In the past three years, 62% of organizations have experienced a critical risk event. With risk top of mind for many executives, organizations are looking for ways to measure their risk management and better understand how it ties back to overall business strategy. While most companies have an enterprise risk management program in place, they have probably not benchmarked the maturity of the program to understand how they can improve performance.
Before diving into enterprise risk maturity, let's first discuss what enterprise risk management (ERM) is.
ERM brings together an array of different risks from across an organization, whether it’s operational risk, legal risk, financial risk or any other form. In order to effectively manage enterprise risk, companies must be able to see not only the individual risks but also the interconnectedness of risks across the company. Unfortunately, in many organizations risk is managed in siloed departments, leaving room for vast differences between teams in procedures, policies, terms and definitions. To improve a company’s ERM maturity, companies need to define their risk appetite, ensure the right people are taking responsibility, and measure their progress along the way.
Define Your Risk Appetite
Before you can determine whether you want to advance your ERM maturity, you must first define your appetite for risk to make a proper assessment. Not all companies require the same level of risk maturity. In fact, the highest level of maturity does not necessarily equal the best ERM program. Rather than immediately aiming for the highest level of maturity, companies need to take a step back and identify their priorities to understand what is best for their organization’s specific circumstances. Review the following questions to properly assess and advance your ERM maturity:
- How do we assess the current situation?
- How do we gain leadership buy-in?
- How do we set goals for adoption?
- How do we create a roadmap for improvement?
Answering those critical questions will help define your company’s risk appetite and set you up for success should you elect to improve your ERM maturity.
Establish a Culture of Risk
An effective risk culture is one that empowers business functions to be intellectually honest about the risks they face and encourages them to align risks with strategic objectives. To accomplish this, companies must remain patient. Changing the culture of an organization of any size takes time and is not something that can be done by any single meeting or memo to the staff. It takes time to educate team members properly and for leaders to demonstrate the importance of the change.
To change your risk culture, be sure to consider these five steps:
- Understand your current risk culture: consider conducting a survey or workshop to gather feedback and opinions from across the business.
- Enlist strong leadership participation: this type of change must come from the top down in order to be effective.
- Gain alignment among leadership: executives must define and agree upon the type of culture they want to build.
- Update policies and procedures to reflect a culture of risk: take into account potential risks endangering key business objectives.
- Establish ownership: identify key stakeholders throughout the organization who will serve as your business risk owners. These individuals should be change agents within their team, with a strong understanding of how their department supports the business overall and insight into the key challenges that need to be addressed.
By establishing a risk culture and involving the right representatives from across business units, you will have an easier time understanding your current maturity and what the right “target” level of maturity is for your organization.
Measure Your ERM Progress
Once you determine who should hold primary responsibility for the risk management program and have received the necessary buy-in, you will need to measure your progress towards greater ERM maturity. One way to measure progress is to compare yourself to your peers. How do you stand in relation to some of your peers? Within your industry? Compared to organizations of similar size?
Additional ways to measure your progress include:
- Setting targets to strive for.
- Identifying metrics to monitor.
- Validating (or rejecting) assumptions.
- Putting results to good use.
- Striving for continuous improvement.
Every company’s level of enterprise risk maturity will vary. The highest levels of maturity do not always make sense for every company. However, taking the time to define your risk appetite, establish a culture of risk, find your risk champions, and measure your progress along the way will set your company up for success when addressing your enterprise risk management.