Aon Risk Solutions Section Name

2013 Risk Maturity Index Report

Building a Robust Framework and
Realizing Value from Risk Management
April 2013

Risk.
AonReinsurance.
Risk Solutions |Human
Risk Maturity: Building a Empower
Resources. Results
Robust Risk Framework ®
and Realizing Value from Risk Management 1
Table Contents

Executive Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Accentuating the Upside, Smoothing the Downside. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
The Link between Risk Management and Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
What’s Your Organization’s Risk Maturity Rating? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Purpose and Value of the Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Designing and Developing the Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Driving Results: Organizational Culture, Financial and Risk Management Practices. . . . . . . . . . 12
Awareness of the Complexity of Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Developing Risk-Adjusted Return Expectations
Documenting Core Assumptions in the Development of Forecasting / Projections
Supporting Forecasting / Projections with Historical Data and Ranges of Values
Agreement on Strategy and Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Re-Evaluating Existing Risk Management Strategies Based on Lessons Learned
Reviewing & Validating Risk Tolerances Based on Changes to External Conditions
Evaluating Strategic Decisions with Reference to Quantified Risk Tolerances
Alignment to Execute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Communicating Negative Results and Predictions
Developing Cross-Functional Risk Understanding
Incorporating Risk-Return Approaches into Strategy
Global Insights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Demographics of Risk Maturity Index Participants. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Average Risk Maturity Ratings by Industry
Average Risk Maturity Ratings by Revenue
Distribution of Risk Maturity Ratings by Region
Average Risk Maturity Ratings by Respondent Title
Global Development of Risk Management Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Self-Perceptions of Risk Maturity
Success of Global Risk Management Strategy by Region
Barriers to Implementation of Global Risk Management Strategy by Region
Concluding Remarks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Acknowledgements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
About Aon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 3
Executive Summary
“How robust is my organization’s risk management framework?”
and “How can my company drive value by implementing stronger
risk management practices?”
Responding to the needs of a growing number of clients voicing
concerns like those above, Aon plc has developed the Aon Risk
Maturity Index, an innovative diagnostic tool that allows risk and
finance leaders to efficiently self-assess their organizations’ risk
management frameworks, receiving immediate feedback and
suggestions for advancing their capabilities. The Risk Maturity
Index objectively assesses observable practices and structures
related to corporate governance, management decision making
processes and risk management. This tool improves upon previous
surveys and similar resources of a more subjective nature and
supplements published standards and other reference tools with
practical recommendations for improvement.
Aon has partnered with the Wharton School at the University
of Pennsylvania to conduct pioneering research into the link
between risk management and financial performance. Using data
from over 100 publicly-traded companies around the world,
researchers at Wharton and Aon identified a strong link between
Risk Maturity Rating and stock price indicators. Organizations
scoring at the top of the Risk Maturity Rating scale enjoy, on
average, up to 50 percent lower stock price volatility than
organizations scoring at the low end of the scale. Not only is strong
risk management associated with more stable performance over
time, it also appears to bolster financial performance and cushion
organizations from negative external pressures. In a comparison
of stock price returns during a period of challenging market
conditions, only those organizations with higher Risk Maturity
Ratings posted positive returns. These exciting initial results
illustrate the importance of risk management best practices
as organizations seek to derive and demonstrate financial value
from their risk management frameworks.
4 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
To promote improved awareness of the value of risk management
within the industry and its client base, Aon has conducted
additional research into the key characteristics of an organization
with advanced risk maturity. Based on responses from more than
500 organizations, three key themes emerge - awareness,
agreement and alignment.
The first differentiator of an organization with advanced risk
maturity is its awareness of the complexity of risk. Organizations
adept at gathering high-quality risk information from a variety of
sources, analyzing that information using both quantitative and
qualitative techniques and leveraging their analysis to understand
the correlations between key risks will be best able to drive value
through their improved understanding of risk. Those that are
successful in promoting more stable financial performance
incorporate risk information into the development of realistic
performance expectations and accurate forecasts, better enabling
the achievement of those financial goals.
Having developed a strong awareness of risk, an organization with
advanced risk management practices will then work to build
agreement on strategy and action. Board and management
communication and consensus on risk management strategy
is key, along with the development of guiding risk appetite
and tolerance statements and clear, consistent communication
to the organization about overall risk management goals and
expectations. In order to reduce performance volatility,
organizations with advanced risk maturity ensure that this
agreement and consensus remains dynamic. These organizations
continually re-evaluate strategies and activities based on lessons
learned, conduct post-mortems on key initiatives and incorporate
of data around underlying assumptions into their strategy,
applying existing guiding risk management policies to all major
strategic decisions.
 Executive Summary

Finally, organizations with advanced risk maturity deploy elements practices. Differences in average Risk Maturity Ratings reported
of their organizational architecture to support and promote by respondents at various leadership levels and within different
alignment to execute on risk management strategy. Human capital, functional areas point to the importance of cross-functional risk
a key resource in any strategic initiative, is used effectively to understanding and lateral collaboration in risk management.
support risk management by ensuring that employees understand As participation increases in key regions, such as Asia, the Middle
their risk management roles and responsibilities, are held East and South America, Aon and Wharton will continue to track
accountable for executing on the same and are properly and investigate best practices around the world.
incentivized to do so. Information flows transparently and
 
consistently, including information regarding negative predictions
and outcomes, which are discussed proactively to drive learning
and future improvements. Cross-functional understanding of risks
extends across the organization, reducing duplicative work and
promoting further efficiency. Finally, risk management has a place
in strategic approaches at the highest level of the organization.
Senior leaders at organizations with advanced risk maturity
view the discipline not simply as a means to avoid negatives or
reduce total cost of risk but as a tool to optimize the approach
to managing risks, including identifying situations where the
organization, as a natural owner of the risk, may have opportunities
to capture additional returns by taking on added exposure rather
than reducing or transferring the risk.

