A while back I created a risk maturity methodology for the Auditor General's Office in one of the European countries. This model, with some modification, later became the basis for the annual risk maturity assessment that our company and Deloitte ran across CIS countries for over 4 years. I also used this maturity model to audit risk management effectiveness in Europe and the Middle East. So, as you can probably guess, I have a lot of data points and thought it would be interesting for you to see how your company compares and where you stand in terms of integrating RM2 into decision making.
To keep this simple I selected the 10 most interesting metrics covering integration of risk management into decision making, planning and performance management. Each of the questions has 3 options: option A implies little or no formal risk management, option B implies RM1 (a window-dressing and ineffective COSO-style approach) and option C implies RM2 (based on decision science and probability theory). Each option is scored to calculate the overall maturity out of 100%.
Overall risk maturity
Over the last few years more than 500 companies have participated. Based on the overall assessment of maturity, less than 10% of the companies surveyed have begun their RM2 journey. Most participants indicated little to no formal risk management or various types of RM1, which is a nice way of saying no effective risk management. The results are alarming to say the least. Let’s investigate where the problem lies in each of the 10 questions below.
1. Integration into planning and budgeting
Only 23% of respondents claim to have RM2 practices when integrating risk analysis into planning and budgeting. 77% have limited or no integration, which implies risk management is purely a corporate governance exercise, window dressing and lip service.
- Risks related to the achievement of strategic goals or budget are not analyzed or analyzed after the strategy or the budget have been approved – 40%
- The results of the risk analysis are considered by the management when setting goals / forming the budget, however this is done ad-hoc and not formalized – 38%
- Risk management is integrated directly into planning and budgeting processes. Goals, objectives and annual budget are set based on the risk analysis – only 23%
2. The effect of risk analysis on objectives and budgets
Only 23% of respondents claim to have RM2 practices when linking outputs from risk analysis to objective setting or budget planning. This means 77% of the participants do risk assessments that exist in a parallel universe, disconnected from anything meaningful for the company: risk analysis is disconnected from planning and budgeting, and the outputs of risk analysis are ignored by decision makers and Boards.
- Strategic objectives and budgets are usually updated after risk events happen and losses are incurred, rather than preventively – 23%
- There is a regular risk assessment process (annual, semi-annual, quarterly or monthly). Risk assessments are initiated and carried out on time, however the outcomes of risk assessments are not directly linked to the actualization of strategic goals and budgets – 55%
- The outcomes of risk analysis directly affect the revision of strategic goals and budgets – 23%
3. Integration into the decision-making processes
Only 25% claimed that significant strategic, budget or investment decisions are made by management only after thorough risk analysis has been conducted, alternatives analysed and mitigation actions discussed. 75% don’t regularly and systematically perform risk analysis for important decisions.
- Strategic and investment decisions are made by top management throughout the year without any systematic, structured or transparent risk analysis – 33%
- The risk analysis is conducted only for some significant decisions, however this is done ad-hoc – 43%
- Significant strategic, budget or investment decisions are made by management only after conducting thorough risk analysis, alternatives are analysed and mitigation actions are discussed – 25%
4. Discussing risks with the Board
30% of the participants claim to have clear and transparent risk communication with the Board. For them, issues related to risk management are discussed as part of each significant decision instead of as a separate agenda item. 70% either don’t discuss risks with the Board or do it at pre-defined intervals disconnected from decisions made by the Board.
- Issues related to risk management are not regularly included on the Board’s agenda – 23%
- Issues related to risk management are discussed at the Board on a quarterly basis, once every six months or at least on an annual basis – 48%
- Issues related to risk management are discussed as part of each significant decision instead of as a separate agenda item. Risks are presented in a systematic, consistent and complete manner. In situations of high uncertainty risk management professionals are invited to the Board meeting to participate in the actual decision-making process – 30%
5. Documenting the outcomes from risk analysis
44% of the participants claim that outcomes of risk analysis are documented and included in the materials accompanying each significant decision. This is probably the most positive response we have seen so far. Still, 56% don’t document the results of risk analysis well, creating no audit trail and no possibility for back-testing and validation.
- Risk analysis is informal and not documented at all – 26%
- Some risk analysis is carried out, but the outcomes are not always documented – 31%
- The outcomes of risk analysis are documented and included in the materials accompanying each significant decision – 44%
6. Integration into core operational processes
Only 30% of the participants claimed that risk management is integrated into core operational processes within their organisations (sales, production, logistics, etc.). 70% continue to treat risk management as a separate stand-alone exercise, limiting the value they get from effective risk management.
- The organization identifies, analyses and manages only those types of risks, which are regulated by law – 35%
- Risks associated with the core operational processes are identified, assessed and managed at a given frequency (quarterly, semi-annually or on an annual basis) – 35%
- Risk management is integrated into core operational processes, risks are analysed not at a given frequency, but as an integral part of the operating activities – 30%
7. Risk management techniques used
Only 28% of the participants claim to be using RM2 techniques that link risk information to objectives and decisions. 72% either don’t do risk analysis or use techniques that have been scientifically shown to be ineffective. In other words, 72% of the companies surveyed do risk management, but it would probably be better if they didn’t. 55% use heat maps and risk registers to store and communicate risk information; it is truly a sad day for the risk profession.
- Risk assessment results are not documented – 18%
- Risk assessment results are documented as heat maps and / or risk registers – 55%
- Risk assessment results are documented in the form of business indicators or key performance indicators based on risk (CF@Risk, Earnings@Risk, RAROC, KPI@Risk, Schedule@Risk), which show the effect of risks on the company’s objectives – 28%
8. Integration into the back-office processes (procurement, finance, IT, legal, etc.)
Only 23% of the participants claimed that risk management is integrated into back-office processes within their organisations (procurement, finance, IT, legal, etc.). 77% continue to treat risk management as a separate stand-alone exercise and have so far failed to optimise back-office processes through risk management.
- Risk assessments on back-office processes and supporting functions are done informally or post factum – 28%
- Risks associated with the back-office processes are identified, assessed and managed at a given frequency (quarterly, semi-annually or on an annual basis) – 50%
- Risk management is fully integrated into back-office processes, risks are analysed not at a given frequency, but as an integral part of the operating activities – 23%
9. Risk management disclosure in management reporting
35% of the participants claim to provide transparent disclosure about risk management in financial and management reporting. Given the value even disclosure alone can generate with insurers, credit rating agencies, stakeholders and auditors, this is very surprising.
- Risk management information is not covered in financial or management reporting – 33%
- Organisation discloses risk management information in line with the minimum requirements for the preparation of annual reports and financial statements – 33%
- Information on the existence of a systematic and integrated risk management approach, risk management procedures and the outcomes of the risk analysis is presented in the financial and management reporting in line with the ISO31000:2018 principles. Actions aimed at developing risk management culture are also covered – 35%
10. Interaction with Internal Audit
Only 30% of the participants claim to have an effective two-way risk information exchange with internal audit teams. 28% claim risk management processes are not linked to internal audit or internal control activities at all, which is bound to break some IIA standard.
- Risk management processes are not linked to internal audit or internal control activities – 28%
- Risk management professionals provide information about risks to the internal audit department to create risk-based audit plans and to the internal control department to optimize the internal control system within the organization
- All internal audit and internal control activities (audit plan, structure of reports, scope of work) are based on risk information. Information about control weaknesses and internal audit findings is used by risk managers to perform quantitative risk assessments to support executive and Board decision making – 30%
Where does your company stand in terms of risk maturity?