Edinburgh Research Explorer
The Valuation Implications of Enterprise Risk Management
Maturity
Citation for published version:
Farrell, M & Gallagher, R 2015, 'The Valuation Implications of Enterprise Risk Management Maturity',
Journal of Risk and Insurance, vol. 82, no. 3, pp. 625-657. https://doi.org/10.1111/jori.12035
Digital Object Identifier (DOI):
10.1111/jori.12035
Link:
Link to publication record in Edinburgh Research Explorer
Document Version:
Peer reviewed version
Published In:
Journal of Risk and Insurance
Publisher Rights Statement:
© Gallagher, R., & Farrell, M. (2014). The Valuation Implications of Enterprise Risk Management Maturity.
Journal of Risk and Insurance. 10.1111/jori.12035
General rights
Copyright for the publications made accessible via the Edinburgh Research Explorer is retained by the author(s)
and / or other copyright owners and it is a condition of accessing these publications that users recognise and
abide by the legal requirements associated with these rights.
Take down policy
The University of Edinburgh has made every reasonable effort to ensure that Edinburgh Research Explorer
content complies with UK legislation. If you believe that the public display of this file breaches copyright please
contact openaccess@ed.ac.uk providing details, and we will remove access to the work immediately and
investigate your claim.
Download date: 09. Aug. 2022
This is the author’s accepted manuscript of the article:
Gallagher, R., & Farrell, M. (2014). The Valuation Implications of Enterprise Risk Management
Maturity. Journal of Risk and Insurance. 10.1111/jori.12035
Abstract
Enterprise Risk Management (ERM) is the discipline by which enterprises monitor, analyze and
control risks from across the enterprise, with the goal of identifying underlying correlations and thus
optimizing the risk taking behavior in a portfolio context. This study analyses the valuation
implications of ERM Maturity. We use data from the industry leading Risk and Insurance
Management Society Risk Maturity Model over the period from 2006 to 2011 which scores firms on
a 5 point maturity scale. Our results suggest that firms that have reached mature levels of ERM are
exhibiting a higher firm value, as measured by Tobin’s Q. We find a statistically significant positive
relation to the magnitude of 253 percent. Upon decomposition of the maturity score we find that
the most important aspects of ERM from a valuation perspective relate to the level of top down
executive engagement and the resultant cascade of ERM culture throughout the firm. Firms that
have successfully integrated the ERM process into both their strategic activities and everyday
practices display superior ability in uncovering risk dependencies and correlations across the entire
enterprise and as a consequence enhanced value when undertaking the ERM maturity journey
ceteris paribus.
1. Introduction
Whilst the tools of portfolio theory are ubiquitous in the practice of finance, the same cannot be said
of risk management practice at the enterprise level. Over the past decade, attention has turned to
this very issue. Enterprises are subject to risks in many forms and the ultimate goal of Enterprise Risk
Management (ERM) is to model, measure, analyze and respond to these risks in a holistic manner,
treating each risk exposure not in isolation, but rather in a portfolio context (Gordon et al, 2009). It is
now widely recognized that for a firm to control its risk taking it is necessary to set risk budgets
amongst the various firm divisions and thus aggregate all the types of risk it is exposed to into one
consistent framework (Lleo, 2010). The portfolio based approach to risk management helps reduce
inefficiencies caused by a lack of co-ordination between different risk management departments as
well as exploiting natural hedges that may occur across the enterprise. As a consequence, ERM
programs can lead to significant enterprise cost savings through avoidance of duplication of risk
management expenditure (Hoyt and Liebenberg, 2011). Implementation of a comprehensive risk
management framework such as an ERM program will be subject to material costs,
1
in terms of both
monetary expenditure and opportunity sacrifice, which must therefore be weighed against the
benefits of the program to the firm, to ensure the undertaking of ERM is a value additive
economically justified activity.
The Casualty Actuarial Society (2003) highlights the ultimate value increasing goal of ERM by defining
ERM as “the discipline by which an organization in any industry assesses, controls, exploits, finances
and monitors risks from all sources for the purpose of increasing the organization’s short and long-
term value to its stakeholders”. If ERM maturity improves risk-return optimization at the enterprise
level in a cost effective manner, it is reasonable to conjecture that it should indeed be value additive.
