Earlier this week at the annual RIMS conference, I partnered with Iman H. Al-Gharabally, Team Leader ERM, from the Kuwait Petroleum Corporation (KPC) to delve into the nature of mature and, by inference, effective risk management programs. My partner, in case study format, shared the details that defined the journey she has been on to instill risk discipline and maturity into this Fortune 100-sized state-owned oil and gas concern. After ten years, she has accomplished almost all that she set out to do. Yet, because as I like to say, risk management should never be labeled a “project,” the job is never done. In fact, as she shared, some big, aspirational goals remain that are critical to long-term effectiveness and sustainability.
As a prelude to her case presentation, and based on my tenure as the head of enterprise risk management (ERM) at USAA (2001-10), as well as my subsequent work as an ERM consultant, I spent time delving into the more generic questions that surround risk management maturity and, by extension, effectiveness and ultimate success.
The starting point for this discussion should be two key questions. First, how are you defining “risk” and have you driven a consensus among key stakeholders about that definition? The second and related issue is both which risks are you going to manage and where on the loss curve do they fall? This may sound simple and straightforward, but the reality is that many risk leaders have responsibilities for only a portion of the risks organizations face – often only the insurable risks. If that’s the case, you have your answer to both concerns nailed.
If, on the other hand, you are a risk leader with broader accountability for more or all risks (ERM) that could impact an organization (both negatively and positively), then the first question of “what is a risk to your firm?” requires clear definition. The most commonly accepted definition of risk is “uncertainty.” I like this simple definition and it captures the most central element of concern. However, the real challenge remains the question about the level of uncertainty (aka frequency/likelihood) and, to many, even more important is the level of impact or severity. Here’s my favorite chart to help illustrate this concept:
Do we care more about likelihood or impact or are they equal? If the above is a typical loss curve, then the dotted line represents what most would call the “expected” level of loss and the black swan sits out on the tail of this curve, where the x-axis is impact of severity of loss and the y-axis is the frequency or likelihood of loss. While many hazard-focused leaders put their attention on risks at expected and to the left of the dotted line, the challenge is where to the right of the dotted line should one be managing? While the possibility of loss becomes increasingly remote as you move out towards the tail of the curve, the impact of events become more destructive. Key questions that must be answered include:
- What level of investigation do we apply to remotely likely risks?
- How do we apply limited resources to remotely likely risks?
- Do we have a consensus among key stakeholders as to what risks we should focus on and how?
- Do we have or need an emerging risk management process?
- Do we have a consensus on and clear understanding of how we define risk in our organization?
These issues are the starting point to the risk management maturity question. From these answers, you can chart your course for what this will mean to your firm. The answers will define the process elements of maturity that will be needed to achieve your target state. But we need to define what risk maturity is in order to track progress towards it and to ensure that stakeholders are aligned around the chosen components.
In our RIMS session, I reviewed the common components among the numerous risk maturity models that are most often used. Here’s one generic set of attributes of maturity:1
- Specifically defined appetite and tolerances for managing risk
- Management support for the defined risk culture and direct ties to the corporate culture
- Disciplined risk process aligned with other functional areas
- Process for uncovering unknown and/or poorly understood risks
- Effective analysis and measurement of risk, both quantitatively and qualitatively
- Collaborative focus on a resilient and sustainable enterprise
The first, and I think most thoroughly developed model, comes from the Risk and Insurance Management Society (RIMS).2 It was developed some ten years ago or so, but remains in my opinion a simple yet comprehensive view of the seven most important factors that inform risk maturity and that, when well-implemented, should drive an effective approach to managing any risk within your purview.
The components of the RIMS model include:
- Adopting an enterprise-wide approach, supported by executive management, which is aligned well with other relevant functions
- Determining the degree to which repeatable and scalable process is integrated in the business and culture
- Determining the degree of accountability for managing risk to a detailed appetite and tolerance strategy
- Determining the degree of discipline applied in using the elements of good root cause analysis
- Determining the degree to which a robust emerging risk process is used to uncover uncertainties to goal achievement
- Determining the degree to which the vision and strategy are executed considering risk and risk management
- Determining the degree to which resiliency and sustainability are integrated between operational planning and risk process
Like all risk management strategies, no two models I’ve seen are exactly the same and there is no one way to accomplish maturity. Importantly, every risk leader needs to do for his or her organization what the organization needs and will support.
During our session, I touched on two other maturity models and concepts and contrasted them with the RIMS model. The first of those other models is the Aon model3 which, like RIMS’ model, enables multiple levels of maturity and methodology for charting progress towards an ideal state sought. Unique characteristics of the Aon model include:
- Assurance that the board understands and is committed to the risk strategy
- Effective risk communications
- Emphasis on the ties among culture, engagement and accountability
- Stakeholder participation in risk management activities
- Use of risk information for decision-making
- Demonstration value
This is not to say that the RIMS model ignores these issues; simply, a different emphasis is made between the models.
The third model we discussed is from Protiviti4 on risk maturity as it relates to the board of directors’ accountability for risk oversight. A few highlights of their perspective include:
- Emphasis on the risks that matter most
- Alignment between policies and processes
- Effective education and use of people and their place in the organization
- Assurance that assumptions are supportable and understood
- Board’s knowledge of asking the right questions
- Understanding of the relationship to capability maturity frameworks
Certainly the good governance of organizations is critical to ultimate success and the board’s role in it is the apex of that consideration. If the board is engaged and accountable for ensuring their risk oversight responsibility is effectively executed, the successful execution of the strategy is likely and, by inference, risk will have been effectively managed as well.
This background information provides the foundation for the KPC case, summarizing key considerations for addressing a risk maturity strategy:
- There is no one right approach; each organization must chart their own course aligned with their culture and priorities
- Risk must be treated as an integral aspect of strategy
- Like all corporate processes, there should be a focus on additive value
- Risk maturity has helped secure documented valuation premium for studied users
My colleague from KPC illustrated the key tactics of her plan, how her maturity strategy related to corporate strategy and priorities, the specifics of what KPC accomplished over ten years of development and implementation, how risk and risk management drove performance results and what remains to be done to achieve their longer term aspirations. By listening to her insights, hearing about her ERM results, and learning more about the impact that has been achieved for her major, complex, corporate entity, risk managers we spoke with this week took a step toward being able to translate a successful ERM journey into a plan for their own and understanding key tactics to exploit and pitfalls to avoid as they craft risk management strategy.
I hope this insight helps you gain perspective, as well. To continue the ERM discussion, please join me and other influencers in our industry as we collaborate in the Enterprise Risk Management group on LinkedIn.
Chris Mandel SVP, Strategic Solutions, Sedgwick Director, Sedgwick Institute
1 Source: How Can Risk Maturity Model Benefit Your Risk Management, www.RiskMethods.net
2 Source: Why a Mature ERM Effort is Worth the Investment, RIMS, www.rims.org
3 Source: Aon, Inc., Risk Maturity Index, aon.com/rmi
4 Source: Protiviti Inc., Board Perspectives: Risk Oversight, www.protiviti.com