Organisational Maturity in Risk Management

7/31/2019 Organisational Maturity in Risk Management

1/14

Version: 30th

January 03 Version 014

ORGANISATIONAL MATURITY

IN BUSINESS RISK MANAGEMENT

The IACCMBusiness Risk Management

Maturity Model(BRM3)


2/14

Version: 30th


CONTENTS

1.0 Introduction ....................................................................................................3

2.0 The Risk Management Working Party............................................................ 4

3.0 How to Use the Model.................................................................................... 5

4.0 High Level Organisational Maturity Characteristics ........................................ 6

5.0 Detailed Level Questionnaire .........................................................................7

6.0 Summary Scores .........................................................................................13

7.0 Business Unit Sizing Questionnaire .............................................................14


3/14

Version: 30th


1.0 Introduction

1.1 General

The IACCM Risk Management working group has attempted to address the question of howan organisation could evaluate, in a quantifiable fashion, its level of maturity in the area ofbusiness risk management.

This document is aimed at providing answers to questions like:

How can I assess whether my organisations approach to risk management is adequate?

How can I compare my organisations approach with best practice or against ourcompetitors?

Is there an accepted benchmark for organisational risk management?

1.2 Process the Group Utilised

In meetings between May-October 2002, the IACCM Business Risk Management Working

Group defined four levels of organisational business risk management maturity (Novice,Competent, Proficient, Expert) against four key attributes (Culture, Process, Experience,Application). Each attribute has been further defined using several diagnostic characteristics,with each characteristic described for each of the four increasing levels of maturity.

The Group has established by reference to steps 1 to 4 as set out in 1.3 below, a model thatprovides a sound basis for individual companies to begin their evaluation cycle.

At some point in the future the Group may establish steps 5 to 12 as set out in 1.3 below,depending upon the sponsorship and direction received both from the Association and the

companies represented by the members of the working party.


4/14

Version: 30th


1.3 Introduction to the Whole Model

To be able to implement a model which allows a company to address the whole evaluate,

change, review assessment cycle, the company should address all 12 steps in the cycleidentified below.

1. Agree maturity model structure (levels and attributes)2. Describe each maturity level in a summary vision statement3. Identify a set of characteristics which comprise each attribute4. Define each characteristic for each maturity level5. Determine how to measure each characteristic6. Create diagnostic tools to measure characteristics7. Create analysis tool to assist in interpretation of data

8. Identify barriers to progressing between maturity levels (1-2, 2-3, 3-4, staying at 4)9. Identify enablers to overcome barriers10. Create generic template development plans for moving between maturity levels11. Perform pilot applications of the model, reviewing and modifying if necessary

following pilot12. Publish

2.0 The Risk Management Working Party

2.1 Members of the Group

Linda Duodu - Siemens Business Services Limited

Rosemary Gott - NNC Limited

Graham Jackson - Best Practice Partnership Limited

Steve Minto - RWE NUKEM Limited

John Pedretti - Logica UK LimitedPhil Phillips - Hewlett Packard

Greg Russell - Blake Newport Associates

Dave Scarbrough - Fujitsu Services

Rachel Wilcock - Energis Communications Limited

The Group would like to give special thanks to Dr David Hillson of Project ManagementProfessional Solutions Ltd. David participated throughout this project and provided aframework for the Group to utilise in this work.


5/14

Version: 30th


3.0 How to Use the Model

The model as it applies to Business Risk Management is shown as a High LevelOrganisational Maturity Model in Section 4.0. It identifies four levels of organisationalcompetence in the area of business risk management:

Novice

Competent

Proficient

Expert

and defines this competence in terms of the organisations approach against four attributes:

Culture

Process

Experience

Application

Thus, it can be seen that for an organisation at the Novice, or nave, stage the attributes aretypically all at the lowest level. The culture is unaware of the need for formal management ofrisk and it therefore follows that there are no processes in place to deal with it, theorganisation has no experience in managing risk, and there is no process to be applied.

