By Norman Marks, CPA, CRMA
Very few organizations have what I would call effective risk management systems: robust functions and processes that enable risk-aware decisions at every level to support the realization of key enterprise objectives.
Yet a common goal among risk leaders (practitioners and their managers) is to gauge their organization's progress toward improved, even world-class, risk management. These leaders agree that, regardless of the current status of risk management activity, more can and should be done.
Risk management maturity models are an excellent way for organizations to see where they are, compare their current state to where they want and need to be if they are to derive full benefit, and discuss the value and cost of further investment in the management of risk. The more mature the risk management system, the more effective it will be in enabling better decisions, taking the right risks, and achieving better outcomes for the organization. Building such a system, however, takes time, and some prefer to think of it as a journey rather than a state.
Describing risk management capabilities based on a maturity curve—instead of labeling the current state of risk management as ineffective—is less discouraging for leaders.
Assessing maturity on a continuum is also logical because every management team is engaged in risk management in some way, even if risk management “systems” are nascent. Similarly, even a world-class risk management system might have room for improvement, especially in the ever-changing environment around us that drives the dynamic, iterative, and responsive nature of risk management.
The risk maturity model below is one I developed, based on a model built for a local government agency in the state of Washington.
My view is that Level Five of the model represents mature, arguably world-class risk practice. However, many risk leaders seem content to be at Level Four or even Level Three. In Level Three, there may be a risk management policy, and the ways in which risk levels are rated (e.g., high, medium, or low) are standardized. A report is provided to senior management and the board that summarizes the top risks.
Level Five adds the capability to integrate risk into strategy-setting and every other business process, so that reliable information about what might happen, and its effect on the achievement of enterprise objectives, is an integral part of all important business decisions. That is where the additional value is created: a Level Five risk management program provides assurance that the right risks are taken as the organization works to achieve its objectives.
Periodic surveys by auditing and consulting firms indicate that, in the majority of organizations, boards and executive management perceive the management of risk as a compliance activity, something they have to do. They do not see it as something they want to do because it adds value and helps them be successful. They see it only as something that helps them avoid failure.
When an organization reaches maturity Level Five, the focus shifts to making daily decisions that take the right risks for success. The board and top management can understand whether enterprise objectives might or might not be achieved, and why.
In my experience with CEOs and board members, risk management at this level is something they not only want but are willing to invest the time and money to achieve.
For more on advancing your risk maturity, check out our blog, How a RMIS Can Boost Your Risk Maturity. For more insights from Norman Marks, check out our on-demand Risk@Work webinar, Do You Really Need a GRC Solution?