A different approach to risk maturity a simple model

Transcription

1 A different approach to risk maturity a simple model Ayse Nordal, The Municipal Undertaking for Educational Buildings and Property in Oslo and Ole Martin Kjørstad, Bank of Norway 1

2 CONTENTS 1. How do we define risk maturity? 2. Why do we measure risk maturity? 3. What is in it for the organization? 4. Existing risk maturity models a) Examples b) Common features 5. The improvement potential 6. A simple model by Nordal and Kjørstad a) Maturity objectives b) Maturity dimensions c) Spider web chart and on-line assessment 2

3 1. HOW DO WE DEFINE RISK MATURITY? Risk maturity is a benchmarking tool, which measures to what extent an organization has implemented Enterprise Risk Management (ERM), in accordance with prevailing best practice. There is no universally accepted definition of risk maturity nor a common tool for benchmarking. HOWEVER, the draft documents for the new updated versions of COSO, Enterprise Risk Management, Aligning Risk with Strategy and Performance ISO, 31000, Risk Management Guidelines include the concept. 3

4 2. WHY DO WE MEASURE RISK MATURITY? COSO draft framework (181) introduces a relationship between risk maturity and risk appetite. According to the document: Enterprise risk management capability and maturity provide information on how well enterprise risk management is functioning. A mature organization is often able to define enterprise risk management capabilities that provide better insight into its existing risk appetite and factors influencing risk capacity. 4 A less mature organization with undefined enterprise risk management capabilities may not have the same understanding which can result in a broader risk appetite statement.

5 2. WHY DO WE MEASURE RISK MATURITY? ISO draft standard defines a relationship between continuous improvement and risk management maturity. According to the document: As relevant gaps or improvement opportunities are identified, the organization should develop plans and tasks and assign them to those accountable for implementation. Once implemented, these improvements should contribute to advances in risk management maturity. 5

6 2. WHY DO WE MEASURE RISK MATURITY? To be able to make a comprehensive evaluation of the organization s performance against best practice criteria To be able to identify improvement areas and opportunities which will bring the organization to a higher maturity level To be able to plan and initiate appropriate improvement measures 6

7 3.WHAT IS IN IT FOR THE ORGANIZATION? Existing literature often focuses on defining maturity levels and assigning attributes to given maturity levels in organizations. HOWEVER, there are some studies which aim to provide evidence of the benefits from employing risk maturity benchmarking. Examples: Research project by Mark Farrell from Queen s University Management School and Ronan Gallagher from University of Edinburgh Business School. EY study which uses a global survey based on 576 interviews with companies and a review of more than 2750 analysis and company reports. 7

8 3.WHAT IS IN IT FOR THE ORGANIZATION? Farrell and Gallagher s study has evidenced «a clear and significant statistical correlation between mature enterprise risk management practices and a firm s value. Organizations exhibiting mature risk management practices realize a valuation premium of 25%...» EY study has documented «that companies in the top 20% of risk maturity generated 3 times the level of EBITDA as those in the bottom 20%. 8

9 4. EXISTING RISK MATURITY MODELS- examples Many risk maturity models are built on the basic principles of the Capability Maturity Model which was developed by the Software Engineering Institute in Carnegie Melon University in EXAMPLE: David Hillson 1997 Levels & Attributes Natural Normalized Novice Naive Culture Process Experience Application 9

10 4. EXISTING RISK MATURITY MODELS- examples EXAMPLE: RIMS (The Risk Management Socity) s on-line assessment model by Steven Minsky 2006 Source: 10

11 4. EXISTING RISK MATURITY MODELS- examples 7 attributes: Adoption of ERM-based process ERM-Process management Risk appetite management Root cause discipline Uncovering risks Performance management Business resiliency and sustainability 11

12 4. EXISTING RISK MATURITY MODELS-Common features Many risk maturity models assume: A continuous progression to higher and higher maturity levels through time. A step by step development. It is not possible to skip a stage. These models do not: Recognize that different areas in the organization may have different maturity levels Employ a common scale, which enables a universal and homogenous assessment Recognize that the requirements/ expectations of risk management may be different in different organizations (sector, size, transaction volume) Recognize that traditionally, risk maturity has not been an area where the Board and management were expected to formalize and state their ambition levels 12

13 5. IMPROVEMENT POSSIBILITIES ERM programs can start and stop start and stagnate start slowly, react and atrophy evolve steadily and consistently 13

14 6. A SIMPLE MODEL by Nordal & Kjørstad OUR FOCUS MATURITY LEVELS MATURITY OBJECTIVES 14

15 6. A SIMPLE MODEL by Nordal & Kjørstad Dimensions Risk management, strategy and decision making processes Communication, information and reporting Organization, authority and interaction IT tools and analyses Framework and processes 15 Maturity objectives All decisions (strategical, tactical and operational) base on documented assessments of risks and opportunities. The organization ensures continual communication and reporting of relevant information, with appropriate frequency. The risk management function has an appropriate organization and resource allocation. Risk management is based on best available information and is suitable to organization s needs. The organization has implemented an effective and suitable risk management framework.

