A different approach to risk maturity – a simple model

Ayse Nordal, The Municipal Undertaking for Educational Buildings and Property in Oslo
and Ole Martin Kjørstad, Bank of Norway

1 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad

 CONTENTS
1. How do we define risk maturity?
2. Why do we measure risk maturity?
3. “What is in it” for the organization?
4. Existing risk maturity models
a) Examples
b) Common features
5. The improvement potential
6. A simple model by Nordal and Kjørstad
a) Maturity objectives
b) Maturity dimensions
c) Spider web chart and on-line assessment
2 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
 1. HOW DO WE DEFINE RISK MATURITY?

Risk maturity is a benchmarking tool, which measures to what extent an

organization has implemented Enterprise Risk Management (ERM), in accordance
with prevailing best practice.

• There is no universally accepted definition of risk maturity nor a common tool for
benchmarking.

HOWEVER, the draft documents for the new updated versions of

• COSO, Enterprise Risk Management, Aligning Risk with Strategy and Performance
• ISO, 31000, Risk Management –Guidelines
include the concept.
3 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
 2. WHY DO WE MEASURE RISK MATURITY?
COSO draft framework (181) introduces a relationship between risk maturity and
risk appetite.

According to the document:

• Enterprise risk management capability and maturity provide information on how
well enterprise risk management is functioning.
• A mature organization is often able to define enterprise risk management
capabilities that provide better insight into its existing risk appetite and factors
influencing risk capacity.
• A less mature organization with undefined enterprise risk management capabilities
may not have the same understanding which can result in a broader risk appetite
statement.
4 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
 2. WHY DO WE MEASURE RISK MATURITY?

ISO 31000 draft standard defines a relationship between continuous improvement

and risk management maturity.

According to the document:

• As relevant gaps or improvement opportunities are identified, the
organization should develop plans and tasks and assign them to those
accountable for implementation.
• Once implemented, these improvements should contribute to advances in
risk management maturity.
5 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
 2. WHY DO WE MEASURE RISK MATURITY?
To be able to make a comprehensive
evaluation of the organization’s
performance against best practice criteria

To be able to identify improvement areas

and opportunities which will bring the
organization to a higher maturity level

To be able to plan and initiate appropriate

improvement measures

6 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad

 3.WHAT IS IN IT FOR THE ORGANIZATION?

Existing literature often focuses on defining maturity levels and assigning

attributes to given maturity levels in organizations.

HOWEVER, there are some studies which aim to provide evidence of the
benefits from employing risk maturity benchmarking. Examples:
• Research project by Mark Farrell from Queen’s University Management
School and Ronan Gallagher from University of Edinburgh Business School.
• EY study which uses a global survey based on 576 interviews with
companies and a review of more than 2750 analysis and company reports.
7 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
 3.WHAT IS IN IT FOR THE ORGANIZATION?
• Farrell and Gallagher’s study has evidenced

«…a clear and significant statistical correlation between mature enterprise risk
management practices and a firm’s value. Organizations exhibiting mature risk
management practices realize a valuation premium of 25%...»

• EY study has documented

«…that companies in the top 20% of risk maturity generated 3 times the level of
EBITDA as those in the bottom 20%.

8 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad

 4. EXISTING RISK MATURITY MODELS- examples
• Many risk maturity models are built on the basic principles of the Capability
Maturity Model which was developed by the Software Engineering Institute
in Carnegie Melon University in 1993.
EXAMPLE: David Hillson 1997

Levels & Culture Process Experience Application

Attributes
Natural
Normalized
Novice
Naive
9 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
 4. EXISTING RISK MATURITY MODELS- examples
EXAMPLE: RIMS (The Risk Management
Socity)’s on-line assessment model by Steven
Minsky 2006

