How to Use Risk Maturity Models

Over the last 10 years of the “risk leader” portion of my career, as the head of enterprise risk management at USAA (2001-10), as well as during my subsequent work as an ERM consultant, I was challenged by several questions that affect risk management results and, by extension, ultimate success. All fell under the header of “risk management maturity,” and focusing on it can provide huge benefits to you and to your organization. To start, we need to get two things straight. First, how are you defining “risk,” and have you driven a consensus among key stakeholders about that definition? Second, which risks are you going to manage, and where on the loss curve do they fall? These questions may sound simple, but the reality is that many risk leaders have responsibilities for only a portion of the risks that organizations face -- often, only the insurable risks. If that’s the case, you have your answer to both questions nailed. See Also: How to Develop Risk Maturity If, on the other hand, you are a risk leader with broader accountability for more or all risks (via enterprise risk management, or ERM) that could affect an organization (both negatively and positively), then the first question -- "how does your firm define risk?” -- requires clear definition. The most commonly accepted definition of risk is “uncertainty.” I like this simple definition, and it captures the most central element of concern. However, the real challenge remains the question about the level of uncertainty (aka frequency/likelihood). To many, even more important is the level of impact or severity. My favorite chart to help illustrate this concept is one where the “tail” of the loss distribution represents where the proverbial “black swans” live. A typical loss curve has as its peak the expected level of loss, and the black swan sits out on the tail of this curve, where the x-axis is impact of severity of loss and the y-axis is the frequency or likelihood of loss. While many hazard-focused leaders put their attention on risks at expected level or to the left along the x-axis where certainty of loss rises, the challenge is where in this region of the curve to the right should one be managing? While the possibility of loss becomes increasingly remote as you move out toward the tail of the curve, the impact of events become more destructive. Key questions that must be answered include:

• Do we care more about likelihood or impact, or are they equal?
• What level of investigation do we apply to risks that are remotely likely?
• How do we apply limited resources to risks that are remotely likely?
• Do we have a consensus among key stakeholders as to what risks we should focus on and how?
• Do have or need a process to manage emerging risks?
• Do we have a consensus on and clear understanding of how we define risk in our organization?

These issues are the starting point to the risk management maturity question, which, if handled well, facilitates organizational success. From these answers, you can chart your course for your firm. The answers will define the process elements of maturity. But we need to define what risk maturity is to track progress toward it and to ensure that stakeholders are aligned around the chosen components. The various components among the numerous risk maturity models tend to overlap considerably. Here’s one generic set of attributes of maturity:

• Risk is managed to specifically defined appetite and tolerances
• There is management support for the defined risk culture and direct ties to the corporate culture
• A disciplined risk process is aligned with other functional areas
• There is a process for uncovering the unknown or poorly understood risks
• Risk is effectively analyzed and measured both quantitatively and qualitatively
• There is collaboration on a resilient and sustainable enterprise

The first, and I think most thoroughly developed, model comes from the Risk and Insurance Management Society (RIMS). It was developed some 10 years ago or so but remains in my opinion a simple yet comprehensive view of the seven most important factors that inform risk maturity and that, when well implemented, should drive an effective approach to managing any risk within your purview. The components of the RIMS model include a focus on:

• The degree to which an enterprise-wide approach is supported by executive management and is aligned with other relevant functions
• The degree to which repeatable and scalable process is integrated in the business and culture
• The degree of accountability for managing risk to a detailed appetite and tolerance strategy
• The degree of discipline applied to using the elements of good root-cause analysis
• The degree to which a robust emerging risk process is used to uncover uncertainties to achieving goals
• The degree to which the vision and strategy are executed considering risk and risk management
• The degree to which resiliency and sustainability are integrated between operational planning and risk process

As with all risk management strategies (no two of which that I’ve seen are exactly the same), there is no one way to accomplish maturity. Every risk leader needs to do for her organization what the organization needs and will support. Another maturity model that is worthy of note is the Aon model. Like RIMS’ model, it enables multiple levels of maturity and methodology for charting progress toward an ideal state. Characteristics of the Aon model include:

• Ensuring the board understands and is committed to the risk strategy
• Establishing effective risk communications
• Emphasizing the ties among culture, engagement and accountability
• Having stakeholder participation in risk management activities
• Using risk information for decision making
• Demonstrating value

This is not to say that the RIMS model ignores these issues. There is simply a different emphasis. Also noteworthy is Protiviti’s perspective on the board of directors' accountability for risk oversight. A few highlights include:

• An emphasis on the risks that matter most
• Alignment between policies and processes
• Effective education and use of people and their place in the organization
• Assumptions that are supportable and understood
• The board’s knowledge of the right questions to ask
• Focus on understanding the relationship to capability maturity frameworks

Certainly, the good governance of organizations is critical, and the board’s role is paramount. If the board is engaged and accountable for ensuring that its risk oversight is effective, the strategy is likely to be executed successfully and, by inference, risk will have been effectively managed, as well. See Also: How to Link Risk and Strategy To complete the foundation for the business case for using a risk maturity model to track progress, consider these key points:

• There is no one right approach; each organization must chart its own course aligned with its culture and priorities
• Risk must be treated as an integral aspect of strategy
• There must be a focus on additive value, as with all corporate processes
• Risk maturity has produced documented valuation premium for studied users

With the effective use of risk maturity models, you should be able to better chart your risk evolution journey, and how a good maturity strategy related to corporate strategy and priorities is the ultimate nexus for success. Risk and risk management should drive performance results and what remains to be done to achieve longer-term aspirations. This approach to managing your risk strategy should allow you to:

• Translate the component of risk maturity into a successful ERM journey
• Refer to ERM results and impacts achieved by others to buttress your efforts
• Understand key tactics to exploit and pitfalls to avoid as you perfect your risk management strategy.

Using a risk maturity model will, if nothing else, provide the guard-rails and discipline that may otherwise be missing from your current attempts to make a difference in the success of your enterprise.