
A different approach to risk maturity – a simple model

Ayse Nordal, The Municipal Undertaking for Educational Buildings and Property in Oslo

and Ole Martin Kjørstad, Bank of Norway

October 2017, Y. Ayse B. Nordal and Ole Martin Kjørstad


CONTENTS

1. How do we define risk maturity?

2. Why do we measure risk maturity?

3. “What is in it” for the organization?

4. Existing risk maturity models

a) Examples

b) Common features

5. The improvement potential

6. A simple model by Nordal and Kjørstad

a) Maturity objectives

b) Maturity dimensions

c) Spider web chart and on-line assessment


1. HOW DO WE DEFINE RISK MATURITY?


Risk maturity is a benchmarking tool which measures to what extent an organization has implemented Enterprise Risk Management (ERM) in accordance with prevailing best practice.

• There is no universally accepted definition of risk maturity nor a common tool for benchmarking.

HOWEVER, the draft documents for the new updated versions of

• COSO, Enterprise Risk Management, Aligning Risk with Strategy and Performance

• ISO 31000, Risk Management – Guidelines

include the concept.


2. WHY DO WE MEASURE RISK MATURITY?

According to the document:

• Enterprise risk management capability and maturity provide information on how well enterprise risk management is functioning.

• A mature organization is often able to define enterprise risk management capabilities that provide better insight into its existing risk appetite and factors influencing risk capacity.

• A less mature organization with undefined enterprise risk management capabilities may not have the same understanding which can result in a broader risk appetite statement.


COSO draft framework (181) introduces a relationship between risk maturity and risk appetite.


2. WHY DO WE MEASURE RISK MATURITY?

According to the document:

• As relevant gaps or improvement opportunities are identified, the organization should develop plans and tasks and assign them to those accountable for implementation.

• Once implemented, these improvements should contribute to advances in risk management maturity.


ISO 31000 draft standard defines a relationship between continuous improvement and risk management maturity.


2. WHY DO WE MEASURE RISK MATURITY?


• To be able to make a comprehensive evaluation of the organization’s performance against best practice criteria

• To be able to identify improvement areas and opportunities which will bring the organization to a higher maturity level

• To be able to plan and initiate appropriate improvement measures


3. WHAT IS IN IT FOR THE ORGANIZATION?

Existing literature often focuses on defining maturity levels and assigning attributes to given maturity levels in organizations.

HOWEVER, there are some studies which aim to provide evidence of the benefits from employing risk maturity benchmarking. Examples:

• Research project by Mark Farrell from Queen’s University Management School and Ronan Gallagher from University of Edinburgh Business School.

• EY study which uses a global survey based on 576 interviews with companies and a review of more than 2750 analysis and company reports.


3. WHAT IS IN IT FOR THE ORGANIZATION?

• Farrell and Gallagher’s study has evidenced «…a clear and significant statistical correlation between mature enterprise risk management practices and a firm’s value. Organizations exhibiting mature risk management practices realize a valuation premium of 25%...»

• EY study has documented «…that companies in the top 20% of risk maturity generated 3 times the level of EBITDA as those in the bottom 20%.»


4. EXISTING RISK MATURITY MODELS - examples

• Many risk maturity models are built on the basic principles of the Capability Maturity Model, which was developed by the Software Engineering Institute at Carnegie Mellon University in 1993.

EXAMPLE: David Hillson 1997

Levels & Attributes

Attributes: Culture, Process, Experience, Application

Levels (highest to lowest): Natural, Normalized, Novice, Naive


4. EXISTING RISK MATURITY MODELS - examples

EXAMPLE: RIMS (The Risk Management Society)’s on-line assessment model by Steven Minsky 2006

Source: https://www.rims.org/resources/ERM/Pages/RiskMaturityModel.aspx


4. EXISTING RISK MATURITY MODELS - examples

7 attributes:

• Adoption of ERM-based process

• ERM-Process management

• Risk appetite management

• Root cause discipline

• Uncovering risks

• Performance management

• Business resiliency and sustainability


4. EXISTING RISK MATURITY MODELS - Common features

Many risk maturity models assume:

• A continuous progression to higher and higher maturity levels through time.

• A step by step development. It is not possible to skip a stage.

These models do not:

• Recognize that different areas in the organization may have different maturity levels

• Employ a common scale, which enables a universal and homogenous assessment

• Recognize that the requirements/ expectations of risk management may be different in different organizations (sector, size, transaction volume)

• Recognize that traditionally, risk maturity has not been an area where the Board and management were expected to formalize and state their ambition levels


5. IMPROVEMENT POSSIBILITIES


ERM programs can

• start and stop

• start and stagnate

• start slowly, react and atrophy

• evolve steadily and consistently


6. A SIMPLE MODEL by Nordal & Kjørstad

OUR FOCUS


MATURITY LEVELS MATURITY OBJECTIVES


6. A SIMPLE MODEL by Nordal & Kjørstad


Dimensions and maturity objectives

Risk management, strategy and decision making processes: All decisions (strategic, tactical and operational) are based on documented assessments of risks and opportunities.

Communication, information and reporting: The organization ensures continual communication and reporting of relevant information, with appropriate frequency.

Organization, authority and interaction: The risk management function has an appropriate organization and resource allocation.

IT-tools and analyses: Risk management is based on the best available information and is suitable to the organization’s needs.

Framework and processes: The organization has implemented an effective and suitable risk management framework.


6. A SIMPLE MODEL by Nordal & Kjørstad

• Maturity is assessed separately in each dimension, by counting the number of criteria met by the organization.


Maturity level Criteria

5 The organization satisfies all the criteria (all 10 requirements)

4 The organization satisfies 8 or more requirements

3 The organization satisfies 6 or more requirements

2 The organization satisfies 4 or more requirements

1 The organization satisfies 2 or more requirements
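Scoring one self-assessment against this table, as an added example that is not the authors' on-line tool: each of the five dimensions is scored separately from its ten yes/no criterion answers, so the five resulting levels form the profile plotted in the spider web chart. The dimension names, the ten criteria per dimension and the thresholds are taken from the slides; reporting level 0 for fewer than two criteria met is an assumption, since the slides do not define that case.

```python
# Added illustration of per-dimension scoring in the Nordal & Kjørstad model.
# Not code from the presentation. Dimensions, ten criteria per dimension and
# the thresholds come from the slides; level 0 for fewer than two criteria
# met is an assumption, because the slides do not define that case.
from typing import Dict, List, Sequence

DIMENSIONS = (
    "Risk management, strategy and decision making processes",
    "Communication, information and reporting",
    "Organization, authority and interaction",
    "IT-tools and analyses",
    "Framework and processes",
)
CRITERIA_PER_DIMENSION = 10
# (minimum criteria met, level), checked from the top down.
LEVEL_THRESHOLDS = ((10, 5), (8, 4), (6, 3), (4, 2), (2, 1))


def maturity_level(criteria_met: int) -> int:
    """Map the number of satisfied criteria (0..10) to a maturity level."""
    if not 0 <= criteria_met <= CRITERIA_PER_DIMENSION:
        raise ValueError(f"criteria_met must be 0..{CRITERIA_PER_DIMENSION}")
    for minimum, level in LEVEL_THRESHOLDS:
        if criteria_met >= minimum:
            return level
    return 0  # assumption: the slides give no level below two criteria


def assess(answers: Dict[str, Sequence[bool]]) -> Dict[str, int]:
    """Score each dimension separately; all five must be present for the chart."""
    if set(answers) != set(DIMENSIONS):
        raise ValueError("answers must cover exactly the five dimensions")
    profile = {}
    for dim in DIMENSIONS:
        checks = list(answers[dim])
        if len(checks) != CRITERIA_PER_DIMENSION:
            raise ValueError(f"{dim!r}: expected {CRITERIA_PER_DIMENSION} answers")
        profile[dim] = maturity_level(sum(1 for met in checks if met))
    return profile


def weakest_dimensions(profile: Dict[str, int]) -> List[str]:
    """Dimensions at the lowest level: where improvement measures start."""
    lowest = min(profile.values())
    return [dim for dim, level in profile.items() if level == lowest]


# Constructed sample self-assessment (not real data): a complete framework,
# but decision making and IT tooling only partly risk-based.
SAMPLE_ANSWERS = {
    DIMENSIONS[0]: [True, True, True, False, False, False, True, False, False, False],
    DIMENSIONS[1]: [True] * 8 + [False, False],
    DIMENSIONS[2]: [True] * 6 + [False] * 4,
    DIMENSIONS[3]: [True, False, True, False, False, False, False, False, False, False],
    DIMENSIONS[4]: [True] * 10,
}
```

Calling `assess(SAMPLE_ANSWERS)` gives levels 2, 4, 3, 1 and 5 for the five dimensions in order, and `weakest_dimensions` points at IT-tools and analyses as the first improvement area.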


6. A SIMPLE MODEL by Nordal & Kjørstad


Criteria

Dimension: Risk management, strategy and decision making processes

Maturity objective: All decisions (strategic, tactical and operational) are based on a documented assessment of risks and opportunities.

The organization’s risk appetite is clearly defined and quantified through appropriate dimensions. This includes both financial and operational uncertainty.

There exists documentation which evidences that decisions are made within the boundaries of approved risk appetite.

The work on strategies and business plans includes risk assessment, which takes uncertainties in the internal and external context into account.

Assessments of risks/uncertainties form the basis for the organization’s resource allocations and budgeting.

The head of the risk management function is invited to and involved in relevant decision making forums.

Achievement of objectives is measured in a way that allows for the evaluation of the degree of achievement against the degree of uncertainty.

Assessment of uncertainty is a factor for resource allocation. The costs and benefits of improvement tasks and actions are quantified and compared with quantified uncertainty.

Risk assessment is an integrated part of the strategic decision making process.

Documented decisions and minutes include an explicit assessment of risks and opportunities.

Achievement of objectives is reported in a manner that it can be compared to the initial risk assessments prior to undertaking those activities.


6. A SIMPLE MODEL by Nordal & Kjørstad


Criteria

Dimension: Communication, information and reporting

Maturity objective: The organization ensures regular communication and reporting of relevant information, with appropriate frequency.

The organization has a plan and a policy for communication with external stakeholders.

The head of risk management has access to external reporting regarding regulatory and administrative requirements.

Internal communication mechanisms have been established. These ensure information is communicated to all relevant employees about the underlying principles, framework and processes of risk management.

Managers and decision makers have continual access to updated information about risks as well as status of improvement actions and work, through reporting and through continual communication.

Quality assurance of risk reporting, including reporting by managers, has been established. This process ensures truthful, relevant, accurate and comprehensible reporting.

The organization maintains a documented and accessible overview of risk-, action- and process owners.

Information channels, forums and mechanisms have been established. These facilitate the distribution of risk information to line management and administrative functions.

The organisation has in place processes and guidelines which take care of ethical principles, confidentiality and integrity in connection with internal and external communication.

The organization enables transparency and cross industry co-operation when dealing with risks related to IT-security and financial crime.

The head of risk management reports directly to the Board on a periodic basis and has a direct reporting line when needed.


6. A SIMPLE MODEL by Nordal & Kjørstad


Criteria

Dimension: Organization, authority and interaction

Maturity objective: The risk management function has an appropriate organization and resource allocation.

The management ensures an appropriate risk management organization and supports its work. The role and responsibility for risk management is clearly anchored with management across the organisation.

The risk management function has a mandate. It is rooted in the organization’s strategy and it backs up the strategy.

The head of risk management is either a member of top management or reports directly to it.

The risk management function has the necessary resources to accomplish its tasks. The risk management organization and resources are appropriate to the size and complexity of the organization.

The organization has developed a risk culture and a common terminology for risk management.

The head of risk management has the necessary authorizations as well as the authority to be able to perform her/his responsibilities.

The job description of the head of risk management contains requirements about risk management performance indicators, competence and integrity.

Tasks are not allocated to the head of risk management which can hinder the execution of an effective risk management function.

The head of risk management has established good relations with the rest of the organization. Appropriate cooperation forums have been established which ensure effective interaction between various functions and lines of defence.

The head of risk management cannot be hired or fired without the approval of the Board of Directors.


6. A SIMPLE MODEL by Nordal & Kjørstad

Criteria

Dimension: IT-tools and analyses

Maturity objective: Risk management is based on the best available information and is suitable to the organization’s needs.

The organization has appropriate tools to facilitate and document risk management tasks, i.e. risk identification, risk analysis, the follow-up of the actions and improvement measures.

Users of IT-tools understand the assumptions, limitations and possibilities of these tools.

Decision makers have been informed about the possible limitations of models and systems which are used.

The use of models and tools is not fragmented. The models and tools include parameters which allow comparisons across the organization.

Risk analyses are verifiable and they satisfy the requirements of reliability, completeness and traceability.

The systems which are in use are flexible and can produce reports required by the authorities and external stakeholders (HSE reports, financial reporting etc.).

The systems which are in use can handle sensitive data in compliance with prevailing requirements.

The organization can monitor the quantifiable risk parameters continuously.

The organization has appropriate channels and tools for the reporting of events.

There exists an overview of IT-applications, interfaces between these as well as the criticality of the operations.


6. A SIMPLE MODEL by Nordal & Kjørstad

Criteria

Dimension: Framework and processes

Maturity objective: The organization has implemented an effective and suitable risk management framework.

The organization has established mechanisms which take into account knowledge of the internal and external context.

The method and framework are built on a clear mandate and risk management policy with clearly defined authority and resource allocations.

Risk management is embedded and integrated in all processes, business and administrative. No area, level or process is excluded in the design of the risk management framework.

The framework is evaluated on a regular basis and is subject to continual improvement.

Risk management is an inclusive process which enables feedback and input from the whole organization.

Risk management is an iterative process. The process responds to changes in the environment, organization, systems and structures.

There is a defined and readily apparent connection between calculated risks and the measurement of value creation.

Assessment models for likelihood and consequence, parameters and criteria are defined as components of the framework and are evaluated on a regular basis.

The framework includes a system for setting priorities and for monitoring actions and improvement measures.

The framework includes periodic assessments of effectiveness as well as cost benefit of all key processes, controls and actions.


6. A SIMPLE MODEL by Nordal & Kjørstad


Available online via IIA Norway’s website.