At the next level, Competent, the organisation will have recognised the requirement for riskmanagement, and the evidence of this recognition is shown in the organisations culture, theexistence of a process, its application and the accumulation of experience. Mostorganisations will aspire to and be satisfied with reaching Level 3 Proficient wheremanagement of risk is routine and consistent across all projects. However, the modelidentifies a further, Expert level of maturity where a risk-aware culture drives the organisationinto proactive risk management, seeking to gain the full advantages of employing bestpractice processes.

Using this basic template, the Working Party then developed a full Detailed LevelQuestionnaire in Section 5.0. This can be used by organisations not only as a tool to identifytheir current level of maturity against a number of criteria, but also to set realistic targets forimprovement, and measure progress towards achieving them.

The IACCM Detailed Level Questionnaire is provided as a set of tables with each rowcontaining one characteristic within an attribute. The descriptions of each characteristic in thetable should be considered in turn, and the appropriate maturity level selected, scoring 1, 2, 3or 4 for that characteristic. The characteristic scores for each attribute are then totalled, andthe average attribute score is calculated. The four attribute scores are then averaged to give

an overall level score.

Calculated attribute and level scores will usually not be whole integers (i.e. precisely 1, 2, 3 or4), as organisations will probably lie between the levels of the maturity model. As a result,these scores are usually presented to one decimal place. For example, Level 2.3 representsan organisation whose maturity is generally Competent but which is progressing towardsProficient in some areas.


6/14

Version: 30th


Page 6 of 14

4.0 High Level Organisational Maturity Characteristics

Level of Maturity

Attribute: Novice Competent Proficient Expert

CULTURE Risk averse

Lacking awareness /understanding

Lacking strategy

Lacking commitment

Patchy, inconsistent

Some understanding /awareness

Cautious approach,reactive

Prepared to take appropriaterisks

Good understanding of benefitsacross most of organisation

Strategy mapped into processimplementation

Proactive

Intuitive understanding

Belief, full commitment to bethe best

PROCESS Where present tend to beinefficient informal, ad-hoc

Inconsistent

No learning fromexperience

Standard approach /generic.

Consistent approach butscalable

Tailored to specific needs

Adaptive

Proactively Developed

Fit for purpose

Best of Breed

EXPERIENCE None; nothing relevant Basic competence Proficient

Formal qualifications

Extensive experience

Leading qualifications

Externally recognised highcompetence

APPLICATION Not Used Inconsistent majorprojects only

Process driven

Inadequately resourced

Consistently applied

Adequately resourced

Proactively resourced

Across entire business

Flexible

Measured for improvement


7/14

Version: 30th


Page 7 of 14

5.0 Detailed Level Questionnaire

A B C D

Level of Maturity Score

Attribute Novice Competent Proficient Expert

1-Novice2-Competent

3-Proficient4-Expert

CULTURE

Risk averseLacking awareness /understandingLacking strategyLacking commitment

Patchy, inconsistentSome understanding /awarenessCautious approach,reactive

Prepared to takeappropriate risksGood understanding ofbenefits across most oforganisationStrategy mapped intoprocess implementation

ProactiveIntuitive understandingBelief, full commitment tobe the best

1.1. Senior Management

Attitude to RiskManagement Process

Unsupportive or hostile Passive support Promote and support

concept

Actively champion with

understanding

1.2. OrganisationalCommitments to Policy,Process and People

No commitment Different groups do differentthings. Responseuncoordinated, no cohesionbetween groups

Generally consistentacross all organisation(some deviation)

Consistent across allorganisation with process inplace for continualimprovement

1.3. Belief in Value of RiskManagement

Perception is that riskmanagement is adistraction

Perceived as having limitedvalue by entire organisation

Belief that riskmanagement can help andadd value

Belief can improve businessperformance and include inbusiness targets

1.4. Goal Congruence andAttitude Alignment

Negative alignment Neutral alignment withpersuasion towards goal

congruence

Individuals objectivesmatch company

Striving to make continuousimprovements, active

alignment to create synergy1.5. Approach to Risk Sharing

(external)No sharing at all. Customerpushes all risk to prime /subs

Reasonable risk allocationbut poor reward structure

Open risk / rewardrelationship (customer /prime / subcontractors)

