This article examines the use of enterprise risk management (ERM) by companies in Canada, the characteristics that are associated with the use of ERM, what obstacles companies face in implementing ERM, and what role, if any, corporate governance guidelines have played in the decision to adopt ERM. We obtained our data from the responses to a mail survey sent to Canadian Risk and Insurance Management Society members as well as telephone interviews with 19 of the respondents. The results indicate that 31 percent of the sample had adopted ERM and that reasons for adopting ERM include the influence of the risk manager (61 percent), encouragement from the board of directors (51 percent), and compliance with Toronto Stock Exchange (TSE) guidelines (37 percent). The major deterrents to ERM were an organizational structure that discourages ERM and an overall resistance to change. Although only about one-third of companies indicated that they had adopted an ERM approach, evidence was clear that a larger portion of the sample was moving in that direction, as indicated by what changes they had observed in their companies in the past three years. These include the development of company-wide guidelines for risk management (45 percent), an increased awareness of nonoperational risks by operational risk management personnel and an increased awareness of operational risks by nonoperational risk management personnel (49 percent), more coordination with different areas responsible for risk management (64 percent), and more involvement and interaction in the decision making of other departments. Contrary to what we expected, there was not a significant difference between firms that are listed on the TSE versus those that are not in terms of the propensity to use ERM. 
However, the fact that 37 percent of firms indicated that the TSE guidelines were influential in their decision to adopt ERM provides some evidence that the guidelines are influencing companies' risk management strategies.
Publicly traded companies in Canada, the United States, and the United Kingdom began to encounter stricter corporate governance rules and guidelines during the 1990s. These changes in expectations regarding corporate governance were motivated, to a large extent, by many large corporate failures. "The corporate landscape is littered with the wreckage of companies whose directors were either asleep at the wheel or overwhelmed - from such notorious cases as Bre-X Minerals Ltd. and Livent Inc. to more recent implosions of Nortel Networks Corp. and Moore Corp" (Gray, 2001, p. 36). One key area addressed by these guidelines is risk management. For example, the Toronto Stock Exchange (TSE) guidelines advocate that boards assume responsibility for "the identification of the principal business risks of the corporation's business, ensuring the implementation of appropriate systems to manage these risks." These new standards for corporate governance have created a need for the development of comprehensive corporate governance strategies that address all risks that a firm faces.
Occurring during the same time as the evolution in corporate governance standards was a greater emphasis on the benefit to companies of engaging in enterprise risk management (ERM). In contrast to the traditional "silo" approach to managing risk, the ERM approach requires that a company-wide approach be taken in identifying, assessing, and managing risk. Many authors have written about the expected benefits of an ERM approach and why companies should view risk from an overall corporate perspective rather than in a more narrow, department-by-department perspective. The primary benefit of ERM stems from taking a portfolio approach to risk management. That is, just as holding a diverse portfolio of stocks reduces the volatility of returns, a corporation's offsetting risks should result in a total risk level that is lower than the sum of the individual risks. This in turn can translate into lower risk management costs.
A number of developments in the past decade have contributed to the increased interest in ERM. These include changes in regulation, as mentioned above; investors becoming more sensitive to earnings volatility; an increase in the accountability standards for boards, prompting a greater focus on a company's risk management systems; and the continuing convergence of the traditional capital and insurance markets. This last development has resulted in new ways to manage risks that facilitate integrated risk solutions. Finally, technological advances of computer software and the growing sophistication of statistical and economic analytical models that can measure risks more precisely have also been important in making ERM more viable for those wishing to implement it (Green, 2001).
Despite all of the talk about ERM in the trade press, evidence indicates that it is still not widely practiced. For example, a 2001 study by the Economist Intelligence Unit (EIU, 2001) found that 41 percent of companies in Europe, North America, and Asia had implemented some form of ERM, but when looking at just North America, the number drops to 34 percent. Why is ERM not more common in practice? Some reasons may include organizational structures that are not conducive to ERM, individuals who do not want to give up their specific responsibilities, a lack of understanding regarding how to effectively implement ERM and measure its benefits, and difficulties in measuring risk and correlations across risks in the company.
A study by Colquitt et al. (1999) provided evidence that the move toward an ERM approach in U.S. companies was still in its infancy. Their study, however, was based on data obtained in a survey from 1998. Their results indicated that firm-specific characteristics such as industry, size, and background of the individual responsible for risk management affected the utilization of ERM techniques. Since then, interest in ERM has grown, and we expect that if the same survey were conducted today, more companies would be using ERM.
