Claims and Effective Risk Management

The cost of claims has been at the heart of Total Cost of Risk (TCOR) since even before the inception of risk management as a separate function. The sheer magnitude of losses, insurable or not, defines much of what risk managers focus on and tends to be what they report on most often, as well. Mature and, by inference, effective risk management programs treat claim management as a key focus. While risk maturity is directly correlated with risk effectiveness, the latter term encompasses a much broader perspective on the things that matter.

Not surprisingly, many components of risk management maturity have some connection to effective claim management. Accordingly, it is appropriate to understand what these components are and how they dovetail with a more comprehensive view into effective risk management. Admittedly, this perspective relates most to the traditional practice of risk management, focused on hazard risk, but failure in this realm will likely point to failure in other areas of risk management.

Components of Risk Discipline 

To instill risk discipline, and, by extension, maturity into claim management, one must set the tone for effectiveness across the spectrum of risk management activities and significantly feed overall risk management performance. This tone will influence the ability of risk leaders to act as “trusted advisers” to organizational decision makers. This should be a key goal for risk leaders, critical to long-term effectiveness and functional sustainability.

The starting point is two key things. First, how one defines “risk” and drives a consensus among key stakeholders about that definition. Claims are, of course, the outgrowth of risk and exposure. This direct relationship is the essence of why claims and effective claims management have a direct relationship to effective risk management. Whether this aspect of the discipline gets done by insurers (as part of the insurance contract), insureds (as part of a self-administered claim operation) or through third parties (independent adjusters, third party administrators, etc.) makes little difference. Effective claim management feeds effective risk management.

The second issue is both which risks are your focus and where on the loss curve they fall. This may sound simple, but the reality is that many risk leaders have responsibilities for only a portion of the risks that organizations face; often only the insurable risks. If that’s the case, the need to focus on claim management is clear; one leads to the other.

The Basics of Effective Risk Management Maturity

If you are a risk leader with broad accountability for risks, then the first question of “what is a risk to your firm?” requires total clarity. For the purposes of this article, a good definition of risk is “uncertainty” as it relates to the accomplishment of objectives. This simple definition captures the most central element of concern — uncertainty. However, the real challenge is determining the amount of uncertainty (such as frequency/likelihood), as well as the level of impact or severity. Each risk leader must make this choice and get it validated by his or her organization.

While many leaders focused on hazard risk look at risks at actuarially “expected” levels of loss, the challenge is how far out on the tail one should manage. While the possibility of loss becomes increasingly remote as you move out toward the tail of the curve, the impact of events becomes more destructive. Because the magnitude of loss in this realm can be catastrophic, the importance of both preventing and mitigating these events and their impact becomes critical. Central to after-loss mitigation is the claim management process. Related key questions that every risk leader must answer include:

  • What matters more to your organization: likelihood or impact, or are they equal?
  • What level of investigation should you apply to less likely risks?
  • How do we apply typically limited resources to remotely likely risks?
  • Do you have a consensus among key stakeholders as to what risks to focus on and how?
  • Do you have or need an emerging risk identification process?
  • Do you have a consensus on and clear understanding of how you define risk in your organization?
  • Have you educated your organization on the correlations between losses, claims and risk effectiveness?

These questions are the starting point for ensuring risk management maturity. From your answers to these questions, you can chart your course for what this will mean to your firm. The answers will define the process elements of maturity that will be needed to achieve your desired state. But we need to define what risk maturity is to track progress toward this state and to ensure that stakeholders are aligned around the chosen components necessary to get there. The attributes of claims and risk maturity include:

  • Managing exposures to specifically defined appetite and tolerances;
  • Management support for the defined risk culture that ties directly to the organizational culture;
  • Ensuring disciplined risk and claim processes aligned with other functional areas;
  • Creating a process for uncovering the unknown or poorly understood (aka emerging) risks;
  • Effective analysis and measurement of risk and claims both quantitatively and qualitatively; and,
  • A collaborative focus on a resilient and sustainable enterprise, which must include a robust risk and claim strategy.


Examples of Risk Management Maturity Models

One thoroughly developed risk management maturity model (RMM) comes from the Risk Management Society (RIMS). While it was developed some 10 years ago, it remains a simple, yet comprehensive view of the seven most important factors that inform risk maturity. When well implemented, these components should drive an effective approach to managing all risk within your purview.

