Over the last ten years of the "risk leader" portion of my career, as head of enterprise risk management at USAA (2001-10), and in my subsequent work as an ERM consultant, I was challenged by several questions that affect risk management results and, by extension, effectiveness and ultimate success, all under the header of "risk management maturity."
The starting point for this subject is two key things that need to be straightened out. First, how are you defining "risk," and have you driven a consensus among key stakeholders about that definition? Second, which risks are you going to manage, and where on the loss curve do they fall? This may sound simple and straightforward, but the reality is that many risk leaders have responsibility for only a portion of the risks organizations face; often only the insurable risks. If that's the case, you have your answer to both concerns nailed.
If, on the other hand, you are a risk leader/stakeholder with broader accountability for more or all of the risks (enterprise-wide risk management) that could impact an organization (both negatively and positively), then the first question, "what is a risk?", requires clear definition. The most commonly accepted definition of risk is "uncertainty." I like this simple definition, and it captures the most central element of concern. However, the real challenge remains the question of the level of uncertainty (aka frequency/likelihood) and, to many, even more important, the level of impact or severity. My favorite chart to help illustrate this concept is one where the "tail" of the loss distribution represents where the proverbial "black swans" live.
A typical loss curve has as its peak the expected level of loss, and the black swan sits out on the tail of this curve, where the x-axis is the impact or severity of loss and the y-axis is the frequency or likelihood of loss. While many hazard-focused leaders put their attention on risks at the expected level or to the left along the x-axis, where certainty of loss rises, the challenge is deciding where in the region of the curve to the right one should be managing. While the possibility of loss becomes increasingly remote as you move out towards the tail of the curve, the impact of events becomes more destructive. Key questions that must be answered include:
■ Do we care more about likelihood or impact or are they equal?
■ What level of investigation do we apply to remotely likely risks?
■ How do we apply limited resources to remotely likely risks?
■ Do we have a consensus among key stakeholders as to what risks we should focus on and how?
■ Do we have, or need, an emerging risk management process?
■ Do we have a consensus on and clear understanding of how we define risk in our organization?
These issues are the starting point to the risk management maturity question, one that if executed well, facilitates organizational success. From these answers, you can chart your course for what this will mean to your firm. The answers will define the process elements of maturity that will be needed to achieve your target state. But we need to define what risk maturity is in order to track progress towards it and to ensure that stakeholders are aligned around the chosen components.
This concept of maturity is one applicable to most functional areas, including information technology. It is an effective way to chart a course of continuous improvement guided by best practices, the result of which should improve the chances that your functional performance will meet or exceed expectations but also enable other organizational leaders to better understand your contribution to organizational success.
The various components among the numerous risk maturity models tend to overlap considerably. Here’s one generic set of attributes of maturity that are as good as any:
■ Managing risk to specifically defined appetite and tolerances
■ Management support for the defined risk culture and direct ties to the corporate culture
■ A disciplined risk process aligned with other functional areas
■ A process for uncovering the unknown and/or poorly understood risks
■ Effective analysis and measurement of risk both quantitatively and qualitatively
■ A collaborative focus on a resilient and sustainable enterprise
One of the better models comes from the Risk Management Society (RIMS). It was developed some ten years ago, but remains in my opinion a simple yet comprehensive view of the seven most important factors that inform risk maturity and that when well implemented should drive an effective approach to managing any risk within your purview.
The components of the RIMS model include:
■ Adopting an enterprise-wide approach supported by executive management and which is aligned well with other relevant functions
■ The degree to which repeatable and scalable process is integrated in the business and culture
■ The degree of accountability for managing risk to a detailed appetite and tolerance strategy
■ The degree of discipline applied to using the elements of good root cause analysis
■ The degree to which a robust emerging risk process is used to uncover uncertainties to goal achievement
■ The degree to which the vision and strategy are executed considering risk and risk management
■ The degree to which resiliency and sustainability are integrated between operational planning and risk process
As with risk management strategies, no two of which I've seen are exactly the same, there is no one way to accomplish maturity. Importantly, every risk leader needs to do for his or her organization what the organization needs and will support.
Certainly the good governance of organizations is critical to ultimate success, and the board's role in that is the apex of that consideration. If the board is engaged and accountable for ensuring its risk oversight responsibility is effectively executed, the successful execution of the strategy is likely and, by inference, risk will have been effectively managed as well.
To complete the foundation for the business case for using a risk maturity model to track progress, consider these key points:
■ There is no one right approach; each organization must chart its own course aligned with its culture and priorities
■ Risk must be treated as an integral aspect of strategy
■ Like all corporate processes, there should be a focus on additive value
■ The documented valuation premium that risk maturity has helped secure for studied users
With the effective use of a risk maturity model, you should be better able to chart your risk evolution journey, and a good maturity strategy tied to corporate strategy and priorities is the ultimate nexus for success. Risk and risk management should drive performance results and define what remains to be done to achieve longer-term aspirations.
Using functional maturity models will, if nothing else, provide the guardrails and discipline that may otherwise be missing from your current attempts to make a difference in the success of your enterprise.