In this article, we examine to what extent companies in Canada are using ERM, what characteristics are associated with the use of ERM, what obstacles companies face in implementing ERM, and what role, if any, corporate governance guidelines have played in the decision to adopt ERM. We obtained our data from the responses to a mail survey sent to Canadian Risk and Insurance Management Society (RIMS) members as well as telephone interviews with 19 of the respondents. The results indicate that 31 percent of the sample had adopted ERM, and that reasons for adopting ERM included the influence of the risk manager, encouragement from the board of directors, and compliance with TSE guidelines. The major deterrents to ERM were an organizational structure that discouraged ERM and an overall resistance to change. Contrary to what was expected, there was not a significant difference between firms that are listed on the TSE versus those that are not in terms of the propensity to be using ERM. However, the fact that 37 percent of firms indicated that the TSE guidelines were influential in their decision to adopt ERM provides some evidence that the guidelines are influencing companies' risk management strategies, even for nonlisted firms.
FACTORS AFFECTING THE ADOPTION OF ERM
A company's decision regarding whether to adopt an ERM strategy may be influenced by a number of factors. These include the TSE guidelines for effective corporate governance and company characteristics such as industry, size, and how the risk management function is organized in the company.
One possible explanation for a company's decision to implement ERM is the change in expectations regarding effective corporate governance. Regulators in many countries, including Canada, the United States, the United Kingdom, Australia, and New Zealand, are pressing firms for better risk reporting and for more integrated and comprehensive risk management. In Canada, the report "Where Were the Directors?" often referred to as The Dey Report, was published in 1994. The report was the result of the work done by the Committee on Corporate Governance, which was established by the TSE in 1993. Following that report, the TSE adopted the Committee's 14 recommendations as best practice guidelines for listed companies. The guidelines suggest that the board should assume responsibility for stewardship, including strategic planning, risk management, and internal control. Recognizing the need for flexibility, since each company is unique, the standards were adopted as recommendations rather than requirements. TSE-listed companies are required to report on differences between their corporate governance practices and those recommended.
In 1999, a follow-up survey was completed entitled "Five Years to the Dey." This report was designed to evaluate developments in corporate governance and evaluate the continued relevance of the recommendations.
The research findings present a complex picture. On one hand, it is clear that most corporations take the TSE guidelines seriously. Many of the largest companies that account for the greatest proportion of Canadian equity investment are leaders in corporate governance. A number of the TSE guidelines are now broadly accepted business practices. On the other hand, important areas remain where general practice falls short of the guidelines' intent. (Report on Corporate Governance, 1999, p. i)
One finding of the 1999 report was that many boards, especially in resource industries, had no formal process for evaluating risk. Thirty-nine percent of participating companies had no formal process, while 55 percent in the gold and precious minerals sector had no formal process. Our interest in this study is to assess how common ERM is in Canada and determine whether the TSE guidelines have affected companies' risk management strategies.
ERM in Practice: United Grain Growers and British Columbia
Two examples of organizations that have responded to the new guidelines by adopting an ERM approach are United Grain Growers (UGG) and the province of British Columbia (BC). "UGG has taken the corporate governance guidelines of the Canadian regulatory agencies which require corporations to have a program in place to identify and manage risks quite seriously" (Green, 2001, p. 73). In 1999, UGG, a grain intermediary, put in place an integrated insurance program that covered all its insurance needs, including drought. Drought (or weather) is one of the key risks for UGG since it relies on a good harvest of grain in order to meet desired revenue levels. UGG sees that one primary benefit of the program is that it will experience less downside volatility in its revenues and, as a result, will enjoy a lower cost of risk (Green, 2001).
BC's provincial government has also embraced ERM. BC requires its Crown corporations to develop their own enterprise risk programs with the aid of a model developed by the Australia/New Zealand Standards Association. "A major impetus behind B.C.'s ERM effort is the emergence of stricter corporate governance rules and guidelines that publicly traded companies in Canada, the U.K. and the U.S. began to encounter during the 1990s" (Lenckus, 2001, p. 6). According to the director of BC's risk management branch, ERM was implemented because it would result in much more information regarding the organization's risks, and this should result in "better management, more informed management, and better decision making" (Lenckus, 2001, p. 1).
