By Norman Marks, CPA, CRMA
Very few organizations have what I would call effective risk management systems: robust functions and processes that enable risk-aware decisions at every level to support the realization of key enterprise objectives.
Yet a common goal among risk leaders (practitioners and their managers) is to gauge and measure their organization’s journey to improved, even world-class, risk management. These leaders agree that regardless of the current status of risk management activity, more can and should be done.
Risk management maturity models are an excellent way for organizations to see where they are, compare their current state to where they want and need to be if they are to derive full benefit, and discuss the value and cost of further investment in the management of risk. The more mature the risk management system, the more effective it will be in enabling better decisions, taking the right risks, and achieving better outcomes for the organization. Some view the implementation of risk management, however, as simply taking time.
Describing risk management capabilities based on a maturity curve—instead of labeling the current state of risk management as ineffective—is less discouraging for leaders.
Assessing maturity on a continuum is also logical because every management team is engaged in risk management in some way, even if risk management “systems” are nascent. Similarly, even a world-class risk management system might have room for improvement, especially in the ever-changing environment around us that drives the dynamic, iterative, and responsive nature of risk management.
Below is a risk-maturity model I developed based on a model developed for a local government agency in the state of Washington.
My view is that Level Five of the model represents mature, arguably world-class risk practice. However, many risk leaders seem content to be at Level Four or even Level Three. In Level Three, there may be a risk management policy, and the ways in which risk levels are rated (e.g., high, medium, or low) are standardized. A report is provided to senior management and the board that summarizes the top risks.
When you look at the additional capabilities of Level Five for integrating risk into strategy-setting and every other business process, where reliable information about what might happen and its effect on the achievement of enterprise objectives is an integral part of all important business decisions, you can see the additional value that is created. Level 5 risk management programs provide assurance that the right risks are taken as the organization works to achieve its objectives.
|Maturity Level||Description||Key Attributes|
|One||Ad hoc||The management of risk is undocumented and in flux; the management and taking of risk depends on individual heroics.|
|Two||Preliminary||Risk is defined in different ways and managed in silos. Process discipline is unlikely to be rigorous.|
|Three||Defined||A common risk assessment/response framework is in place. An organization-wide view of risk is provided to executive leadership and the board in the form of a list of so-called ‘top’ risks. Action plans are implemented in response to high priority risks.|
|Four||Integrated||Risk management activities are coordinated across business areas. Common risk management tools and processes are used where appropriate, with enterprise-wide risk monitoring, measurement, and reporting. Alternative responses are analyzed with scenario planning and other techniques, such as Monte Carlo simulation. Process metrics are in place. But the emphasis remains on managing a list of risks. Discussion of risk at executive committee and board levels is separate from the discussion of strategy and performance.|
|Five||Optimized||The focus shifts from managing a list of risks outside the context of enterprise objectives to managing success: the achievement of objectives. The consideration of what might happen (where possible, business language is used instead of the technical language of risk) is embedded in strategic planning, capital allocation, and other processes, as well as in daily strategic and tactical decision-making. There is a reasonable level of assurance that decision-makers are taking the right level of the right risks necessary for success and not just avoiding failure. Early-warning systems exist to notify board and management both of specific risks above established risk appetite or risk-capacity thresholds – and where the likelihood of achieving enterprise objectives is less than acceptable. Reporting to management and the board integrates performance reporting (where we are now) and risk (what might happen) to project the likelihood of achieving each enterprise objective. Discussion of risk at top management and board levels (what might happen) is not separate from the discussion of strategy and performance.|
The majority of organizations (based on periodic surveys of auditing and consulting firms) indicate that boards and executive management perceive the management of risk as a compliance activity, something they have to do. They do not see it as something they want to do because it adds value and helps them be successful. They see it only as something that helps them avoid failure.
When an organization reaches maturity Level Five, the focus shifts to making daily decisions that take the right risks for success. The board and top management can understand whether enterprise objectives might or might not be achieved, and why.
In my experience with CEOs and board members, risk management at this level is something they not only want but are willing to invest the time and money to achieve.
For more on advancing your risk maturity, check out our blog, How a RMIS Can Boost Your Risk Maturity. For more insights from Norman Marks, check out our on-demand Risk@Work webinar, Do You Really Need a GRC Solution?
Norman Marks is a globally recognized thought leader in internal auditing and risk management. He works with individuals and organizations around the world, advising them on risk management, internal audit, corporate governance, enterprise performance, and the value of information. Norman is the author of nine celebrated books on risk management, internal audit, and Sarbanes-Oxley compliance.