RIMS Offers ERM ‘Maturity Model’ Tool

January 15, 2007

by Caroline McDonald

An online modeling tool designed to give guidelines and best practices for enterprise risk management programs is being offered by the Risk and Insurance Management Society in New York.

The “Risk Maturity Model for Enterprise Risk Management” is a collaboration between RIMS and LogicManager Inc.

“Risk managers are constantly in contact with us, looking for information about how to start, how to further develop, how to do this piece and that piece, and it’s being done a la carte, if you will,” John Phelps, a member of the RIMS board of directors, told National Underwriter.

The program will help risk managers “see how these things fit together and see where the pieces are missing in their program,” said Mr. Phelps, who is director of risk management for Blue Cross and Blue Shield of Florida.

He noted that risk managers looking for an honest assessment to show upper management where their program is versus where it could be, based on industry standards, will have a tool for the first time.

Risk managers, he said, not only benefit from the experience of practicing enterprise risk management, but “they also have a tool that they haven’t had before, to honestly self-analyze where they are with their program.”

One of the most important takeaways of the model is that too often risk management is looked at from a compliance standpoint, even though “you’re not measuring value with that type of approach,” Steven Minsky, chief executive officer of LogicManager and co-developer of the RIMS Risk Maturity Model, told NU.

What the model is measuring, he explained, is “how well you’re uncovering risks, how effective you are, and how you back that up with data.”

He added that there are “so many case studies of companies like ChoicePoint, which for years emphatically proclaimed the strength of their security. But it turned out that they were only secure in one area-hacking from outside.”

ERM, he said, is about “making sure you have a comprehensive view of risk, and that you’re looking at the external factors, relationships and people,” including suppliers.

“This is a unique contribution that RIMS is making,” he added. “This is not a check-box approach. This is about quality and about measuring quality and business value.”

In addition to publishing a reference guide, the Risk Maturity Model features a real-time benchmarking exercise that allows executives to score key characteristics of their risk programs and generate a personalized assessment that identifies program maturity.

This tool is designed as a resource for all corporate functions tasked with risk management responsibilities, including operations, compliance, internal audit, information technology and security, as well as at the board level, according to RIMS.

One of the key criteria now examined by Standard & Poor’s, according to Mr. Minsky, is risk culture. However, while S&P looks at the ERM culture when considering ratings, “they provide no guidance, really, on what is risk culture, how you measure it and how you get there,” he said. “It can be unnerving for a company to be measured by an organization that is recognizing it when they see it.”

With the maturity model, he said, a risk manager can break risk culture down into the components that make up a strong risk competency, and work on areas where improvement is needed.

The Risk Maturity Model is based on the Capability Maturity Model, a methodology developed by the Carnegie Mellon University Software Engineering Institute in the 1980s. Originally the model was used to advance software engineering methodologies and processes, according to RIMS.

Since then the theory behind the Maturity Model has been applied to other corporate operations, such as supply chain and people management, as well as embraced by some organizations within the technology, finance and defense industries.

Mr. Minsky said that a unique feature of the Risk Maturity Model is its applicability, regardless of the specialized frameworks and standards an organization is using-whether it is the Australian/New Zealand Risk Standard, COSO ERM, COBIT 4.0, Standard & Poor’s ERM or Sarbanes-Oxley.

The Risk Maturity Model and benchmark exercise are available in full to RIMS members and participants in the corresponding RIMS Risk Maturity Model professional development workshops. Nonmembers can gain online access to an executive summary on the model, and full access to the benchmarking exercise and personalized assessment.

RIMS said its goal is to gather 500 participants in the benchmark exercise in order to accumulate substantial statistics on program maturity by industry, geography and company size.

The long-term goal is to maintain and analyze the statistics to provide the risk management community with a valuable benchmarking reference and trend analysis for enterprise risk program maturity, RIMS added.

The Risk Maturity Model for Enterprise Risk Management and other resources are available online at the RIMS ERM Center of Excellence at www.RIMS.org/ERM.