The components of the RIMS RMM model include:

  • Adopting an enterprise-wide approach that is supported by executive management and that is aligned well with other relevant functions;
  • The degree to which repeatable and scalable process is integrated in the business and culture;
  • The degree of accountability for managing risk to a detailed appetite and tolerance strategy;
  • The degree of discipline applied to using the elements of good root cause analysis;
  • The degree to which a robust emerging risk process is used to uncover uncertainties to goal achievement;
  • The degree to which the vision and strategy are executed considering risk and risk management; and,
  • The degree to which resiliency and sustainability are integrated between operational planning and risk process.

As with all risk management strategies, no two maturity efforts are exactly the same, and there is no one way to accomplish maturity. Importantly, every risk leader needs to do for his or her organization what the organization needs and will support.

Of course, RIMS is not the only source of risk maturity measurement. Others, including Aon, offer different criteria. Aon’s model includes these components:

  • Ensuring the board understands and is committed to the risk strategy;
  • Effective risk communications;
  • Emphasis on the ties among culture, engagement and accountability;
  • Stakeholder participation in risk management activities;
  • The use of risk information for decision making; and,
  • Demonstration of value.

This is not to say that the RIMS model ignores these issues; the two models simply place a different emphasis on them.

Another model worth considering is Protiviti’s perspective on risk maturity as it relates to the board of directors’ accountability for risk oversight. A few highlights of that perspective include:

  • An emphasis on the risks that matter most;
  • Alignment between policies and processes;
  • Effective education and use of people and their place in the organization;
  • Ensuring assumptions are supportable and understood;
  • The board’s knowledge of asking the right questions; and,
  • Understanding the relationship to capability maturity frameworks.

Certainly, good governance is critical to ultimate success, and the board’s role is the apex of that consideration. If the board is engaged and accountable for ensuring that its risk oversight responsibility is effectively executed, successful execution of the strategy is likely and, by inference, risk and related claims will have been effectively managed, as well.

Another critical aspect of the impact of risk and claims that should not be overlooked is their impact on productivity. If productivity is directly related to people’s availability to work, then we can quickly agree that risks produce losses that affect both people and property, oftentimes together. We can readily agree that impacts to productivity are a frequent result of losses and the claims they generate. Further, productivity impacts are not just limited to on-the-job injury. Every car accident, property loss or general liability loss that includes personal injury has implications for productivity, in either the workplace or outside of the workplace. As a result, it behooves all risk and claim leaders to execute their roles by aligning their interests and driving their focus.

Finally, a few fundamentals that are important in executing these goals:

  • how you handle claims will directly affect not just your TCOR but your overall risk management capability and effectiveness;
  • there is no one right approach to managing claims or risks; each organization must chart its own course aligned with its culture and priorities;
  • risk and the claims it can generate must be treated as an integral aspect of organizational strategy;
  • risk and claim management should focus on additive value; and,
  • organizations with greater risk and claim maturity have been shown to achieve better results as a result.


In its simplest form, risk management is about preventing (or, on the upside, leveraging), financing and controlling risk and loss. Effective risk management is dependent on many elements, not least of which is effective claims management. And while claims are naturally focused on negative events that have already occurred, this activity is centrally critical to comprehensive, effective risk management.

How you prioritize claims and related activities will have significant effects on how you can contribute to organizational success. Doing both well will enable both risk and claim management effectiveness, demonstrated by measurable maturity.

How Risk Produces Financial Success

The evolving environment across economics, demographics and geopolitics, paired with the continuing pace of technological change, is creating an increasingly complex risk landscape for all types of businesses.

We continue to witness greater interconnection among risks and their potential impact on organizations. Never has it been more critical for organizations to consider the relationship between building sustainable competitive advantages and adopting risk management best practices.

It is incumbent on organizational executives and key leaders to take steps to increase their understanding of the risks they face to adapt to the changing environment. In addition, technology offers tremendous growth opportunities in the form of operational performance, automation, new products and services, new and enhanced distribution channels and improved business intelligence. However, the use of technology also increases exposure to cyber risk, which is a key concern.

The impact of connected risk has been felt by many organizations. Increasingly, boards are being obligated, in the case of regulated entities, or challenged to be acutely aware of and understand the key risks their organizations face and how they are being managed. The ability to understand, manage and develop effective organizational governance and processes that encourage improved risk-based decision-making is imperative to an organization’s financial and operational well-being.

In pursuit of the strategic objective to deliver value back to stakeholders, most organizations seek to grow their revenue or drive operational performance and efficiencies within their operating model. Invariably, in today’s complex and evolving environment, there is a level of uncertainty created in the tactical pursuit of such initiatives. Understandably, a greater level of uncertainty equates to a greater level of volatility in financial performance.