Help other parties managetheir risks and share /amend rewards

1.6. Approach to Risk Sharing(internal)

No sharing at all Discussions documentedoccasionally

Open communicationsbetween departments

Proactively helps otherparties manage their riskand share / amend rewards


8/14

Version: 30th


Page 8 of 14

CULTURE Novice Competent Proficient Expert

1-Novice2-Competent3-Proficient4-Expert

1.7. Risk Appetite Either risk averse or takesrisk without knowledge /understanding of risksinvolved

Some understanding andawareness of need to takerisks

Understands wantsmanages and takes risksappropriate to thecompany

Understands the need forand actively manages aportfolio of risks

1.8. Risk Response Strategies

(ways of avoiding orreducing risk)Turndown, Transfer, Treat,Tolerate

Accepts risks without

strategy or turndown, noknowledge of availableoptions or decision takenon inappropriateinformation

Tendency to choose

standard response withoutdue consideration of allpossible options

Considers every risk and

chooses an appropriateresponse applyingconsidered strategies

Highly developed set and

range of strategies appliedappropriately. Considersrisks on their merits andchooses / makes mostappropriate response

1.9. Risk Awareness No shared criteria Commonality in discretegroups. Risk defining termsare used consistentlyacross company. Mostemployees are aware ofrisk pertaining to their roles

Risk glossary existsdefining terms which areused consistently acrosscompany. All employeesaware of risk pertaining totheir role.

All employees are aware ofimpact of risks in context ofcompany

1.10. Communication of RiskStrategy

Little or adhoccommunication

Strategy communicatedbetween departmentsoccasionally, howeverinformation is not clear orconcise

Strategy and process inplace and communicatedbetween individualsprojects departmentsand organisation

Strategy and process inplace and used betweenindividuals projects departments organisation.Feedback flowing up anddown organisation

CULTURE Total = x (Maximum = 40)

Ave Score = x

(Total divided by number ofattributes)


9/14

Version: 30th


Page 9 of 14



PROCESS

Where present tend tobe inefficient informal,ad-hoc

InconsistentNo learning fromexperience

Standard approach /generic

Consistent approach butscalableTailored to specific

needs

AdaptiveProactively DevelopedFit for purpose

Best of Breed

2.1. Risk Response Strategy No strategy Strategy is inconsistentlyapplied

Strategy is consistentlyapplied

Strategy proactivelymodified to reflect changesin environment

2.2. Formality No formality Adhoc and inconsistent Well structureddocumented andconsistently implemented

Right level of formality forthe type of risk. Users canproactively modify andformalise the existingprocesses to suit thesituation

2.3. Effectiveness Not effective Works in specific areas(partially effective)

Works consistently at / forall levels in theorganisation

Adapts pro actively tointernal and externalchanges

2.4. Durability Breaks / fails often Process is tried and testedand based on past /historical business

Process is relevant tocurrent business needs

Relevant, evolves to meetchanging needs ofbusiness maturity

2.5. Scope Little or nothing available Available in a few areas Common across thecompany

Fit for purpose by businesstransaction and modified tomeet business needs

2.6. Knowledge Management Poor, either information is

frequently lost and toolsavailable are inadequate ornon existent

Tools available used on

adhoc basis, consequentlyinformation is captured andapplied inconsistently

System is maintained,

populated and used,information is captured andused to modify workingpractices

System is comprehensive

and available, includesexternal data, knowledge iscaptured, discussed andcommunicated as part ofthe organisations culture


10/14

Version: 30th


Page 10 of 14

PROCESS Novice Competent Proficient Expert


2.7. Integration with OtherBusiness Processes

None Insular (Functionallyorientated)

Part of the businessprocess (cross functional)

Across total supply chain(supplier/ prime / customer)

2.8. Scalability Nothing to scale Fixed scale Scalable in few steppedincrements by division /unit. Small number of fixed

options (small / medium /large)

