Risk Maturity Models: Realise Real Benefits
9th August 2016 | Domenic Antonucci
My new book Risk Maturity Models opens the opportunity for organizations to realize real benefits from using tailored risk maturity models. How so?
ERM and risk maturity both deliver measurable ‘hard’ as well as ‘soft’ benefits.
Boards and CxOs expect to see tangible measures and success metrics for Enterprise Risk Management (ERM), often termed ‘hard’ as distinct from ‘soft’ benefits. Many are familiar with ‘soft’ benefits (such as improved overall management, better financial performance, enhanced reputation, respect for laws and regulations, reduced losses and improved governance and internal controls). Fewer are familiar with the wealth of ‘hard’ data supporting ERM, such as 23% market capitalization gains, stock-fall recovery and stock price protection and various revenue and financial gains.
Even fewer are familiar with the proven benefits of using ERM maturity models to implement sustainable risk management system maturity capabilities. Of the ten ‘hard’ quantitative benefits, the first is probably the one that meets the most surprise: risk maturity triples the bottom line. Yes, EBITDA profit tripled. But there are so many more benefits: 2) higher revenue growth; 3) a 25% increase in firm valuation; 4) better stock price and lower volatility; 5) stock price volatility cut by 34%; 6) improved return on equity performance; 7) improved return on asset performance; 8) key project cost (-23%) and schedule (-48%) savings; 9) credit rating, business performance and operational risk improvements; 10) better operational results such as a 28% operating margin.
Internal Audit mandates assessment of risk management effectiveness.
Whilst the practice of ‘assessing risk management effectiveness’ is widely recognized by the risk management discipline, it is also mandated by the peak professional body, the Institute of Internal Auditors (IIA). Various IIA publications flag a risk maturity model as the ‘how to’ solution. Probably the best is the IIA IPPF Mandatory Practice Guidelines ‘Assessing the Adequacy Of Risk Management Using ISO 31000’ Dec 2010. It states explicitly that a risk maturity model is one solution and links it to ISO 31000 for capability content for that model.
Risk maturity model benefits backed by other key influencers.
Apart from the assurance space, many key influencers in the corporate governance and risk management space also actively support using risk maturity models. Apart from the IIA, the model is supported and promoted by some of the world’s largest risk management institutes such as RIMS and FERMA. The risk consulting arms of all the leading insurance broking and accounting firms use them as tools, and there are at least 48 ERM-specific models on the market, let alone 30+ non-ERM risk maturity models. Some government Treasury departments even issue guides to using them (Canada, UK, NSW Australia). Many Chief Risk Officers will admit they would be lost without the ‘roadmap’ that only a risk maturity model provides them.
Most powerful tool to assess risk management system effectiveness.
To reduce uncertainty, the board and stakeholders need to feel confident that management are delivering effective enterprise risk management (ERM). Two ERM program outputs that are critical to ERM success, and by implication organization success, are a) assessing the maturity strategy and performance of the risk management system, which then delivers b) more reliable understanding and reporting of risks and the risk profile(s).
The higher the level of risk management system maturity, the higher the level of reliability and confidence enjoyed by the Board and senior management in the way the organization reports and manages its risks effectively. That confidence may be shared with a positive knock-on effect for all key stakeholders including the board, customers, supply chain, investors, credit rating agencies and market analysts.
Summary: taking the right risks to achieve objectives.
A risk maturity model that sustainably improves the right mix of organization capabilities in the risk management system will be more likely to deliver the effective risk management that gives an organization the confidence to take the right risks. Risk management system maturity and continual gap-improvement by assessing risk management effectiveness work in tandem to provide reasonable assurance that an organization is taking the right risks to achieve its objectives.