Upload
jorge-franco-zapata
View
222
Download
0
Embed Size (px)
Citation preview
7/31/2019 Organisational Maturity in Risk Management
1/14
Version: 30th
January 03 Version 014
ORGANISATIONAL MATURITY
IN BUSINESS RISK MANAGEMENT
The IACCMBusiness Risk Management
Maturity Model(BRM3)
7/31/2019 Organisational Maturity in Risk Management
2/14
Version: 30th
January 03 Version 014
CONTENTS
1.0 Introduction ....................................................................................................3
2.0 The Risk Management Working Party............................................................ 4
3.0 How to Use the Model.................................................................................... 5
4.0 High Level Organisational Maturity Characteristics ........................................ 6
5.0 Detailed Level Questionnaire .........................................................................7
6.0 Summary Scores .........................................................................................13
7.0 Business Unit Sizing Questionnaire .............................................................14
7/31/2019 Organisational Maturity in Risk Management
3/14
Version: 30th
January 03 Version 014
1.0 Introduction
1.1 General
The IACCM Risk Management working group has attempted to address the question of howan organisation could evaluate, in a quantifiable fashion, its level of maturity in the area ofbusiness risk management.
This document is aimed at providing answers to questions like:
How can I assess whether my organisations approach to risk management is adequate?
How can I compare my organisations approach with best practice or against ourcompetitors?
Is there an accepted benchmark for organisational risk management?
1.2 Process the Group Utilised
In meetings between May-October 2002, the IACCM Business Risk Management Working
Group defined four levels of organisational business risk management maturity (Novice,Competent, Proficient, Expert) against four key attributes (Culture, Process, Experience,Application). Each attribute has been further defined using several diagnostic characteristics,with each characteristic described for each of the four increasing levels of maturity.
The Group has established by reference to steps 1 to 4 as set out in 1.3 below, a model thatprovides a sound basis for individual companies to begin their evaluation cycle.
At some point in the future the Group may establish steps 5 to 12 as set out in 1.3 below,depending upon the sponsorship and direction received both from the Association and the
companies represented by the members of the working party.
7/31/2019 Organisational Maturity in Risk Management
4/14
Version: 30th
January 03 Version 014
1.3 Introduction to the Whole Model
To be able to implement a model which allows a company to address the whole evaluate,
change, review assessment cycle, the company should address all 12 steps in the cycleidentified below.
1. Agree maturity model structure (levels and attributes)2. Describe each maturity level in a summary vision statement3. Identify a set of characteristics which comprise each attribute4. Define each characteristic for each maturity level5. Determine how to measure each characteristic6. Create diagnostic tools to measure characteristics7. Create analysis tool to assist in interpretation of data
8. Identify barriers to progressing between maturity levels (1-2, 2-3, 3-4, staying at 4)9. Identify enablers to overcome barriers10. Create generic template development plans for moving between maturity levels11. Perform pilot applications of the model, reviewing and modifying if necessary
following pilot12. Publish
2.0 The Risk Management Working Party
2.1 Members of the Group
Linda Duodu - Siemens Business Services Limited
Rosemary Gott - NNC Limited
Graham Jackson - Best Practice Partnership Limited
Steve Minto - RWE NUKEM Limited
John Pedretti - Logica UK LimitedPhil Phillips - Hewlett Packard
Greg Russell - Blake Newport Associates
Dave Scarbrough - Fujitsu Services
Rachel Wilcock - Energis Communications Limited
The Group would like to give special thanks to Dr David Hillson of Project ManagementProfessional Solutions Ltd. David participated throughout this project and provided aframework for the Group to utilise in this work.
7/31/2019 Organisational Maturity in Risk Management
5/14
Version: 30th
January 03 Version 014
3.0 How to Use the Model
The model as it applies to Business Risk Management is shown as a High LevelOrganisational Maturity Model in Section 4.0. It identifies four levels of organisationalcompetence in the area of business risk management:
Novice
Competent
Proficient
Expert
and defines this competence in terms of the organisations approach against four attributes:
Culture
Process
Experience
Application
Thus, it can be seen that for an organisation at the Novice, or nave, stage the attributes aretypically all at the lowest level. The culture is unaware of the need for formal management ofrisk and it therefore follows that there are no processes in place to deal with it, theorganisation has no experience in managing risk, and there is no process to be applied.
