How Mature Are Your Risk Management Capabilities?
“How mature is our risk management?” Chances are good that you have been asked this question at least once. At Protiviti, we hear it frequently. The common presumption is that the more mature a process, the more effective it is. But what does that really mean, and how does the concept of maturity apply to risk management?
Effective enterprise risk management (ERM) enables timely responses to the risks that matter most to an organization. An effective risk management infrastructure is constructed using the following six elements:
- People and organization
- Methodologies and assumptions
- Systems and data
Once in place for a given risk, these six elements pave the way for advancing the maturity of risk management. The more mature an organization’s risk management, the stronger its culture will be in balancing the inevitable tension between creating enterprise value through strategy and driving performance, and protecting enterprise value through a risk appetite framework and effective risk management capabilities.
A capability maturity framework assists management in thinking more clearly about questions such as:
- Do we rely on a few well-qualified individuals to manage a particular risk in an ad hoc manner, or do we have robust capabilities that we improve continuously?
- How effective do we want our risk management capabilities to be as we improve our infrastructure over time for each of our priority risks?
- Should we vary the rigor and robustness of our risk responses and related control activities by risk type or, alternatively, treat all risks the same in terms of applying mature risk management capabilities?
When aligning the organization’s capabilities with its desired risk responses, choices must be made. Given that every organization has a finite amount of resources, risk management capabilities must be selectively improved by considering expected costs and benefits. The goal of ERM is to identify the organization’s most significant exposures and uncertainties and focus on improving the capabilities for managing them. That’s why an emphasis on risk management infrastructure is important. Risk management processes can advance through five levels of maturity, which are defined as follows:
- Initial State. Risk management is fragmented and ad hoc. Individual risks are managed in silos, and the organization is often reactive to events. There is a general lack of policies and formal processes; therefore, the entity is dependent on seasoned managers acting on their own initiative to manage risk.
There is also very little accountability due to the absence of clearly designated people charged with overseeing specific risks. When personnel leave the organization, the organization has difficulty replicating what they do. While the initial state can be rationalized for insignificant risks, the lack of direction is a breeding ground for a crisis in areas requiring more rigor and discipline.
- Repeatable State. Basic risk management policy structures and processes, including risk assessment, are in place to achieve stated objectives and requirements. Human resources are allocated to risk management, with responsibilities and authorities defined for specific individuals. Accountability may still be an issue at this stage because reporting is not rigorous enough to hold specific individuals accountable for results. Thus, there is still heavy reliance on people to “take care of things.” However, when someone saddled with these responsibilities leaves, the void is not as great now that “repetition” is taking place as a result of increased process discipline and established guidelines for managing risks.
- Defined State. Policies and processes are further refined and documented, resulting in more uniform risk mitigation activities and risk oversight across units and functions. For example:
- A risk committee structure may be in place, along with a designated executive responsible for aggregating enterprise risks and ensuring cross-unit and cross-functional coordination.
- Robust controls documentation and verification mechanisms are in place to ensure policies are followed and processes are performing as intended.
- Roles and responsibilities are clearly defined. Robust management reports, supported by rigorous methodologies, add more value by integrating appropriate key performance and risk indicators into decision-making processes.
- Systems are more stable and scalable with improved functionality because technology lays a foundation for all of the other infrastructure elements.
- There is evidence of risk-sensitive and risk-aware decision-making, as exceptions and “near misses” are reported in a timely manner, and lessons learned and control deficiencies drive improvement initiatives.
- Managed State. Organizations functioning at the defined state are building the foundation for a strong risk governance culture. At the managed state, we see improved quantification, time-tested models and data analytics assisting decision makers with forecasting, scenario-planning and trend analysis to identify emerging risks and anticipate the potential for disruptive change. A formal lines-of-defense framework is implemented, risk measures are linked to performance goals, early warning systems are in place, and capital allocation techniques are effectively deployed.
At this stage, a risk appetite framework is also established and decomposed into risk limits allocated to operating units. When predefined limits are approached or exceeded, the situation is evaluated and corrective action, if needed, is taken. Objectives, targets and performance metrics are integrated into enterprise-wide systems providing dashboard reporting and drill-down capabilities. These enhanced capabilities facilitate the integration of risk management activities into strategy-setting, business planning, and performance management. They also position the organization as an early mover to recognize and act on emerging risks—as well as opportunities.
- Optimizing State. Here, the organization has a commitment to continuously improve the capabilities at the managed state, keeping all elements of risk management infrastructure fully aligned as the business environment changes. Risk policies are evaluated on an enterprise-wide basis to achieve the desired risk/reward balance, as well as to understand and exploit the effects of diversification across multiple risks.
In the optimizing state, best practices are routinely identified and shared across the organization, suggesting that the journey of enhancing risk management capabilities never ends because external and internal conditions are constantly changing. Corporate improvement initiatives that are established and applied enterprise-wide are integrated with risk management.
The above criteria show how each successive stage of maturity reflects further enhancements in managing risk. The more mature a company’s capabilities, the greater its prospects for success in managing risk and the lower its potential for failure. A consistent and fact-based use of a capability maturity framework by risk owners allows for a focused understanding and articulation of the current and desired states of risk management capabilities across the organization.
To illustrate, a maturity framework works as follows:
- For each risk (e.g., regulatory, health and safety, or supply chain risk), the risk owner or internal audit should evaluate the current state of the entity’s risk management capabilities. The current state generally refers to capabilities that are present and functioning, but it may take into account planned initiatives currently funded and underway to improve capabilities.
- The risk owner then decides how much added capability is needed to achieve the desired state of risk response. When making this determination, be as realistic as possible. The objective is to select capabilities that provide the best fit with the core competencies that would be reasonably expected of an organization executing the enterprise’s business model.
- Both management and the board should recognize that the desired state’s capability may vary by risk. For example, some operational risks, such as operating a nuclear power plant, may drive management to choose processes at the optimizing state of maturity because there is little margin for error in operation. Windstorms, flooding, and other environmental hazards may only warrant periodic analysis and procurement of insurance with little need for intricate risk reporting, in which case a response system at the repeatable state of maturity might be appropriate. For cyber risks involving “crown jewel” information assets and systems, a response matured to the managed state may be desired.
- Once the gap between the current state and desired state is identified, the risk owner must then evaluate the expected costs and benefits of increasing capabilities to close the gap. The actionable steps resulting from a gap analysis become an integral part of the business plan. What constitutes “best practice” in managing a particular risk at one company may seem either insufficient or overdone in the context of managing the same risk at another company. Not only is it unnecessary to deploy the most advanced techniques for all risks, no organization has the resources—or a viable business reason—to do that. Thus, thinking in terms of capability maturity can facilitate the resource allocation process.
Questions for Boards
The following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
- At what stage of maturity are our organization’s risk management capabilities, both for the enterprise as a whole and for each of our most critical risks?
- Do our organization’s risk responses to address individual risks reflect a careful assessment of the appropriate capabilities needed to reduce risk to an acceptable level?
- If our risk management capabilities require improvement, do we have a plan to take them to the next level of maturity?
- Are we over-reliant on our people to manage some of our critical risks and, therefore, exposed in the event of an unexpected departure or termination?
Jim DeLoach is a managing director with Protiviti, a global consulting firm.