Ms. Fox–who is senior director of risk management with Convergys Corp. in Cincinnati, which bills itself as “a leader in relationship management” that “provides solutions that optimize the everyday interactions between customers and employees”–explained that “more than anything,” the ERM survey offers risk managers a “message of hope.”

“Companies that have done this well are going to be in a better position competitively–and have a better competitive advantage–because they have a better way of thinking about risk that's consistent across the organization,” she said.

A correlation between ERM and better business performance is proven by the study, she added.

“Interestingly, when a project manager went back and looked at companies that scored high, they actually did possess higher credit ratings,” she said. “Low-scoring companies typically possess lower credit ratings. This should show senior leadership that there is a value in ERM.”

She added that there are key affirmations with the study. “The organizations with ERM have a concrete advantage in risk management competency,” she noted, pointing out that a full “93 percent of organizations with formalized ERM programs make better risk-informed decisions.”

However, she noted, “the 'ah ha' was that the organizations with ERM still fall significantly short of achieving a managed or better level of risk maturity.”

Based on guidelines, Ms. Fox said, only 4 percent with ERM programs reported they have achieved a managed or better level of risk management competency in all of the risk competencies that are in the maturity model.

That was not a surprise, she noted, because ERM isn't as easily embedded in an organization “as people might think. It takes a lot of work to get it embedded into all of the business areas. It's more than just doing a risk list. It's about managing those risks.”

The result, Ms. Fox observed, is that a number of organizations have a false sense of security, “meaning that while they may feel they have embedded their programs, they may not have. They may be very leading-edge and doing some great things, but in terms of encompassing the entire enterprise or having owners for those risks, it's not as comprehensive as they might believe.”

She noted also that many risk managers are “in the same boat. Truly practicing ERM takes time, it doesn't happen overnight.”

In an ERM program, she said, there are always emerging risks to deal with. “From that perspective, it's something we struggle with. The other side is that to do this at a leadership level across the enterprise is quite an undertaking, and it is turning that theory into a practical how-to.”

To help risk managers, she said RIMS has focused on helping them understand what other practitioners are doing.

“Going through the different competencies is more than having a process in place,” she said. “If you think of competencies as a behavior, it deals with culture and understanding an organization's risk appetite–imbedding the process of uncovering risk and who owns it–to make the business more resilient and sustainable.”

According to the study, formalized infrastructures in well-managed ERM programs embody the 68 best practice guidelines for efficient and effective risk management programs, as presented in the RIMS Risk Maturity Model for ERM.

Direct, extensive involvement in ERM by front-line management at all levels is the competency driver most strongly correlated with higher credit ratings, the study found.

Three other strong correlated competency drivers are:

o The degree to which risk assessments are effectively conducted by all business areas and aggregated;

o The extent to which corporate goals and risk management issues are clearly understood at all levels;

o The depth to which ERM is woven into strategy and planning.

The study concludes that better managed companies in terms of ERM practices benefit from better business performance.