Source: https://www.rims.org/resources/ERM/Pages/RiskMaturityModel.aspx
10 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
 4. EXISTING RISK MATURITY MODELS- examples
7 attributes:
• Adoption of ERM-based process
• ERM-Process management
• Risk appetite management
• Root cause discipline
• Uncovering risks
• Performance management
• Business resiliency and sustainability
11 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
 4. EXISTING RISK MATURITY MODELS-Common features
Many risk maturity models assume:
• A continuous progression to higher and higher maturity levels through time.
• A step by step development. It is not possible to skip a stage.
These models do not:
• Recognize that different areas in the organization may have different maturity levels
• Employ a common scale, which enables a universal and homogenous assessment
• Recognize that the requirements/ expectations of risk management may be different
in different organizations (sector, size, transaction volume)
• Recognize that traditionally, risk maturity has not been an area where the Board and
management were expected to formalize and state their ambition levels
12 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
 5. IMPROVEMENT POSSIBILITIES
ERM programs can

• start and stop

• start and stagnate
• start slowly, react and atrophy
• evolve steadily and consistently

13 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad

 6. A SIMPLE MODEL by Nordal & Kjørstad
OUR FOCUS

MATURITY LEVELS MATURITY OBJECTIVES

14 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad

 6. A SIMPLE MODEL by Nordal & Kjørstad

Dimensions Maturity objectives

Risk management, strategy and decision making All decisions (strategical, tactical and operational)
processes base on documented assessments of risks and
opportunities.
Communication, information and reporting The organization ensures continual communication
and reporting of relevant information, with
appropriate frequency.
Organization, authority and interaction The risk management function has an appropriate
organization and resource allocation.
IT –tools and analyses Risk management is based on best available
information and is suitable to organization’s needs.
Framework and processes The organization has implemented an effective and
15 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad suitable risk management framework.
 6. A SIMPLE MODEL by Nordal & Kjørstad
• Maturity is assessed separately in each dimension, by counting the number
of criteria met by the organization.

Maturity level Criteria

5 The organization satisfies all the criteria (all 10 requirements)

4 The organization satisfies 8 or more requirements

3 The organization satisfies 6 or more requirements

2 The organization satisfies 4 or more requirements

1 The organization satisfies 2 or more requirements

16 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad

 6. A SIMPLE MODEL by Nordal & Kjørstad
Criteria

are based on a documented assessment of risks

Risk management, strategy and decision making

All decisions (strategic, tactical and operational) The organization’s risk appetite is clearly defined and quantified through appropriate dimensions. This includes
both financial and operational uncertainty.
There exists documentation which evidences that decisions are made within the boundaries of approved risk
appetite.
The work on strategies and business plans includes risk assessment, which takes uncertainties in the internal
and external context into account.
and opportunities.

Assessments of risks/uncertainties form the basis for the organization’s resource allocations and budgeting.
processes

The head of the risk management function is invited to and involved in relevant decision making forums.
Achievement of objectives is measured in a way that allows for the evaluation of the degree of achievement
against the degree of uncertainty.
Assessment of uncertainty is a factor for resource allocation. The costs and benefits of improvement tasks and
actions are quantified and compared with quantified uncertainty.
Risk assessment is an integrated part of the strategic decision making process.

Documented decisions and minutes include an explicit assessment of risks and opportunities.

Achievement of objectives is reported in a manner that it can be compared to the initial risk assessments prior
17 October 2017 to undertaking
Y. Ayse B. Nordal those
and Ole Martin Kjørstad activities.
 6. A SIMPLE MODEL by Nordal & Kjørstad
Criteria
The organization ensures regular communication The organization has a plan and a policy for communication with external stakeholders.

The head of risk management has access to external reporting regarding regulatory and administrative
Communication, information and reporting

and reporting of relevant information, with

requirements.
Internal communication mechanisms have been established. These ensure information is communicated to all
relevant employees about the underlying principles, framework and processes of risk management.
appropriate frequency.

Managers and decision makers have continual access to updated information about risks as well as status of
improvement actions and work, through reporting and through continual communication.
Quality assurance of risk reporting, including reporting by managers, has been established. This process
ensures truthful, relevant, accurate and comprehensible reporting.
The organization maintains a documented and accessible overview of risk-, action- and process owners.