Although public entities do not have the same profit motive as private companies, public entities still feel the impact of profits and losses arising from the operations they run and some are recognizing the benefit of adopting better governance practices. For example, in 1998 the Ontario Teachers' Pension Plan Board began to comply with the TSE guidelines. Governance guidelines are also evolving for other-than-public companies. In their 1999 report, "Building on Strength: Improving Governance and Accountability in Canada's Voluntary Sector," the Panel on Accountability and Governance in the Voluntary Sector proposed their own "Good Practice Guide for Effective Stewardship." Both the TSE and the voluntary guidelines recommend policies for communication with stakeholders, an independent nominating committee, and an audit committee (McConomy and Bujake, 2000).
In terms of company characteristics, size is one factor that Colquitt et al. (1999) found to be significant in whether a company used integrated risk management tools. We expect that larger firms would be more likely to adopt ERM due to the need for a comprehensive risk management strategy. Both their study and the EIU study (2001) also found industry important. Of the six industries examined in the EIU study, the financial services and utilities/natural resources industries were the most likely to be using ERM to identify risks (2001), consistent with Colquitt et al. (1999).
The placement of the risk management function in the organization may also influence the tendency of a firm to use ERM. The results of Colquitt et al. (1999, p. 47) indicate the following regarding the department or unit handling the pure risk management function:
Risk Management Unit Within the Finance or Treasury Department 36.1%
Separate Risk Management Department 29.6%
Finance or Treasury Department 22.7%
We expect that firms organized in the first or third categories are most likely to adopt an ERM strategy since they already have some integration of financial expertise in their structure.
The ERM concept is still fairly new and, as a result, there is not consensus on what it means. However, companies that are using ERM are assumed to be taking a more integrated approach to their risk management strategies, and therefore we expect that their risk financing strategies would differ from companies not using ERM. For example, companies that have adopted ERM are expected to make greater use of blended risk contracts, captives, and multitrigger policies and be less reliant on traditional insurance.
METHODOLOGY AND RESULTS
In order to determine the extent to which ERM is practiced in Canada, a survey was sent (in June 2001) to all companies listed as members in RIMS. The survey was sent to all Canadian Primary Deputies (the individual primarily responsible for risk management in the company). The total number of surveys sent out was 336, of which only one was returned as undeliverable. One hundred eighteen valid surveys were returned, for a response rate of more than 35 percent.
The survey consisted of closed-end questions (with the option to write in additional comments) related to four major areas of interest:
1. Company-specific information, including firm size, industry, whether the company was publicly traded, and information about the risk manager, including educational background and experience
2. Organization of the risk management function within the firm, responsibilities of the risk manager, and whether there was a CRO
3. Current and past use of risk financing alternatives for both operational and non-operational risks, and perceived use of these in the future
4. Current or expected use of ERM and factors that affected the adoption of ERM, including corporate governance
The questionnaire design allowed for the comparison of risk management activities and strategies between firms of different sizes and from different industries, including public and private; between firms with varying organizational structures regarding where the risk management function existed; and between risk managers with differing educational and work experience.
Company and Risk Manager Characteristics
Table 1 provides summary data of the firms that responded. The sample of 118 companies provided a good spread by size, as measured by annual revenues. Thirty-four percent were smaller firms (<$500 million), 32 percent were medium-sized firms (between $500 and $2,500 million), and 34 percent were larger firms (>$2,500 million). In terms of industry, 26 percent were in energy, 29 percent were government/not-for-profit entities, 8 percent were in manufacturing, 8 percent were in transportation, 6 percent were in finance, and the remaining 22 percent were spread across a variety of other industries. Forty-nine were listed on the TSE (10 within the past three years), and 24 firms were listed on the New York Stock Exchange (nine within the past three years).
In terms of which department handled the operational risk management function, 40 percent said a separate risk management department, 31 percent said the company had dedicated operational risk management personnel within the finance or treasury department, 22 percent said that risk management was handled entirely by the finance or treasury department (without dedicated personnel), and the remaining included such answers as within a legal department, a division of duties between senior financial controls advisor and internal audit, or decentralized throughout the organization. The most common responses to the question asking to whom the risk manager reported were the chief financial officer (22 percent), the treasurer (29 percent), and the vice president of finance (20 percent).