Researchers at Aon continue to identify correlations between advanced risk management capabilities and higher stock price performance for publicly traded organizations. Reducing volatility via the implementation of robust risk management practices should be a core objective for organizational leaders, as research repeatedly shows that higher levels of risk maturity correlate to lower stock price volatility.

Factors That Distinguish Organizations With Higher Levels of Risk Maturity

Risk professionals have long recommended a structured enterprise-wide risk identification and assessment process for organizations to tackle current and emerging risks. The Aon Risk Maturity Index Insight Report, developed by Aon in close collaboration with the Wharton School of the University of Pennsylvania, identifies three key factors to successfully understanding and managing risk:

  • Awareness of the complexity of risk
  • Agreement on strategy and action
  • Alignment to execute

Increasing performance along these dimensions requires a robust process that focuses on:

  • the identification of strengths and weaknesses
  • strong communication of risks and risk management across functions and at all levels of the organization
  • building consensus regarding the steps to be taken

Having different functions and levels involved and integrated into an organization’s risk maturity assessment process provides the foundation both for determining the organization’s current status along these dimensions and for identifying continuing improvement activities.

Aon and Wharton researchers found continued positive impacts on stock price performance and company profitability from higher risk maturity, underscoring the positive internal and external benefits that a robust and sustainable risk management program can deliver.

In addition to a cross-functional understanding of risk, the use of sophisticated quantification methods is another key characteristic exhibited by organizations with advanced risk maturity. Aon and Wharton research shows that organizations with higher levels of risk maturity successfully integrate the use of advanced risk quantification techniques and the utilization of those outputs in the risk decision-making process.

The Relationship Between Risk Maturity and Directors and Officers (D&O) Insurance Premium

Reductions in insurance premiums are another potential financial benefit from more mature risk management processes. This can occur through two channels. First, insurance providers are likely to lower insurance premiums for firms they view as less risky, as reflected in lower volatility. Second, better understanding of risk exposures and their drivers, together with the consistent development and application of risk appetite and risk tolerance concepts to decision-making, provides the information needed to make more informed decisions about which risks to avoid, mitigate or accept and which risks to insure.

By optimizing their insurance portfolio through more mature application of risk management processes, firms can potentially reduce premiums by avoiding or mitigating the most costly risks, choosing only the level of coverage that is necessary given the firm’s risk appetite and tolerances, and improving their bargaining position with insurers.


What’s more, Aon and Wharton research finds that firms with higher overall risk maturity scores paid significantly lower premiums for D&O insurance. Just a 10% increase in overall risk maturity scores is associated with D&O premiums that are 2.6% lower than the premiums paid by similar firms. This direct benefit does not take into account the indirect premium benefits that also arise from lower volatility — and thus lower premiums in firms with higher risk maturity. When we calculate the total effects of higher risk maturity on D&O premiums, including the benefits from lower volatility, the premium reduction associated with a 10% improvement in risk maturity scores increases to 3.9%.

Conclusion

The implementation of enhanced risk management practices represents a tremendous opportunity for all types of businesses to reduce the volatility associated with the evolving risk landscape while also leveraging the associated benefits to their D&O insurance programs.

How to Use Risk Maturity Models

Over the last 10 years of the “risk leader” portion of my career, as the head of enterprise risk management at USAA (2001-10), as well as during my subsequent work as an ERM consultant, I was challenged by several questions that affect risk management results and, by extension, ultimate success. All fell under the header of “risk management maturity,” and focusing on it can provide huge benefits to you and to your organization.

To start, we need to get two things straight. First, how are you defining “risk,” and have you driven a consensus among key stakeholders about that definition? Second, which risks are you going to manage, and where on the loss curve do they fall?

These questions may sound simple, but the reality is that many risk leaders have responsibilities for only a portion of the risks that organizations face — often, only the insurable risks. If that’s the case, you have your answer to both questions nailed.


If, on the other hand, you are a risk leader with broader accountability for more or all risks (via enterprise risk management, or ERM) that could affect an organization (both negatively and positively), then the first question — “how does your firm define risk?” — requires clear definition. The most commonly accepted definition of risk is “uncertainty.” I like this simple definition, and it captures the most central element of concern. However, the real challenge remains the question about the level of uncertainty (aka frequency/likelihood). To many, even more important is the level of impact or severity. My favorite chart to help illustrate this concept is one where the “tail” of the loss distribution represents where the proverbial “black swans” live.

