Many companies and organizations with enterprise risk management programs are having difficulty determining their actual value, according to an annual survey by Towers Watson & Co.

While the survey released last week found that 57% of respondents had ERM programs in place—a slight increase from last year—40% said that no one in the organization had been able to articulate their program's value.

Thirty-seven percent said they regularly quantify key risks and use those metrics in making business decisions, and 35% have integrated risk metrics into the budgeting and planning process.

“A lot of companies still just struggle to get beyond the qualitative side,” said Corey Gooch, Chicago-based senior ERM consultant at Towers Watson. “Many of them have really good processes for identifying risk on an ongoing basis, but they haven't gotten over that hump yet of generating real value.”

Articulating the value of an ERM program may be difficult due to various regulatory requirements that have caused ERM to become a compliance-driven activity, Mr. Gooch said.

“Audit shouldn't own it,” he said. “It should be owned by the risk and finance side, and audit has to be a critical part of that, but I think that's where a lot of that disconnect comes from.”

%%BREAK%%

Among other findings, nearly two-thirds of survey participants were seriously concerned or moderately concerned about a hardening of property/casualty pricing. More than 60% said they are marketing their property/casualty insurance programs.

“Clients are in a position now that they need to differentiate their risks from what's going on in the rest of the marketplace. That's some of the value that analytics can provide,” Mr. Gooch said.

One-third of the respondents with property programs are using broker-provided catastrophe modeling and 44% with casualty programs are using actuary-provided retained loss analytics, according to the survey.

A company or organization that uses analytics will have a better understanding of its loss exposure and risk-bearing capacity, which can be leveraged during insurance contract renewal negotiations, Mr. Gooch said.

“It changes the entire dynamic of who has the control of that negotiation,” he said.

When it comes to network security and privacy liability policies, however, nearly three-quarters of the finance and risk managers surveyed said they did not purchase such coverage—roughly the same as last year.

When asked why a cyber insurance policy was not purchased, 41% of the respondents said controls within their organization's information technology department were sufficient, and 25% indicated a lack of significant data exposure.

“That was one of the most surprising findings for us,” Mr. Gooch said, despite the spate of high-profile data security breaches during the past year.

“Cyber security risk is not one where IT is the end-all be-all of the ways to mitigate that risk, nor is insurance,” he said. However, “there are some really valuable benefits to the network security and privacy liability policies that provide coverages for things like defense cost coverages and paying for credit monitoring.”

Survey respondents said limits for data security and privacy liability coverage were driven by established benchmarks or insurance brokers, at 68% and 50%, respectively.

The report, “2012 Risk and Finance Manager Survey,” surveyed 153 risk and finance managers in the manufacturing, financial services and health care industries.