The purpose of our study is to address this very question. We seek to ascertain whether firms with
more mature ERM programs, experience enhanced value. Moreover, we examine which aspects and
attributes of ERM enhancement are most value additive. Analysis of the relative importance of ERM
facets is particularly important given that the concept is nascent and generally found to be broadly
defined.
2
Heterogeneity in the valuation implications across ERM attributes provides important
information for firm risk management as the discipline itself evolves and matures.
1
A key finding from the 1776 participants of The Professional Risk Managers’ International
Association (PRMIA)’s 2008 “ERM: A Status Check on Global Best Practices” survey found that 51% of
respondents said that their firm spends under 2% of its operational costs on its ERM program on an
ongoing basis, with 27% in the 2–5% range and 22% choosing 5–7%.
2
Some of the more popular definitions put forward for ERM include those from The Committee of
Sponsoring Organizations of the Treadway Commission (COSO) (2004), The Casualty Actuarial
Society (2003), The Institute of Internal Auditors (IIA) (2004) and The Risk and Insurance
Management Society (RIMS).
This study contributes to the emerging field of research on ERM by analyzing the valuation
implications of ERM using a detailed ERM maturity assessment score, obtained from the widely
utilized Risk and Insurance Management Society Risk Maturity Model (RIMS RMM).
3
The RIMS RMM
ranks the overall ERM maturity of enterprises from many sectors. Our study utilizes these composite
scores and we have been able to decompose the overall scores to observe the relative maturity of
important attributes that drive overall ERM maturity (hitherto described in section 3).
Current research on ERM firm value implications is relatively limited. This is not surprising given that
the formalized discipline of ERM has only been in existence for just over a decade. Furthermore, as a
result of a lack of ERM disclosure requirements, research to date has been limited in terms of the
lack of an appropriate measurement of the extent of ERM engagement at the firm level. The
relevant research has typically utilized a binary proxy variable (such as the appointment of a Chief
Risk Officer (CRO) or public ERM related announcement) to indicate whether the firm is currently
undertaking an ERM program (see Pagach and Warr, (2010);, Hoyt and Liebenberg, (2011); and Lin
et al, (2012)). Since 2008 the rating agency, Standard and Poor’s, has included an ERM analysis as
part of its global corporate credit rating process for insurance companies (Standard and Poor’s, May
2008). Use of this rating allowed for a more sophisticated ‘extent of ERM implementation’ construct
variable to be used (see McShane et al, (2011)). To date analyses have been limited to US and
Bermudian insurance companies and suffer from small sample sizes and inability to investigate the
constructs of the overall rating, which this study seeks to overcome (as discussed in section 3). To
our knowledge this study is the first to decompose an ERM maturity rating and examine the specific
aspects of ERM which are adding value to the firm.
Consistent with prior research (Hoyt and Liebenberg, (2011)) we find a highly significant valuation
premium is associated with firms that have undertaken an ERM program (in our case measured by a
maturity score as discussed in section 3) as part of their corporate strategy. Furthermore our study
highlights that the valuation premium is being driven by the embedding of risk culture and
integration of ERM processes within the organization as well as the degree to which the ERM
process is viewed as an integral element in strategy and planning activities.
This article is structured as follows. First, we discuss the evolution of risk management from the
traditional approach to the modern-day holistic based ERM approach. We examine the theoretical
underpinning of ERM and why it is proposed to add value above the traditional risk management
approach. Subsequently we describe the data and model used and we then empirically examine the
relationship between ERM maturity attributes and firm value. Finally, we present our empirical
results followed by discussion of the results and concluding sections.
2. Theoretical Background
2.1 From Traditional Risk Management to Enterprise Risk Management
The Miller and Modigliani (1958) seminal contribution on the irrelevance of an organization’s capital
structure implies that in perfect capital markets risk management activities also do not create value.