The Aon Risk Maturity Index database is global and continues to

grow. Currently, senior leaders from organizations of all sizes have
responded from countries around the world, representing a wide
variety of industries. Relative sizes of various demographic groups
vary, but initial data points to potential emerging global patterns
that will provide the basis for future research. Differences in
average Risk Maturity Rating across industries indicate that some
groups, such as the non-profit, education and public entity sectors,
may lag their corporate counterparts in implementing advanced
risk management practices, while companies in highly regulated,
complex, high loss severity industries, such as marine, aviation and
insurance, may be leaders in developing and implementing these

Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 5
Accentuating the Upside, Smoothing
the Downside

The Link between Risk Management and Performance

As a leading global risk advisor, Aon plc has long understood that more robust practices in risk
management contribute to more stable enterprise-wide performance over time. Implementation of risk
management best practices by industry and geography has also evolved over time, driven by the need
to adapt to and perform in the face of regional or sector-specific regulatory changes, occurrence of
major risk events and shifts in the competitive environment.

The Aon Risk Maturity Index was developed to allow senior risk and finance leaders to assess, benchmark
and track the development of their organizations’ risk management frameworks over time as well as to
provide a platform for the collection of global data on risk management practices across a set of
consistent parameters. The growing database of responses has allowed for empirical analysis of the
relationship between these practices and the financial performance of organizations that implement
them. Aon’s partnership with the Wharton School at the University of Pennsylvania has produced
pioneering research on this link, confirming a strong and significant relationship between more mature
risk management practices and stronger financial results.

Working with annual financial results for close to 200 publicly-traded companies around the world,
researchers at Wharton and Aon have identified a statistically significant link between a higher Risk
Maturity Rating and lower volatility in stock price. During the two-year period from 2010 to 2012,
organizations with the highest Risk Maturity Rating of 5.0 (Advanced) as a group exhibited a stock price
volatility 50 percent lower than the group of organizations with the lowest Risk Maturity Rating of 1.0
(Initial). Researchers have identified a strong negative relationship between Risk Maturity Rating and
volatility, as the Risk Maturity Rating increases, the data will predict a decrease in stock price volatility.

Stock Price Volatility1 by Risk Maturity Rating

60% 2 year volatility

Volatility 2011
50%
Volatility 2012
40%

30%

20%

10%

0
1 1.5 2 2.5 3 3.5 4 4.5 5

1
Volatility – A measure of the risk of price moves for a security calculated from the standard deviation of the day-to-day
logarithmic historical price changes. The 260-day price volatility equals the annualized standard deviation of the relative
price change for the 260 most recent trading days closing price, expressed as a percentage.

6 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
 Accentuating the Upside, Smoothing the Downside

Additionally, the data show that a higher Risk Maturity Rating is associated with higher relative stock
price returns in periods of uncertainty and volatile markets. Aon/Wharton researchers examined the
relationship between Risk Maturity Rating and stock price return during two key historical periods:
2010-2011 and 2011-2012.

Yearly Stock Price Return2 by Risk Maturity Rating

40% 2010/2011 2011/2012

30%
20%
10%
0%
-10%
-20%
-30%
-40%
1 1.5 2 2.5 3 3.5 4 4.5 5

2
Return on Stock Price – Yearly return as of first of June.

During the 2010 to 2011 period, markets overall performed well and almost all organizations except
those with the most basic Risk Maturity Rating of 1.0 (Basic) saw positive returns of varying strength. It
appears that companies with weaker risk management practices may still enjoy the benefits of strong
financial markets, achieving results comparable to those of their more mature peers when the market
overall performs well. However, the protection afforded by strong markets to organizations with weaker
risk management is misleading. When markets turn down, the difference between organizations with
mature risk management practices and those without is apparent and meaningful. During the period of
May 2011 to May 2012, markets overall were more volatile and performed at a lower level than during
the previous 12 months (SP500 was down 4 percent in 2012 in contrast to a 20 percent upside in 2011).
During this period organizations with more sophisticated risk management practices performed
significantly better. Only those companies with the two highest Risk Maturity Rating levels of 4.5
(Operational to Advanced) and 5.0 (Advanced) closed the year with a positive return as a group, while
organizations with the three lowest Risk Maturity Rating levels of 1.0 (Basic), 1.5 (Basic to Initial) and 2.0
(Initial) ended the period with between a 17 percent and 30 percent loss. These statistics support the
conclusion that risk management policies are most beneficial when facing an actual or expected threat;
in this case, that strong risk management contributes to higher returns even under uncertainty and
volatile market conditions.

Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 7
Accentuating the Upside, Smoothing the Downside

The data underlying these findings include Risk Maturity Index responses and public financial results for
publicly-listed companies in more than 20 distinct industries of all sizes, representing countries in the
Americas, Europe, Asia and Australia. Building on the assumption that the market rewards organizations
that are well-managed, the strength of the results based on factors related to stock performance
suggests that strong risk approaches are a key element of strong management and execution on strategy.
Although organizations that are not publicly listed cannot measure their performance via stock price, the
overall finding that risk management supports and stabilizes financial performance is significant for these
firms as well, to the extent that they operate under the same performance expectations that publicly-
traded companies do.

The insights developed by Wharton and Aon illustrate the significance of key characteristics of advanced
risk management to organizations seeking to capture tangible value from their risk frameworks and
approaches. These important findings empirically confirm the importance of a robust, holistic risk
management approach in predicting stronger and more consistent financial results over time.