At the next level, Competent, the organisation will have recognised the requirement for riskmanagement, and the evidence of this recognition is shown in the organisations culture, theexistence of a process, its application and the accumulation of experience. Mostorganisations will aspire to and be satisfied with reaching Level 3 Proficient wheremanagement of risk is routine and consistent across all projects. However, the modelidentifies a further, Expert level of maturity where a risk-aware culture drives the organisationinto proactive risk management, seeking to gain the full advantages of employing bestpractice processes.
Using this basic template, the Working Party then developed a full Detailed LevelQuestionnaire in Section 5.0. This can be used by organisations not only as a tool to identifytheir current level of maturity against a number of criteria, but also to set realistic targets forimprovement, and measure progress towards achieving them.
The IACCM Detailed Level Questionnaire is provided as a set of tables with each rowcontaining one characteristic within an attribute. The descriptions of each characteristic in thetable should be considered in turn, and the appropriate maturity level selected, scoring 1, 2, 3or 4 for that characteristic. The characteristic scores for each attribute are then totalled, andthe average attribute score is calculated. The four attribute scores are then averaged to give
an overall level score.
Calculated attribute and level scores will usually not be whole integers (i.e. precisely 1, 2, 3 or4), as organisations will probably lie between the levels of the maturity model. As a result,these scores are usually presented to one decimal place. For example, Level 2.3 representsan organisation whose maturity is generally Competent but which is progressing towardsProficient in some areas.
7/31/2019 Organisational Maturity in Risk Management
6/14
Version: 30th
January 03 Version 014
Page 6 of 14
4.0 High Level Organisational Maturity Characteristics
Level of Maturity
Attribute: Novice Competent Proficient Expert
CULTURE Risk averse
Lacking awareness /understanding
Lacking strategy
Lacking commitment
Patchy, inconsistent
Some understanding /awareness
Cautious approach,reactive
Prepared to take appropriaterisks
Good understanding of benefitsacross most of organisation
Strategy mapped into processimplementation
Proactive
Intuitive understanding
Belief, full commitment to bethe best
PROCESS Where present tend to beinefficient informal, ad-hoc
Inconsistent
No learning fromexperience
Standard approach /generic.
Consistent approach butscalable
Tailored to specific needs
Adaptive
Proactively Developed
Fit for purpose
Best of Breed
EXPERIENCE None; nothing relevant Basic competence Proficient
Formal qualifications
Extensive experience
Leading qualifications
Externally recognised highcompetence
APPLICATION Not Used Inconsistent majorprojects only
Process driven
Inadequately resourced
Consistently applied
Adequately resourced
Proactively resourced
Across entire business
Flexible
Measured for improvement
7/31/2019 Organisational Maturity in Risk Management
7/14
Version: 30th
January 03 Version 014
Page 7 of 14
5.0 Detailed Level Questionnaire
A B C D
Level of Maturity Score
Attribute Novice Competent Proficient Expert
1-Novice2-Competent
3-Proficient4-Expert
CULTURE
Risk averseLacking awareness /understandingLacking strategyLacking commitment
Patchy, inconsistentSome understanding /awarenessCautious approach,reactive
Prepared to takeappropriate risksGood understanding ofbenefits across most oforganisationStrategy mapped intoprocess implementation
ProactiveIntuitive understandingBelief, full commitment tobe the best
1.1. Senior Management
Attitude to RiskManagement Process
Unsupportive or hostile Passive support Promote and support
concept
Actively champion with
understanding
1.2. OrganisationalCommitments to Policy,Process and People
No commitment Different groups do differentthings. Responseuncoordinated, no cohesionbetween groups
Generally consistentacross all organisation(some deviation)
Consistent across allorganisation with process inplace for continualimprovement
1.3. Belief in Value of RiskManagement
Perception is that riskmanagement is adistraction
Perceived as having limitedvalue by entire organisation
Belief that riskmanagement can help andadd value
Belief can improve businessperformance and include inbusiness targets
1.4. Goal Congruence andAttitude Alignment
Negative alignment Neutral alignment withpersuasion towards goal
congruence
Individuals objectivesmatch company
Striving to make continuousimprovements, active
alignment to create synergy1.5. Approach to Risk Sharing