Of all respondents, 37 percent of the risk managers were "new" (less than 8 years of experience), 31 percent were "seasoned" (more than 16 years of experience), and the remaining 32 percent had between 8 and 16 years of experience. Almost half of respondents had the CRM designation, 15 percent had the Chartered Insurance Professional (CIP) designation, and 13 percent had CMA/CGA designations. Regarding work experience, 65 percent said the majority was in risk management or insurance, 14 percent in finance, 9 percent in accounting, 9 percent in general management, and 3 percent in legal. Table 2 reports complete details of risk managers' characteristics.
Use of Enterprise Risk Management
Our main hypothesis is that the increased scrutiny of companies by regulators and shareholders, made explicit by the TSE guidelines, will result in more companies adopting an ERM approach. Of the 118 firms in our sample, 37 used an ERM approach (31 percent), 34 were investigating adopting an ERM approach (29 percent), and 47 companies were not considering ERM (40 percent). Of the 37 firms that had implemented ERM, 16 were listed on the TSE and 13 had a person in the organization with the title of chief risk officer. We also found evidence that firms used ERM in the responses to question 15, which asked about the changes that had occurred in the company's operational risk management program over the past five years. Fifty-eight percent said higher retentions and 77 percent said there was more interaction with other departments, while 23 percent said they had more responsibility for nonoperational risks. Although these responses could also be caused by other factors, the use of ERM is consistent with such changes.
In order to assess what factors are important in encouraging ERM, question 18 asked what the driving force behind adopting ERM was. For those firms who had adopted ERM or were thinking about it, 37 percent said that compliance with TSE guidelines was a driving force behind the decision. Fifty-one percent said that it was due to encouragement from the board of directors, 28 percent said concern for directors' and officers' (D&O) liability was important, and 61 percent said it was due to the influence of the risk manager. Also of interest is what factors deterred the use of ERM, which was addressed in question 19. The major deterrents to the implementation of ERM were an organizational structure or corporate culture that discouraged ERM (48 percent) and an overall resistance to change (42 percent). Lack of qualified personnel to implement ERM was also important (32 percent), as was the need for internal control and review systems (25 percent).
When asked what changes the risk manager had observed in the company in the past three years, strong evidence suggested that the board of directors was becoming more involved in risk management, which we expected given the TSE guidelines. Forty-five percent indicated that company-wide guidelines for risk management had been developed, while 59 percent indicated that they had an increased sense of responsibility to provide information to senior officers, the board, or committees of the board. Sixty-two percent noted that the amount of information disclosure had increased, while 64 percent said there was more timely dissemination of information through using the Internet. In terms of ERM, the fact that 49 percent of the respondents indicated that there was an increased awareness of nonoperational risks by operational risk management personnel, and vice-versa, also suggested that companies are moving toward an enterprise-wide view of risk. Other evidence that ERM is becoming more prevalent included that 64 percent indicated that there was more coordination with different areas responsible for risk management, and 58 percent said that there was more interaction and involvement in the decision making of other departments. In terms of what caused the changes noted above, 44 percent indicated compliance with TSE guidelines, 41 percent indicated increased concern regarding D&O liability exposures, 36 percent indicated competition or other industry-related pressures (which would suggest that even those firms that are not listed on the TSE would be concerned about its guidelines), and 30 percent indicated the adoption of an ERM strategy by the firm.
Evidence Regarding the State of the Market
To ascertain how companies' risk financing strategies are expected to evolve from current practice, questions 20 and 21 asked respondents to indicate what risk financing methods were being used currently for managing operational and nonoperational risks, and what they expected to be using in the next five years. The results, shown in Table 3, indicate that the hardening market of 2001, even before September 11, was pushing companies toward risk-financing mechanisms that were less dependent on market capacity. For example, there was a significant difference between firms' current and future use of blended contracts and multiyear contracts. Firms expected to use both types of contracts less in the future, presumably because insurers were less likely to lock in to low prices and less likely to underwrite coverage for blended contracts with a lower combined price. By contrast, companies indicated that they would more likely in the future use securitization, multitrigger policies, and derivatives for operational risks and finite reinsurance, captives, and securitization for nonoperational risks. These results provide evidence that companies are moving away from traditional insurance and are increasingly interested in risk financing strategies that facilitate ERM.