8 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
What’s Your Organization’s
Risk Maturity Rating?

Purpose and Value of the Index

How robust are my organization’s risk management practices? How does my company measure up
against our competitors and peers? Do we understand our existing and emerging risks, and have we
allocated resources to manage them appropriately? Are we positioned to pursue opportunities
successfully, with an understanding of the risks they present? How can we identify the gaps we need to
close in order to optimize our approach to risk given our industry and competitive environment?

In recent years, senior risk and finance leaders at organizations of all sizes have asked themselves and
their advisors such questions more and more frequently. Responding to pressure from customers,
shareholders, regulators and lenders as well as from their own need and that of their Boards to improve
risk management approaches, management teams have increasingly sought ways to evaluate risk
frameworks in an objective, practical and actionable manner.

To this end, practitioners often reference published standards of Enterprise Risk Management, or criteria
provided by ratings agencies such as Standard & Poor’s, as they evaluate their risk management
activities. These standards and guidelines may inform an organization’s approach but do not support
benchmarking against peers nor are they designed to provide feedback and assessments that translate to
actionable recommendations for improvement. Working in partnership with the Wharton School at the
University of Pennsylvania, Aon created the Risk Maturity Index to fill this void.

The Aon Risk Maturity Index is an online diagnostic tool designed to evaluate an organization’s self-
reported risk management practices against 10 characteristics of advanced risk maturity. The tool
calculates an organization’s Risk Maturity Rating based on responses to a focused, comprehensive set of
125 questions covering 40 key components of risk management and provides high-level commentary for
improvement. The objective nature of the question set and the scoring detail provided allow risk leaders
to better understand their areas of strength and quickly identify specific opportunities for improvement
in a targeted, purposeful manner.

Since the Aon Risk Maturity Index launched in April of 2011, more than 500 organizations have
participated. The current global average is a 3.0 (Defined) and the distribution of ratings globally is
slightly skewed toward lower scores.

Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 9
What’s Your Organization’s Risk Maturity Rating?

Designing and Developing the Index

To build the Risk Maturity Index, Aon united a global team of subject matter experts, many
with deep experience on the corporate side. Drawing on this knowledge and on input from
hundreds of responses to the 2010 Aon Enterprise Risk Management Survey, the team developed
10 statements of best practice, covering corporate governance, management decision making
processes and risk management practices.

The Risk Maturity Index covers a variety of specific activities and structures, and measures
their observable execution and implementation, rather than management’s perception of their
robustness. Objective questions support a scoring methodology that allocates points based on
the frequency, consistency, formality and integration of those practices, structures and qualities.
Self-reported responses produce scores from 1.0 to 5.0 on 40 detailed components of best
practice, from Board understanding of risk and risk management to the development of risk
assessment criteria to the incorporation of risk information into strategic planning processes.
These scores result in a Risk Maturity Rating that classifies an organization along a continuum
of risk maturity and is comparable across sectors, geographies and other demographic
characteristics. Participants also receive immediate, high-level commentary on approaches
to improve their Rating. With or without additional analysis and interpretation by Aon, this
feedback alone is valuable to an organization seeking to identify its existing strengths and
opportunities for improving its risk management framework. (See model on page 9)

Below are several brief overviews of how clients have leveraged Index results to drive
action and results.

Healthcare Organization: Leadership Collaborates in Index Completion

u The organization’s risk leader and finance leader met to answer the Risk Maturity Index

questions together, resulting in a more informed assessment of existing capabilities through

discussion and sharing of perspectives as well as identification of immediate opportunities for
improvement (“quick wins”)

Private Equity Company Evaluates Capabilities in Portfolio

u Portfolio company leaders participated to help identify differences across industries, such as

energy, manufacturing, financial services and real estate, resulting in a baseline understanding of
capabilities for setting objectives as well as improved understanding and sharing of internal best
practices

Manufacturer Uses Index to Guide Deep Dive Discussions

u Risk management leader requested industry benchmarking analysis; Aon presented the results

and facilitated a discussion, resulting in an improved understanding of internal and industry

capabilities and identification of four areas for immediate improvement

Agricultural Cooperative Reviews Progress in Framework Implementation

u Board of Directors and senior leadership team completed the Risk Maturity Index as a group,

using the results to assess the organization’s progress in implementing a sustainable risk
management framework
u Results were analyzed to identify specific areas lagging the implementation plan developed in

2009 when risk management was identified as a strategic initiative for the cooperative

10 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
 What’s Your Organization’s Risk Maturity Rating?

Aon’s Risk Maturity Index is used by 550+ Respondents globally,

28+ Industries, 25 Countries and 6 Languages

Current stage of development of organization’s risk strategy and framework

Aon Risk Maturity Index

25% Distribution of Risk Maturity Ratings

21.5%
20% 19.1%

16.1%
15% 14.5%

10.5% 10.3%
10%

5%
3.4% 3.8%

0.8%
0%

Initial Initial to Basic Basic to Defined Defined to Operational Operational Advanced

Basic Defined Operational to Advanced

Initial/Lacking Basic Defined Operational Advanced

Component and
associated activities are
very limited in scope and
may be implemented
on an ad-hoc basis to
address specific risks
Limited capabilities to
identify, assess, manage
and monitor risks
Sufficient capabilities
to identify, measure,
manage, report and
monitor major risks;
policies and techniques
are defined and utilized
(perhaps inconsistently)
across the organization
Consistent ability to
identify, measure,
manage, report and
monitor risks; consistent
application of policies
and techniques across
the organization
Well-developed ability
to identify, measure,
manage and monitor
risks across the
organization; process
is dynamic and able
to adapt to changing
risk and varying
business cycles; explicit
consideration of risk
and risk management in
management decisions

Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 11
Driving Results: Organizational Culture, Financial and Risk
Management Practices
Which specific cultural characteristics, financial analysis methods
and risk management practices contribute to advanced risk
maturity and more stable financial performance? What makes a
score of 5.0 (Advanced)?
Confirming the link between strong risk management practices
and superior financial results highlights the need for a better
understanding of the practical measures an organization should
take to effectively implement and support a sustainable risk
management framework. Identifying high-value practices related
to corporate governance, decision making and risk management
may help organizations focus their resources more strategically as
they develop that framework.
Currently, the global average Risk Maturity Rating of organizations
of all sizes and sectors is a 3.0 (Defined), with the average Risk
Maturity Rating for most industries also falling at or near 3.0.
However, analysis of the differences in scoring patterns between
organizations with higher than average and lower than average
Risk Maturity Ratings reveals a collection of differentiating practices
in three key areas: awareness of the complexity of risk, agreement
on strategy and action and alignment to execute.
Awareness of the Complexity of Risk
The first group of key differentiating practices reflects an
organizational awareness of the complexity of risk. More mature
organizations exhibit an understanding of the interrelationships
between risks and may have begun to study risk correlation via
analysis of common risk drivers, among other methods. They are
also adept at incorporating information from both internal and
external sources, taking a view of risk that extends beyond their
own immediate operational sphere. Finally, they supplement
anecdotal and qualitative knowledge of risk with quantitative
analysis to increase the accuracy of their understanding.
In order to achieve stable performance against expectations,
an organization must first understand what kind of results it
can achieve and what obstacles it might expect to encounter.
Organizations with strong risk management practices incorporate
their holistic understanding of risk into the development of
financial goals and expectations at all levels, from strategic
planning to the supervision of individual business units to the
evaluation of specific investment decisions. Formulating and
communicating expectations rooted in a clear understanding
12 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
of the contributors to and detractors from good performance
supports successful execution on plans and objectives.
Developing Risk-Adjusted Return Expectations
An enterprise’s overall performance may at times be considered
the sum of its parts. Almost all organizations with higher risk
maturity have an understanding of the different risk profiles
faced by individual business units and departments, and develop
adjusted return expectations for those entities. Half of those
organizations go further and incorporate these expectations into
budget and resource allocation decisions. The less risk-mature
organization is more often unaware of the need to develop such
risk-adjusted expectations, potentially contributing to
inappropriate assessments of outcomes across business units and
departments and a clouded view of enterprise-level performance.
Documenting Core Assumptions in the Development
of Forecasting / Projections
Organizations with a more mature risk management framework
also exhibit consistency in setting broad, enterprise-level
expectations. Over 85 percent of more risk mature organizations
document and apply core business and market assumptions in the
development of enterprise-level forecasts and projections, while
over 60 percent of organizations scoring below the global average
of 3.0 (Defined) do not. Effectively assessing these external
influences on key conditions, such as availability of key inputs or
demand for outputs, enables an organization to arrive at more
accurate forecasts and projections to guide key activities such as
production, in turn supporting better performance over time.
Supporting Forecasting / Projections with Historical
Data and Ranges of Values
Organizations with a higher Risk Maturity Rating distinguish
themselves further in their practices for developing enterprise-
level projections by incorporating more detailed information into
their analysis than less mature entities. More than two-thirds of
higher-scoring respondents reported that their organizations
explicitly incorporate historical data when developing ranges or
distributions of values for use in forecasting activity, while three-
quarters of less mature organizations’ management teams
reference historical data only informally or have not even begun
to develop values for this application.

