#337 – COMCOVER CHANGES ITS ERM BENCHMARKING PROJECT – JAMES KLINE PH.D.

Posted on by

In my last piece, CERM Risk Insights #324, I mentioned briefly the Comcover maturity model. Comcover is the self-insurance arm of the Australian Commonwealth. It has annually conducted a self-assessment Enterprise Risk Management (ERM) survey of Commonwealth agencies. The purpose of the survey is to determine the level of ERM’s penetration. The basis for the determination is a risk maturity model. The model is incorporated into the survey questions.

In 2021 the self-assessment survey questions were changed. This piece examines the Comcover model and the changes that have been made from the 2018 version.

Why the Model Changed?

The fundamental reasons the model was changed is because it was felt that after five years the agencies needed to be pushed further along the ERM implementation process. It was also decided that agencies needed more time to implement changes. Thus, a biannual instead on an annual survey is being implemented.

2018 Model

The Comcover maturity model has three parts. The first part is a series of four question objectives.  The objectives provide the goals the organization seeks to accomplish with respect to implementing ISO’s 31000 model.  The objectives are linked to nine elements which underpin the ERM effort. The nine elements range from: Element 1 Establishing a risk management policy, to Element 9 Reviewing and continuously improving the management of risk. The elements match closely the ISO 31000 implementation steps.

The second part is the basic (text) questions used to determine the extent to which Australian Commonwealth agencies have implement ERM. There are four text questions. They are:

  1. Does your entity have a risk management policy?
  2. What does your entity’s risk management policy include?
  3. Has your entity defined its risk appetite?
  4. How is risk appetite used in your entity?

The third part is the list of answer options. Thus, under Question 1, the text question is Does your entity have a risk management policy? The responses include:

  • Your entity does not have a risk management policy.
  • The risk management policy is drafted but awaiting senior management sign-off.
  • The risk management policy is communicated to all staff to advise of any updates to the   policy.

Based on the answers a numerical value is determine. This value identifies the agency’s location on the maturity model.

The Comcover model has six maturity levels. These are: Fundamental 0-.99, Developed 1-1.99, Systematic 2-2.99, Integrated 3-3.99, Advanced 4-4.99 and Optimal 5-6.  A 2019 ERM implementation audit, conducted by Deloitte, determined Commonwealth agencies moved from an overall maturity score of 3.28 in 2015 to 3.68 in 2019. (1)

The 2021 changes to the basic model represent a move away from the nine elements. This results in a change to all parts. The 2021 model also reduces the number of maturity levels from six to five. It drops the Optimal level.

Focus change

The most fundamental change is the focus. By moving away from the nine elements, Comcover has moved from an emphasis on the ISO 31000 implementation process to a focus on five specific areas. The areas are:

  • Risk Governance
  • Risk Culture
  • Risk Capability
  • Risk management framework and practices.
  • Organizational resilience and agility.

The first four areas have direct corollaries with the ISO 31000 implementation process. Thus, the core ERM focus remains the same, even though the emphasis is slightly different. The fifth area, while inferred, is not explicitly identified in ISO 31000..

To see how this plays out in the new self-assessment process let us examine the changes to each part.

Part One Question Objectives

Besides the change in the focus, a fifth question objective has been added. Below are the new Question Objectives.

  1. To determine whether roles, responsibilities, and accountabilities for managing risk have been clearly defined and appropriately assigned to ensure that all officials and stakeholders understand their risk management duties.
  2. To determine where risk management roles responsibilities and accountabilities are recorded and communicate to ensure all officials and committees are clearly aware of their risk management duties.
  3. To determine how internal stakeholders to your entity receive relevant and useful risk
  4. To determine the nature of risk information and reported and monitored within your entity.
  5. To determine whether key stakeholders to your entity regularly receive relevant and useful risk information. Key stakeholders can include service providers, third, parties, and relevant community interest groups.

The new question objectives are less focused on the broader aspects of the implementation process such as the presence of a risk management policy. They are more focused on roles and responsibilities.

Part Two: Question Text

Like the Question Objective the Question Text has been changed. Below is the question text for objective 1 in 2018 and 2021 (italic).

2018 Does your entity have a risk management policy?

2021 Which roles, responsibilities, and accountabilities for managing risk in your entity                           are formally defined and documented?

The change moves the self-assessment from a focus on policy to a focus on roles, responsibilities, and accountabilities. Another example of the shift can be seen in the Question Objective 4. In 2018 the Question Text is:

How is risk appetite used in your entity?