Differences in Firm Characteristics Based on ERM Utilization
To test for any characteristic differences between firms that used ERM (hereafter referred to as USERS) versus those that did not, we ran Wilcoxon rank-sum tests on a number of variable interactions. The following discussion describes some of the more interesting significant results from this analysis:
* Energy firms were more likely to be USERS than all other industries. This result is consistent with what other studies have found (see Colquitt et al., 1999, and EIU, 2001). Energy companies, facing deregulation and volatile markets, would appear to have a clear incentive to adopt ERM and attempt to realize the benefits.
* Firms whose risk management function was organized with dedicated personnel in the finance or treasury department were less likely to be USERS than all other functional organizations. This result is counter to what one would expect. Companies that had a completely separate risk management department would seem to be at a comparative disadvantage in terms of employing ERM, yet this is not what the evidence indicates.
* Companies in which the risk manager reports to the vice president of finance were more likely to be USERS.* The direct interaction between operational personnel with this officer appeared to make it more likely that the company would adopt ERM.
* Firms that, in the past five years, had more reliance on outside resources and greater responsibility for nonoperational risks* were more likely to be USERS. The fact that firms that relied more on outside resources were more likely to be USERS may be an indication that ERM was being introduced by outside parties such as consultants or auditors. Consistent with the definition of ERM, the results indicate that companies who were USERS had greater responsibility for nonoperational risks.
* Recent changes that were more likely in firms that were USERS included more timely dissemination of information via the Internet;* the development of company-wide guidelines for risk management;* increased direct interaction with the board or its committees;* an increased awareness of nonoperational risks by operational personnel and vice-versa;* more coordination with different areas responsible for risk management; more interaction and involvement in the decision making of other departments; increased sense of responsibility to provide information to senior officers, the board, or committees of the board; and an increase in the proportion of external directors. An adoption of an ERM strategy was indicated to be influential in bringing about these changes for companies that were USERS. These results are consistent with behavior that we would expect USERS to exhibit. Specifically, the results indicate more interaction between departments and more involvement by the board of directors.
* Risk financing instruments that USERS were more likely to be using included blended risk contracts for their operational risks, and in the next five years, USERS anticipated using securitization and blended risk contracts. For financial risks, USERS were more likely to be using blended risk contracts and multitrigger policies currently and anticipated using blended risk contracts, finite risk insurance, securitization, multiyear policies, multitrigger policies, and pooling arrangements in the next five years. Such risk financing strategies for USERS were consistent with what would be expected for firms that have adopted an ERM strategy.
TSE Versus Non-TSE Firms
The emphasis on risk management in the TSE guidelines was expected to be an important influence in encouraging companies to adopt ERM. Although there was not a significant difference between firms that were listed and not listed on the TSE regarding whether they were using ERM, evidence still existed that the TSE guidelines affected companies' risk management strategies. For example, more than one-third of the respondents indicated that compliance with TSE guidelines was an important consideration in adopting ERM. The fact that there was not a significant difference between firms using ERM and those that were not may be an indication that even nonlisted firms have some incentive to abide by the guidelines, perhaps for competitive reasons.
There were also differences in terms of the risk financing options used by TSE firms compared to those used by nonlisted firms. For example, TSE-listed firms were more likely to use derivatives for managing operational and nonoperational risks and were more likely to be using captives and other pooling arrangements. In addition, TSE-listed firms were more likely to indicate that in the previous three years they had more requests from the board for information and more direct interaction with the board. They were also more likely to indicate that the TSE guidelines were influential in causing these changes. As expected, these results provide evidence that the TSE guidelines influence company decisions and behavior.
RISK MANAGER PERSPECTIVES ON ERM
To gain more insight into companies' views on ERM and whether the TSE guidelines affected their risk management strategies, we asked respondents if they would be willing to participate in an in-depth interview regarding these issues. Below, we discuss common themes from 19 interviews based on the following four questions:
1. In your opinion, what does it mean to be practicing ERM?
2. What are the three greatest problems or deterrents your firm faced, or is likely to face, in implementing an ERM strategy?
3. What are the three greatest benefits your firm can gain, or has already gained, from implementing an ERM strategy?
4. How have the TSE guidelines regarding corporate governance affected how your firm handles the risk management function?
What Is ERM?
