Whenever there is a discussion about improving risk management, the subject of risk management maturity is often raised. The presumption is that the more mature a process is, the more effective it is. This article explores what that really means in the risk management realm.
Effective enterprise risk management (ERM) enables timely responses to the risks that matter. There are six elements of risk management infrastructure: (1) policies, (2) processes, (3) people and organization, (4) reports, (5) methodologies and assumptions and (6) systems and data. An effective risk response considers all of these elements. Once the six elements are in place for a given risk (or for a group of related risks), they pave the way for advancing the maturity of risk management.
A capability maturity framework assists management in thinking more clearly about such questions as:
- Do we rely on a few well-qualified individuals to manage a particular risk in an ad hoc manner, or do we improve our internal capabilities continuously?
- How effective do we want our risk management to be as we improve our infrastructure for each of our priority risks?
- Should we vary the rigor and robustness of our risk responses and related control activities by risk type or treat all risks as equivalent in terms of applying mature risk management capabilities?
There are conscious choices to be made when aligning the organization’s capabilities with its desired risk responses, and vice versa. Given finite resources, risk management capabilities must be selectively improved by considering expected costs and benefits. The goal of ERM is to identify the organization’s most significant exposures and uncertainties and to focus efforts to improve the capabilities for managing them. That’s why an emphasis on infrastructure (the six elements discussed above) is important.
The following discussion illustrates five levels of maturity:
At the initial state of maturity, risk management is fragmented and ad hoc. Individual risks are managed in silos, and the organization is often reactive to events. The organization generally lacks policies and formal processes; therefore, the entity is dependent on seasoned managers acting on their own initiative to manage risk. There is very little accountability due to the absence of clearly designated risk owners. When personnel leave the organization, the enterprise cannot replicate what they do. While the initial state can be rationalized for insignificant risks, the lack of direction is a breeding ground for a crisis in areas requiring more discipline.
At the repeatable state of maturity, basic risk management policy structures and processes, including risk assessment, are in place to achieve stated objectives and requirements. Human resources are allocated to risk management, with responsibilities and authorities defined for specific individuals. Accountability may still be an issue at this stage because reporting is not rigorous enough to hold specific individuals accountable for results. Thus, there is still heavy reliance on people. However, when someone leaves, the void or disruption is not as great now that there is repetition taking place as a result of increased process discipline and established guidelines for managing risks.
At the defined state, policies and processes are further refined and documented, resulting in more uniform risk mitigation activities and risk oversight across units and functions. For example:
- A risk committee structure may be in place, along with a designated executive responsible for aggregating enterprise risks and ensuring cross-unit and cross-functional coordination.
- Robust controls documentation and verification mechanisms are in place to ensure policies are followed and processes are performing as intended.
- Roles and responsibilities are clearly defined, and robust management reports, supported by rigorous methodologies, add more value by integrating appropriate key performance and risk indicators into decision-making processes.
- Systems are more stable and scalable, with improved functionality, as technology lays a foundation for all of the other infrastructure elements.
- There is evidence of risk-sensitive and risk-aware decision-making, as exceptions and near-misses are reported in a timely manner and lessons learned and control deficiencies drive improvement initiatives.
At the managed state, we see improved quantification, time-tested models and data analytics assisting decision-makers with forecasting, scenario planning and trend analysis to identify emerging risks and anticipate the potential for disruptive change. A formal lines-of-defense framework is implemented, risk measures are linked to performance goals, early-warning systems are in place and capital allocation techniques are effectively deployed. A risk appetite framework is established and decomposed into risk limits allocated to individual operating units; when predefined limits are approached or exceeded, corrective action is taken. Objectives, targets and performance metrics are integrated into enterprisewide systems that provide dashboard reporting and drill-down capabilities. These enhanced capabilities facilitate the integration of risk considerations into strategy setting, business planning and performance management, positioning the organization as an early mover to recognize and act on emerging risks (and opportunities).