Fully scalable andmanaged with flexibleapproach to meet all

business requirements

PROCESSTotal = x (Maximum = 32)

Ave Score = x(Total divided by number ofattributes)


11/14

Version: 30th


Page 11 of 14



EXPERIENCENone; nothing relevant Basic competence Proficient

Formal qualificationsExtensive experienceLeading qualificationsExternally recognised

high competence3.1. Access to Qualified Staff in

OrganisationNo access to people withrelevant risk managementqualifications

Access to people withcurrent qualification whichincludes a risk managementmodule

Access to people withcurrent risk managementqualifications

Fellow of Institute of RiskManagement or MSc inRisk Management

3.2. Range and Depth ofExperience of People inRisk Management

None relevant to riskmanagement

Worked in risk managementcapacity on a range ofprojects but less than 5years experience

Worked on several similarprojects for more than 5years

Worked on / led riskmanagement aspect onextensive range of projects

3.3. Attitude Alignment of RiskManagement Team to

Organisation

Negative alignment Neutral alignment Positive alignment Active alignment

3.4. Skills and Capabilities ofPeople Responsible forRisk Management

None relevant to riskmanagement

Basic skills able toparticipate in riskmanagement issues

Can lead and is able to takeinitiative

Trains / mentors and ableto tackle unexpected issues

3.5. Corporate ResourceAllocation

Resource is allocated asavailable no planning /forecasting involved

Limited resources poorlypublicised Roles coveredbut not all by appropriateresources

Comprehensive, relevantand available

Active dissemination of bestpractices Able to apply bestresources at any time

3.6. Training / PersonalDevelopment

None Minimum training Formal organised andupdated programme

Incentivised training planand training activelyencouraged

EXPERIENCE Total = x (Maximum = 24)



12/14

Version: 30th


Page 12 of 14



APPLICATION Not UsedInconsistent majorprojects onlyProcess driven

Inadequately resourced

Consistently appliedAdequately resourced

Proactively resourcedAcross entire businessFlexible

Measured forimprovement

4.1. Adequacy of RiskManagement Resources inrelation to an activity orevent

None Limited Adequate Sufficient and proactive

4.2. Use of Policies / Standards Not used Not consistently used orfully adhered to

Used and adhered to Used appropriately andadhered to

4.3. Use of AppropriateProcesses / Systems forProject

None or inappropriate Not consistently used orfully adhered. Roles aredefined and allocated

Used and adhered toOrganisation is adequatelystructured and regularly

reviewed and understood

Used appropriately andadhered to. Organisation isflexible, current and clearly

understood4.4. Effective Implementation of

Response to RiskNo responses actioned Selected responses not

effectively employedSelected responses areeffectively employed for allidentified risks

Selected responses areeffectively employed forrisks including emergentrisks. Responses can copewith anything. Ability tohandle emergent risks

4.5. Quality of Reporting toStakeholders

None Routine non filtered riskreporting

Stakeholders aware ofrelevant risks

Interactive risk reporting

4.6. Feed forward to futureProjects

None Routine non filteredanalysis

Managed and lessonslearned communicated

Strategic review (includingexternal data) and lessons

learned implemented4.7. Use of Metrics /

Performance ManagementNone or detrimental Generic measures Project specific to

determine successIncentivised to encouragecontinued improvement

APPLICATION Total = x (Maximum = 28)



13/14

Version: 30th


Page 13 of 14

6.0 Summary Scores

Total ScoreAvailable

Actual Score AverageScore

CULTURE 40

PROCESS32

EXPERIENCE24

APPLICATION 28

OVERALL SCORE

FOR THE ORGANISATION:


14/14

Version: 30th


Page 14 of 14

7.0 Business Unit Sizing Questionnaire

In order to allow us to undertake some analysis we would appreciate knowing more about the operating element of your company for which you will completethe business risk maturity model. This could be your entire company or, preferably, the individual operating unit which is reasonably self contained andoperates as a business entity.

Turnover?

Organisational Maturity in Risk Management

Documents

Transcript of Organisational Maturity in Risk Management