ERM MATURITY MODEL
ERM programs take time to establish and mature, and building the right foundation is critical.
Patience is not an absence of action; rather it is "timing"; it waits on the right time to act, for the right principles and in the right way.
– Fulton J. Sheen
Enterprise risk management programs are designed to drive identification of risks that may affect a company and management of those risks in order to enable achievement of the company's objectives. As the level of risk management capability matures, the value of ERM becomes more visible and impactful. The stages of risk management maturity can be described in many ways, all of which generally fall into the following levels (see Exhibit 12.1);
• Ad hoc risk management.
Risk Management activities are designed to address a specific problem or task, and not intended to be adapted for wider application.
• Targeted risk management.
Independent risk management activities are focused on a limited set of specific risk areas.
• Integrated risk framework.
A common, repeatable enterprise framework is used for assessment, ownership and accountability, and reporting of risk management performance.
Exhibit 12.1 Enterprise Risk Management Maturity Model
• Risk intelligent.
Established processes are used to continuously measure and monitor risk management effectiveness and drive optimal performance.
• Risk leadership.
Risk management is seamlessly embedded in strategic decision making.
The speed at which a company moves through each level of maturity will vary, as it must be tailored to the individual needs and capacity for change of the company.
BENEFITS OF MEASURING PERFORMANCE IN ERM PROGRAMS
Performance measurement is not new. Measuring performance provides insights into where additional attention may be required or potential opportunities exist. Understanding the risk landscape enables business leaders to formulate and execute strategies informed by potential pitfalls and opportunities. The use of measurements to monitor current significant risks, highlight emerging risks, and understand the impact of both on company strategies and objectives is a key component of any ERM program.
The type of performance measures used varies based on the objective. Key risk indicators (KRIs) can be used to understand how potential emerging risks or trends may impact current risks, business opportunities, and business strategies. Key performance indicators (KPIs) can be used to measure the effectiveness of risk management activities. Both of these types of indicators are important, and using a combination of KRIs and KPIs can increase the value achieved from an ERM program.