A typical loss curve has as its peak the expected level of loss, and the black swan sits out on the tail of this curve, where the x-axis is the impact or severity of loss and the y-axis is the frequency or likelihood of loss. While many hazard-focused leaders put their attention on risks at the expected level, or to the left along the x-axis where certainty of loss rises, the challenge is deciding where in the region of the curve to the right one should be managing. While the possibility of loss becomes increasingly remote as you move out toward the tail of the curve, the impact of events becomes more destructive. Key questions that must be answered include:

  • Do we care more about likelihood or impact, or are they equal?
  • What level of investigation do we apply to risks that are remotely likely?
  • How do we apply limited resources to risks that are remotely likely?
  • Do we have a consensus among key stakeholders as to what risks we should focus on and how?
  • Do we have or need a process to manage emerging risks?
  • Do we have a consensus on and clear understanding of how we define risk in our organization?

These issues are the starting point to the risk management maturity question, which, if handled well, facilitates organizational success. From these answers, you can chart your course for your firm. The answers will define the process elements of maturity. But we need to define what risk maturity is to track progress toward it and to ensure that stakeholders are aligned around the chosen components.

The various components among the numerous risk maturity models tend to overlap considerably. Here’s one generic set of attributes of maturity:

  • Risk is managed to specifically defined appetite and tolerances
  • There is management support for the defined risk culture and direct ties to the corporate culture
  • A disciplined risk process is aligned with other functional areas
  • There is a process for uncovering the unknown or poorly understood risks
  • Risk is effectively analyzed and measured both quantitatively and qualitatively
  • There is collaboration on a resilient and sustainable enterprise

The first, and I think most thoroughly developed, model comes from the Risk and Insurance Management Society (RIMS). It was developed some 10 years ago or so but remains in my opinion a simple yet comprehensive view of the seven most important factors that inform risk maturity and that, when well implemented, should drive an effective approach to managing any risk within your purview.

The components of the RIMS model include a focus on:

  • The degree to which an enterprise-wide approach is supported by executive management and is aligned with other relevant functions
  • The degree to which repeatable and scalable process is integrated in the business and culture
  • The degree of accountability for managing risk to a detailed appetite and tolerance strategy
  • The degree of discipline applied to using the elements of good root-cause analysis
  • The degree to which a robust emerging risk process is used to uncover uncertainties to achieving goals
  • The degree to which the vision and strategy are executed considering risk and risk management
  • The degree to which resiliency and sustainability are integrated between operational planning and risk process

As with all risk management strategies (no two of which I’ve seen are exactly the same), there is no one way to accomplish maturity. Every risk leader needs to do for her organization what the organization needs and will support.

Another maturity model that is worthy of note is the Aon model. Like RIMS’ model, it enables multiple levels of maturity and methodology for charting progress toward an ideal state. Characteristics of the Aon model include:

  • Ensuring the board understands and is committed to the risk strategy
  • Establishing effective risk communications
  • Emphasizing the ties among culture, engagement and accountability
  • Having stakeholder participation in risk management activities
  • Using risk information for decision making
  • Demonstrating value

This is not to say that the RIMS model ignores these issues. There is simply a different emphasis.

Also noteworthy is Protiviti’s perspective on the board of directors’ accountability for risk oversight. A few highlights include:

  • An emphasis on the risks that matter most
  • Alignment between policies and processes
  • Effective education and use of people and their place in the organization
  • Assumptions that are supportable and understood
  • The board’s knowledge of the right questions to ask
  • Focus on understanding the relationship to capability maturity frameworks

Certainly, the good governance of organizations is critical, and the board’s role is paramount. If the board is engaged and accountable for ensuring that its risk oversight is effective, the strategy is likely to be executed successfully and, by inference, risk will have been effectively managed, as well.


To complete the foundation for the business case for using a risk maturity model to track progress, consider these key points:

  • There is no one right approach; each organization must chart its own course aligned with its culture and priorities
  • Risk must be treated as an integral aspect of strategy
  • There must be a focus on additive value, as with all corporate processes
  • Risk maturity has produced documented valuation premium for studied users

With the effective use of risk maturity models, you should be able to better chart your risk evolution journey and to show how a good maturity strategy, tied to corporate strategy and priorities, is the ultimate nexus for success. Risk and risk management should drive performance results and define what remains to be done to achieve longer-term aspirations. This approach to managing your risk strategy should allow you to:

  • Translate the components of risk maturity into a successful ERM journey
  • Refer to ERM results and impacts achieved by others to buttress your efforts
  • Understand key tactics to exploit and pitfalls to avoid as you perfect your risk management strategy

Using a risk maturity model will, if nothing else, provide the guard-rails and discipline that may otherwise be missing from your current attempts to make a difference in the success of your enterprise.

