Risk Maturity: How Well, Not How Old (II)


Recent studies in Enterprise Risk Management (ERM) report a steady increase in the percentage of organisations that claim to have “complete ERM processes in place,” with larger organisations and publicly traded companies leading the way. Many organisations are embracing ERM due to “somewhat” to “extensive” pressure from external parties to provide information about risks. While the percentage of organisations embracing ERM is on the rise, the level of risk management sophistication still remains fairly immature for most emerging market organisations. The gap remains for organisations to strengthen the connection between risk oversight and strategic planning.

Risk maturity is not a destination that is reached in the business cycle. Rather, it points to the level of risk knowledge, as well as the control that is exercised and the actions taken in times of need. Maturity in this context does not mean age; it means how and what decisions are taken when faced with a situation of risk. In the public sector, it is about the ability to see beyond the obvious and do the right things for the greater good, and more precisely the instinct of leaders to weigh repercussions before any actions are called upon.

Is your organisation just about surviving? Or is it thriving, growing and beating down barriers? Improving maturity in risk management can elevate an organisation from just about surviving, to being innovative, successful and risk taking in a managed way.

With knowledge of how well an organisation performs in risk management maturity, it becomes immediately clear which aspects of risk (and general) management are mature, i.e. good, and which are immature, i.e. bad. Through this understanding, an action plan can be made to improve the weakest areas and thereby get the best out of an ERM programme, ultimately to the extent where the organisation can actively take more managed risk in order to succeed and transcend from growing to winning.

ERM is still a relatively new discipline and most organisations will find that their ERM process evolves over time.
Consider the UK Institute of Risk Management (IRM) four (4) level Risk Maturity scale: Elementary, Reactive, Proactive and Optimised. Each level is based on different criteria measured against several aspects of the risk management programme and infrastructure, such as: leadership or tone from the top; resources that are provided to enable risk management to happen; the framework and structure for governing risk management; risk management processes; people involved in risk management and their level of training and attainment; processes in place for responding to risks and risk appetite; and finally the outputs that show that risk management is making a difference.

Is your organisation in chaos? Or is it thriving, growing and beating down barriers? Improving maturity in risk management can elevate it from being in the chaotic corner, to being innovative, growing and successfully taking risks.

If a study of the levels of risk management maturity is conducted, the results will show those aspects of risk management that are really good (mature), and those that are really bad (immature). This is how an action plan can be made to improve the weakest areas.

By way of contrast, those organisations where there is a culture of witch hunting when things go wrong, with little or no perception of personal responsibility, are at the bottom of the risk management maturity spectrum. This is where many organisations sit in most emerging markets. Elementary levels of risk management maturity are evidenced by projects and business delivery that are at best basic and possibly even chaotic. Organisations at this level typically lurch from one crisis to another, have a high turnover of people and face cash flow problems. Senior management are barely aware of the need for managing risk apart from some discrete silos. There is no structured approach to dealing with threats and opportunities; management is in crisis mode, always fire-fighting, and there is no learning from experience. Such businesses might attend to the most important aspects of compliance but tend to try to do the least that they can get away with.

When you begin to see steps being taken to introduce risk management to the organisation, progress is being made.

Moving from a reactive to a “proactive” and towards an “optimised” basis requires the organisation to streamline and integrate risk management into most business practices.
The proven way is to shine a light on the current areas of strength and weakness and enable a clear pathway to be established and followed in order to elevate the organisation from just about surviving to winning and expanding in a sustainable way. That proven way is to start measuring where on the scale your risk management maturity is, and get moving towards success.

If your ERM process has not been resulting in timely, meaningful action that drives business value, consider directly involving an ERM specialist to conduct a critical overhaul and review.

As the year rolls to an end, there is no better time than the present to focus on those personal, corporate and governance goals we’d like to improve in the coming year. Business and government leaders should be thinking about ways to make ERM more impactful in 2018.