RIMS Risk Maturity Model: Performance Management

In the study measuring the effects of enterprise risk management (ERM) maturity, as defined by the RIMS Risk Maturity Model (RMM) assessment, no attribute had a more meaningful impact on bottom-line corporate value than Performance Management. The correlation is not an accident. While many organizations say they have an effective handle on risk, their ability to execute the policies and procedures they have put into place is severely lacking.

The sixth RMM attribute of ERM maturity, Performance Management, measures an organization's ability to execute its vision and strategy through the effective use of a balanced scorecard.

Balanced Scorecard

The root of the balanced scorecard concept lies in the desire to turn complex but passive strategic plans into marching orders and commitment that can be executed on a daily basis. The methods of accomplishing this result are familiar to risk managers: developing standardized criteria, prioritizing activities, and monitoring results.

To execute the Balanced Scorecard concept, corporations typically have a whole host of measures for monitoring the effectiveness of control activities, but what is consistently lacking is a means to measure how effectively those control activities address performance goals. Risk bridges this gap.

The Role of Risk

Every business faces the challenge of cutting costs and making changes. After all, every activity is critically important to someone. So how do you assure that the greater good of the organization gets prioritized?

Linking risk to performance, so that each decision is risk-adjusted, addresses this challenge.

Examples of performance management in the absence of a risk-based Balanced Scorecard are widespread. BP knew back in 2002 that a lack of pipeline maintenance could result in “catastrophe,” but management instead prioritized the short-term operational budget in the interest of cutting maintenance costs. More recently, the U.S. government has dealt with criminal investigations into the Veterans Health Administration’s inability to deliver care to U.S. veterans, due to “significant and chronic system failures.” In the case of the VA scandal, monitoring metrics were improperly controlled and focused on the wrong measures of success. The result was falsified reports created in the interest of demonstrating compliance with policy, rather than execution of strategy.

A Seat at the Table

Involving risk in strategic decision making is the essence of performance management. In every failure we’ve documented, the risks were known, but rarely given a seat at the table. Organizations with mature enterprise risk management (ERM) programs have empowered their risk managers to take action and use ERM tools to support and provide transparency to the organization’s strategic plan.

To learn how Enterprise Risk Management adds transparency and discipline to an organization's strategic planning and performance management process, watch our webinar, “What is Strategic ERM.”

RIMS Risk Maturity Model: Root Cause Discipline

The last article discussed the first two attributes of the RIMS Risk Maturity Model (RMM), ERM Based Approach and ERM Process Management; our focus here is on the third attribute, Root Cause Discipline.

Root Cause Approach

In Washington, D.C., officials tried, but were nearly helpless, to stop the deterioration of the Lincoln Memorial. Rather than address the damage with costly repairs, they traced the concern back to a root cause. The deterioration was caused by the high-powered hoses needed to clean the building, which were necessary because the building was an attractive home for birds. The birds were drawn to a very dense population of insects, which in turn were attracted to the bright lights of the memorial.

So how do you stop the Lincoln Memorial from deteriorating? You dim the lights.

The root cause methodology provides clarity by identifying and evaluating the origin of a risk rather than its symptoms. Unveiling the triggers behind high-level risk and loss events points to the foundation of where an organization is vulnerable.

Uncovering, identifying and linking risks back to the root causes from which they stem allows organizations to gather meaningful feedback and move forward with accurate, targeted mitigation plans.

To illustrate with a business example, consider the risk of inadequate training. Within an organization, multiple departments may be experiencing risk regarding their training policies, procedures and documentation, yet each area is likely to be recording and recognizing this risk in its own way. The result is an extensive amount of information recorded in spreadsheets that requires time and energy to sort and sift through. By identifying the root cause, a risk manager can expose the underlying commonality between departments and their concerns, allowing more effective identification and mitigation of systemic risk.

Applying root cause to your current approach

To integrate this type of approach into an enterprise risk management (ERM) program, you must first identify the root cause foundation of your organization. The RMM is built on five root cause categories that cover all enterprise risks:

  • External – risks caused by third-party, outside entities or people that cannot be controlled by the organization
  • People – risks involving employees, executives, board members and all those who work for the organization
  • Process – risks that stem from the organization's business operations, including transactions, policies and procedures
  • Relationships – risks caused by the organization’s connections and interactions with customers, vendors, stakeholders, regulators or third parties
  • Systems – risks due to theft, piracy, failure, breakdown, or other disruption in technology, plant, equipment, facility, data or information assets

Understanding which core area of the organization a risk stems from provides the ability to effectively understand and mitigate the risk. For instance, theft by an external third party is very different from theft by an internal employee, and will thus call for a very different response and mitigation strategy. The former would require an investment in IT or infrastructure, while the latter would need an HR policy change or a new ethics program.

Looking for an example of root cause? Download our complimentary Risk Assessment Template.

Strong ERM Gives Companies Higher Market Value

A new study, “The Valuation Implications of Enterprise Risk Management Maturity,” released by the Journal of Risk and Insurance, has found that organizations exhibiting mature risk management practices realize a value growth potential of up to 25%.

The survey is the first wholly independent research project that confirms the value connection of mature enterprise risk management practices in organizations. Using RIMS Risk Maturity Model (RMM) data gathered from 2006 to 2011, Mark Farrell, the paper’s author and the actuarial science and risk management program director at Queens University Management School of Belfast (QUMS), and Dr. Ronan Gallagher of the University of Edinburgh Business School provided evidence through this research that firms that have reached mature levels of enterprise risk management exhibit a higher firm value. The broad data set encompassed publicly traded organizations from a variety of industries. Nearly half the data tabulated by the researchers was submitted by RIMS members.

The study’s authors reported that “firms that have successfully integrated the ERM process into both their strategic activities and everyday practices display superior ability in uncovering risk dependencies and relationships across the entire enterprise and as a consequence enhanced value when undertaking the ERM maturity journey.”

The authors added, “Upon decomposition of the maturity score, we find that the most important aspects of ERM from a valuation perspective relate to the level of top-down executive engagement and the resultant cascade of ERM culture throughout the firm.”

The RIMS Risk Maturity Model for Enterprise Risk Management (RIMS RMM) was developed in 2005 by risk professionals and LogicManager, and is a free assessment tool for risk professionals and executives to develop and improve sustainable enterprise risk management programs. This online resource allows organizations to score their risk programs and receive an immediate downloadable report. The report provides information not only on current maturity levels, but also offers ideas on what it may take to achieve a higher level of maturity in each of the seven attributes.

“One of the biggest challenges in implementing an enterprise risk management program is articulating the value that it brings,” said Carol Fox, RIMS director of strategic and enterprise practice. “This research makes that value link quite clear. Although the study necessarily focused on publicly traded companies, the value proposition of enterprise risk management applies to not-for-profits and the public sector as well. In highlighting this research, we hope that more organizations will take advantage of the RIMS Risk Maturity Model to improve their risk practices and, in turn, create additional enterprise value.”

Steven Minsky, CEO of LogicManager and developer of the RIMS Risk Maturity Model, noted, “Boards and ERM committees now have an actionable internal road map and a corresponding return on investment measure to improve their enterprise risk management maturity from whatever level they are at today.”