Furthermore the Capital Asset Pricing Model (Sharpe, 1964) asserts that well-diversified investors
are able to hold portfolios that will have already eliminated the idiosyncratic specific risks of the
firm, thus rendering risk management efforts irrelevant in terms of value creation.
3
The authors would like to acknowledge and thank Carol Fox of The Risk and Insurance Management
Society and Steven Minsky of Logic Manager for providing access to the data for this study.
Formatted: Indent: First line: 0 cm
Formatted: Font: 11 pt, English (United States)
Formatted: Font: 11 pt, English (United States)
Formatted: Font: 11 pt, English (United States)
Formatted: English (United Kingdom)
However, there are various counter arguments suggesting that risk management can and does
indeed add value to the firm. Firstly, as highlighted by Grace et al (2010), the commercial
environment has many market imperfections in terms of taxes (Miller and Modigliani, 1963),
bankruptcy costs (Kraus and Litzenberger, 1973), external capital costs (Froot et al, 1993) and agency
costs (Jensen and Meckling, 1976) which can be exploited allowing risk management to add value
within the organization. This view is also echoed by Pagach and Warr (2011) who again highlight that
attempting to reduce idiosyncratic risk is not a negative net present value project, due to the
numerous market frictions and imperfections that exist within the corporate world. Other
arguments include recognition of the fact that well diversified investors in fact do not exist (Shimko,
2001) and that risk management enhances firm value by improving the value of expected cash flows
(Shapiro and Titman, (1998;) and Nocco and Stulz, (2006)). Various studies have also statistically
shown that risk management appears to be adding value in the presence of these market
imperfections (for example see Smith and Stulz, (1985;) and MacKay and Moeller, (2007)).
The world has, however, changed at a rapid rate over the last two decades and with it the role that
risk management plays within the organization. An increasingly complex layer of connected risks has
called for the adoption of an integrated approach to risk management. Corporate risk management
has expanded beyond financial and hazard risk mitigation practices such as using insurance and
financial hedging instruments to now include the consideration of a multitude of other risk types
such as operational risk, reputational risk and strategic risk. Risk is also no longer being viewed as an
activity that can be carried out within the traditional silos of operation that may have existed in the
past. Whereas historically risk management activities were compartmentalized and uncoordinated
with a focus on using insurance and derivative instruments to protect the firm against hazard and
financial risks, a holistic approach has emerged which instead aims to achieve a coordinated
management of all significant risk exposures the organization faces (McShane et al, 2011). This
emerging integrated approach, to the aggregation of risk, is generally referred to as Enterprise Risk
Management.
2.2 ERM and Firm Value
It is generally recognized that ERM attempts to create shareholder value by allowing firms to achieve
a more optimized risk-return trade-off. This view is shared by Meulbroek (2002) who argues that
“The goal of risk management is not to minimize the total risk faced by a firm per se, but to choose
the optimal level of risk to maximize shareholder value”. Taking an integrated framework approach
to managing risk aids the goal of optimal risk-taking. Nocco and Stulz (2006) contend that an
evaluation of risk and return at the project level does not allow for optimization at the corporate
level as risk diversification and correlations are ignored, thus leading to suboptimal decision making.
As a key component of ERM is the examination of the risk interactions and their aggregation it is
therefore posited that ERM improves internal decision making and hence ultimately contributes to
firm value through more efficient capital allocation (Myers and Read, 2001). Furthermore Nocco and
Stulz (2006) argue that ERM can lead to a reduction in the probability of large detrimental cash flow
shortfalls (which are economically burdensome to the firm in terms of future growth implications),
costly capital acquisition and relinquishing of profitable investments.
A key aspect of ERM (and difference from the traditional risk management approach) is that the
firm’s major risks, from all sources, are aggregated together in a ‘portfolio’ of risks, thus embracing a
holistic approach to risk management. Rosenberg and Schuermann (2006) use a copula-based
method to show that a firm’s total amount of risk differs from the sum of the enterprise’s individual
risks. McShane et al (2011) emphasize the benefits of the ERM risk aggregation approach, attesting
that hedging residual risk, rather than independent risks, maximizes value by allowing the
organization to benefit from a risk diversification effect or recognition of natural risk hedges. Thus,