(external)No sharing at all. Customerpushes all risk to prime /subs
Reasonable risk allocationbut poor reward structure
Open risk / rewardrelationship (customer /prime / subcontractors)
Help other parties managetheir risks and share /amend rewards
1.6. Approach to Risk Sharing(internal)
No sharing at all Discussions documentedoccasionally
Open communicationsbetween departments
Proactively helps otherparties manage their riskand share / amend rewards
7/31/2019 Organisational Maturity in Risk Management
8/14
Version: 30th
January 03 Version 014
Page 8 of 14
CULTURE Novice Competent Proficient Expert
1-Novice2-Competent3-Proficient4-Expert
1.7. Risk Appetite Either risk averse or takesrisk without knowledge /understanding of risksinvolved
Some understanding andawareness of need to takerisks
Understands wantsmanages and takes risksappropriate to thecompany
Understands the need forand actively manages aportfolio of risks
1.8. Risk Response Strategies
(ways of avoiding orreducing risk)Turndown, Transfer, Treat,Tolerate
Accepts risks without
strategy or turndown, noknowledge of availableoptions or decision takenon inappropriateinformation
Tendency to choose
standard response withoutdue consideration of allpossible options
Considers every risk and
chooses an appropriateresponse applyingconsidered strategies
Highly developed set and
range of strategies appliedappropriately. Considersrisks on their merits andchooses / makes mostappropriate response
1.9. Risk Awareness No shared criteria Commonality in discretegroups. Risk defining termsare used consistentlyacross company. Mostemployees are aware ofrisk pertaining to their roles
Risk glossary existsdefining terms which areused consistently acrosscompany. All employeesaware of risk pertaining totheir role.
All employees are aware ofimpact of risks in context ofcompany
1.10. Communication of RiskStrategy
Little or adhoccommunication
Strategy communicatedbetween departmentsoccasionally, howeverinformation is not clear orconcise
Strategy and process inplace and communicatedbetween individualsprojects departmentsand organisation
Strategy and process inplace and used betweenindividuals projects departments organisation.Feedback flowing up anddown organisation
CULTURE Total = x (Maximum = 40)
Ave Score = x
(Total divided by number ofattributes)
7/31/2019 Organisational Maturity in Risk Management
9/14
Version: 30th
January 03 Version 014
Page 9 of 14
Attribute Novice Competent Proficient Expert
1-Novice2-Competent3-Proficient4-Expert
PROCESS
Where present tend tobe inefficient informal,ad-hoc
InconsistentNo learning fromexperience
Standard approach /generic
Consistent approach butscalableTailored to specific
needs
AdaptiveProactively DevelopedFit for purpose
Best of Breed
2.1. Risk Response Strategy No strategy Strategy is inconsistentlyapplied
Strategy is consistentlyapplied
Strategy proactivelymodified to reflect changesin environment
2.2. Formality No formality Adhoc and inconsistent Well structureddocumented andconsistently implemented
Right level of formality forthe type of risk. Users canproactively modify andformalise the existingprocesses to suit thesituation
2.3. Effectiveness Not effective Works in specific areas(partially effective)
Works consistently at / forall levels in theorganisation
Adapts pro actively tointernal and externalchanges
2.4. Durability Breaks / fails often Process is tried and testedand based on past /historical business
Process is relevant tocurrent business needs
Relevant, evolves to meetchanging needs ofbusiness maturity
2.5. Scope Little or nothing available Available in a few areas Common across thecompany
Fit for purpose by businesstransaction and modified tomeet business needs
2.6. Knowledge Management Poor, either information is
frequently lost and toolsavailable are inadequate ornon existent
Tools available used on
adhoc basis, consequentlyinformation is captured andapplied inconsistently
System is maintained,
populated and used,information is captured andused to modify workingpractices
System is comprehensive
and available, includesexternal data, knowledge iscaptured, discussed andcommunicated as part ofthe organisations culture
7/31/2019 Organisational Maturity in Risk Management
10/14
Version: 30th
January 03 Version 014
Page 10 of 14
PROCESS Novice Competent Proficient Expert
1-Novice2-Competent3-Proficient4-Expert
2.7. Integration with OtherBusiness Processes
None Insular (Functionallyorientated)
Part of the businessprocess (cross functional)
Across total supply chain(supplier/ prime / customer)
2.8. Scalability Nothing to scale Fixed scale Scalable in few steppedincrements by division /unit. Small number of fixed
options (small / medium /large)
