AI follow a decentralized approach, whereas energy companies are much more centralized. This can be explained by reminding ourselves of the core risks laid out earlier.

The quality risks in the AI industry can hardly be managed centrally; they must be taken care of by the line functions themselves (for example, on the production lines). On the other hand, the core risks in the energy industry respond well to centralized management: interaction with regulators and politicians is best dealt with by the regulatory-management group (which often reports directly to the CEO) in close cooperation with the management board.

Within that broad pattern, however, if we look at three main types of risk, the picture becomes more nuanced (Exhibit 3).1

The archetypes of different industries’ risk DNA differ by risk type.

For market risk (that is, commodity, credit, and FX risks), we see different approaches. Consider commodity risk. In the energy industry, commodity-risk management is typically centralized within the trading group, which receives input from risk managers in the trading units. In advanced industries, however, commodity risks often reside with the business departments. For instance, we have seen a global AI corporation that had no central understanding of its exposure to changes in the price of steel. The reason was that product lines and plants typically signed their own contracts with suppliers, and these were not gathered in a central database—and so it was impossible for this company to hedge its steel-price exposure with any accuracy.

For credit risk, the approach used by companies in both industries is inconsistent, both between and within firms. Credit models are not the same in all parts of the organization; some sales teams, for example, do not explicitly consider counterparty risk.

For currency risk, most players in both industries have a central treasury that is responsible for controlling and managing FX risk for the whole organization.

Across industries, operational and technical risk is typically controlled and managed within businesses. This seems a rather natural setup given the diversity of operational risks and the expert knowledge needed to deal with them. However, some companies we observed are now striving to centralize their management of operational risk. This is no doubt due to recent major operational-risk events (such as the Macondo oil spill in the Gulf of Mexico) that appear to have resulted, at least in part, from slack execution of on-site procedures and inadequate risk control by contractors. A more rigorous centralization of operational-risk management will allow companies to identify and define standards of good practice and roll them out throughout the enterprise—and beyond, to contractors.

Management of political and regulatory risks is typically handled in all industries by a specialized department that operates in close contact with the management board and other departments (such as the businesses to understand their needs) and by the compliance function.

Industries’ ERM performance and ways to improve

Across our survey sample, we noticed that advanced industries in general fared better than the energy industry in most parts of the risk framework shown in Exhibit 2. This is particularly evident in two elements: risk insight and transparency, and risk organization and governance, especially with regard to collaboration between risk and other functions (Exhibit 4). AI’s better performance can be explained by the risk-champion networks mentioned earlier, which allow for an unbiased view of exposure across all risk types and involve the whole organization more forcefully than the centralized approach typically favored by energy companies.

Industries show different strengths and weaknesses across the risk framework.

Still, companies in both industries could further improve risk management in selected dimensions. We have compiled some suggestions for AI, energy, and both kinds of companies that can add value for most players.

Advanced industries

Most AI companies use fairly sophisticated models in departments such as logistics and supply-chain management and in managing specific technical risks. In contrast, their risk-management departments often rely on relatively simple models to assess the impact of individual risks. The industry could benefit from a more quantitative approach to assessing the exposures that reside in different parts of the organization. In particular, companies should consider a more robust application of the risk-book approach (that is, the rigorous mapping and aggregation of long and short positions in order to understand net exposure) to improve transparency into core commodity exposures such as steel, aluminum, and energy, as well as a more rigorous application of forward price models and Monte Carlo simulations to quantify risks. Company-wide hedging strategies can then accurately limit and mitigate these risks. However, we would not suggest centralizing specialized models in the risk-management department, because this would detach these models from experts in the line functions.

In general, the risk-management department in AI companies could often take more of a leading role in harmonizing risk assumptions and approaches throughout the enterprise—for example, in defining limits, developing scenarios, and linking these scenarios to strategic and annual plans.

