The Institute of Enterprise Risk Practitioners (IERP®) is the world’s first and leading certification institute for Enterprise Risk Management (ERM).

IERP® International Institute of Enterprise Risk Practitioners

Directors’ Guide To Risk Maturity Framework

Risk management is generally well understood by most levels in an organisation; risk maturity is now fast catching up, particularly among the Board and senior management who understand the dynamic nature of risk. Having set in place the necessary risk management processes and procedures, they and the firm need to move to the next level, as the organisation’s risk management system matures. To do this, they need to thoroughly explore certain areas and gauge the effectiveness of what has been put in place. An organisation may even want to use a risk maturity model that is already available to gauge where they stand as far as the maturity of their risk management processes is concerned.

Most models of this kind categorise the stages of maturity from novice to advanced level; all of them emphasise the need for careful assessment of the organisation’s relevant characteristics at every stage. Among the risk maturity characteristics of organisations is their transparency about shortfalls or inconsistencies in their systems, and their willingness to address these problems. Because risk management systems may be at varying levels of maturity, the Board and management have to constantly assess the ability of these systems to manage the risks which may arise in the course of doing business.

They also need to ask if staff know how to handle the risks which confront them, and if existing systems need improvement and, if so, when and how this should be managed. How Board and management respond to this reflects the risk maturity of the organisation. It also indicates the level of skill and competency of the people helming it. More importantly, research has shown that the more mature its risk management practices are, the stronger the firm’s performance is likely to be. Organisations which capably identify, measure, monitor and mitigate their risks, and are adaptable to change, are generally considered as having mature risk management practices and processes.

These firms have risk management processes which are aligned with their strategic objectives, and apply them in an orderly and structured manner. At the other end of the scale, companies which apply risk mitigation on an ad-hoc basis are considered the least mature, risk management-wise. It cannot be denied that an effective framework for risk maturity relies in great part on the directors’ understanding of it. Boards drive strategic decision-making; frameworks, systems, processes and procedures therefore need to support this. While the Board needs to understand the company’s strategic risks, the organisation as a whole should continuously develop a risk culture that permeates all levels.

The methods of communication which are effective for this are also useful when it comes to identifying existing and emerging risks, as stakeholders provide feedback. Open communication will be crucial to key stakeholders’ participation in the development and policy-setting of the organisation, as stakeholders can provide diverse insights and different viewpoints which sometimes may not even occur to policy makers, or which simply “slip under the radar” of the Board and management. Insights could include information on emerging risks, as well as possible opportunities which could increase the organisation’s value or sustainability.

Firms wanting to increase their risk management capabilities by strengthening their frameworks should look at current risk management benchmarking models and then decide what works for them, after determining their levels of risk maturity. They can then decide what their next, or ultimate objectives are, or should be. Generally, there are a few elements to consider, which include how extensively ERM has been applied throughout the organisation; the organisation’s risk appetite; emerging risks; and if the systems currently in place have effectively mitigated the firm’s risks. In short, the Board and management will be asking themselves what they have done, and what they can do better.

They will be reviewing how operations have been aligned with strategy, and how far the firm’s objectives have been achieved. Evaluations of this kind will determine the risk maturity stage of the firm, and provide direction for subsequent strategy-setting and alignment. Strengths in communication, execution and measurement can be compared against the firm’s successes; how far it has deviated from its objectives can also be determined, and mitigative measures can be identified. Resources can thus be allocated to improving weak areas, and areas exhibiting strong performance can be tapped for best practices.

Risk maturity models are useful when seeking to understand how sophisticated an organisation’s risk management processes are, but subsequent risk maturity assessments will have to incorporate many other elements peculiar to the firm. New risks, continued good governance practices, environmental dynamics and risk management education are a few of the areas that have to be assessed in tandem. There is also the organisation’s own culture to consider: how is risk management permeating the structure? Is there enough education about it? Can staff recognise and manage risk? Can they communicate or act on threats in a timely manner?

Sometimes risk maturity assessments may uncover the existence of silos within the organisation; applying ERM principles here will help the smooth execution of risk management and strengthen risk culture – although getting buy-in may initially be tricky. The path to risk maturity is not an easy one. Ideally, an organisation should have a risk-aware culture and be proactive about risks, with everyone accepting risk management as their responsibility. But this is the exception rather than the norm. The purpose of a risk maturity framework is to help the organisation which implements it achieve the risk maturity level which it desires.

The framework will be the basis of the planning, implementation and subsequent development of risk management practices in the organisation. It will also serve as a yardstick against which risk management practices are measured, so that constant improvements may be made. This strengthens the organisation’s competitiveness and sustainability, and thereby facilitates the enhanced creation of organisational value.
