We celebrate this Sweet 16 passing with ceremonies and initiations and are even given new rights. We officially can cut some ties from parents and can do new things without their consent. At 16, we are considered officially "mature." For all my readers who are 16, congratulations! And for those who are a tad older, stop laughing.
Is measuring the maturity of anyone or anything an elusive goal? Can the same be said about trying to gauge the "risk management maturity" within an organization? Is there a special maturity number once reached that we celebrate?
The global risk management community has dedicated many skills and years to developing and evolving all forms of models and tools that attempt to measure the maturity of our enterprise risk management (ERM) programs within organizations. Being a veteran ERM road warrior, one of my overarching goals is to institutionalize risk management practices within daily operations. My approach is to assess the organization's "state of the union." I gauge how advanced risk practices are in key areas, and to assist me, I use risk maturity tools.
A good risk maturity tool should suggest and aid in describing observed levels of efficiency and risk management effectiveness. The enterprise risk management maturity assessment should help you demonstrate organizational strengths and weaknesses, which will aid in the design of an improvement plan for corporate governance and risk management. This sequential assessment should help you advance risk awareness at all levels of the organization. Equally important, risk maturity evaluation tools should help set the stage and means for measuring your effectiveness as a risk leader and change agent.
But there are other things to be cautious about when using risk maturity tools. Never come to an organization with a Sweet 16 maturity number in mind. Not every organization wants to be as risk mature as another. Moreover, many times they simply have no need to be so "risk sophisticated." Becoming risk savvy takes effort and resources. Not every organization should invest in that. The company size, mission and permeating organizational risk appetite and tolerance should prescribe the desired level of maturity required. We should be wary of tools that imply that risk maturity is only reached at one particular scoring level. Level 16, maybe?
An effective risk management maturity framework should at its heart have a clearly delineated risk management process. This process has to match the desired risk management process for that organization, or fall in line with existing risk-based processes. Otherwise, you will be simply using the wrong ruler to measure risk management efficacy.
Lastly, we should always remain aware that an organization is fluid. It is always reconsidering and modifying its goals, vision and direction. We should recognize that a maturity evaluation is only reflective of a specific period where conditions and leadership remained somewhat stable. In many ways, maturity scores are fleeting and somewhat short-lived.
So, just like life after age 16, institutionalizing risk management is also a journey. Expect it to be forever maturing.
JOANNA MAKOMASKI is a specialist in innovative enterprise risk management methods and implementation techniques. She can be reached at riskletters@lrp.com.
March 1, 2012
Copyright 2012© LRP Publications