In other dimensions, the central risk function could move toward a stronger role as a sparring partner for the businesses and other groups. This will require the assignment of dedicated individuals within the central risk-management department to certain risk types; these people must then develop stronger capabilities. This would allow the risk group to challenge and double-check the identification and assessment of individual risks made by the businesses. Even better, the group can develop recommendations for individual businesses and better support other departments in tracking and controlling mitigation measures.

Energy

In the energy industry, we typically see strong transparency on core commodity exposures (via risk books) and sophisticated models used to define and execute hedging strategies. However, we also observe a bias toward focusing on those risks that are relatively easy to quantify (such as trading-related risks) while treating other risks (such as operational risk) in a comparatively superficial way. To counteract this bias, energy companies should foster a dedicated network of risk practitioners and ensure common risk-management standards throughout the organization. This would allow the central risk function to stay in the loop on risks emerging throughout the enterprise and foster the involvement of individual departments with risk topics. In turn, this moves companies closer to an integrated view of the various risk types and allows them to make educated trade-offs.

Overarching

For both kinds of companies, a number of moves could help extract more value from ERM. Five will be most powerful:

  1. developing a better definition of risk appetite and limit setting

  2. improving stress testing

  3. developing a strong risk culture

  4. deploying the “three lines of defense”

  5. improving the management of credit risk

Risk appetite and limit setting. Many of the companies we spoke to consider the most crucial elements of risk to be risk appetite (that is, the definition of the nature of risks the company wants to take, along with quantitative limits to the amount of those risks it assumes) and risk strategy (that is, the implications of risk appetite on corporate strategy). However, they often struggle with implementation. Companies sometimes fail to develop limits for each relevant risk type; in other cases, the chosen risks can seem to users to have been pulled out of thin air, with no consistency among them.

An integrated view is necessary because risks are often strongly interdependent. Consider the case of a derivative deal that is done for hedging purposes; it can be struck “over the counter” or executed through a clearinghouse. In the first case, the corporate bears the full counterparty credit risk; if the counterparty defaults, the company may never receive any payment due under the derivative contract. In the second case, the company suffers no counterparty credit risk (its counterparty is the clearinghouse, which protects itself through margin agreements with its members) but instead faces liquidity risk; the company will need to post collateral with the clearinghouse if the derivative moves against it. In both cases, the size of the exposure is driven by market risk, since market prices determine whether and by how much the derivative is in the money.

In order to bring the concepts of risk appetite and risk strategy to life, companies must first define measurable key performance indicators (KPIs) for all essential risks. Naturally, these will differ by risk type. Importantly, management needs to agree on “severity thresholds” for each risk type: for example, what extent of negative media coverage would qualify a reputational-risk event as severe? What kind of gap in the liquidity profile makes a severe event for liquidity risk? Which price fluctuations would do the same for market risk?

After having agreed on the KPIs and their thresholds, the company needs to decide where it is the natural owner of particular risks. A natural owner of a risk can achieve competitive advantages from taking it on and can generate attractive returns from it. The company should keep such risks, but it must also decide how to deal with those risks of which it is not the natural owner. Should it pass them on? Avoid them? Insure against them? Additionally, the company should decide how much of each risk it can bear.

These decisions ultimately need to be made by the board since they are intrinsically linked to corporate strategy. However, we often see boards struggle in the absence of a framework for meaningful discussions of their risk appetite. A matrix such as the one shown in Exhibit 5 can be a useful tool to facilitate the discussion by allowing board members to prioritize which risks to take and to decide in which parts of the company to take them.

The board should link risk appetite for individual risk types and units to the overal strategy.

After undertaking this qualitative prioritization exercise, companies should translate the “moons”—the low, medium, and high indicators of risk appetite—into thresholds for the KPIs they defined earlier.

Quality assurance for the risk appetite and strategy is essential. Companies can periodically challenge these documents and compare them with the risks that competitors take when this information is available. Moreover, they can detect breaches of the risk appetite and trigger predesigned contingency and escalation measures, thus making the risk appetite and strategy a meaningful tool for steering the company.

