Maturity Models as a Vehicle for Improving Risk Management Practices
CEOs now readily recognize that risk is ubiquitous. Also, boards commonly accept the tenet that risk management improves business performance. However, the benefits of risk management derived by organizations will depend directly on the level of maturity of their risk management practices.
In the absence of an organization-wide knowledge infrastructure, repeatable results depend entirely on the availability of specific individuals with a proven track record - and this does not necessarily provide the basis for long-term success and continual improvement throughout an organization. As a result, organizations are increasingly turning to maturity models for assessing and improving processes on the premise that the quality of a system or product is highly influenced by the quality of the process used to develop and maintain it.
By way of definition, a Risk Maturity Model is a generally accepted reference model or framework of mature practices for appraising an organization’s risk management competency. Experience has shown that risk management maturity can be described as a series of distinct incremental steps which progressively derive greater benefits. A maturity model is a structured collection of elements that describe characteristics of effective processes.
The use of maturity models is now widespread with international adoption across multiple industries. They provide a direct way of enabling organizations to describe, communicate and implement process improvement. They contain the essential elements of effective processes and describe an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness. The ‘parent’ of the majority of maturity models is the Capability Maturity Model (CMM) published by the Software Engineering Institute (SEI) based at Carnegie Mellon University, Pittsburgh, USA.
Maturity models are a valuable tool in enabling organizations to benchmark their current risk management capability and maturity, and to understand how and where improvement may be achieved. They are a much-needed barometer for the risk management community, as well as CEOs, CFOs, CIOs, compliance, internal audit and other functions with risk management responsibilities. They are intended to provide a well-structured and detailed guide to facilitate the progressive incremental improvement in risk management practices. With the aid of a maturity model, organizations can set their realistic long-term goals for risk management, by having a clear understanding of their current maturity (in terms of current working practices) and the areas that require improvement.
As illustrated in Figure 1, to construct a maturity model three types of information are required: a set number of levels of capability, criteria in the form of risk management practices, and competencies which describe specific capabilities.

Figure 1: Inputs to a maturity model
Levels
Maturity models are typically composed of four or five levels of maturity, and the quality of the processes within each level is described by the use of assessment criteria. There is no limit on the number of criteria that might be adopted; however, models commonly contain fewer than 10 to avoid becoming unwieldy. Hence the common structure for a maturity model is a matrix, as illustrated in Table 1 below. On a completed matrix, each of the cells is populated with a competency.
The levels within a maturity model provide:
- stepping stones for incremental improvement;
- a realistic and sensible transitional route from an immature state to that of a mature and capable organization;
- a tool for the objective judgement of the quality of risk management practices.

Table 1: Structure of a maturity model
Each level is given a label and an overview or general description of what that level (of attainment) means. When constructing a model it is necessary to define each of the levels in summary form, in terms of the degree of maturity of the risk management capabilities practiced at that level. This helps organizations discern more quickly what their capabilities are and how realistically their organization’s processes can be classified.
The levels are aimed at describing a stage of development in implementing a practice. The criteria are the primary risk management practices that an organization would establish to develop risk management capabilities. These would typically be:
- Content of a risk management process;
- Applying the process;
- Providing training to enable staff to understand and implement the process;
- Management oversight of the process;
- Embedding the process within the organization.
The competencies included in the cells of the matrix describe how well developed these practices should be for each of the different levels. So for instance the competencies will describe incremental improvements in risk identification across the different levels of a model.
The growing popularity of maturity models and the breadth of their application stems from the benefits that they can offer organizations. They provide organizations with a road map for process improvement that can be readily constructed, assimilated and communicated. They also provide a vehicle for benchmarking risk management processes. They enable organizations to build an action plan of the activities they wish to embark on to improve their processes and enable the benefits of risk management to be realised in terms of minimising costly project overruns, making informed decisions when selecting between options and making the risk ownership profile of different contracts transparent.
The author
Robert Chapman is a risk management specialist and director of Dr Chapman Consulting. He can be contacted at
robert.chapman@drchapman-consulting.com