RIMS ERM Conference 2021: Introducing the New RIMS Maturity Model

This morning at the two-day RIMS ERM Conference 2021, attendees got a “sneak preview” of the new RIMS Risk Maturity Model, presented by Carol Fox, former RIMS vice president of strategic initiatives, and Tom Easthope of Microsoft’s enterprise risk management team. RIMS decided to “reboot” the Risk Maturity Model, Fox said, since the original model was launched in 2006, and the field of risk management had changed quite a bit in the years since, as had the world in general.

Easthope outlined how the new Risk Maturity Model was “designed by practitioners, for practitioners” with input from peers, pundits, academics and critics, to show what success looks like in mature organizations. To achieve this, the new model focuses on how advanced an organization’s risk management capabilities are, not necessarily whether the organization had performed specific actions, as the previous model stressed.

Fox told the audience, which attended in person and tuned in online, that the new Risk Maturity Model was built to “grow as the profession grows,” and outlined its five pillars:

  1. Strategy Alignment: Risk related to strategy can lead to riches or ruin.
  2. Culture and Accountability: Culture and accountability drive action.
  3. Risk Management Capabilities: Risk management capabilities encompass more than proficiencies in a single process.
  4. Risk Governance: Integrated governance leads to performance improvements.
  5. Analytics: Analytics are the engines to inform decision making and influence action.

The model is also customizable for each individual organization’s goals and context. When answering the model’s questions, risk managers will have the opportunity to specify their organization’s target on each metric. Success is then measured along five tiers, with Tier 1 being “No formal capacity in place” and Tier 5 indicating that “Capability exists in a continuous improving cycle, informed by internal/external inputs.” The model will not only give a score, but also provide risk managers next steps to help them advance their programs to the next level.

A presentation slide titled "Differentiating the Five Tiers," outlining the five tiers of the model's potential results.

As more people enter data and use the model, risk managers will be able to compare their own performance against that of other organizations and industries—though the presenters stressed that the data provided will be anonymized to both users and the researchers behind the scenes. Companies will also be able to access reports on different respondents across departments to see how answers differed within the organization.

The presenters extended an invitation to participate in the next phase of testing and to give feedback. The goal, they said, is for the model to reflect the reality of risk management today and to “evolve with the world that we live in.” Beta testing is slated to begin in December and to get involved, interested risk managers can contact the organization through the RIMS app, get in touch with Fox and Easthope via LinkedIn, or email RIMS vice president of strategic initiatives Soraya Wright.

This session and many others from the conference can be viewed on-demand online after the event.

Can ORSA Work For All Businesses?

In addition to impacting the way countless organizations conduct business, the 2008 financial crisis was an awakening for regulators charged with reviewing and setting the rules that shape the way organizations assume risk. Insurance, perhaps the riskiest business of them all, did not go unscathed.

Not only are insurers responsible for managing their own internal risks, but careful calculations and guidelines are built into their business models to ensure that the risks fall within set parameters.

Regulators will argue, however, that this wasn’t always the case.

Own Risk Solvency Assessment (ORSA) was adopted and now serves as an internal process for insurers to assess their risk management processes and make sure that, under severe scenarios, the insurer remains solvent.

U.S. insurers required to perform an ORSA must file a confidential summary report with their lead state’s department of insurance. The assessment aims to demonstrate and document the insurer’s ability to:

  • Withstand financial and economic stress with a quantitative and qualitative assessment of exposures
  • Effectively apply enterprise risk management (ERM) to support decisions
  • Provide insights and assurance to external stakeholders

While ORSA is a requirement for insurers, a new study by RIMS and the Property Casualty Insurers Association, Communicating the Value of Enterprise Risk Management: The Benefits of Developing an Own Risk and Solvency Assessment Report, maintains that ORSA can be used by any organization looking to strengthen its ERM function.

According to the report:

Whether or not required by regulation or standard-setting bodies, documenting the following internal practices is a worthwhile endeavor for any company in any sector to utilize in their goal to preserve and create value:

  • Enterprise risk management capabilities
  • A solid understanding of the risks that can occur at catastrophic levels related to the chosen strategy
  • Validation that the entity has adequately considered such risks and has plans in place to address those risks and remain viable.