Stress testing. Most companies that participated in our survey make sure that they not only calculate the expected trajectory of their strategic plan but also consider upside and downside scenarios related to it. However, for many, the calculation of downside scenarios—that is, the stress testing of the business plan—does not have real impact on the decisions that are made. Specifically, we see four main areas where modifications to current stress-testing approaches could increase the relevance of the activity.

  • Stress-testing goals and scenario definition. Often, corporates are not explicit on the objectives of calculating downside scenarios. In particular, they often are not specific about the probabilities they attach to each scenario. This obviously makes it difficult for management to use stress-test results as the basis for decisions—how can you gauge the trade-offs among benefits and costs of risk-mitigation measures if you don’t know with what probability certain negative effects might materialize?

    In defining their downside scenarios, corporates should ensure a balanced mix between severe but very improbable events (such as major natural disasters) and more moderate, but more probable, scenarios (such as a further tightening of macroeconomic conditions).

    It is worthwhile to include senior management in defining the scenarios early on so that their opinions and insights are taken into account. That also makes it more likely that they will deem the stress-testing results relevant.

  • Technical stress testing and scenario calculation. We typically see corporates focus only on the “first order” effects of shocks. Often, however, the dynamic that evolves after a shock needs much more thorough modeling. How might supply and demand change, and what are the dynamics until they reach a new equilibrium? How would the company and its competitors react to shocks? What might the midterm effects be on the sector? The trick to approaching such questions lies in the combination of thorough multiperiod modeling and the employment of complementary tools, such as the Delphi methodology or war-gaming exercises.

  • Derivation of implications. Once the model is set up and parameterized correctly, it is essential to highlight implications for the balance sheet and the P&L and to break these down to individual business units or product lines. Discussion of stress-testing results at this level of detail moved one company, for example, to keep a product line despite its general low profitability due to the resilience it adds in crises.

    Moreover, stress-testing scenarios should come with a set of predefined contingency plans (actions and responsibilities) that allow for a swift reaction if crisis hits. To ensure resilience, corporates should develop a dashboard containing the most important business-plan drivers and ensure their timely and convenient tracking (for example, using a traffic-light system).

  • Alignment throughout the company. Overall, it is important that stress testing is not an exercise that is simply performed by the risk-management group. It should involve the entire organization. This includes senior management being involved in scenario definition, but it also means coordinating experts throughout the company (for example, experts in macroeconomic forecasting, technical areas, and strategic planning) to ensure the stress-testing exercise is relevant—and to encourage a sound understanding of the discipline’s limitations. A stress-testing model will almost certainly not give “the ultimate correct result.” But it can serve as a powerful communication device to structure the discussion on business-plan assumptions and strategic options.

Risk culture. Many corporates recognize that risk culture is one of the most essential pillars of a comprehensive risk-management approach. As discussed earlier, this holds true in particular for a decentralized approach, but many that follow a centralized approach also recognize the necessity of ensuring a sound risk culture permeates all departments. However, most of the companies we talked to continue to struggle with dedicated measures to build and continuously improve their risk culture; it is seen more as something that just happens than as a topic that can be actively shaped and built.

A systematic approach to risk culture can be established, and it’s not rocket science. The first step is to obtain transparency on the current state of risk culture throughout the enterprise. For this, it is useful to run a risk-culture survey, either via in-depth interviews of selected respondents or through a broader web-based survey. Typically, we assess ten key dimensions of risk culture (Exhibit 6).

Risk culture can be qualied in ten dimensions.

After identifying the current status and potential shortcomings, the company can articulate target risk norms and any necessary mind-set shifts, then implement these through a variety of processes. Potential measures include a dedicated communication program and visible actions, the review of training programs, the revision of compensation programs and promotion mechanisms, the modification of risk-governance structures (for example, escalation mechanisms and rewards for accountability), the harmonization and specification of guidelines, or the reinforcement of values and professional standards.

Three lines of defense. A typical approach to risk management in financial industries is to establish three lines of defense (Exhibit 7). Although elements of this concept exist implicitly in many corporates, a more formal approach might further improve risk management by clarifying roles and responsibilities. This would help to avoid a “blame game” arising when risks materialize.