Key Takeaway: Awareness
Awareness of the complexity of risk is key to understanding
the range of potential scenarios and outcomes related to
strategic goals and objectives and thus vital to defining realistic
performance expectations. Organizations with higher risk maturity
achieve a comprehensive understanding of the risks to their
performance and strategic objectives as they set goals, ensuring
that they are well positioned to respond to those risks and
therefore more likely to achieve objectives and enjoy more stable
performance over time.
Agreement on Strategy and Action
The second overarching best practice displayed by organizations
with more mature risk frameworks is the development of broad
agreement on risk management strategy and action. More mature
organizations succeed in developing strong consensus between
management and the board on risk management strategy as well
as developing statements of appetite and tolerance for key risks.
Additionally, leadership teams at organizations scoring above the
global average of 3.0 (Defined) regularly and consistently
communicate expectations for the execution of risk management
activities to the organization.
However, reaching initial agreement on strategy is not the end
of the process for more risk mature organizations. After reaching
consensus on strategy and communicating key tolerances and
guidelines to the organization, leadership teams at more mature
organizations tend to review and refine the approach on an
on-going basis, outside of an annual review process or other
defined cadence. Rather than allowing the consensus to remain
static, they continually re-evaluate the conditions and assumptions
underlying the agreed-upon strategy to ensure that the approach
is based on the most recent information and current circumstances.
To achieve stable performance over time, an organization must
not only set appropriate expectations but must also understand
outcomes and how the drivers of those outcomes may affect future
performance results. These practices support an organization in its
ability to recognize and react to drivers of less than ideal outcomes,
contributing to more stable performance over time.
Re-Evaluating Existing Risk Management Strategies
Based on Lessons Learned
At the project or investment level, nearly 100 percent of Risk
Maturity Index respondents with an above average score conduct
post-mortems on major decisions, and many respondents have
formalized a process to do so even on outcomes in line with or
exceeding expectations. These practices are much less common
among the less mature group of participants. The more advanced
group takes it a step further, applying the information and lessons
Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 13
Driving Results: Organizational Culture, Financial and Risk Management Practices
learned from post-mortems to assess and potentially revise current
risk management strategies. Assuming that effective risk
management smoothes volatility, those organizations whose risk
management strategies change dynamically based on lessons
learned will be most successful in achieving steady performance.
Reviewing & Validating Risk Tolerances Based on
Changes to External Conditions
While only about a one-quarter of the organizations in the current
Risk Maturity Index sample set have not yet begun to develop
quantified statements of risk appetite and tolerance, the methods
for maintaining those statements are much more varied and show a
clear difference in practice between more mature and less mature
enterprises. Eighty percent of organizations scoring above a 3.0
(Defined) maintain practices for re-evaluating and revising risk
appetite and tolerance statements when experiencing shifts in
their internal or overall financial position and external or business /
market conditions assumptions. If risk appetite and tolerance
statements are to guide decision making that will result in strong
and steady financial results, they must be based in assumptions
that accurately reflect the amount of risk the organization can and
might expect to take on.
Evaluating Strategic Decisions with Reference to
Quantified Risk Tolerances
The success or failure of a significant strategic initiative may
have major implications for an organization’s financial and market
performance. Developing and communicating realistic predictions
about the outcomes of such initiatives is therefore vital. However,
more than 60 percent of organizations scoring below 3.0 (Defined)
do not explicitly leverage an understanding of risk to guide
evaluation of major strategic decisions. In contrast, more than
90 percent of organizations that out-performed the global average
of 3.0 (Defined) explicitly reference quantified statements of risk
appetite or tolerance when evaluating a significant project or
investment. This practice not only supports informed decision
making about whether to execute on the initiative but also
provides credible data to communicate internally and externally
on how the initiative is expected to impact performance.
Key Takeaway: Agreement
Having developed and communicated performance goals and
objectives, organizations must achieve consensus on their risk
management strategy, appetite and tolerance and communicate
the same to support achievement of those goals. Those that
differentiate themselves at a higher level of risk maturity not only
achieve consensus but are able to ensure that it is dynamic,
reflecting changing assumptions and conditions, rather than
remaining static after the initial agreement is reached.
Driving Results: Organizational Culture, Financial and Risk Management Practices
Alignment to Execute
Finally, organizations with scores greater than 3.0 (Defined) are
distinguished by elements of their organizational architecture that
contribute to an overall alignment supporting the execution of risk
management strategy. Organizations with better than average Risk
Maturity Ratings engage in a number of practices to ensure
understanding and execution of risk management roles and
responsibilities. They use risk metrics to guide employees’ behavior
and communicate results, incorporate risk management
responsibilities into performance reviews and link incentive
structures and risk management outcomes.
Further, organizations with a Risk Maturity Rating greater than
3.0 (Defined) are structured to encourage transparency and
consistent flow of information regarding negative or unexpected
results. These advanced organizations also tend to have reduced
barriers to communication and understanding between silos,
encouraging cross-functional understanding. Finally, organizations
at a sophisticated level of Risk Maturity have incorporated concepts
around risk and return into their strategy at the highest level.
Communicating Negative Results and Predictions
Regardless of how openly and transparently organizations discuss
and learn from less than ideal outcomes, it is always better to
prevent such outcomes in the first place. Unsurprisingly, over 80
percent of organizations with a score above the global average
of 3.0 (Defined) share negative predictions upward with the
appropriate parties on a proactive basis to drive action and
learning. Discussion of negative predictions at supervisory and
management levels may help avoid or mitigate future negative
outcomes, reducing volatility in the long-term.
Further, when expectations are not met or negative performance
outcomes occur, nearly three-quarters of above average
respondents to the Risk Maturity Index reported that their culture
allows for negative results to be formally reported upward to
leadership. Formal documentation and transparent reporting
on negative results (versus the informal discussions that occur
at about two-thirds of less mature organizations) may be an
indication that there is a cultural lack of fear regarding disclosure
and acknowledgement of negative results. This type of culture
is also more conducive to proactive examination of the root causes
of negative results so that future negative outcomes may be
prevented or mitigated, supporting stable performance over time.
14 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
Developing Cross-Functional Risk Understanding
Organizations at an advanced level of Risk Maturity have
successfully established consistent risk communication practices
laterally across functions, processes and teams. About three-
quarters of organizations with an above average Risk Maturity
Rating communicate consistently across the organization, sharing
information across the enterprise on strategic direction,
performance and results. Only 1 in 5 organizations with below
average risk maturity have begun to achieve this type of
consistency in management communication beyond individual
departments or silos. Almost without exception, management-level
employees of organizations with advanced risk maturity
understand how their activities relate to the organization’s
overall risk management strategy and framework, at least within
key functions or units. Almost half of respondents from more
advanced organizations reported that this understanding is
consistent across the enterprise. In contrast, about 40 percent of
respondents from less mature organizations report that their
management level employees have not begun to understand the
link between their activities and the organization’s enterprise level
risk management strategy.
Incorporating Risk-Return Approaches
into Strategy
To fully leverage risk management and access the value that
it can provide as a management tool, executive leaders must
understand its benefits and acknowledge its role in contributing
to organizational performance. Organizations with less mature risk
management frameworks tend to focus on the avoidance of
negative outcomes, but those with above average Risk Maturity
Ratings have recognized the upside of risk. The management teams
of nearly 70 percent of the organizations with a Risk Maturity
Rating greater than 3.0 (Defined) leverage risk management to
identify conditions under which an organization’s ownership and
understanding of a risk may enable more risk to be taken and
higher returns generated. Over 80 percent of management teams
at organizations with a Risk Maturity Rating below the global
average have not developed this capability and continue to focus
only on risk management’s role in preventing losses within a set
budget and minimizing the total cost of risk.
Key Takeaway: Alignment
Those organizations that realize the most benefit from their
risk management frameworks are able to extend awareness
of risk and consensus on strategy to support internal and external
alignment of information and action. Finally and most essentially,
organizations with more advanced risk management practices
have aligned their views of risk management as a discipline
to drive value.
Global Insights

Demographics of Risk Maturity Index Participants

The Aon Risk Maturity Index is building a global database of information on risk management practices at
organizations of many sizes across all industries and sectors. Regional participation continues to grow as
the Risk Maturity Index becomes available in more languages. Currently, the Risk Maturity Index
respondent group includes organizations on all five continents, representing 25 countries and more than
28 distinct industries.