The optimizing state is the highest level of capability, in which the organization has a commitment to continuously improve the capabilities at the managed state, keeping all elements of risk management infrastructure fully aligned as the business environment changes. Risk policies are evaluated on an enterprisewide basis to achieve the desired risk/reward balance as well as understand and exploit the effects of diversification across multiple risks. Best practices are routinely identified and shared across the organization, suggesting that the journey of enhancing risk management capabilities continues over time as external and internal conditions change. Corporate improvement initiatives established and applied enterprisewide (e.g., Six Sigma) are integrated with risk management.
These are the five stages of a capability maturity framework. The illustrative criteria above show how each successive stage of maturity reflects further enhancements in managing risk. The higher a company’s capabilities, the greater its prospects for success in managing risk and the lower its potential for failure. A consistent and fact-based use of a capability maturity framework by risk owners allows for a focused articulation and understanding of the current and desired states of risk management capability across the organization for different risks.
To illustrate, a maturity framework works as follows:
- For each risk (say, regulatory, health and safety or supply chain risk), evaluate the current state of the entity’s risk management capabilities. The current state generally refers to capabilities that are present and functioning but may take into account planned initiatives currently funded and underway to improve capabilities (to which some refer as the improved state).
- Decide how much added capability is needed to achieve the appropriate risk response (i.e., the desired state). When assessing the desired state, be as realistic as possible. The objective is to select capabilities that provide the best fit with the core competencies that would be reasonably expected of an organization executing the enterprise’s business model.
- Recognize that the desired capability may vary by risk. For example, significant exposure to changes in foreign exchange rates may require capabilities at least at the managed state. Some operational risks, like operating a nuclear power plant, may drive management to choose the optimizing state because there is little margin for error in operation. Windstorms, flooding and other hazard risks may warrant only periodic analysis and procurement of insurance with little need for intricate risk reporting – a repeatable state. For cybersecurity risks involving “crown jewel” information assets and systems, a managed state may be desired.
- Once the gap between the current state and desired state is identified, evaluate the expected costs and benefits of increasing capabilities to close the gap. The actionable steps resulting from a gap analysis become an integral part of the business plan.
Improvements in capability are often staged. To illustrate, assume that the current state of a company’s credit risk management capabilities lies at the repeatable state. Assume further that management decides that these capabilities should operate at the managed state. In closing this gap, a staged approach to the design and implementation of improved capabilities may begin by advancing capabilities first to the defined state and then to the managed state.
This approach may be preferable to closing the gap all at once because it reduces disruption to the organization: it may be more in line with the change readiness of the entity’s personnel and may even increase the chances of a successful implementation. Thus, the capability maturity framework facilitates careful thought and judgment by knowledgeable personnel in planning the organization’s transition from the current state to the desired future state, as well as the speed of that transition.
What constitutes best practice in managing a particular risk at one company may be insufficient or overdone in the context of managing the same risk at another company. For example, sophisticated modeling applications may represent best practice for managing market risk in a trading organization. However, in another business, where just a handful of transactions are exposed to price risk and the exposure is therefore negligible, such sophistication is unnecessary.
The point is clear: It is unnecessary to deploy the most advanced techniques for all risks, as no organization has the resources to do that, nor is there a viable business reason to do so. Thus, thinking in terms of capability maturity can facilitate the allocation of resources.
The following are some suggested questions that directors and executives may consider based on the risks inherent in the entity’s operations:
- At what stage of maturity are our organization’s risk management capabilities, both for the enterprise as a whole and for each of its most critical risks?
- Do our organization’s risk responses to address individual risks reflect a careful assessment of the appropriate capabilities needed to reduce risk to an acceptable level?
- If our risk management capabilities require improvement, do we have a plan to take them to the next level of maturity?
- Are we over-reliant on our people to manage some of our critical risks and, therefore, exposed in the event of an unexpected departure or termination?
The topic of maturity is important in risk management because the business environment is constantly changing. Therefore, it stands to reason that risk management must be improved continuously. The more mature an organization’s risk management capabilities, the stronger its culture is in balancing the inevitable tension between creating enterprise value through the strategy and driving performance on the one hand, and protecting enterprise value through a risk appetite framework and managing risk on the other hand.