16 6. A SIMPLE MODEL by Nordal & Kjørstad Maturity is assessed separately in each dimension, by counting the number of criteria met by the organization. Maturity level Criteria 5 The organization satisfies all the criteria (all 10 requirements) 4 The organization satisfies 8 or more requirements 3 The organization satisfies 6 or more requirements 2 The organization satisfies 4 or more requirements 1 The organization satisfies 2 or more requirements 16

17 Risk management, strategy and decision making processes 6. A SIMPLE MODEL by Nordal & Kjørstad All decisions (strategic, tactical and operational) are based on a documented assessment of risks and opportunities. Criteria The organization s risk appetite is clearly defined and quantified through appropriate dimensions. This includes both financial and operational uncertainty. There exists documentation which evidences that decisions are made within the boundaries of approved risk appetite. The work on strategies and business plans includes risk assessment, which takes uncertainties in the internal and external context into account. Assessments of risks/uncertainties form the basis for the organization s resource allocations and budgeting. The head of the risk management function is invited to and involved in relevant decision making forums. Achievement of objectives is measured in a way that allows for the evaluation of the degree of achievement against the degree of uncertainty. Assessment of uncertainty is a factor for resource allocation. The costs and benefits of improvement tasks and actions are quantified and compared with quantified uncertainty. Risk assessment is an integrated part of the strategic decision making process. Documented decisions and minutes include an explicit assessment of risks and opportunities. 17 Achievement of objectives is reported in a manner that it can be compared to the initial risk assessments prior to undertaking those activities.

18 Communication, information and reporting The organization ensures regular communication and reporting of relevant information, with appropriate frequency. 6. A SIMPLE MODEL by Nordal & Kjørstad Criteria The organization has a plan and a policy for communication with external stakeholders. The head of risk management has access to external reporting regarding regulatory and administrative requirements. Internal communication mechanisms have been established. These ensure information is communicated to all relevant employees about the underlying principles, framework and processes of risk management. 18 Managers and decision makers have continual access to updated information about risks as well as status of improvement actions and work, through reporting and through continual communication. Quality assurance of risk reporting, including reporting by managers, has been established. This process ensures truthful, relevant, accurate and comprehensible reporting. The organization maintains a documented and accessible overview of risk-, action- and process owners. Information channels, forums and mechanisms have been established. These facilitate the distribution of risk information to line management and administrative functions. The organisation has in place processes and guidelines which take care of ethical principles, confidentiality and integrity in connection with internal and external communication. The organization enables transparency and cross industry co-operation when dealing with risks related to ITsecurity and financial crime. The head of risk management reports directly to the Board on a periodic basis and has a direct reporting line when needed.

19 Organization, authority and interaction The risk management function has an appropriate organization and resource allocation. 6. A SIMPLE MODEL by Nordal & Kjørstad Criteria The management ensures an appropriate risk management organization and supports its work. The role and responsibility for risk management is clearly anchored with management across the organisation. The risk management function has a mandate. It is rooted in the organization s strategy and it backs up the strategy. The head of risk management is either a member of top management or reports directly to it. The risk management function has the necessary resources to accomplish its tasks. The risk management organization and resources are appropriate to the size and complexity of the organization. The organization has developed a risk culture and a common terminology for risk management. The head of risk management has the necessary authorizations as well as the authority to be able to perform her/his responsibilities. The job description of the head of risk management contains requirements about risk management performance indicators, competence and integrity. Tasks are not allocated to the head of risk management which can hinder the execution of an effective risk management function. The head of risk management has established good relations with the rest of the organization. Appropriate cooperation forums have been established which ensure effective interaction between various functions and lines of defence. 19 The head of risk management can not be hired or fired without the approval of the Board of Directors.

20 IT-tools and analyses Risk management is based on the best available information and is suitable to organization s needs 6. A SIMPLE MODEL by Nordal & Kjørstad Criteria The organization has appropriate tools to facilitate and document risk management tasks, i.e. risk identification, risk analysis, the follow-up of the actions and improvement measures. Users of IT-tools understand the assumptions, limitations and possibilities of these tools. Decision makers have been informed about the possible limitations of models and systems which are used. The use of models and tools is not fragmented. The models and tools include parameters which allow comparisons across the organization. Risk analyses are verifiable and they satisfy the requirements of reliability, completeness and traceability. The systems which are in use are flexible and can produce reports required by the authorities and external stakeholders (HSE reports, financial reporting etc.). The systems which are in use can handle sensitive data in compliance with prevailing requirements. The organization can monitor the quantifiable risk parameters continuously. The organization has appropriate channels and tools for the reporting of events. There exists an overview of IT-applications, interfaces between these as well as the criticality of the operations. 20

21 Framework and processes The organization has implemented an effective and suitable risk management framework. Y 6. A SIMPLE MODEL by Nordal & Kjørstad Criteria The organization has established mechanisms which take into account knowledge of the internal and external context. The method and framework are built on a clear mandate and risk management policy with clearly defined authorityand resource allocations. Risk management is embedded and integrated in all processes, business and administrative. No area, level or process is excluded in the design of the risk management framework. The framework is evaluated on a regular basis and is subject to continual improvement. Risk management is an inclusive process which enables feedback and input from the whole organization. Risk management is an iterative process. The process responds to changes in the environment, organization, systems and structures. There is a defined and readily apparent connection between calculated risks and the measurement of value creation. Assessment models for likelihood and consequence, parameters and criteria are defined as components of the framework and are evaluated on a regular basis. The framework includes a system for setting priorities and for monitoring actions and improvement measures. The framework includes periodic assessments of effectiveness as well as cost benefit of all key processes, controls and actions. 21

22 6. A SIMPLE MODEL by Nordal & Kjørstad Available online via IIA Norway s website interaction 22