The connection between the ORSA regulation imposed on insurers and the development of an ERM program within an organization outside of the insurance industry is apparent.

ORSA and ERM both require the organization to strengthen communication between business functions. Breaking down those silos is key to uncovering business risks and, perhaps more importantly, the interconnectedness of those risks.

Secondly, similar to ERM in non-insurance companies, ORSA requires risk management to document its findings, processes and strategies. Such documentation allows the process of managing risks to be communicated effectively to operations, senior leadership, regulators and stakeholders. Documentation also enhances monitoring efforts and the ability to make changes to the program, and it allows ERM to reach a “repeatable” maturity level as defined by the RIMS Risk Maturity Model.

Developing an ERM program has become a priority for many organizations as senior leaders recognize the value of having their entire organization thinking, talking and incorporating risk management into their work. Examining and implementing ORSA strategies can be an effective way for risk professionals to get their ERM program off the ground and operational.

Key Steps to a Robust Risk Management Program

Our business environment is constantly changing—technologies improve, regulations are modified, competition increases, and demand evolves. Effective risk management grants an ability to adapt to these changes.

Recent headline events, including the Volkswagen emissions deception, the Wells Fargo scandal, and the penalty paid by Dwolla to the Consumer Financial Protection Bureau (CFPB), illuminate powerful motivators for strong risk management programs. Key to a robust program is preventing stressful, and possibly catastrophic, surprises.

When Plains All American Pipeline failed to detect corrosion in its pipeline, for example, the result was a 3,000-barrel oil spill and millions of dollars in fines. The corrosion had run under the radar because the company did not delegate sufficient inspection resources and did not maintain proper procedures and systems for preventing problems from escalating into emergencies. Risk management best practices, however, could have standardized these procedures throughout the organization and prevented the disaster from occurring.

Complying with regulators like the SEC and CFPB
Dwolla, a small, private e-commerce and online payment company, was found by the CFPB to be guilty of risk management negligence for inadequate data security practices. The catch is that Dwolla did not suffer a data breach and none of its customers were compromised.

The CFPB fined Dwolla $100,000 as part of its increased focus on companies’ existing prevention strategies. Regulators are no longer simply pursuing organizations that have suffered risk management incidents; organizations need to take proactive approaches rather than simply hope to get by.

Improving productivity and encouraging innovation
An independent, peer-reviewed report, “The Valuation Implications of Enterprise Risk Management Maturity,” published in The Journal of Risk and Insurance, proved that organizations with mature ERM programs (as defined by the RIMS Risk Maturity Model) can achieve a 25% firm valuation premium over those without. Risk management does not have to be a burdensome addition to daily responsibilities—and if it is executed properly, it won’t. It simplifies daily operations by increasing transparency and allowing more resources to be devoted to value-add activities, like product development and customer services.

Checklist for evaluating your risk management efforts

A better question than “does my organization perform risk management?” is “how effectively does my organization identify and mitigate risks?” The following checklist outlines characteristics common to effective risk management programs. Your organization should prioritize development in these areas.

  1. Effective risk management governance

Boards, through their risk oversight role, are accountable for a risk’s material impact, whether the cause is at the executive level or on the front lines. The SEC considers “not knowing about a material risk” negligence, which carries the same penalties as fraud.

  • The board must monitor the effectiveness of the organization’s risk management process, ensuring it reaches all levels and business areas.
  • Internal auditors must independently confirm the board is informed on all material risks.
  • All material risks must be disclosed to shareholders, along with evidence that they are effectively mitigated.

  2. Performance management and goal management

  • Divide corporate objectives into business-unit contributions.
  • Identify business processes contributing to a goal within each business unit.
  • Cascade goals to all front-line managers within contributing processes.
  • Aggregate goal assessments and determine links between contributing business processes.

  3. Consistent risk identification and prioritization

Risk assessments must address more than high-level concerns. Effective assessments drill into risk events, uncovering the root cause, or problem “driving” the risk. Repeatable risk assessments are based on common numerical scales and scoring criteria across departments.

