Staying Afloat With ERM


As the new year approaches, we set new goals and focus on those things we’d like to improve. Personal fitness and diet goals are frequently at the top of the list. But if you’re an enterprise risk management professional, you’re probably also thinking about ways to make your ERM process more effective in 2017. ERM is still a relatively new discipline and most organizations find their ERM processes are still evolving. Some ERM professionals will agree that their ERM processes are not fully mature. They admit that there are one or more aspects of their organization’s ERM process that could be changed or refined to become more effective.

A point that cannot be repeated enough is that a measure of risk maturity and growth is getting the ERM program more formally linked to the strategic planning process. This gives greater visibility to the potential value that ERM can add, particularly when it is used to support key strategic initiatives by actively identifying and managing the unique risks each initiative brings. If your organisation’s ERM program is not yet linked to the strategic planning process, the New Year offers a good time to rejig and start anew.

The risk-mature organisation is one that is able to clearly articulate its risk appetite and to measure its performance against that risk appetite. It is thereby able to respond positively to new challenges in order to seize the opportunity and maximise efficiency whilst managing the threats and opportunities. It is more likely to be able to weather the storms of threats as they occur, and more likely to stay afloat when times get tough. Management are able to switch from a “managing as usual” mode into a “change management” mode, and the capacity is there for staff to make the change happen.

Risk-immature organisations are often in constant “fire-fighting” mode. Turnover of staff is often higher than normal because everyone is working in an environment of high tension and at maximum capacity, and incidents of fraud and poor ethics are frequent. Such risk-immature organisations are less likely to be able to respond to change, are slow to seize opportunities when they arise, and are less resilient in the longer term.

There are many examples of risk management maturity models that have been used, but it is important to adapt the language and style to fit the organisation in question. A wrong reference to the internal structure, or a question being posed to senior managers or elected officers that should be aimed at operational management, can be infuriating.

Today’s electronic world gives us the wonderful e-survey, which is by far the most efficient way of collecting information about the level of risk management maturity in the organisation. Care must be taken, however, to ensure honesty in the answers and to word the survey in a way that does not invite an automatic dishonest response. Some organisations will use a combination of e-surveys and interviews, the latter particularly for non-executive directors and possibly other stakeholders.

There is a spectrum of risk maturity, from being completely unaware of threats and opportunities (ignorant) to being influential with one’s peers.

The Ignorant organisation is unaware of the need for managing risk. It has no structured approach to dealing with threats and opportunities; management is in crisis mode, always fire-fighting, and there is no learning from experience as the organisation lurches from one crisis to another. It may attend to the most important aspects of compliance but tends to try to do the least that it can get away with. Ethics are questionable and there is a high chance that there exists a culture of backhanders and fraud.

The Initiate organisation has started to implement some basic risk management, but this is centred on a small number of individuals who take ownership of the risk management programme and are seen internally as the people who manage risk. There are no formal or structured processes for managing threats and/or opportunities apart from perhaps some policies and some risk registers. This organisation is struggling to implement formalised risk management processes, as these processes seem to be in addition to the day-to-day crisis management for all in the organisation. Ethics problems and fraud still exist, but they are being talked about, and steps are being taken to make policies and implement activities to improve the situation.

The Intermediate organisation has streamlined and integrated some aspects of risk management into some of the business practices but not all. The organisation is starting to see definite benefits coming from the risk management areas that are integrated, particularly in areas such as project management and other operational areas. Rarely does risk-based decision making actually take place in the boardroom, although there is clear and mainly active support for risk management from the members. The members talk the right words but are not yet leading by example.

In the Integrated organisation, management of threats and opportunities is built into all routine business practices. Formal risk management programmes and processes are integrated into the way in which people manage the business and there is regular reporting of the performance of risk management against the risk appetite. An integrated multi-level programme is used to manage opportunities as well as threats. The organisation uses risk information to actively improve business processes and gain competitive advantage.

The Influential organisation is a leader in its field, and its peers learn from it. Risk management becomes a natural part of good management, and the culture of the organisation is one of high ethical standards, open and transparent, with zero tolerance towards fraud or unethical behaviours.

There is empirical evidence across the globe linking improvement in risk management maturity to greater efficiency, success and better services from both private and public bodies. The higher up the scale of maturity, the less likely unwanted surprises are and the greater the chance that a more ethical culture will pervade.