In 2021 the Question Text is:

What type of risk information is reported and monitored in your entity?

Risk appetite does not appear specifically in any of the Question Text in 2021. Instead, it is included in a general response. For example, Question 3 states: “Risk information is shared when updates are made to key risk documents (e.g., policy, framework, risk appetite).

Part Three Answer Options

Perhaps the most dramatic change is in the Answer Options. For example, below are selected answer options for Question 1 of the 2018 and 2021 (italics) surveys.

Does your entity have a risk management policy?

Your entity does not have a risk management policy.

The risk management policy is drafted but awaiting senior management sign-off.

The risk management policy aligns with relevant better practice standards.

Which roles, responsibilities, and accountabilities for managing risk in your entity are formally defined and documented?

Accountable authority

            Senior executive

            Management

            Chief risk officer or equivalent who reports to a member of the Executive Team

            Internal Audit

            Risk Champion

            Dedicated risk manager

The differences in focus between the two questions and answer selections are clear. The 2021 responses for Question 1 seem geared toward Risk Capability. The 2021 answer selection for questions 4 and 5 show the focus on different areas.

The answers for Question 4 seemed geared toward Framework and Practice.

How is risk information formally communicated and shared internally within your entity?

Operational Risks

            Enterprise Risks

            Program and Project Risks

            Strategic Risks

            Risk levels against risk tolerance and appetite

            Risk culture maturity

            Risk performance information (e.g., risk training metrics, loss event data, near – miss                               analysis, achievement of strategic objectives)

Question 5 seems geared towards Risk Management Framework and Practices. Question 5 and several of the Answer Options are below.

Who does your entity report and communicate risk information to and what is the frequency?

Risk Information is reported to your entity’s accountable authority:

  • Never
  • On an ad hoc basis (infrequently)
  • Annually
  • Every 3-6 months
  • At least monthly
  • Dynamically (in accordance with the risk landscape)

Risk information is reported to risk owners at the operational, program or project level:

  • Never
  • On an ad hoc basis (infrequently)
  • Annually
  • Every 3-6 months
  • At least monthly
  • Dynamically (in accordance with the risk landscape)

What is difficult to identify in both the above answer options and the rest contained in the survey, are those related to organizational agility and resilience. Organizational agility and resilience are a key emphasis under the revision. Therefore, responses related to that emphasis should be obvious. The fact that they are not, is a problem. But it is not the only problem.

Problems

As I noted in my earlier piece, Comcover has been on the forefront in the use of a risk management maturity index in government. Until the 2021 revision, the basic structure of the Risk Management Maturity Index was like all the others, the OECD approach being one example. The 2021 change makes the Comcover approach unique in in that it shifts from the emphasized away from the ISO 31000 implementation steps to more directed items like Chief Risk Officer and Risk Champion. This departure means that Comcover will not be able to continue historical comparison begun in 2015. While much of the emphasis is the same, the answer options are significantly different.

Another problem relates to the specificity of positions in Questions 1. To score higher on the maturity index an agency must respond positively to as many items as possible. However, agency size varies, and some may not be able to afford to support a Chief Risk Officer or a Risk Champion. This level of specificity in positions may disadvantage smaller agencies, even though, their risk implementation processes are as good as larger ones.

Conclusion

The Commonwealth of Australia is a leader in ERM implementation. The implementation process has been facilitated by the Comcover ERM self-assessment survey. Until 2021, the focus of the survey was consistent with ISO 31000 implementation. The revision has moved away from this direct linkage. It has also separated the Comcover self-assessment approach from that used in other risk maturity models. This uniqueness means that in 2023, when the result of the next self-assessment takes place, there will have an opportunity to see how well the new emphasis works. It might also answer an important question. As organizations mature in ERM implementation, should the emphasis remain on the ISO 31000 implementation steps, or should modification like those being implement in the Australian Commonwealth be considered?

End Notes

  1. Deloittee, 2019,” Comcover Risk Management Benchmarking Program 2019 Key Findings Report”, June 2019, https://www.finance.gov.au/sites/default/files/2019-11/2019-key-fomdomgs-report.pdf.

James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence, and a Certified Enterprise Risk Manager.  He has work for federal, state, and local government. He has over ten year’s supervisory and managerial experience in both the public and private sector.  He has consulted on economic, quality and workforce development issues for state and local governments.  He has authored numerous articles on quality in government and risk analysis. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon.  He is the principle of JK Consulting. jeffreyk12011@live.com

Leave a Reply

Your email address will not be published.