Kezia Farnham
Senior Manager

Measuring ERM performance: 7-step process (with KPIs)

October 20, 2023

Measuring enterprise risk management (ERM) performance can feel like trying to hit a bullseye with a blindfold on. But that bullseye isn’t just industry-leading risk management. It’s a security infrastructure that helps businesses achieve their most critical objectives.

That means that understanding ERM performance isn’t just about mastering ERM for ERM’s sake. It’s about quantifying the relationship between a solid ERM strategy and organizational performance so that chief risk officers and other risk management leadership have the data they need to set a strong risk management agenda. To do that, risk teams must understand:

  • The many benefits of measuring ERM performance
  • The link between ERM and firm performance
  • How an ERM model helps measure performance
  • The KPIs to start measuring today

The benefits of measuring performance in ERM

Much of the success modern businesses enjoy is a result of ERM. After all, at its simplest, ERM protects systems, data, assets and even an organization’s competitive edge. That’s why, when it works, ERM has myriad benefits beyond the ERM function itself.

  • Align risk with performance: High-performing businesses typically face high levels of risk, whether that’s climate change or cybersecurity. ERM helps businesses mitigate that risk so performance isn’t encumbered by undue threats.
  • Weigh risk versus returns: ERM is also the best tool businesses have to understand whether risks are worth taking. Risk managers can transform ERM performance into a roadmap for achieving key objectives.
  • Strengthen the competitive advantage: Risk is a given. What makes a business successful has less to do with whether it faces risk and more with how it handles that risk. Businesses with solid ERM practices are more resilient and can weather any changes the risk landscape may bring.
  • Drive value beyond risk: Good ERM can be a value driver for businesses because it can identify opportunities that are less plagued by risk and equally likely to hit business objectives.

ERM and firm performance

According to a recent study, firms with higher levels of ERM maturity outperform their industry peers. While the study has limitations — it relies on self-reported internal audit survey data and archival data on firm performance — it is a notable exploration into the “reasonable assurance” the Committee of Sponsoring Organizations (COSO) says ERM provides.

More specifically, the study states that “the adoption of ERM processes and enhanced maturity of ERM processes are positively associated with industry median-adjusted operational performance based on return on assets and equity.”

Key Performance Indicators in ERM

While measuring ERM performance is critical, it’s also quite challenging. Less mature ERM organizations may not know which KPIs to measure, while those with higher ERM maturity may have difficulty tracking the many metrics their ERM program involves.

In either case, it’s essential to start with defining the KPIs and then build a measurement program around them. KPIs can include:

  1. Risks identified: First and foremost, an ERM program should successfully identify risks. If the number of risks identified increases, that signals stronger ERM performance.
  2. Risks mitigated: ERM should also mitigate any risks that arise. This KPI is the number of risks mitigated expressed as a proportion of the total number identified. The more risks mitigated, the more effective the program.
  3. Risks realized: On the flip side, some organizations may track the number of risks that come to fruition. A good ERM strategy will see this number fall over time.
  4. Risk frequency: Chief Risk Officers also want to know how often risks arise. The less often risks develop, the better the ERM performance.
  5. Risk costs: Because ERM should be value-producing, the cost of risk is of particular interest to boards. Organizations can develop KPIs around financial, legal and reputational costs.
  6. Time to mitigation: The longer a risk goes unmitigated, the more damaging it can be. Swift responses to risks of all kinds indicate a more mature risk management approach.

Measuring performance using an ERM model

While organizations can measure their KPIs, it’s important to contextualize those KPIs within an accepted ERM model or framework. Because these models are standardized, they act as an objective measurement tool that prevents organizations from — accidentally or otherwise — misrepresenting their ERM performance by reporting only the metrics they’re successful at.

The COSO ERM Framework, for example, focuses on performance, specifically how effective the risk management program is at mitigating risks that threaten the organization’s objectives. Organizations using the COSO Framework should track and measure activities like risk identification, prioritization and mitigation to understand ERM performance.

Other frameworks, such as the Casualty Actuarial Society ERM Framework and the ISO 31000 ERM Framework, include their own approaches for assessing ERM success.

7 steps to measure ERM performance

Measuring ERM performance is an important part of an ERM strategy, but it requires its own well-defined process. Here’s how to get a clearer picture of how successful your ERM really is:

  1. Set objectives: You can’t accurately measure performance unless you know what the program should achieve. Consider the organization’s mission and vision as well as its risk tolerance. Your objectives — what the program will work toward — should help the organization achieve its mission while keeping risk exposure manageable.
  2. Define metrics: The next step is choosing KPIs. The KPIs you choose should be specific, measurable and objective indicators of how successfully your ERM reaches the objectives you’ve set. Reference the KPIs listed above or lean on your ERM framework to find the right KPIs for your strategy.
  3. Create reporting processes: What information do you need to verify whether you’re meeting KPIs? The process you create should supply you with that information — and plenty of it. Consider the infrastructure you’ll need to collect, process and display accurate, centralized and useful data across the organization.
  4. Document processes: Take time to record processes so that you can communicate them not only within the risk team but across the organization. Documentation should be accessible and easy to follow so team members in any department can buy into the importance of ERM performance.
  5. Incorporate technology: Though the aforementioned steps can be done manually, the larger the organization and the more mature the ERM program, the more complex it will become. ERM tools are an end-to-end solution, helping more clearly articulate the strategy, set evidence-based objectives, and continuously report on them.
  6. Build a culture around ERM: Even the best ERM plan can collapse if the organization’s culture doesn’t prioritize risk management. This is particularly important in ERM, given that the “e” for “enterprise” requires organization-wide compliance. The Chief Risk Officer should advocate for ERM at the board level, setting a tone from the top down that ERM should be taken seriously.
  7. Monitor and adapt: 57% of organizations say they’re facing more frequent or farther-reaching cyberattacks. As the risk landscape intensifies, the ERM performance must evolve along with it. Truly effective ERM strategies will monitor the risk landscape and proactively adapt so the organization’s overall performance doesn’t come into question.

Turn ERM into a growth driver

Though ERM can easily slip into a reactive tactic, in reality, it should embody the adage that the best offense is a good defense. When an organization is consistently secure, it can pivot to pursue new opportunities and even find gaps in the market — both of which are key to solidifying the competitive advantage.

That’s where an ERM framework comes in: it gives risk teams the guardrails to communicate ERM performance. With risk communication in hand, chief risk officers can guide the board toward making bold moves that don’t overexpose the business to risk. Learn more about ERM frameworks and how to create your own.


© 2024 Diligent Corporation. All rights reserved.