March 1, 2012 Posted by Peter Moore 3 Comments
All organisations manage risks in their day-to-day operations. Some do it formally and some informally. The degree of maturity of business risk management processes, systems and procedures is based on the overall maturity of the business itself. Attempting to design and implement a sophisticated risk management system into an unsophisticated business is bound to fail. Equally, misalignment of risk processes and business process is likely to produce less than desirable business outcomes. This article explores Risk Management Maturity and how the Risk Management Maturity Model (RMM) can assist organisations design and develop risk management frameworks, processes and systems to support the business and add value to its operations.
In commencing the discussion, one needs to consider how the enterprise is structured and operated. An organisation with few formalised business processes and systems operates quite differently from an enterprise with documented business processes, work instructions, procedures and embedded quality management mechanisms. The former may be considered an “Immature” business and the latter a “Mature” business (with regard to formalised repeatable business processes).
A business with some systems documented with some degree of repeatability may be considered an “Early Starter”. A business with many systems documented with repeatable successful outcomes may be described as, “Progressive”. A business with documented processes and a quality management framework to provide successful repeatability of business outcomes may be considered to be, “Semi-Mature”. These terms are called “Parameters of Implementation”.
Such terminology can also be applied to the degree to which formal risk management is being undertaken in the business. Businesses with little knowledge of the risk management discipline may be considered Immature, whereas a business with a high degree of organisational awareness and knowledge of risk management may be considered to be Mature with regard to the Knowledge of the risk management discipline.
In developing the RMM Model, Risk Point has developed four Parameters of implementation for risk management maturity. The first has been addressed above and the remaining three parameters are: Understanding of the benefit and value of risk management, Risk management activities, and Use of Standards, tools and techniques.
The RMM Model contains descriptors for the degree of maturity across four risk management parameters aligned with business processes and systems. The aim is to gain an understanding of how a business operates and the degree to which is understands risk management so that appropriate risk management frameworks, procedures and systems can be developed and implemented. Alignment of the parameters will provide guidance on how risk management can be incorporated into the business. It also provides a “road map” in setting out the path the organisation can take in building its risk management framework, system and processes over time.
The RMM Model assists in developing appropriate and relevant risk management strategies for the business, as well as assisting in planning and decision making in establishing short, medium and long-term goals for developing, integrating and embedding risk management into the business.