The survey posed the question "Is your firm using an ERM approach to managing risk?" We provided a definition of ERM, specifically, "ERM is the management of operational and financial risks simultaneously in order to maximize the cost-effectiveness of risk management within the constraints of the organization's tolerance for risk." However, evidence from the survey seemed to indicate that respondents' own definition of ERM may differ from the definition of ERM provided in the survey. As such, during the interviews the first question posed was "What does it mean to be practicing ERM (i.e., what are the basic tools or practices that are essential for any company doing ERM)?"
As anticipated, the responses were varied; however, a few main points did emerge. First, the majority believed that ERM involves an enterprise-wide assessment of risks. This includes operational, hazard, and financial risks. Second, the majority believed that to be successful, ERM must have management buy-in and proper communication flow between management and the risk management function. A smaller group indicated that ERM should also be backed by a corporate risk philosophy or strategy and possibly be overseen by a corporate risk committee. This firm-wide plan for managing risks would work across the typical silo structure of risk management and give managers of the different risk functions a standard by which to manage their specific risks.
Problems or Deterrents in Implementing an ERM Strategy
The second issue we explored with the interviewees was obstacles to implementing ERM. One of the main obstacles was the existence, and in some cases the reemergence, of the silo mentality. Thinking across the corporation and looking collectively at all of the risks it faces proved to be one of the most difficult challenges in implementing an ERM program. In addition, risk analysis was also a key barrier as companies attempted to quantify all of their risks and realized the enormity of the task.
A second obstacle stemmed from the effects of recession and business downturn. Such slowdowns generally curbed expenditures in the risk management area, partly because it is too difficult to measure the cost to implement risk management and equally difficult to measure the return on the investment. In addition, management change, retirement, downsizing, and the overburden of those who remain forced the management team to look after immediate problems, and they were often unable to engage in more strategic, longer-term planning.
Finally, there was uncertainty regarding ERM, how it creates value, and how it encompasses the company's goals and vision. ERM needs to be accompanied by a fundamental risk management culture in the company in order to be successful and to achieve the desired benefits. Devising simple strategies that "bring(s) discipline and consistency to what you are already doing" is necessary, as opposed to making ERM an "add-on" that is seen as simply one more thing that people have to do.
For those companies for whom risk management was not part of their culture or for whom risk management was stated as a separate discipline, the potential for adopting an ERM strategy would seem extremely unlikely. Still, education continues to be emphasized at the same time that ERM as a strategy is being reviewed, and perhaps with time, ERM may be a more realistic goal.
Benefits of Adopting ERM
The benefits of ERM, as described in the trade or academic press, arise from taking a portfolio approach to managing risk, thereby capitalizing on less than perfect correlation across risks in the company and benefiting from natural hedges. By asking risk managers what they saw as the benefit of ERM, we wanted to assess whether this was a primary motivator in adopting ERM. Not surprisingly, one of the most common benefits cited was a coordinated and consistent approach to risk management, resulting in lower costs and better communication across the company. Companies also saw this coordination as an important way to avoid very large losses since the company had a better handle overall on its risks and was doing a better job of communicating with individual departments. A second benefit seen by many of the risk managers was a company-wide philosophy regarding risk management. Adopting an ERM approach was a way to align everyone to the same objective. When risk management permeates the entire company, and if everyone buys in, better results can be expected. Finally, a number of companies saw ERM as a much more strategic approach to managing risk. Rather than the company simply buying insurance, ERM is a way to increase risk awareness, and this increase in awareness and knowledge allows for more sound decision making. Companies saw this as an important way to increase the comfort level of the board of directors.
Impact of the TSE Guidelines on Risk Management
The TSE guidelines regarding effective corporate governance have had three main impacts on risk management strategies. First, risk management has become more of a focus for committees of the board. The audit, finance, or risk management committee of the board generally considers risk management. Regardless of which committee examines risk management, it is now being considered from an overall strategic standpoint rather than more narrowly as a single silo. Second, the board is more interested in risk management than in the past. This is demonstrated by an increased awareness of risk management, greater participation by the board in terms of asking questions about risk management, and in general, greater appreciation for the importance of risk management. Finally, the TSE guidelines have helped emphasize and support earlier initiatives such as those put forth by the Canadian Comprehensive Auditing Foundation (CCAF), the Canadian Institute of Chartered Accountants (CICA), and the Blue Ribbon guidelines. All of these provide guidance for improving risk management, and the TSE guidelines have helped reiterate the importance of these initiatives and provided risk managers with some ammunition for heightening the profile of risk management in their companies.