Fully scalable andmanaged with flexibleapproach to meet all
business requirements
PROCESSTotal = x (Maximum = 32)
Ave Score = x(Total divided by number ofattributes)
7/31/2019 Organisational Maturity in Risk Management
11/14
Version: 30th
January 03 Version 014
Page 11 of 14
Attribute Novice Competent Proficient Expert
1-Novice2-Competent3-Proficient4-Expert
EXPERIENCENone; nothing relevant Basic competence Proficient
Formal qualificationsExtensive experienceLeading qualificationsExternally recognised
high competence3.1. Access to Qualified Staff in
OrganisationNo access to people withrelevant risk managementqualifications
Access to people withcurrent qualification whichincludes a risk managementmodule
Access to people withcurrent risk managementqualifications
Fellow of Institute of RiskManagement or MSc inRisk Management
3.2. Range and Depth ofExperience of People inRisk Management
None relevant to riskmanagement
Worked in risk managementcapacity on a range ofprojects but less than 5years experience
Worked on several similarprojects for more than 5years
Worked on / led riskmanagement aspect onextensive range of projects
3.3. Attitude Alignment of RiskManagement Team to
Organisation
Negative alignment Neutral alignment Positive alignment Active alignment
3.4. Skills and Capabilities ofPeople Responsible forRisk Management
None relevant to riskmanagement
Basic skills able toparticipate in riskmanagement issues
Can lead and is able to takeinitiative
Trains / mentors and ableto tackle unexpected issues
3.5. Corporate ResourceAllocation
Resource is allocated asavailable no planning /forecasting involved
Limited resources poorlypublicised Roles coveredbut not all by appropriateresources
Comprehensive, relevantand available
Active dissemination of bestpractices Able to apply bestresources at any time
3.6. Training / PersonalDevelopment
None Minimum training Formal organised andupdated programme
Incentivised training planand training activelyencouraged
EXPERIENCE Total = x (Maximum = 24)
Ave Score = x(Total divided by number ofattributes)
7/31/2019 Organisational Maturity in Risk Management
12/14
Version: 30th
January 03 Version 014
Page 12 of 14
Attribute Novice Competent Proficient Expert
1-Novice2-Competent3-Proficient4-Expert
APPLICATION Not UsedInconsistent majorprojects onlyProcess driven
Inadequately resourced
Consistently appliedAdequately resourced
Proactively resourcedAcross entire businessFlexible
Measured forimprovement
4.1. Adequacy of RiskManagement Resources inrelation to an activity orevent
None Limited Adequate Sufficient and proactive
4.2. Use of Policies / Standards Not used Not consistently used orfully adhered to
Used and adhered to Used appropriately andadhered to
4.3. Use of AppropriateProcesses / Systems forProject
None or inappropriate Not consistently used orfully adhered. Roles aredefined and allocated
Used and adhered toOrganisation is adequatelystructured and regularly
reviewed and understood
Used appropriately andadhered to. Organisation isflexible, current and clearly
understood4.4. Effective Implementation of
Response to RiskNo responses actioned Selected responses not
effectively employedSelected responses areeffectively employed for allidentified risks
Selected responses areeffectively employed forrisks including emergentrisks. Responses can copewith anything. Ability tohandle emergent risks
4.5. Quality of Reporting toStakeholders
None Routine non filtered riskreporting
Stakeholders aware ofrelevant risks
Interactive risk reporting
4.6. Feed forward to futureProjects
None Routine non filteredanalysis
Managed and lessonslearned communicated
Strategic review (includingexternal data) and lessons
learned implemented4.7. Use of Metrics /
Performance ManagementNone or detrimental Generic measures Project specific to
determine successIncentivised to encouragecontinued improvement
APPLICATION Total = x (Maximum = 28)
Ave Score = x(Total divided by number ofattributes)
7/31/2019 Organisational Maturity in Risk Management
13/14
Version: 30th
January 03 Version 014
Page 13 of 14
6.0 Summary Scores
Total ScoreAvailable
Actual Score AverageScore
CULTURE 40
PROCESS32
EXPERIENCE24
APPLICATION 28
OVERALL SCORE
FOR THE ORGANISATION:
7/31/2019 Organisational Maturity in Risk Management
14/14
Version: 30th
January 03 Version 014
Page 14 of 14
7.0 Business Unit Sizing Questionnaire
In order to allow us to undertake some analysis we would appreciate knowing more about the operating element of your company for which you will completethe business risk maturity model. This could be your entire company or, preferably, the individual operating unit which is reasonably self contained andoperates as a business entity.
Turnover?