Measuring Risk Maturity

November 30, 2011 | Last updated on October 1, 2024
Garry McDonell

If you’ve ever used a GPS device while driving, you know how helpful it can be – if you know your ultimate destination. But when you have only a vague idea of where you need to go, a GPS won’t save you time or fuel. It’s the same with planning an enterprise risk management (ERM) program. It’s important to ask where your organization is now and what you have that supports ERM. What steps can your organization implement right now? What about further down the road? It’s a daunting process, one that can be difficult to start and to maintain.

Earlier this year, Aon and The Wharton School of the University of Pennsylvania launched the Aon Risk Maturity Index. The index is a proprietary online tool helping risk and finance leaders assess the development level of their organization’s risk management structure and implementation. The index gives participants both a glimpse of their current location and a road map to risk maturity.

Measuring Risk Maturity

Index questions focus on corporate governance, management decision processes and risk management processes, all key checkpoints on the road map. Aon and Wharton analyze responses to identify activities associated with improved financial performance. Upon completion of the index questions, participants receive a risk maturity rating and an outline for improving their rating. In addition, they gain insight into the levels of risk maturity globally. The index focuses on 10 characteristics of risk maturity:

  • board understanding and commitment to risk management;
  • executive-level risk management stewardship;
  • risk communication;
  • risk culture (engagement and accountability);
  • risk identification approaches;
  • stakeholder participation in risk management;
  • risk information and decision-making processes;
  • integrating risk management and human capital processes;
  • risk analysis and quantification to understand risk and demonstrate value; and
  • risk management focus on value creation.

The Risk Maturity Index also gives insight into big-picture issues in risk management development globally, by providing participants with a distribution of Risk Maturity Rating results.

Participants’ results are kept completely confidential, and Aon and Wharton use aggregate data to identify patterns. One pattern often exposed early is the general lack of risk portfolio analysis within programs. In other words, although organizations are identifying individual risks, they’re not looking for simultaneous risks or potential domino-effect risks. They may be missing the forest for the trees, for example, by not seeing beyond their own individual risks to the system in which they are contained. Or, to put it yet another way, they might not see where their organization “fits” in the global chain, or where individual risks “fit” within their portfolio. Reflecting on recent events in Japan and the ongoing European debt crisis, we see why this is important. Sources of business interruption aren’t neatly contained within your organization’s apparent structure: they come from far and wide.

We have also discovered a lack of formality and inconsistent expectations of risk management performance – including a disparity between the risks the organization wants to take and why. We’ve seen that many organizations do not regularly outline and update their policies. Consistent structures and processes are a key foundation of ERM, so it is essential for organizations to start defining risk and their risk management activities more formally.

Another preliminary finding points to the relationship between risk maturity and overall financial performance. Early results reflect a correlation between higher risk maturity ratings and improved return on assets and stock performance for most firms. More importantly, the components of maturity associated with these performance differences are likely to vary by industry. Such a broad and important issue requires further study, but it’s an exciting correlation and it points to the fact that businesses and industries face different risks and need to take different risk management approaches.

What does this mean for a chief financial officer or risk manager? Given ongoing – and often increasing – time and budget pressures, it may not be possible to implement every recommendation or follow every best practice. The good news is, it’s now possible to pick and choose wisely, using the lessons learned from organizations that have been there before. With a greater understanding of risk maturity, it is possible to determine immediate priorities and what’s realistic to implement in the short term.

You’ll know where you need to go in the long run, but you’ll also know which turn you need to make next.