Risk Maturity Assessment: A Critical Tool for Directors

Establishing and embedding sound risk management practices enables organisations to become more resilient, achieve their financial and strategic goals, and take advantage of opportunities that arise. The article outlines the importance of directors assessing the maturity of their respective organisations in the identification, assessment, and management of risk.

When something goes wrong in many organisations, there is a lot of soul-searching and discussion about what may have caused the issues or led to the event or events occurring. Many questions are asked, and often a formal post-mortem is undertaken. Have we previously identified this risk? Did someone or a department have a responsibility to monitor the risk? What could we have done to prevent the risk from materialising?

While a worthwhile activity, it does unfortunately reflect the reality that many businesses or organisations today continue to take a reactive approach to risk management. These businesses or organisations have an undeveloped and immature approach to managing risk. They fail to take a forward-looking and proactive approach to seeking out all risks that may impact them.

The risk management approach may be limited to managing a discrete set of business risks. For example, a food manufacturer may simply focus on food safety. Similarly, a building and construction company may focus solely on workplace accidents and employee safety.

There is, however, a new, structured, and sophisticated approach being adopted by many small, medium, and large organisations, commonly referred to as enterprise risk management, or ERM. ERM consists of implementing a framework to identify, assess, manage, and report all material business risks in a structured manner. ERM brings an organisational discipline that manages risks, identifies new and emerging risks, and assists with strategic and business planning. This supports the stability, growth, and sustainability of an organisation.

Directors of medium – to large-sized organisations may already see foundational enterprise risk management frameworks and practices in place. In some industries, such as banking and financial services, firms are required to have established enterprise risk management policies and procedures in place. This may lead to the belief that all is well and that these practices are embedded and working. Often, this may be far from the truth.

It is important for directors to periodically assess the maturity of the risk management frameworks and practices at their organisations. A Risk Maturity Assessment will measure the sophistication and effectiveness of an organisation’s risk culture and risk management frameworks, resourcing and capability, systems, and processes.

The Risk Management Maturity Curve below outlines the varying stages of maturity in the management of risk, from limited to advance. The level of maturity will primarily be driven by the size of the organisation, the industry it operates in, and the level of resources (financial, personnel, and technology) committed to managing risk.

Notwithoutrisk Consulting has developed a risk maturity assessment methodology to determine an organisation’s overall maturity. The methodology assesses maturity across the following seven dimensions:

1. Risk Culture

2. Risk Strategy, Governance, and Framework

3. Risk Resourcing and Capability

4. Risk Appetite

5. Risk Assessment and Management

6. Risk Reporting, Technology, and Data

7. Operational policies and procedures

Risk Culture

Risk culture is a high-level consideration that refers to the shared values, beliefs, and practices of the organisation in regard to risk and its management. As directors are being held increasingly accountable for risk oversight and governance, establishing a strong and positive risk culture is an important way to ensure that risk management practices are embedded throughout the organisation. This involves ensuring risk management is well understood and articulated as an enabler of organisational planning, strategy, and success.

Infosys highlights the importance of culture to its approach to ERM in the Risk Management section of its most recent annual report, stating that “our values, culture, and commitment to stakeholders—employees, customers, investors, regulatory bodies, partners, and the community around us—are the foundation for our ERM.”

Infosys formally documents risk culture as one of six key components of its ERM approach, stating that “risk culture encourages open and upward communication. Coupled with our belief systems and core values, this drives behaviour, guides daily activities, and guides decision-making throughout the organization. We encourage the sharing of knowledge and best practices, continuous process improvement, and a strong commitment to ethics and integrity.”

In seeking to assess the maturity of the organisation in the area of risk culture, directors can look for examples of this open communication and informed decision-making regarding risk and champion the risk management success stories across the organisation.

Furthermore, a key element of risk culture crucial to organisational success is the continuous allocation of resources to understand risk losses and near misses. Directors should look for and encourage a culture that both anticipates and reflects upon risks to ensure that the organisation can improve its decision-making processes.

Risk Strategy, Governance and Framework

A key role of the board is to establish the overall risk management strategies, frameworks, and processes that govern the management of risk. There are many different approaches to risk governance and the accompanying government documents and framework. The approach needs to be tailored for each organisation, taking into account its size and nature.

The core document is usually a risk management framework (RMF) or risk management strategy (RMS). The RMF, or RMS, is the structure or set of guidelines that an organisation uses to implement its risk strategy. It includes the processes, tools, and procedures for identifying, assessing, managing, and monitoring risks. An RMF or RMS is used to ensure consistent and effective risk management practices across the organisation. Therefore, implementing a comprehensive risk framework that is understood and embedded is vital to enhancing an organisation’s risk maturity. The existence of an RMF or RMS and evidence of its effective use will see an organisation’s maturity move up from limited to initial or defined.