A ‘lines of defense’ risk-governance framework can help in managing risk throughout the organization.

The three lines typically include the following:

  • Frontline management. In nonfinancial companies, frontline management is typically closest to most risks, including operational, project, or counterparty risks. Consequently, it plays a key role in managing risk, both with respect to which risks to take and the amount of risk to assume. This almost always includes trade-off decisions that go hand in hand with managing these risks (for example, the cost of risk-mitigation measures). Assessing these and deciding on the path forward is one of frontline management’s core competencies, though the front line often thinks of these decisions as entrepreneurship rather than risk management. These trade-off decisions can be clearer in some areas (for example, production of high-quality products with almost no margin for error) and more blurry in others (for instance, risks taken on when signing a large and complex sales contract with a customer), but it is frontline management’s duty to make these decisions with a conscious consideration of the risks involved.

  • Risk-management experts and internal audit. The second line of defense usually encompasses two key tasks: setting the frame for frontline management and monitoring compliance using this frame. The first task is typically performed by the risk function. It strives to identify key elements to build the company’s risk-management framework (for example, quantitative measures and qualitative guidance), supports the risk committee in establishing this framework in the form of policies and standards, and monitors frontline management in several ways. Depending on the risk type and the corresponding risk-management archetype, a variety of tools can help. Examples include the calculation of qualitative metrics, the derivation of a limit system, and engagement in an active dialogue with frontline management on risks taken. Internal audit is fully focused on compliance with company’s internal policies and standards and with external guidelines (for example, regulation and laws).

  • Executive risk committee and business-unit leadership. The third line of defense bears the ultimate responsibility for risk management across a company. Its responsibility is to guarantee the proper functioning of the risk wheel, ensure that the company is aware of its key risks, define the appetite with respect to these risks, and cascade this down into the organization via an appropriate framework to promote sound implementation of processes, organization, and culture. It must also ensure through the internal-audit function that this framework is adhered to properly.

Credit risk. Credit risk arises in many areas, such as in treasury (deposits with banks, short- and long-term investments), business units (advance payments with suppliers, accounts receivable from customers), or the trading department (the counterparty credit risk of uncleared over-the-counter derivatives deals for hedging purposes).

A comprehensive approach to credit risk requires the combination of central standards (for limit setting, reporting, and methodology development) and decentralized management. The key body is the credit-risk committee, which should include participants from various departments such as ERM, treasury, sales, control, trading, and origination. Typically, the credit-risk committee convenes at least quarterly, though organizations should be able to call ad hoc meetings within one week. Among the responsibilities of the credit-risk committee are the definition of limits, remediation of conflicts among departments (for example, if deals by different units with the same counterparty in aggregate exceed individual exposure limits), review and authorization of individual large-exposure cases, and evaluation of overall performance in credit-risk management and potential decisions on credit-risk policy adaptations.

However, the actual management of credit risk (in accordance with limits) should be done by the units where credit risk arises. These units should hold responsibility for managing their counterparties, as well as for choosing the right instruments for their purposes (for example, the mix of unsecured, collateralized, and cleared deals for the trading department) because they typically know the peculiarities of their counterparties much better than a central risk department.


There is no single approach to ERM that can be considered the holy grail for all companies in all sectors. The application of risk management must take into account the biggest risks a company faces alongside specifics such as its current risk culture. By carefully tailoring the approach to a company’s individual characteristics, however, risk management can become an extremely powerful tool to help senior management reach its objectives.

About the author(s)

Sven Heiligtag is a principal in McKinsey’s Hamburg office, Andreas Schlosser is a consultant in the Munich office, and Uwe Stegemann is a director in the Cologne office.

The authors would like to acknowledge the significant contribution to this paper made by Konrad Richter.

More on Risk
Report

Remaking the bank for an ecosystem world

Interactive - McKinsey Quarterly

Five Fifty: The digital effect

Commentary - McKinsey Quarterly

Wellness at work: The promise and pitfalls