Commentary below reflects the current data set. Although participation in the Risk Maturity Index is
diverse, some respondent groups are larger than others. The findings below are initial; as participation
grows over time response patterns may change. Finally, the Risk Maturity Index respondent population
does not represent a randomly chosen sample and may reflect certain biases or characteristics of those
organizations that have chosen to participate.

Average Risk Maturity Ratings by Industry

• Industry averages overall mirror the global average Risk Maturity Rating of 3.0 (Defined)
• Slightly higher/lower industry scores may reflect skewness related to a small sample size or may be
indicative of underlying differences in risk management practices in those sectors
– Public/government entities, education organizations and non-profits scored slightly lower than 3.0
(Defined), perhaps reflecting differing objectives and timelines facing these groups
– Several sectors, including aviation, marine and the oil and gas industry tended to score slightly higher
than 3.0 (Defined), perhaps reflecting the unique risk profiles faced by these highly regulated,
complex, high loss severity sectors

Average Risk Maturity Index by Industry

Non-Profit
Education
Public Entity
Hospitality
Mining
Media/Entertainment
Professional Services
Food Processing & Distrib
Pharma/Biotech
Chemical
Wholesale Trade
Telecom
Agribusiness
Real Estate
Financial Services
Technology
Healthcare
Retail
Manufacturing
Utilities
Oil & Gas
Trans/Logistics
Other
Marine
Construction
Insurance
Consumer Goods
Aviation

1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

Risk Maturity Rating

Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 15
Global Insights

Average Risk Maturity Ratings by Revenue

• Average Risk Maturity Rating is slightly higher among higher revenue bands, but differences
are not large

• Overall, size (measured by annual revenues) does not appear to play a major role in influencing
risk maturity

Average Risk Maturity Rating by Annual Revenue

5.0

4.5

4.0

3.5

3.0

2.5

2.0

1.5

1.0
Less than $500M- $2.5- $10BN- $25BN- Greater than
$500M $2.5BN $10BN $25BN $50BN $50BN

Distribution of Risk Maturity Ratings by Region

• Risk Maturity Index participants represent four major regions of the world – Asia Pacific (APAC),
Australia, the Americas and the EMEA region

• Each of the regions presents a bell-curve distribution similar to the histogram of global ratings

• Slight differences may be observed in the level of concentration around the middle range of Risk
Maturity Ratings (2.5, 3.0, 3.5) but are not especially pronounced

• At present, the Americas sample size is larger than those of the other three regions and it is difficult
to draw firm conclusions about overall level of risk maturity in various parts of the world

Distribution of Maturity Ratings by Region

Americas APAC EMEA Australia

35%

30%

25%

20%

15%

10%

5%

0%
1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0
Risk Maturity Rating

16 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
 Global Insights

Average Risk Maturity Ratings by Respondent Title

• Participants in the Risk Maturity Index represent a wide variety of roles within their organizations

• No respondent group significantly leads or lags the other groups, but there are small variations worth
exploring and reviewing in future research

• Chief Financial Officers scored slightly lower on average than other respondent groups; this may reflect
the increased insight of a senior leader into risk and governance processes, or focus on the financial
impact of risk

• Chief Risk Officers scored slightly higher on average than other respondent groups; this may reflect
the level of risk management maturity at an organization that has established a titular CRO role

Average Risk Maturity Ratings by Respondent Title

CFO

Internal Audit

GC

Risk Mgr / Dir. of ERM

Treasurer / VP Finance

HR

Other

CEO

COO

CRO

1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

RMI Score

Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 17
Global Insights

Global Development of Risk Management Practices

Self-Perceptions of Risk Maturity
In addition to the main set of Risk Maturity Index questions regarding specific risk management activities
and structures, respondents were also asked a series of non-scored questions that provide additional
insight into global and regional practices.

A comparison of respondents’ self-perceptions of their organizations’ maturity level relative to peers

against their Risk Maturity Ratings as calculated based on their responses to Risk Maturity Index questions
show that the two measures are generally well aligned.

Self-Perceptions of Risk Maturity vs. Global Industry Peers by Risk Maturity Rating

Better/More Mature Comparable Worse/Less Mature

100%

80%

60%

40%

20%

0%
1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0
Risk Maturity Rating

The majority of all respondents perceived their organizations’ Risk Maturity as “Comparable” to that
of their industry peers around the world, but the proportion of participants assessing themselves
as “Less Mature” than their peers increases continuously as the Risk Maturity Rating decreases below
3.0 (Defined), which is the global average. Similarly, the percentage of respondents that perceived
their risk management practices to be more advanced than those of their global peers increases steadily
as Risk Maturity Rating rises above the global average. Very few respondents with a rating above
3.0 (Defined) assessed their maturity as being lower than that of their peers.

Examining responses to questions regarding self-perceptions of Risk Maturity by region may provide
further insight into regional differences in practice as well as differences in the demographics of the
regional respondent groups. In addition to rating themselves against their global peer group,
respondents were also asked to assess their risk management practices versus their regional industry
peer group, as well as versus organizations in their region of a similar size (as measured by revenue).

