When working with companies in designing and implementing a programmatic approach to risk management, a key strategic question always emerges – what kind of company do you want to be regarding risk management?
Most organizations we observe start their Risk Management Program implementation from a current state situation where:
- There is wide variation in the risk assessment and management approaches being applied
- Risk is being addressed as a series of independent initiatives
- Processes for assessing and prioritizing risk are typically subjective
- Risk management is reactive – “after the fact” and “detection-oriented”
However, what these same organizations are targeting for their “To Be” risk management program often varies. One size does not fit all and the choices can be described on a continuum.
Every company has different risks as well as goals for its risk management program. Like everything else, the more thorough and sophisticated the risk management model being implemented, the more resource consuming the implementation. At the same time, the level of business benefit (including risk protection) will vary based on the model.

- Compliance – This base-level model is focused on meeting regulatory requirements. It is quality-system centric and is applied primarily to resolve known issues. Companies using this model typically rely on isolated, ad hoc tools and techniques. The model provides very limited levels of risk protection.
- Protection – This model adds more controls and processes, but is usually applied to a particular business unit or function. The model focuses on protecting assets and company value, with some proactive management to prevent failures. The model provides moderate levels of protection.
- Enhancement – This is the broadest model, providing the fullest risk protection. Here, the knowledge and management of risk are so mature that, beyond preventing failures, intelligent risk taking is leveraged as a competitive advantage. This model includes the entire enterprise in its scope.
What are your comments regarding this maturity model as a way of thinking about risk programs? How does your organization fit with the model and the comments I’ve made? Please share your thoughts.
Fred Greulich
Tags: Risk Management