
Manage Tomorrow's Surprises Today

Steven Minsky

RIMS Risk Maturity Model: ERM Approach and Process Management


Last week, we introduced the latest findings from studies of the RIMS Risk Maturity Model (RMM). In an effort to explain the model and the results of the study more fully, it is beneficial to break the RMM down into each of its attributes. This week we'll examine the first two attributes of an effective ERM program: ERM Based Approach and ERM Process Management.

ERM Based Approach

The focus of this attribute is to move organizations from an old, obsolete style of governance to a more holistic, integrated approach. Old-style governance is focused on regulatory compliance and silo-specific risk management. The problem with this approach is that it leaves the organization exposed to risk that isn't governed by regulatory mandates, as well as to cross-functional risk that may be systemic to the company.

We see examples of failures in this approach all the time. West Virginia's water contamination crisis was caused by a series of risks with inadequate controls: the chemical tank was not adequately surveyed, the employees were not directed to immediately report the leak, and even the water filtration organization wrongly estimated that it could filter the chemicals out. None of these entities was at fault from a regulatory perspective, but they were still on the hook for millions in remediation (the chemical plant filed for Chapter 11 bankruptcy in January).

An ERM approach moves organizations past regulatory concerns, which are only a subset of the overall risk universe. This requires a number of activities that the Risk Maturity Model identifies as drivers of ERM maturity (tone from the top, assimilation into front-line activities, risk ownership) which, when combined, result in a more risk-aware enterprise.

RIMS Risk Maturity Model: ERM Process Management

With a new governance mindset in place, organizations can move to applying a risk-based process framework of Identify, Assess, Evaluate, Mitigate and Monitor within each business process. The Risk Maturity Model assesses the degree to which these activities are pervasive inside business processes. Many executives misinterpret these processes as unique to ERM, when in fact the steps are iterative, constantly recurring within organizations but without any defined process or standardization.

The key to ERM Process Management is to create a common language and structure so that areas can better transfer knowledge to each other where beneficial. This is done by integrating these framework steps into the business in a way that provides accountability, repeatability, and adequate reporting. A great example is the Vendor Management governance function. Vendor Management is frequently tasked with identifying critical vendors, assessing their risk (e.g. "due diligence"), and then managing them through mitigation (contracts, insurance certificates, etc.) and monitoring (shipping times, order completion).

The problem is that Vendor Management, like other functions, operates independently, with too little information exchanged between Vendor Management and the other governance functions.

Why is this important?

Strategic imperatives are by nature cross-functional, but they are rarely linked to processes and activities on the front line. When they are not linked, risks to corporate objectives are either not addressed or are treated differently by each business process. This alignment is a critical driver of ERM maturity. Organizations that can effectively communicate goals, not just at the corporate level but down to the front lines, are better equipped to achieve results and to elevate concerns.

Interested in seeing how this approach differs from traditional governance? Watch our short video on Strategic Risk Management.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