By region, the response patterns are similar to what is observed globally by Risk Maturity Rating.
Respondents were most likely to assess themselves as comparable to their peers, this time evaluating
themselves against regional peer organizations in their industry. Below are graphs showing how
organizations headquartered in each major region and at each level of Risk Maturity tended to rate
themselves against industry peers in their own region.

18 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
 Global Insights

Asia Pacific North America

Self-Perceptions of Risk Maturity vs. Regional Industry Peers Self-Perceptions of Risk Maturity vs. Regional Industry Peer

Better/More Mature Comparable Worse/Less Mature Better/More Mature Comparable Worse/Less Mature
100% 100%

80% 80%

60% 60%

40% 40%

20% 20%

0% 0%
1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0
Risk Maturity Rating Risk Maturity Rating

Europe South America

Self-Perceptions of Risk Maturity vs. Regional Industry Peers Self-Perceptions of Risk Maturity vs. Regional Industry Peers

Better/More Mature Comparable Worse/Less Mature

Better/More Mature Comparable Worse/Less Mature 100%
100%

80%
80%

60%
60%

40%
40%

20%
20%

0%
0% 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0
1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0
Risk Maturity Rating
Risk Maturity Rating

Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 19
Global Insights

The response patterns vary slightly among the different regions. For example, only respondents
headquartered in Asia who scored at the lower end of the spectrum (and below the regional and global
averages of 3.0 – Defined) were more likely to rate themselves as less mature than their localized peers.
In each other major region, even those respondents who scored between 1.0 (Initial) and 2.-5 (Basic) to
Defined were more likely to assess themselves as being comparable to their peers, despite the fact that
regional averages (with the exception of South America) aligned with the global average of 3.0 – Defined.
Based on responses to date, Asian respondents’ perceptions of their organizations’ risk maturity relative
to their peers and the regional average appear to be more accurate than those of respondents in the
other major regions.

Focusing on the light gray bar, indicating the percentage of respondents who perceive themselves as
being at a comparable level of maturity relative to their peers, it appears that globally organizations may
see an average level of maturity as being closer to 2.5 (Basic to Defined), slightly lower than the current
calculated global average Risk Maturity Rating of 3.0 (Defined).

Respondents from South America, currently the smallest of the regional sample sets, display unusual
rating patterns that are likely the result of the size of the sample set and the influence of unique biases of
a few outlying organizations within that small group, including potential concentrations of respondents
within a particular industry.

Observations on relative differences in Risk Maturity and perceptions of risk management practices
between regions are drawn from the current data set only and may not account for all possible influences
or biases. However, initial analysis points to potential future areas for research and investigation as the
response set grows and more detailed data are collected.

20 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
 Global Insights

Success of Global Risk Management Strategy by Region

To support further research into and understanding of the challenges faced by multinational
organizations as they seek to develop, implement and sustain a risk management framework and
strategy across the globe, the Index includes a series of questions on the obstacles and outcomes
of implementing risk management activities across multiple regions.

First, respondents were asked to assess the relative consistency of risk management activities in
the various global operations where their organizations operate against the overall global risk
management strategy. Using a five point scale, each applicable region’s risk management framework
was evaluated as being Inconsistent, Somewhat Consistent or Consistent with the global strategy
and processes.

Consistency with Global RM Strategy: By Region

APAC EMEA North America South America

50%

40%

30%

20%

10%

0%
Inconsistent Somewhat Consistent Consistent

Consistency appears to be fairly uniform across each of the four major regions, with operations in Asia
Pacific and South America tending to be slightly less consistent with the average respondent’s global
risk management strategy than any operations in North America or the EMEA region.

When respondents are grouped by the region in which they are headquartered, responses show that
proximity to the organization’s central offices seems to support improved consistency, perhaps
resulting from better communication regarding risk management and strategy.

Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 21
Global Insights

Asia Pacific Operations North American Operations

Consistency with Global RM Strategy Consistency with Global RM Strategy

All organizations globally Organizations in North America

All organizations globally Organizations headquartered in APAC 50%
50%

40%
40%

30%
30%

20%
20%

10%
10%

0%
0%
Inconsistent Somewhat Consistent Consistent
Inconsistent Somewhat Consistent Consistent

European Operations South American Operations

Consistency with Global RM Strategy Consistency with Global RM Strategy

All organizations globally Organizations headquartered in South America

All organizations globally Organizations headquartered in Europe 50%
50%

40%
40%

30%
30%

20%
20%

10%
10%

0%
0%
Inconsistent Somewhat Consistent Consistent
Inconsistent Somewhat Consistent Consistent

22 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
 Global Insights

There appears to be little difference of in the level of consistency of North American and EMEA
region operations with their organizations’ global risk management strategy, regardless of whether
the organization is headquartered in either of those regions. However, responses from organizations
headquartered in Asia-Pacific and in South America indicate that they have less difficulty achieving
this consistency than their counterparts headquartered in other parts of the world. Given the smaller
number of respondents from these two regions, it is possible that the perceived lower level of consistency
in Asia-Pacific and South America is not due to any inherent difficulties in those regions but rather to the
fact that the majority of respondents are not headquartered there. These organizations may experience
difficulty in implementing a consistent risk management framework simply due
to geographic and logistical factors.

Respondents were also asked to evaluate each major global operating region against expectations for
performance and execution on risk management objectives.

Global
Expected Performance / Execution of RM Strategy

Better/More Mature Comparable Worse/Less Mature

100%

80%

60%

40%

20%

0%
1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0
Risk Maturity Rating

Similar results emerge on a global basis. North American operations tend to meet expectations more
frequently than operations in other areas of the world, but the differences are generally marginal and
overall most respondents were satisfied with regional performance. In contrast to perceptions of
consistency with global strategy, respondents did not appear to be more or less satisfied with the
performance of their risk management activities in their home region vs. other regions.

