IERP® Team No Comments

Tracking Risk Maturity

Although ISO 31000 and ISO Guide 73 talk about Risk, there is no actual guidance about how its maturity should be tracked

Although ISO 31000 and ISO Guide 73 talk about Risk, there is no actual guidance about how its maturity should be tracked. But Risk maturity should be tracked because this bridges the gap between theory and practice and, among other things, benchmarks it against other frameworks. This acts as a guide to incremental improvement over time, and provides a measure of the value of ERM besides building a viable ERM blueprint for the firm. Ultimately, measuring this value can increase shareholder value, and point the way towards enhancing the firm’s competitiveness while it complies with regulatory obligations, as measuring Risk can, to a large extent, also address rating agency requirements.

Five levels of risk maturity
There are, essentially, five levels of risk maturity against which a company can assess its risk management system. At the stage of Risk Naivete, a firm usually has no formal approach to risk management. It could then progress to being Risk Aware, and initially develop a scattered, silo-based approach. As the organisation learns and its awareness grows, it enters a Risk Defined stage where it starts to define its risk more clearly, and begins to put strategies and policies in place. This helps it define its risk appetite, and spurs it to move on to the next level. At the Risk Managed level, the firm practises an enterprise-wide approach to risk management; at the Risk Enhanced level, risk management and internal control will be fully embedded in its operations.

However, while the organisation may embark on this five-level journey as a single entity, it must be noted that the different units within it may achieve different levels of maturity at different points in time. This may be due to differing levels of awareness of the need for risk management among staff, the resources involved and the risk exposure of the respective units. Maturity levels also differ from one industry to another. Some companies are at the Risk Managed level, having even developed their own templates to measure the elements of risk management and assess the effectiveness of governance.

Different companies, different situations
Companies at the Risk Managed level tend to encourage a lot of feedback from as wide a range of stakeholders as possible, for a deeper understanding of how to apply risk management effectively, organisation-wide, so that even the frontline realises its importance. Where companies are the local subsidiaries of larger international groups, senior managers or directors from the (foreign) head office usually conduct training sessions, and local input is sought to determine risk maturity levels. But what about companies that are only just becoming aware of the need for risk management?

Enterprise Risk Management takes resources, time and training, which firms sometimes cannot accommodate. Putting structures in place may be a strain on already-stretched resources. In cases like these, measurements can be simplified, but with an eye to complying with all regulatory requirements – although conversations should continue about how to constantly improve, and how to increase buy-in and support so that the concept of ERM can gain traction and become more relevant across the organisation. Basic workshops can be conducted for operational-level staff to raise awareness of risk, so that they can see how managing risk aligns with corporate strategy, and how this has an impact on the bottom line.

Risk management gets everyone involved
Managing risk and reaching risk maturity involves being proactive but many new firms find themselves being reactive initially because of the lack of institutional experience. In cases like this, where the company desires to put a framework in place but doesn’t know where to start, considering a Risk Maturity model may be useful. At the very least, it will provide an idea of where the company currently stands, and where it needs/desires to move to, to apply risk management effectively. The monitoring aspect of the framework is particularly helpful as it works as a good starting point for the development of an organisational risk culture. Exercises in risk management, feedback, analysis and discussion will inevitably get more people involved and talking about the issues they face.

Risk management is not limited exclusively to senior management, so the more people within the organisation provide feedback, the better it can be customised to align with the requirements of each business unit. This ultimately results in mutual alignment with corporate strategy as the feedback from the bottom informs the tone at the top and vice versa. Where companies are truly serious about developing a culture of risk within the organisation, they need not use overly sophisticated means of getting feedback from their staff. Sometimes the simplest surveys will do; most importantly, the feedback should be honest and on-point, and staff should feel invested in what they are doing.

It has been observed that companies other than financial institutions undertake ERM because they want to, whereas financial institutions tend to view ERM through a compliance lens. For both financial institutions and non-financial institutions however, ERM can be used to spur the firm’s strategic direction. How a company links its business sustainability and strategic efficiency to the practice of ERM is really a matter of how mature it is.