Risk Resourcing and Capability

The level of maturity an organisation can achieve is ultimately a function of the resources devoted to risk management, particularly the number and calibre of risk management personnel. A well-resourced and dedicated enterprise risk management function is essential for the operation of an RMF or RMS.

The board and CEO should seek to hire the best, industry-leading talent and expertise to continuously improve risk management practices. If there is not a decided Chief Risk Officer, it is important to identify a senior risk officer in the organisation and task them with bringing to life the management of risk.

Sound governance also involves the oversight of the resourcing of key risk management functions and roles. It is also critical for a board or risk management subcommittee to periodically assess whether risk management functions are adequately resourced and undertake the duties they are assigned to support the implementation of the RMF or RMS.

Risk Appetite

Risk appetite is an activity that determines the level of risk an organisation is willing to take on in pursuit of its goals and objectives. This is done for a wide range of material risk categories. It is an important aspect of risk management that is communicated to all levels of employees and lines of business, thus guiding day-to-day decision-making.

The diagram below illustrates how risk appetite can be cascaded through an organisation.

Directors and executives need to consider factors such as organisation size, financial stability, market position, and overall business objectives in defining appetite for material business risks.

Once appetite is defined and described, the next step is to clearly define and document the qualitative and quantitative metrics in a Risk Appetite Statement.

For banks and larger financial institutions, this process is well-embedded and a key requirement of prudential regulation. The State Bank of India (SBI) notes this in its corporate governance documents. In its 2023 annual report, it stated that “Enterprise Risk Management aims to put a comprehensive framework to manage and align risk with strategy at your Bank level. It encompasses global best practices such as establishing a Risk Appetite Framework, Risk Culture Assessment Framework, and Material Risk Assessment Framework.” It goes on to note that the “Risk Appetite Framework incorporates limits for significant risks with monitoring parameters” and that “the risk limits are reviewed periodically based on the risk appetite of the Bank.” This highlights that as circumstances or objectives change, it is important to consider any necessary changes to risk appetite statements, ensuring that future decisions reflect any new business direction.

Organisations will only be at the Limited or Initial phase of risk maturity without establishing a risk appetite framework. For larger organisations this may also involve the development of both functional areas (Finance and Information Technology, for example) and business unit risk appetite statements.

Risk Assessment and Management

Another key aspect of risk maturity is how a business assesses and manages risk. Directors should be vigilant in ensuring their business regularly assesses past, present, and future risks and devises action plans to mitigate them should they arise.

Olam Group, the Singapore-based food and agri-business group, has a well-developed approach to risk assessment and management, overseen by the Chief Risk Officer and its Board Risk Committee. It notes in its 2022 Annual Report that the group “has a risk management framework that has been designed to identify and rigorously assess the likelihood and impact of risks and to manage any actions required to mitigate these. Risks are identified both from a top-down strategic perspective and from a bottom-up business perspective.”

Assessing risk can involve reviewing historical data to identify any patterns or trends in risk events, engaging stakeholders such as employees, customers, suppliers, and partners to gather their perspectives on potential risks, and monitoring external factors such as market trends, regulatory changes, and technological advancements. As noted Olam Group noted, risks need to be identified from both a top-down and bottom-up perspective.

A well-developed and structured approach to risk management is also critical to identifying emerging risks and opportunities. This will inform directors on matters such as macroeconomic and geopolitical threats and risks, strategic shifts in their market, and changes in the operational and financial risk profile of the organisation.

Risk Reporting, Technology and Data

Risk reporting relies on strong governance and integrated management information systems. Clear risk reporting standards should be outlined in a comprehensive risk management framework, specifying reporting responsibilities and reporting frequency. Key risk metrics and indicators should also be established to measure and report performance. Any tools or technologies used to streamline or automate the risk reporting process should be understood and managed effectively.

Mature organisations invest heavily in data analytics and emerging technologies, enabling them to undertake advanced analytics, scenario planning, and stress testing. This information is communicated to relevant business lines and helps managers make informed, risk-based decisions.

Operational Policies, Procedures and Processes

Operational policies, procedures, and processes are the foundations that enable everyday risk management. They are the essential guidelines that cascade to all employees within the organisation and promote a standardised approach to risk assessment and management.

Comprehensive policies, procedures, and processes that are well understood are essential for ensuring the stability, security, and continuity of operations and helping organisations achieve their goals and objectives while managing potential risks.

Next Steps

Risk maturity assessments can be done by individual directors, management, internal auditors, or another third party, such as an external auditor or a risk management consultant. It will be important to ensure there is sufficient independence and critical thinking to gain the most objective outcome and recommendations.

Assessing the maturity of the seven factors above will inform directors of the overall risk maturity of the organisation. The outcome of the risk maturity assessment will often include a detailed road map of initiatives to get the organisation closer to the desired maturity. By identifying gaps in risk practices and taking meaningful steps to address them, an organisation will be better prepared to manage potential risks now and in the future.