How the Risk Maturity Model Works

Hack Wilson was an MLB star in the 1920’s, but he had a drinking problem. Realizing his potential, Hack’s manager pulled him into the dugout and said, “If I drop a worm into a glass of water, it swims around fine. If I drop it into a glass of whiskey, it immediately dies. What does this prove?”

Hack responded, “If you drink whiskey, you’ll never get worms.”

Hack’s observation, while misguided, provides a lesson in the difficulty of training and educating employees. Over the next several weeks, I hope to provide a step-by-step walkthrough of the Risk Maturity Model (RMM) for Enterprise Risk Management, and while doing so provide a framework that can be used to educate, implement, and enhance the ERM program at your own organization.

Recently the target of a third party study of ERM programs, enterprise risk management maturity as measured by the Risk Maturity Model, is proven to add 25% to a corporation’s bottom line value, but how is that value achieved? What is it about Enterprise Risk Management that makes these organizations more efficient, better operating, and ultimately more successful?

The answer is that the Risk Maturity Model is a step-by-step guide on how to implement, improve and measure the adoption of the best practices of ERM defined by ISO, COSO and other ERM standards. The Risk Maturity Model is broken down into 7 Risk Maturity Model attributes, and the resulting culture, processes, tools, and structure that allow organizations to realize potential opportunities while managing adverse events and surprises. As outlined by the RMM, enterprise risk management is particularly effective in addressing cross-functional or silo-specific challenges and gaps by providing a common framework.

That’s a loaded response, and as shown above, educating process owners, risk managers, and even executives about the value of ERM can be tricky. That’s the value of the Risk Maturity Model. The RMM breaks down ERM into practical requirements, allowing organizations to assess their current capabilities, while providing concrete guidance for a pathway forward. The 7 core attributes are:

1. ERM-based approach – Executive support within the corporate culture.
2. ERM process management – Integration into business processes.
3. Risk appetite management – Accountability within leadership and policy to guide decision-making.
4. Root cause discipline – Binding events with their process sources.
5. Uncovering risks – Risk assessment tools to document risks and opportunities.
6. Performance management – Executing vision and strategy utilizing balanced scorecard.
7. Business resiliency and sustainability – Integration into operational planning.

In each of the next few posts, we’ll cover more fully what a mature ERM program looks like from the perspective of one of our 7 attributes. The goal is to improve your organizations ability to manage risk, while exploring the correlation between business value and ERM maturity.