How to Develop ‘Risk Maturity’

This is Paper 4 in a series of five on risk appetite and associated questions. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards comprehend the links between risk and strategy. This is achieved either through painful crises or through the less expensive development of a risk appetite framework (RAF). Understanding of risk appetite is in our view very much a work in progress for many organizations, but RAF development and approval can lead boards to demand action from executives.

Paper 1, the shortest paper, makes a number of general observations based on experience in working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between risk appetite frameworks and strategy. This article, Paper 4, answers further questions on risk appetite and goes into some detail on the questions of risk culture and risk maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operate based on the links between risk and strategy.

How are risk appetite, risk tolerance and risk limits related to one another? A range of differences in philosophy are influencing the gradual determination of internationally accepted definitions. Notwithstanding, we recommend the definitions and the sequence of diagrams and explanations given in the Institute of Risk Management’s (IRM) guidance, which are

[Figure: IRM guidance diagrams defining risk appetite, risk tolerance and risk limits]

A number of models exist that seek to describe the relationship between risk appetite, tolerance and risk; for instance, the Ernst & Young Risk Pyramid below:

[Figure: Ernst & Young Risk Pyramid]

How are organizations using risk limits and risk tolerances around those limits? Our experience in working with clients shows that organizations are continuing to struggle with basic risk concepts, definitions, language, responsibilities, reporting and delivery. Accordingly, while risk limits are set to contain risk-taking practices, lack of common language and loose interpretation of concepts is causing confusion within organizations and leading to limits being seen as negotiable within the context of risk tolerances. As a corporate discipline, risk management is in its infancy, and the quality of risk practitioners is generally poor. Risk limits are perceived negatively by business practitioners, who use their limited knowledge of risk tolerances to argue for greater flexibility in applying limits.

How do organizations facilitate early warning of potential breaches of risk appetite? In practice, we find that there is limited facilitation. Rather, business people see the concept of risk as limiting practices that drive value and, thus, adopt the business school mantra of “seeking forgiveness rather than permission.” This is made easier in organizations where risk is seen as a nuisance and impediment to business and where appreciation of quality risk management is not apparent at senior levels. Business generators tend to view risk as friendly and flexible, designed to support business generation. Thus, risk limits are treated like speed limits on the public highway, more for observation than observance. Accordingly, we find few cases where early warnings are seen as anything other than flashing lights on the dashboard. In many cases, early warnings result in a case’s being presented to the risk committee for raising limits, rather than resulting in severe braking to ensure conformity in risk management.

Much of the foregoing represents the cultural challenge of embedding risk as a serious discipline rather than a faux science treated as an add-on. This reflects the nascent nature of risk management and its failure to be seen at board level as front and center to strategy and its effective and safe execution. Culture and “tone from the top” are critical here. So is strong support for risk executives at senior management level and an appreciation that risk management is akin to the medical profession, where hygiene is embedded in all procedures and provides a safe and secure means of conducting business, rather than being an impediment. The absence of good-quality risk officers and of universally accepted definitions of risk also undermines the discipline in organizations where there are few effective sanctions against limits being broken.

How do organizations assess risk culture? Optimal risk culture is designed and nurtured on building blocks practically described as blocks ABC:

[Figure: risk culture building blocks ABC]

The building blocks are briefly summarized as follows:

  1. Training, values and beliefs, reporting and continuous improvement directed at outcomes driving attitudes displayed by people, which
  2. Influence their behaviors and thus the quality of their discussions and decision making, thereby
  3. Manifesting as demonstrably credible risk culture.

Other than retrospective analysis of poor risk culture following various corporate crises, there is a limited body of reliable knowledge, and experience, on assessing “existing risk culture” and successfully navigating to a “target risk culture.” The IRM’s “Risk Culture, Under the Microscope: Guidance for Boards” describes multiple interactions:

[Figure: IRM “Risk Culture, Under the Microscope” framework of interactions]

Diagnostic tools are available to track the components described within the framework above. In our experience, however, such is the poor state of risk maturity in very many organizations that they are not sufficiently advanced to practically determine how they might chart a course from the existing to the target state of risk culture.

