
RIMS ERM Conference 2021: Introducing the New RIMS Maturity Model

This morning at the two-day RIMS ERM Conference 2021, attendees got a “sneak preview” of the new RIMS Risk Maturity Model, presented by Carol Fox, former RIMS vice president of strategic initiatives, and Tom Easthope of Microsoft’s enterprise risk management team. RIMS decided to “reboot” the Risk Maturity Model, Fox said, since the original model was launched in 2006, and the field of risk management had changed quite a bit in the years since, as had the world in general.

Easthope outlined how the new Risk Maturity Model was “designed by practitioners, for practitioners,” with input from peers, pundits, academics and critics, to show what success looks like in mature organizations. To achieve this, the new model focuses on how advanced an organization’s risk management capabilities are, not on whether the organization has performed specific actions, as the previous model stressed.

Fox told the audience, which attended in person and tuned in online, that the new Risk Maturity Model was built to “grow as the profession grows,” and outlined its five pillars:

  1. Strategy Alignment: Risk related to strategy can lead to riches or ruin.
  2. Culture and Accountability: Culture and accountability drive action.
  3. Risk Management Capabilities: Risk management capabilities encompass more than proficiencies in a single process.
  4. Risk Governance: Integrated governance leads to performance improvements.
  5. Analytics: Analytics are the engines to inform decision making and influence action.

The model is also customizable for each individual organization’s goals and context. When answering the model’s questions, risk managers will have the opportunity to specify their organization’s target on each metric. Success is then measured along five tiers, with Tier 1 being “No formal capacity in place” and Tier 5 indicating that “Capability exists in a continuous improving cycle, informed by internal/external inputs.” The model will not only give a score, but also provide risk managers next steps to help them advance their programs to the next level.

A presentation slide titled "Differentiating the Five Tiers," outlining the five tiers of the model's potential results.

As more people enter data and use the model, risk managers will be able to compare their own performance against that of other organizations and industries—though the presenters stressed that the data provided will be anonymized to both users and the researchers behind the scenes. Companies will also be able to access reports on different respondents across departments to see how answers differed within the organization.

The presenters extended an invitation to participate in the next phase of testing and to give feedback. The goal, they said, is for the model to reflect the reality of risk management today and to “evolve with the world that we live in.” Beta testing is slated to begin in December and to get involved, interested risk managers can contact the organization through the RIMS app, get in touch with Fox and Easthope via LinkedIn, or email RIMS vice president of strategic initiatives Soraya Wright.

This session and many others from the conference can be viewed on-demand online after the event.

RIMS Risk Maturity Model: ERM Approach and Process Management

Last week, we introduced the latest findings from studies of the RIMS Risk Maturity Model. In an effort to explain the model and results of the study more fully, it’s beneficial to break the RMM into each of its attributes. Here we’ll examine the first two attributes of an effective ERM program, ERM Based Approach and ERM Process Management.

ERM Based Approach

The emphasis of this attribute is to move organizations from an old, obsolete style of governance to a more holistic, integrated approach. Old-style governance is focused on regulatory compliance and silo-specific risk management. The problem with this approach is that it leaves the organization exposed to risk that isn’t governed by regulatory mandates, as well as to cross-functional risk that may be systemic to the company.

We see examples of failures in this approach all the time. West Virginia’s water contamination crisis, for example, was caused by a series of risks with inadequate controls: the chemical tank was not adequately surveyed, employees were not directed to report the leak immediately, and even the water filtration organization wrongly estimated that it could filter the chemicals out. None of these entities was at fault from a regulatory perspective, but they were still on the hook for millions in remediation (the chemical plant filed for Chapter 11 bankruptcy in January).


An ERM approach moves organizations past regulatory concerns, which are only a subset of the overall risk universe. This requires a number of activities that the Risk Maturity Model identifies as drivers of ERM Maturity—tone from the top, assimilation into front line activities, risk ownership—which when combined result in a more risk-aware enterprise.

RIMS Risk Maturity Model: ERM Process Management

With a new governance mindset in place, organizations can move to applying a risk-based process framework of Identify, Assess, Evaluate, Mitigate and Monitor within each business process.

The RMM assesses the degree to which these activities are pervasive inside business processes. Many executives misinterpret these steps as unique to ERM, when in fact they are iterative and constantly recurring within organizations, just without any defined process or standardization.


The key to ERM process management is to create a common language and structure so that areas can better transfer knowledge to each other where beneficial. This is done by integrating these framework steps into the business in a way that provides accountability, repeatability and adequate reporting. A great example is the Vendor Management Governance function. Vendor management is frequently tasked with identifying critical vendors, assessing their risk (through due diligence, for example) and then managing it through mitigation (contracts, insurance certificates) and monitoring (shipping times, order completion).

The problem is that vendor management, like other functions, is operating independently with too little information exchanged between vendor management and other governance functions.

Why is this important?

Strategic imperatives are by nature cross-functional, but are rarely linked to processes and activities on the front line. When not linked, risks to corporate objectives are either not addressed or treated differently by the business processes. This alignment is a critical driver of ERM maturity. Organizations that can effectively communicate goals—not just at the corporate level, but down to the front lines—are better equipped to achieve results and elevate concerns.


Interested in seeing how this approach differs from traditional governance? Watch our short video on Strategic Risk Management.