Information channels, forums and mechanisms have been established. These facilitate the distribution of risk
information to line management and administrative functions.
The organisation has in place processes and guidelines which take care of ethical principles, confidentiality and
integrity in connection with internal and external communication.
The organization enables transparency and cross industry co-operation when dealing with risks related to IT-
security and financial crime.
The head of risk management reports directly to the Board on a periodic basis and has a direct reporting line
18 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
when needed.
 6. A SIMPLE MODEL by Nordal & Kjørstad
Criteria
The management ensures an appropriate risk management organization and supports its work. The role and responsibility
The risk management function has an appropriate
for risk management is clearly anchored with management across the organisation.
Organization, authority and interaction

The risk management function has a mandate. It is rooted in the organization’s strategy and it backs up the strategy.
organization and resource allocation.

The head of risk management is either a member of top management or reports directly to it.

The risk management function has the necessary resources to accomplish its tasks. The risk management organization and
resources are appropriate to the size and complexity of the organization.
The organization has developed a risk culture and a common terminology for risk management.

The head of risk management has the necessary authorizations as well as the authority to be able to perform her/his
responsibilities.
The job description of the head of risk management contains requirements about risk management performance indicators,
competence and integrity.
Tasks are not allocated to the head of risk management which can hinder the execution of an effective risk management
function.
The head of risk management has established good relations with the rest of the organization. Appropriate cooperation
forums have been established which ensure effective interaction between various functions and lines of defence.

19 October 2017 The head

Y. Ayse of risk
B. Nordal management
and Ole Martin Kjørstad can not be hired or fired without the approval of the Board of Directors.
 6. A SIMPLE MODEL by Nordal & Kjørstad
Criteria
The organization has appropriate tools to facilitate and document risk management tasks, i.e. risk identification, risk
information and is suitable to organization’s needs
Risk management is based on the best available

analysis, the follow-up of the actions and improvement measures.

Users of IT-tools understand the assumptions, limitations and possibilities of these tools.
IT-tools and analyses

Decision makers have been informed about the possible limitations of models and systems which are used.
The use of models and tools is not fragmented. The models and tools include parameters which allow comparisons across
the organization.
Risk analyses are verifiable and they satisfy the requirements of reliability, completeness and traceability.
The systems which are in use are flexible and can produce reports required by the authorities and external stakeholders
(HSE reports, financial reporting etc.).
The systems which are in use can handle sensitive data in compliance with prevailing requirements.
The organization can monitor the quantifiable risk parameters continuously.
The organization has appropriate channels and tools for the reporting of events.
There exists an overview of IT-applications, interfaces between these as well as the criticality of the operations.

20 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad

 6. A SIMPLE MODEL by Nordal & Kjørstad
Y Criteria
The organization has established mechanisms which take into account knowledge of the internal and external
effective and suitable risk management context.
The organization has implemented an

The method and framework are built on a clear mandate and risk management policy with clearly defined authority-
and resource allocations.
Framework and processes

Risk management is embedded and integrated in all processes, business and administrative. No area, level or process
is excluded in the design of the risk management framework.
The framework is evaluated on a regular basis and is subject to continual improvement.
framework.

Risk management is an inclusive process which enables feedback and input from the whole organization.
Risk management is an iterative process. The process responds to changes in the environment, organization, systems
and structures.
There is a defined and readily apparent connection between calculated risks and the measurement of value creation.

Assessment models for likelihood and consequence, parameters and criteria are defined as components of the
framework and are evaluated on a regular basis.
The framework includes a system for setting priorities and for monitoring actions and improvement measures.
The framework includes periodic assessments of effectiveness as well as cost benefit of all key processes, controls
and actions.
21 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad
 6. A SIMPLE MODEL by Nordal & Kjørstad

Available
online
via IIA Norway’s
website

interaction

22 October 2017 Y. Ayse B. Nordal and Ole Martin Kjørstad