In Part 1: Decoding The RIMS Risk Management Maturity Model, I introduced the first of seven key attributes of the RIMS Risk Management Maturity Model, which was ERM-Based Approach. Here, in Part 2 of Decoding The RIMS Risk Management Maturity Model, I will discuss attribute number two – ERM Process Management.
Key Terms:
Attributes: These are fundamental characteristics of an effective ERM program. These core competencies measure how well enterprise risk management is embraced by management and ingrained within the organization.
Competency Drivers: These describe the ability of an organization to successfully and efficiently execute an enterprise risk management program. Competency drivers help in understanding and differentiating maturity levels within an attribute.
Key Readiness Indicators: These are statements of a cause or driver for a strong risk management program that helps in improving business value. The key readiness indicators help in understanding and differentiating maturity levels within a competency driver.
The “State of ERM Report 2015” highlighted the differences in maturity levels of risk management competency drivers between organizations with and without ERM. The maturity level for the ERM Process Management attribute scored the highest among organizations with ERM. Why does this matter? Well, the higher competency ranking on this attribute demonstrates better integration of ERM processes into various day-to-day business processes, resulting in a more functional ERM program.
Attribute #2: ERM Process Management
Proficiency and competency of ERM process management can be measured by assessing five competency drivers. They are:
- ERM Program Oversight
- Risk Culture, Accountability & Communication
- ERM Process Steps
- Repeatability & Scalability
- Risk Management Reporting
When fully implemented at the level of proficiency that is repeatable or above (as defined in the RIMS Risk Maturity Model), this attribute individually contributes as much as 20% towards the overall value creation for the organization. The utilization or internalizing of this attribute is reflected by the organization’s ability to scale and repeat its ERM successes from business unit to business unit, regardless of geographical boundaries, differences in process operations, markets or product types and leadership changeovers. Imagine your organization, its managers and its leaders without having to do any firefighting each Monday morning or for that matter any day of the week! The value of a focused effort to provide services and goods to your customers, clients or patients without any interruption and risk is enormous. The Risk Management Maturity Model allows the organization to get one step closer to a state of control.
Competency #1: ERM Program Oversight
There are three key readiness indicators that allow organizations to measure their level of proficiency in their desire to become competent in ERM program implementation. The three key readiness indicators explore participation by various levels of the organization (including middle management) in the ERM processes, the organization’s ability to clearly identify risk ownership, and its ability to set clear accountabilities at all levels of the organization in working towards a collaborative risk assessment.
Competency #2: Risk Culture, Accountability & Communication
It is not surprising to find a risk culture (e.g. shared preferences toward risk and uncertainty from executives to front line) as one of the drivers behind the ERM process management attribute. It is the ingrained nature of the ERM process within the organizational culture that makes risk culture valuable and effective. The proficiency on this competency is measured through two key readiness indicators. Of these two, the first indicator relates to the clarity with which risk management is defined and practiced at all levels of the organization. The second indicator describes the habit or frequency with which risks and opportunities are evaluated and documented in risk management plans. It is important to note that when documenting in risk management plans, attention is given to strategic opportunities and the evaluation criteria. It is most useful when the risks are evaluated on multiple dimensions such as impact, timing and confidence level of expected outcome.
Competency #3: ERM Process Steps
There are three key readiness indicators that can help us gauge the proficiency and compliance level with this competency driver. The first indicator relates to the consistency with which all processes within the organization are mapped for their risks. Considerations should include critical resources and upstream and downstream process dependencies. The second readiness indicator for this competency looks into the thoroughness of risk assessments. The three critical dimensions of risk assessment it focuses on are impact, likelihood and control assurance. The third and final indicator looks into monitoring activities associated with identified risks. In order for the ERM process to work, the monitoring data should remain up-to-date, complete and appropriately authorized.
Competency #4: Repeatability & Scalability
Repeatability and scalability competency is evaluated by assessing three key readiness indicators. These indicators assess how regularly the Board or ERM committee meets, what proportion of the committee members are regularly active and engaged, and how performance management is linked to key risks within the organization at all levels.
Competency #5: Risk Management Reporting
The three key readiness indicators that assess this competency involve looking into organization metrics for coverage, completeness and timeliness of reporting to various levels of an organization and its key stakeholders. The assessment also looks into an organization’s ability to dive into details in real time based on the needs of its stakeholders (e.g. Board of Directors) and the flexibility of reports with regard to ever-changing internal or external context and market conditions.
When it comes to change management or implementation of a program such as ERM, we often hear the phrase “WIFM” – What is in it for me? Going from chaos to tranquility in the boardroom is a much-appreciated benefit that is practical in the form of effective enterprise-wide risk performance. Another major benefit that becomes clear is the move away from random, uncoordinated and subjective decision making to a more coordinated, risk-based and data-driven decision-making process. The initial benefits of ERM process implementation often help in supporting further implementation and scalability of ERM processes in all parts of the organization. This focus and attention on ERM process integration ensures that risks are identified and analyzed in each business unit, risk oversight is clear and consistent, and decision-making and performance management are linked and interwoven into ERM processes.
I would love to hear from you on your pet peeves about risk maturity assessment and best practices that have worked for you and your organizations. If you know of a good risk maturity model, I am interested in learning more about that too.
References:
- 5-Step plan for any Enterprise Risk Management (ERM) Program!
- HOW TO BE A GOOD RISK MANAGER – CHIEF RISK OFFICER (CRO)!
- Operational Risk Management and Compliance Management in Emergency Department
- Enterprise Risk Management Governance
- Part 1: Decoding The RIMS Risk Management Maturity Model
BIO
Jignesh is a consultant specializing in managing change involving Lean, Quality Improvement and Healthcare information technology. He has worked for Fortune 500 organizations and the public sector, and has led start-ups in the healthcare and biotech sectors. Jignesh has developed a reputation as a dynamic, innovative, and motivational leader with over 15 years of experience as a champion of quality, safety and risk in diverse organizations. His ability to ask the right questions and think creatively and strategically gives those he works with a “competitive advantage” in developing winning strategies for their future and the future of their organizations.
Contact: Jignesh.padia@gmail.com