Enterprise Risk Management Benchmarking Study: A Focus on Financial Institutions

Digital image of charts and graphs


The Global Risk Institute, in partnership with the Conference Board of Canada and the Chartered Professional Accountants of Canada, has conducted a benchmarking survey of enterprise risk management (ERM) practices across different industries. In this foreword, we highlight ERM practices in the financial services industry and discuss how they compare to other industries’ practices. It is important to keep in mind that there is no one-size-fits-all approach to ERM. A firm should invest in ERM in proportion to the size and complexity of the risks to which it is exposed. As such, the goal of this comparison is not to determine which practices are ‘best’ but merely to showcase some key differences.


According to the survey, 54% of financial institutions (FIs) have fully integrated ERM programs, compared to 20% in other industries (Figure 1). Given the complexity of their risk profiles and the stringency of their regulatory environment, it is unsurprisingly that FIs tend to have more integrated ERM practices. 64% of FIs have Chief Risk Officers who are responsible for ERM functions, while 16% of companies in other industries have CROs who oversee these tasks.

Figure 1: Graph outlining percentage of organizations who have adopted ERM


For financial services respondents, reputational, financial, and technological risks were the highest priorities (Figure 2). Similarly other industries prioritized reputational and financial risks, but placed less emphasis on technological and legal risks and more emphasis on operational risk. Although reputational risk was identified as the highest priority risk, the majority of the respondents noted that ERM is not fully integrated in the marketing and sales process. (Figure 3) This is particularly interesting when considering that many recent reputational mishaps (e.g. Wells Fargo) have been driven by imprudent sales and marketing practices.

Figure 2: Chat showing level of priority organizations put on various risks.                   Figure 3: Chart showing how ERM is integrated into marketing and sales


According to our survey, 36% of FIs have more than five employees completely dedicated to ERM, while 53% of firms in other industries at most one employee devoted to ERM (Figure 4a). Further, 78% of firms in other industries have five or fewer employees that spend at least 20% of their time on ERM, whereas 44% of FIs have at least six employees who devote this much time to ERM (Figure 4b). Across all industries, respondents listed regulatory pressure, stakeholder expectations, and program upgrades as the most important factors in determining how to appropriately allocate their resources (Figure 5).

Figure 4a: Chart showing how much full time is pent on ERM                Figure 4b: Chart showing how much time is spent on ERM              Figure 5: Factors influencing your firm's ERM resourcing


Technological progress is revolutionizing all aspects of the financial services sector, and ERM is no exception. Many of our respondents indicated that they have begun to investigate or have made plans to implement new technologies to help automate their ERM functions. 75% of respondents, in fact, have started to investigate the usage of advanced analytics, and one third of this group have already begun to implement it. Data visualization was the next most-used technology, with 33% of respondents having begun to investigate it. Lastly, 19% of financial institutions have begun to investigate the use of Artificial Intelligence in ERM, although only 2% have already started to use it (Figure 6).Figure 6: Graph outlining organizations who have adopted ERM with automated tools


There are a significant number of studies that have demonstrated the effectiveness of ERM frameworks. Interestingly, however, 33% of FIs in our survey responded that ERM fosters little resilience to, or fast recovery from, risk failures (Figure 7). This suggests that there remains a greater need to raise the profile of ERM programs and demonstrate the value that can be derived from increasing ERM capabilities.

Figure 7: Chart from Enterprise Risk Management benchmarking report