TRANSCRIPT
A different approach to risk maturity – a simple model
Ayse Nordal, The Municipal Undertaking for Educational Buildings and Property in Oslo
and Ole Martin Kjørstad, Bank of Norway
October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
CONTENTS
1. How do we define risk maturity?
2. Why do we measure risk maturity?
3. “What is in it” for the organization?
4. Existing risk maturity models
a) Examples
b) Common features
5. The improvement potential
6. A simple model by Nordal and Kjørstad
a) Maturity objectives
b) Maturity dimensions
c) Spider web chart and on-line assessment
1. HOW DO WE DEFINE RISK MATURITY?
Risk maturity is a benchmarking tool which measures to what extent an organization has implemented Enterprise Risk Management (ERM) in accordance with prevailing best practice.
• There is no universally accepted definition of risk maturity nor a common tool for benchmarking.
HOWEVER, the draft documents for the new updated versions of
• COSO, Enterprise Risk Management – Aligning Risk with Strategy and Performance
• ISO 31000, Risk Management – Guidelines
include the concept.
2. WHY DO WE MEASURE RISK MATURITY?
COSO draft framework (181) introduces a relationship between risk maturity and risk appetite. According to the document:
• Enterprise risk management capability and maturity provide information on how well enterprise risk management is functioning.
• A mature organization is often able to define enterprise risk management capabilities that provide better insight into its existing risk appetite and factors influencing risk capacity.
• A less mature organization with undefined enterprise risk management capabilities may not have the same understanding, which can result in a broader risk appetite statement.
2. WHY DO WE MEASURE RISK MATURITY?
ISO 31000 draft standard defines a relationship between continuous improvement and risk management maturity. According to the document:
• As relevant gaps or improvement opportunities are identified, the organization should develop plans and tasks and assign them to those accountable for implementation.
• Once implemented, these improvements should contribute to advances in risk management maturity.
2. WHY DO WE MEASURE RISK MATURITY?
• To be able to make a comprehensive evaluation of the organization's performance against best practice criteria
• To be able to identify improvement areas and opportunities which will bring the organization to a higher maturity level
• To be able to plan and initiate appropriate improvement measures
3. WHAT IS IN IT FOR THE ORGANIZATION?
Existing literature often focuses on defining maturity levels and assigning attributes to given maturity levels in organizations.
HOWEVER, there are some studies which aim to provide evidence of the benefits from employing risk maturity benchmarking. Examples:
• Research project by Mark Farrell from Queen's University Management School and Ronan Gallagher from University of Edinburgh Business School.
• EY study which uses a global survey based on 576 interviews with companies and a review of more than 2,750 analyst and company reports.
3. WHAT IS IN IT FOR THE ORGANIZATION?
• Farrell and Gallagher's study has evidenced «…a clear and significant statistical correlation between mature enterprise risk management practices and a firm's value. Organizations exhibiting mature risk management practices realize a valuation premium of 25%...»
• EY study has documented «…that companies in the top 20% of risk maturity generated 3 times the level of EBITDA as those in the bottom 20%.»
4. EXISTING RISK MATURITY MODELS – examples
• Many risk maturity models are built on the basic principles of the Capability Maturity Model which was developed by the Software Engineering Institute at Carnegie Mellon University in 1993.
EXAMPLE: David Hillson 1997
Levels & Attributes
Levels (from lowest to highest): Naive, Novice, Normalized, Natural
Attributes: Culture, Process, Experience, Application
4. EXISTING RISK MATURITY MODELS – examples
EXAMPLE: RIMS (The Risk Management Society)'s on-line assessment model by Steven Minsky 2006
Source: https://www.rims.org/resources/ERM/Pages/RiskMaturityModel.aspx
4. EXISTING RISK MATURITY MODELS – examples
7 attributes:
• Adoption of ERM-based process
• ERM-Process management
• Risk appetite management
• Root cause discipline
• Uncovering risks
• Performance management
• Business resiliency and sustainability
4. EXISTING RISK MATURITY MODELS – Common features
Many risk maturity models assume:
• A continuous progression to higher and higher maturity levels through time.
• A step by step development. It is not possible to skip a stage.
These models do not:
• Recognize that different areas in the organization may have different maturity levels
• Employ a common scale, which enables a universal and homogenous assessment
• Recognize that the requirements/ expectations of risk management may be different in different organizations (sector, size, transaction volume)
• Recognize that traditionally, risk maturity has not been an area where the Board and management were expected to formalize and state their ambition levels
5. IMPROVEMENT POSSIBILITIES
ERM programs can
• start and stop
• start and stagnate
• start slowly, react and atrophy
• evolve steadily and consistently
6. A SIMPLE MODEL by Nordal & Kjørstad
OUR FOCUS
MATURITY LEVELS MATURITY OBJECTIVES
6. A SIMPLE MODEL by Nordal & Kjørstad
Dimensions and maturity objectives:
• Risk management, strategy and decision making processes: All decisions (strategic, tactical and operational) are based on documented assessments of risks and opportunities.
• Communication, information and reporting: The organization ensures continual communication and reporting of relevant information, with appropriate frequency.
• Organization, authority and interaction: The risk management function has an appropriate organization and resource allocation.
• IT-tools and analyses: Risk management is based on the best available information and is suitable to the organization's needs.
• Framework and processes: The organization has implemented an effective and suitable risk management framework.
6. A SIMPLE MODEL by Nordal & Kjørstad
• Maturity is assessed separately in each dimension, by counting the number of criteria met by the organization.
Maturity level | Criteria
5 | The organization satisfies all the criteria (all 10 requirements)
4 | The organization satisfies 8 or more requirements
3 | The organization satisfies 6 or more requirements
2 | The organization satisfies 4 or more requirements
1 | The organization satisfies 2 or more requirements
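The scoring rule above, written out as an added example in Python. This is an illustration for this page, not the authors' on-line assessment tool, which is not reproduced on the slides. Each of the five dimensions carries ten yes/no criteria; the count of criteria met is mapped through the thresholds in the table, dimension by dimension, and the per-dimension levels are the axes of the spider web chart. The table assigns no level when fewer than two criteria are met; the example reports 0 in that case, which is an assumption of this illustration and not part of the model. The checklist answers are constructed sample input, and a questionnaire with missing or incomplete dimensions is rejected rather than scored as low maturity.

```python
"""Per-dimension maturity scoring for the Nordal & Kjørstad model.

Added illustration, not the authors' on-line assessment tool. Dimension
names and the 10-criteria-per-dimension rule follow the slides; the
checklist answers below are constructed sample input.
"""
from typing import Dict, List, Sequence, Tuple

# The five dimensions named on the slides; each carries ten criteria.
DIMENSIONS: List[str] = [
    "Risk management, strategy and decision making processes",
    "Communication, information and reporting",
    "Organization, authority and interaction",
    "IT-tools and analyses",
    "Framework and processes",
]
CRITERIA_PER_DIMENSION = 10

# Thresholds from the slides: level 5 = all 10, 4 = 8+, 3 = 6+, 2 = 4+, 1 = 2+.
# Fewer than two criteria met has no level in the table; 0 is reported
# for that case (an assumption of this example, not of the model).
THRESHOLDS: List[Tuple[int, int]] = [(10, 5), (8, 4), (6, 3), (4, 2), (2, 1)]


def level_for_count(met: int) -> int:
    """Map a count of satisfied criteria (0..10) to a maturity level (0..5)."""
    if not 0 <= met <= CRITERIA_PER_DIMENSION:
        raise ValueError(
            f"count must be between 0 and {CRITERIA_PER_DIMENSION}, got {met}"
        )
    for minimum, level in THRESHOLDS:
        if met >= minimum:
            return level
    return 0


def assess(answers: Dict[str, Sequence[bool]]) -> Dict[str, int]:
    """Score each dimension separately from its ten yes/no criteria.

    Returns {dimension: level}. Raises if a dimension is missing or has the
    wrong number of answers, so a partially filled questionnaire cannot be
    silently scored as low maturity.
    """
    levels: Dict[str, int] = {}
    for dim in DIMENSIONS:
        if dim not in answers:
            raise KeyError(f"missing answers for dimension: {dim}")
        crit = answers[dim]
        if len(crit) != CRITERIA_PER_DIMENSION:
            raise ValueError(
                f"{dim}: expected {CRITERIA_PER_DIMENSION} answers, got {len(crit)}"
            )
        levels[dim] = level_for_count(sum(1 for c in crit if c))
    return levels


def spider_chart_points(levels: Dict[str, int]) -> List[Tuple[str, int]]:
    """Return (dimension, level) pairs in fixed order: the axes of the spider web chart."""
    return [(dim, levels[dim]) for dim in DIMENSIONS]


# Constructed sample checklist: one organization's yes/no answer per criterion.
SAMPLE_ANSWERS: Dict[str, Sequence[bool]] = {
    DIMENSIONS[0]: [True] * 10,                 # all ten met -> level 5
    DIMENSIONS[1]: [True] * 7 + [False] * 3,    # seven met -> level 3
    DIMENSIONS[2]: [True, False] * 5,           # five met -> level 2
    DIMENSIONS[3]: [False] * 10,                # nothing in place -> level 0
    DIMENSIONS[4]: [True] * 9 + [False],        # nine met -> level 4
}

if __name__ == "__main__":
    for dim, lvl in spider_chart_points(assess(SAMPLE_ANSWERS)):
        print(f"level {lvl}  {dim}")
```

Because the assessment is per dimension, the output is a profile rather than a single number; an organization can sit at level 5 on strategy and decision making while its IT-tools dimension has no level at all, which is exactly the situation the common-features critique of existing models says they cannot express.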
6. A SIMPLE MODEL by Nordal & Kjørstad
Criteria
Dimension: Risk management, strategy and decision making processes
Maturity objective: All decisions (strategic, tactical and operational) are based on a documented assessment of risks and opportunities.
1. The organization's risk appetite is clearly defined and quantified through appropriate dimensions. This includes both financial and operational uncertainty.
2. There exists documentation which evidences that decisions are made within the boundaries of approved risk appetite.
3. The work on strategies and business plans includes risk assessment, which takes uncertainties in the internal and external context into account.
4. Assessments of risks/uncertainties form the basis for the organization's resource allocations and budgeting.
5. The head of the risk management function is invited to and involved in relevant decision making forums.
6. Achievement of objectives is measured in a way that allows for the evaluation of the degree of achievement against the degree of uncertainty.
7. Assessment of uncertainty is a factor for resource allocation. The costs and benefits of improvement tasks and actions are quantified and compared with quantified uncertainty.
8. Risk assessment is an integrated part of the strategic decision making process.
9. Documented decisions and minutes include an explicit assessment of risks and opportunities.
10. Achievement of objectives is reported in a manner that it can be compared to the initial risk assessments prior to undertaking those activities.
6. A SIMPLE MODEL by Nordal & Kjørstad
Criteria
Dimension: Communication, information and reporting
Maturity objective: The organization ensures regular communication and reporting of relevant information, with appropriate frequency.
1. The organization has a plan and a policy for communication with external stakeholders.
2. The head of risk management has access to external reporting regarding regulatory and administrative requirements.
3. Internal communication mechanisms have been established. These ensure information is communicated to all relevant employees about the underlying principles, framework and processes of risk management.
4. Managers and decision makers have continual access to updated information about risks as well as the status of improvement actions and work, through reporting and through continual communication.
5. Quality assurance of risk reporting, including reporting by managers, has been established. This process ensures truthful, relevant, accurate and comprehensible reporting.
6. The organization maintains a documented and accessible overview of risk, action and process owners.
7. Information channels, forums and mechanisms have been established. These facilitate the distribution of risk information to line management and administrative functions.
8. The organization has in place processes and guidelines which take care of ethical principles, confidentiality and integrity in connection with internal and external communication.
9. The organization enables transparency and cross-industry co-operation when dealing with risks related to IT security and financial crime.
10. The head of risk management reports directly to the Board on a periodic basis and has a direct reporting line when needed.
6. A SIMPLE MODEL by Nordal & Kjørstad
Criteria
Dimension: Organization, authority and interaction
Maturity objective: The risk management function has an appropriate organization and resource allocation.
1. The management ensures an appropriate risk management organization and supports its work. The role and responsibility for risk management is clearly anchored with management across the organization.
2. The risk management function has a mandate. It is rooted in the organization's strategy and it backs up the strategy.
3. The head of risk management is either a member of top management or reports directly to it.
4. The risk management function has the necessary resources to accomplish its tasks. The risk management organization and resources are appropriate to the size and complexity of the organization.
5. The organization has developed a risk culture and a common terminology for risk management.
6. The head of risk management has the necessary authorizations as well as the authority to be able to perform her/his responsibilities.
7. The job description of the head of risk management contains requirements about risk management performance indicators, competence and integrity.
8. Tasks which can hinder the execution of an effective risk management function are not allocated to the head of risk management.
9. The head of risk management has established good relations with the rest of the organization. Appropriate cooperation forums have been established which ensure effective interaction between various functions and lines of defence.
10. The head of risk management cannot be hired or fired without the approval of the Board of Directors.
6. A SIMPLE MODEL by Nordal & Kjørstad
Criteria
Dimension: IT-tools and analyses
Maturity objective: Risk management is based on the best available information and is suitable to the organization's needs.
1. The organization has appropriate tools to facilitate and document risk management tasks, i.e. risk identification, risk analysis, and the follow-up of actions and improvement measures.
2. Users of IT-tools understand the assumptions, limitations and possibilities of these tools.
3. Decision makers have been informed about the possible limitations of the models and systems which are used.
4. The use of models and tools is not fragmented. The models and tools include parameters which allow comparisons across the organization.
5. Risk analyses are verifiable and they satisfy the requirements of reliability, completeness and traceability.
6. The systems which are in use are flexible and can produce reports required by the authorities and external stakeholders (HSE reports, financial reporting etc.).
7. The systems which are in use can handle sensitive data in compliance with prevailing requirements.
8. The organization can monitor the quantifiable risk parameters continuously.
9. The organization has appropriate channels and tools for the reporting of events.
10. There exists an overview of IT applications, the interfaces between these, as well as the criticality of the operations.
6. A SIMPLE MODEL by Nordal & Kjørstad
Criteria
Dimension: Framework and processes
Maturity objective: The organization has implemented an effective and suitable risk management framework.
1. The organization has established mechanisms which take into account knowledge of the internal and external context.
2. The method and framework are built on a clear mandate and risk management policy with clearly defined authority and resource allocations.
3. Risk management is embedded and integrated in all processes, business and administrative. No area, level or process is excluded in the design of the risk management framework.
4. The framework is evaluated on a regular basis and is subject to continual improvement.
5. Risk management is an inclusive process which enables feedback and input from the whole organization.
6. Risk management is an iterative process. The process responds to changes in the environment, organization, systems and structures.
7. There is a defined and readily apparent connection between calculated risks and the measurement of value creation.
8. Assessment models for likelihood and consequence, parameters and criteria are defined as components of the framework and are evaluated on a regular basis.
9. The framework includes a system for setting priorities and for monitoring actions and improvement measures.
10. The framework includes periodic assessments of effectiveness as well as cost-benefit of all key processes, controls and actions.
6. A SIMPLE MODEL by Nordal & Kjørstad
Available online
via IIA Norway’s website