The TSE guidelines have affected not-for-profit companies only indirectly, through conversations with other risk managers (in the private sector), and, as mentioned above, they have increased the motivation for following through on initiatives such as CCAF and CICA.
CONCLUSIONS AND FUTURE RESEARCH
ERM is a concept that has drawn a great deal of attention in the trade press, yet conflicting evidence exists regarding what it means and how common it actually is. This study has provided evidence regarding the use of ERM in Canada and the impact of the TSE guidelines on companies' risk management strategies. Although ERM is still not widely practiced, evidence is clear that even those companies that have not adopted ERM are taking a more integrated approach to risk management than in the past. Our results have also produced a variety of research questions to be addressed in the future.
First, given the large proportion of public and governmental respondents to the survey, the issue of public versus private use of ERM will be studied. Our analysis suggests that although public firms are not driven to ERM utilization by the corporate governance guidelines issued by the TSE, the TSE guidelines on risk management may have other effects.
Second, broadening our perspective to the global market, we know that the introduction of new corporate governance standards has varied across countries, and we would expect that the timing, and differences in corporate cultures, have led to differences in the adoption of ERM in these different markets. As such, we would like to internationalize this study to the various world sectors that have introduced corporate governance standards for their corporations.
Finally, we also plan to further investigate whether consensus exists on what ERM truly is. Given the results of this survey and the extensive use of the term, we believe that an internationally accepted definition of ERM would be useful in gaining a better understanding of its use, or lack thereof, in the risk management community.
© Risk Management and Insurance Review, 2003, Vol. 6, No. 1, 53-73
1 Previously, the terms holistic or integrated risk management have also been used.
2 Corresponding reports in other countries include the Turnbull report (United Kingdom), September 1999 (requirements for derivative instruments and hedging activities); and the Blue Ribbon Commission Report (NYSE), 1999.
3 For a more thorough discussion of UGG's application of ERM, please see Harrington et al. (2002).
4 A copy of the survey is included in Appendix A.
5 We are grateful to RIMS for providing to us an updated list of all Canadian members.
6 The Chartered Insurance Professional is similar to the Chartered Property-Casualty Underwriter (CPCU) designation in the United States, and the CA designation is similar to the CPA designation.
7 Respondents could choose as many of these reasons as applied.
8 This analysis excludes those respondents that answered yes to question 18 in the survey. This group of firms was currently investigating ERM and was statistically similar to both USERS and non-USERS of ERM. Our analysis did not have conclusive evidence to align these firms with either group. These results are available upon request from the authors.
Colquitt, L. L., R. E. Hoyt, and R. B. Lee, 1999, Integrated Risk Management and the Role of the Risk Manager, Risk Management & Insurance Review, 2: 43-61.
Economist Intelligence Unit Limited and MMC Enterprise Risk, Inc., 2001, Enterprise Risk Management: Implementing New Solutions (New York).
Gray, J., 2001, A Matter of Trust, Canadian Business, October 29: 36-37.
Green, P., 2001, Risk Managers Cover Enterprise Exposure, Global Finance, 15: 72-74.
Harrington, S. E., G. Niehaus, and K. J. Risko, 2002, Enterprise Risk Management: The Case of United Grain Growers, Journal of Applied Corporate Finance, 14: 71-81.
Lenckus, D., 2001, Enterprising Risk Manager, Business Insurance, 35: 1-6.
Toronto Stock Exchange, 1994, Where Were the Directors? December (Toronto Stock Exchange Committee on Corporate Governance in Canada).
Toronto Stock Exchange and Institute of Corporate Directors, 1999, Report on Corporate Governance, 1999: Five Years to the Dey (Toronto Stock Exchange).
Anne Kleffner is an Associate Professor of Risk Management and Insurance at the Haskayne School of Business, University of Calgary; phone: 403-220-8596; fax: 403-284-7903; e-mail: email@example.com. Ryan Lee is an Assistant Professor of Risk Management and Insurance at the Haskayne School of Business, University of Calgary; phone: 403-220-4350; fax: 403-284-7903; e-mail: firstname.lastname@example.org. Bill McGannon is a consultant with Risky Business, Calgary, Canada.…