RISK MATURITY: Are necessary resources allocated to managing risk?

While the management needs to ensure that the necessary resources are allocated to the integration of risk management into decision making and core processes, considerations of the internal and external context should apply, and in particular:

  • People responsible for managing risk should:
    • Have sufficient industry, business, and technical knowledge and experience
    • Have strong facilitation, risk perception, psychology and issue resolution skills
    • Have corporate finance, financial modeling and statistical skills
  • Roles and responsibilities of the risk management team may include:
    • Methodology support, risk analysis, risk reporting, facilitation, risk management training, awareness building and communication
    • Performing independent risk analysis for all significant decisions, in some instances having veto power on risky deals or projects (my personal favorite).
  • Time dedicated to risk management:
    • Time dedicated to risk management integration and risk analysis should be considered. It takes time to change current decision-making processes and it takes time to perform risk analysis hence some decisions may need to be delayed or more time should be allocated to decision making.
    • Time dedicated by the top management to risk discussion as part of decision making will reflect the belief that risk management increases the likelihood of achieving corporate objectives.
    • The distribution of time dedicated to the different risk management activities (e.g. risk analysis versus risk monitoring)
  • Budget dedicated to risk management:
    • As part of the mandate and commitment of the top management, budget is a critical factor and it reflects strength, the commitment, the appetite of the senior management regarding the management of risks and the desire to integrate risk management into core business activities and decision making.
    • When there is a request for budget in risk management, it should be presented in the form of a cost-benefit analysis.
    • Decision makers should have adequate resources to be able to manage the risks associated with their responsibility for achieving objectives and their decisions.
  • Risk management software (for example software for risk modeling) and other tools may be required to perform risk management activities. Although I still recommend you give ModelRisk a try, its free functionality is more than enough for many business decisions.

When assessing risk management maturity, reviewers should check whether existing risk management team and the resources dedicated to the integration of risk management into decision making are consistent with the organization’s external and internal context and the overall risk profile. This can be ascertained through the discussion with the risk management team and a sample of the executives / decision makers.

– – – – – – – – – – – – – – – – – – – – – – – – –

This is an extract from a comprehensive G31000 risk management maturity model.

Interested in buying the full G31000 risk management maturity model? Click here or contact me directly if you want me to perform a quick gap assessment at your organization or you need help to integrate risk management into a particular business process or decision.

RISK-ACADEMY offers online courses


Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!


ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.


Advanced Risk Governance

This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.