North American-headquartered organizations tended to have a very similar view of the performance
of their operations in that region to the full global respondent group. This is likely due to the relative
number of North American companies that have participated in the Risk Maturity Index versus those in
other areas. Asia-Pacific, EMEA and South American respondents based in those regions showed some small
differences in their evaluations of operations in those regions versus the global group, but it is difficult to
draw any hard conclusions from the current data. As regional response groups grow, more concrete
insights may emerge into relative regional performance.

Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 23
Global Insights

Barriers to Implementation of Global Risk Management Strategy by Region

In addition to evaluating the relative success of each of each operating region, respondents were also
asked to identify the key barriers to implementing a sustainable risk management framework across eight
distinct regions, including Asia, Australia / New Zealand, Central America / Caribbean, Eastern Europe,
Western Europe, Middle East / North Africa (MENA), North America and South America.

Key Barriers to Risk Management Implementation

Asia Pacific Australia / Central Eastern Western Middle East / North South
New Zealand America / Europe Europe North Africa America America
Caribbean

Logistics /
Human
Cultural Geographic Cultural Cultural Cultural Economic Cultural
Capital
Distance

Logistics / Logistics /
Human Human Legal / Human Legal /
Geographic Economic Geographic
Capital Capital Regulatory Capital Regulatory
Distance Distance

The key themes emerging from these data are the cultural and human capital challenges to implementing
robust risk management frameworks. At least one of these factors was highlighted as a top issue in all
of the regions. Asia Pacific, Australia / New Zealand and MENA, being the regions most geographically
remote from the majority of the Risk Maturity Index respondents (North America) at time of print
highlighted logistical and geographic distance challenges as the most challenging barriers. Respondents
in regions, such as Western Europe and North America, where risk management and disciplines such
as ERM are considered to be more developed , highlighted legal / regulatory and economic factors as
barriers to successful risk management implementation.

One potential conclusion from these data is that risk management faces a series of shifting challenges as
it progresses and advances in a region. In regions where risk management is less advanced and less well
known, cultural and human capital factors may present the biggest obstacles to implementing and
achieving value from a framework. As risk management grows into a more widely accepted management
discipline and regional awareness grows, these factors may become less critical and other challenges,
such as economic or legal / regulatory constraints, shift to the foreground.

24 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
Concluding Remarks

The Aon Risk Maturity Index is growing weekly and continues to evolve into an industry-leading, global
database on risk management best practices. Results to date have already yielded valuable findings
around the correlation between advanced risk management practices and financial performance, as well
as insights into the specific behaviors, practices and cultural characteristics of those organizations that
have developed a mature risk management framework in support of sustainable, stable financial results.

Aon will continue to conduct research as the database grows with increased emphasis on identifying key
risk management practices and processes that contribute to improved financial performance as well as
deeper understanding of industry-specific best practices in risk management.

The Aon Risk Maturity Index is a free, open and online tool. For more information or to participate, please
visit aon.com/riskmaturityindex or email risk.maturity.index@aon.com.

Contact Information
Theresa W. Bourdon, FCAS
Group Managing Director
Aon Global Risk Consulting
+1.410.381.2407
theresa.bourdon@aon.com

Laurie Champion
Managing Director, Enterprise Risk Mangement
Aon Global Risk Consulting
+1.404.264.3220
laurie.champion@aon.com

Kieran Stack
Director, Operations & Strategy
Aon Global Risk Consulting
+1.312.381.4778
kieran.stack@aon.com

Aon Risk Solutions  |  Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management 25
Acknowledgements
Researchers
The following researchers conducted analysis using Aon Risk
Maturity Index data and developed findings and insights related
to the link between risk maturity and financial performance that
provided the foundation for this paper.
Barry Dillon, Aon Centre for Innovation and Analytics
Chris Ittner, Ernst & Young Professor of Accounting
at The Wharton School, University of Pennsylvania
Contributors
The following colleagues contributed key subject matter
expertise and commentary to this paper as well as editorial
review and feedback.
About Aon
Aon plc (NYSE:AON) is the leading global provider of risk
management, insurance and reinsurance brokerage, and human
resources solutions and outsourcing services. Through its more
than 62,000 colleagues worldwide, Aon unites to empower results
for clients in over 120 countries via innovative and effective risk and
people solutions and through industry-leading global resources
and technical expertise. Aon has been named repeatedly as the
world’s best broker, best insurance intermediary, reinsurance
intermediary, captives manager and best employee benefits
consulting firm by multiple industry sources. Visit www.aon.com
for more information on Aon and www.aon.com/manchesterunited
to learn about Aon’s global partnership and shirt sponsorship with
Manchester United.

Jenna Cavanaugh, Aon Global Risk Consulting

Sid Feagin, Aon Global Risk Consulting

Rudy Koenig, Aon Global Risk Consulting

Peter Prunty, Aon Centre for Innovation and Analytics

Emanuel van Zandvoort, Aon Global Risk Consulting

26 Risk Maturity: Building a Robust Risk Framework and Realizing Value from Risk Management  |  Aon Risk Solutions
All data sourced from the Aon Risk Maturity Index, Copyright 2012 Aon plc.

The information presented herein is provided for informational purposes

only and is not intended to provide individualized business or legal advice.
The information was compiled from sources that Aon considers to be reliable;
however, Aon does not warrant the accuracy or completeness of any
information herein. Should you have any questions regarding how the
subject matter of this Alert may impact you, please contact your Aon team
member or other appropriate legal or business advisor.

#10913 01/13