  4. Actionable risk tolerances

Risk appetite is a high-level statement that serves as a guide for strategic decisions. In order to be actionable, it should be accompanied by its quantitative cousin, risk tolerance. Risk tolerance is an effective monitoring technique for key performance goals and risk metrics.

  5. Centralized risk monitoring and control activities

Risk managers need to do more than design processes to identify risks and appropriate responses. A critical third component—monitoring—is the verification of a control’s effectiveness over the risk. A few key things to keep in mind to make monitoring effective:

  • Adjust risk assessments over time (spend less time on risks with decreasing indexes).
  • Reduce testing by identifying areas that can share controls (increase organizational efficiency).
  • Link risks and activities to determine which processes need to be monitored (prioritize activities/initiatives).
  • Monitor business metrics (discover concerning trends before they affect the organization).

  6. Forward-looking risk and goal reporting and communication

In order to continue funding their organizations’ risk management programs, boards need evidence that those programs are working. Risk managers should ask two basic questions before reporting to the board:

  • How might identified risks affect the board’s strategic objectives and key concerns?
  • Which metrics or trends most validate the program’s effectiveness?

These items are just a starting point for an analysis of your organization’s program. For a more in-depth blueprint and “state of ERM” report, take the RIMS Risk Maturity Model (RMM), a free best-practice assessment tool that scores risk management programs and generates an immediate report of your organization’s risk maturity.

RIMS Risk Maturity Model: Root Cause Discipline

The last article discussed the first two attributes of the RIMS Risk Maturity Model (RMM), ERM-Based Approach and ERM Process Management; our focus here is on the third attribute, Root Cause Discipline.

Root Cause Approach

In Washington, D.C., officials tried, but were nearly helpless in stopping the deterioration of the Lincoln Memorial. Rather than address the damage with costly repairs, they instead traced the concern back to a root cause. Deterioration was caused by the high-powered hoses needed to clean the building—which were necessary because the building was an attractive home for birds. Birds were drawn to a very dense population of insects, which were attracted to the bright lights of the memorial. So how do you stop the Lincoln Memorial from deteriorating? You dim the lights.

The root cause methodology provides clarity by identifying and evaluating the origin of the risk rather than the symptoms. Unveiling the triggers behind high-level risk and loss events points to the foundation of where an organization is vulnerable.

Uncovering, identifying and linking risks back to the root causes from which they stem allows organizations to gather meaningful feedback and move forward with accurate, targeted mitigation plans.

To illustrate an example in a business environment, consider the risk of inadequate training. Within an organization, there may be multiple departments experiencing risk regarding their training policies, procedures and documentation, yet each area is likely to be recording and recognizing this risk in its own way. The result is an extensive amount of information recorded in spreadsheets that requires time and energy to sort and sift through. By identifying the root cause, a risk manager can expose the underlying commonality between departments and their concerns, allowing more effective identification and mitigation of systemic risk.

Applying root cause to your current approach

To integrate this type of approach to an enterprise risk management (ERM) program, you must first identify the root cause foundation of your organization. The RMM is built on five root cause categories which cover all enterprise risks:

  • External – risks caused by third-party, outside entities or people that cannot be controlled by the organization
  • People – risks involving employees, executives, board members and all those who work for the organization
  • Process – risks that stem from the organization’s business operations, including transactions, policies and procedures
  • Relationships – risks caused by the organization’s connections and interactions with customers, vendors, stakeholders, regulators or third parties
  • Systems – risks due to theft, piracy, failure, breakdown, or other disruption in technology, plant, equipment, facility, data or information assets

Understanding which core area of the organization a risk stems from provides the ability to effectively understand and mitigate the risk. For instance, theft from an external third party is very different from theft by an internal employee, and will thus call for a very different response and mitigation strategy. The former would require an investment in IT or infrastructure, while the latter would need an HR policy change or a new ethics program.

Looking for an example of root cause? Download our complimentary Risk Assessment Template.