Risk Maturity: Are You On The Right Journey?
Across risk management functions in organisations of all sizes, there has been a gradual but steady shift in the way risk is understood and managed. We are seeing organisations move away from the static risk register and the traditional process-driven approach, and towards integrating risk management into business processes, where it forms something of a decision-guiding tool at all levels of the business.
THE EMERGENCE OF RISK MATURITY
Most standards and textbooks have traditionally focused on process and reporting, often depicting risk management as another element of compliance or internal audit.
The concept of risk maturity is therefore one that has largely developed outside of the academic realm. It has come to be understood as the measure adopted by organisations to help them better understand their overall risk position, including the value created from risk management initiatives. Despite lacking a clear or universal definition, risk maturity is a concept that is becoming better understood (and ultimately finding favour) amongst senior management.
Companies develop their risk maturity over time by building on the origins of their risk framework and experience to evolve to where they need to be. This journey typically embraces the 11 principles of risk management outlined in ISO 31000, the international standard for risk management.
During a recent presentation at the 2017 RIMS Risk Forum in Sydney, Marsh offered a view on the four key pillars that we believe ultimately underpin an organisation’s risk maturity:
Culture – Defined by organisational behaviours and actions, particularly behaviours that are rewarded versus those that are not tolerated.
People – Overall ability and competency of people and how risk management is integrated into the organisational structure.
Process – Textbook approach which has historically been over-represented in risk management standards; has its place and purpose but has also been the basis of some companies’ limited approach to risk management.
Application – Measuring how well risk management is applied and the value it creates.
A global study showed that companies in the top 20% of risk maturity generated three times the level of EBITDA of those in the bottom 20%.
Although it was traditionally lacking in risk maturity conversations, we are starting to see the “application” element of the four pillars become more prominent as companies begin to appreciate the value of investing in ERM. With evidence that financial performance is tightly correlated with the level of integration and coordination across risk, control and compliance functions, many organisations are now actively working to embed a risk culture throughout their business. While the ultimate aim is to fuel better performance and achieve a competitive advantage, along the road, many are developing ways to measure the value and benefit created from risk management initiatives.
Because risk maturity is relative, its measure is also variable. For some organisations, risk maturity is about increased simplicity and invisibility of risk management, and for others it’s an immersive integration of risk management into all core business processes. Ultimately, risk maturity needs to be measured against an organisation’s own operating environment.
The measure of risk maturity becomes a function of ascertaining any return on investment (ROI) from current ERM initiatives, as well as assessing the potential impact of future initiatives. As risk advisors, Marsh typically approaches this task by addressing risk in three dimensions:
Presenting a global view of risk via external risk perception studies to challenge an organisation’s own understanding of risk in a broader business/stakeholder/environmental context.
Providing tools and advice that allow an organisation to assess its maturity based on its own context and goals. Internal risk initiatives, performance and ROI can be tracked and used to design how an organisation can incentivise and reward risk management performance.
Utilising a global database to benchmark an organisation’s risk maturity against its peers.
How a company should approach enterprise risk management to create value and drive strategic benefit can take a variety of forms. It will depend on how advanced an organisation is within its own journey to risk maturity, and where it ultimately wants to be.
Disclaimer: The information contained in this publication provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation, and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. LCPA No: 17/0124