In 2011, the Financial Reporting Council produced the report: “Boards and Risk: A Summary of Discussions with Companies, Investors and Advisors.” In the section on risk and control culture, the report said:

  • It was recognized that risk and control culture was one of the issues on which it was most difficult for boards to get assurance, although boards appeared to be making more efforts to do so.
  • The risk management and internal audit functions could play an important role, as could reports from and discussions with senior management, but some directors felt that there was no substitute for going on to the shop floor and seeing for themselves. It was otherwise very difficult to judge whether risk awareness was truly embedded or whether it was seen as a compliance exercise. This, in turn, assumed that non-executive directors had a sufficient understanding of the business, which some participants noted may not always be the case.
  • One common approach was to ensure that responsibility for managing specific risks was clearly allocated to individuals at all levels of the organization, with their performance measured and reflected in how they were rewarded.
  • In some companies, the remuneration committee had been given responsibility for considering how to align the company’s approach to risk and control with its remuneration and incentives. Examples were also given of the head of the risk management or internal audit function submitting reports to that committee, for example on how the company was performing against certain key risks, or being invited to comment on the details of proposed incentive schemes.

More recently, the Financial Stability Board (FSB) in its “Peer Review Report on Risk Governance,” published in February 2013, identified “business conduct” as a new risk category and said, “One of the key lessons from the crisis (GFC) was that reputational risk was severely underestimated; hence, there is more focus on business conduct and the suitability of products, e.g., the type of products sold and to whom they are sold. As the crisis showed, consumer products such as residential mortgage loans could become a source of financial instability.”

In consulting and developing guidance for regulators, the FSB emphasizes the importance of risk culture as a principal influence in reducing the risk of mis-selling financial services products that can end up in the wrong hands, with detrimental prospects for consumers in particular and society in general. Clearly, conduct risk is systemic, and inherently so when considered in the context of big data; that is to say, conduct risk is very unlikely to exist in isolation within an organization.

Separately, the FSB has articulated what it considers to be the foundation elements of a strong risk culture in its publications on risk governance, risk appetite and compensation. It has broken down the indicators into four parts, which need to be considered collectively and as mutually reinforcing. The four parts are:

  1. Tone from the top: The board of directors and senior managers are the starting point for setting the financial institution’s core values and risk culture, and their behavior must reflect the values being espoused. The leadership of the institution should systematically develop, monitor and assess the culture of the financial institution.
  2. Accountability: Successful risk management requires employees at all levels to understand the core values of the institution’s risk culture and its approach to risk, be capable of performing their prescribed roles and be aware that they are held accountable for their actions in relation to the institution’s risk-taking behavior. Staff acceptance of risk-related goals and related values is seen as essential.
  3. Effective challenge: A sound risk culture promotes an environment of effective challenge in which decision-making processes promote a range of views, allow for testing of current practices and stimulate a positive, critical attitude among employees and an environment of open and constructive engagement.
  4. Incentives: Performance and talent management should encourage and reinforce maintenance of the financial institution’s desired risk management behavior. Financial and non-financial incentives should support the core values and risk culture at all levels of the financial institution.

Clearly, there is consistency in thinking as to the importance of risk culture and its core attributes. Monitoring risk culture is, however, very challenging. On the particular question of communicating risk culture to stakeholders, we question whether this can be done credibly without finding proxies for the attitudes and behaviors described in the ABC risk culture building blocks above. Our experience tells us that risk maturity capability requirements are today well-understood, reliable and credible proxies for risk culture. On this basis, we recommend that organizations travel the better-known road of “risk maturity,” for which a number of capable maturity models already exist.


We believe there to be a demonstrably credible correlation between full maturity (optimizing value through aligning risk and strategy with corporate objectives) and board ownership of the risk appetite framework, building resilience (defending operations, business model and reputation) and risk culture. The RMI Risk Maturity Index correlates:

  1. Level of alignment of risks to strategy, objectives and execution,
  2. Risk role affirmations at each maturity level,
  3. Risk culture affirmations (practices confirmed by internal and external attestors),
  4. Risk defense affirmations (practices confirmed by internal and external attestors),
  5. Board and organizational processes, and
  6. Value realized at three levels: a) the investor, b) the organization and c) stakeholders.

Progression from one level to the next requires a blend of internal and external independent attestations, which are facilitated with the aid of a database containing structured question sets. Risk maturity scores are weighted according to the:

  1. Quality of answers provided to questions,
  2. Availability of demonstrably credible evidence supporting answers,
  3. Rigor and consistency of risk data.

We believe that risk maturity attestation by seasoned practitioners will provide evidence-based assurance as to organizational risk culture.