Risk managers have a new online tool to help them not only gauge how advanced their enterprise risk management processes are but also to understand how they could be improved.
After cursory reviews of the Risk Maturity Model, unveiled last week by the Risk & Insurance Management Society Inc., several risk managers and consultants said they were eager to use the self-assessment, educational and benchmarking tool.
“I was very happy to see RIMS come out with this and define ERM better,” said Kevin Hoskinson, director of enterprise risk management solutions at Sun Microsystems Inc. of Broomfield, Colo.
“I think I have a tool in front of me that neither I nor any risk manager can ignore,” said Joey Page, risk manager for the city of Plano, Texas.
But risk managers and consultants also cautioned that the tool has limitations. They said it offers only limited guidance on developing an ERM process, could generate inconsistent assessments and does not offer the most robust benchmarking capabilities.
The tool is designed to help guide risk managers as they implement ERM processes, but it is not meant to provide step-by-step implementation directions, explained John Phelps, who chairs the RIMS ERM Development Committee, which developed the model over the past eight months.
Instead, the model is designed to help risk managers evaluate how far along they are in implementing an ERM process using one of several existing ERM standards or a method of their own design, said Mr. Phelps, director of risk management for Blue Cross & Blue Shield of Florida Inc. in Jacksonville. It also is designed to be supported by ERM tools available at the RIMS Web site, he said.
RIMS has made the model available at www.rims.org. To promote ERM industrywide, the tool, which runs on software developed by LogicManager Inc. of Boston, is free to all RIMS members. In addition, a limited version is available to nonmembers.
The first step in using the tool is answering a series of questions about the subject organization’s ERM process, which takes about 15 to 20 minutes.
The model then generates a report that scores the process on seven attributes (see box). The model scores each attribute on a maturity level that ranges from one to five, with one denoting no maturity in that area and five representing a leadership position.
For each attribute, the model suggests what the organization would need to accomplish if it wanted to reach higher maturity levels.
The model also would provide risk managers with a “personalized assessment” of their entire risk management program as measured against the model, Mr. Phelps said.
After about 500 risk managers have used the model and contributed data on their ERM processes, the tool also would allow them to benchmark against other organizations by business sector and size, Mr. Phelps said.
Overall, risk managers said they are looking forward to using the tool.
“It looks like it would give a pretty good assessment of where I need to go to get to the best in class,” said Gary F. Kilburg, assistant treasurer, risk management, at Whirlpool Corp. of Benton Harbor, Mich. Mr. Kilburg has been implementing an ERM process at Whirlpool over the past few years.
Walter N. Coleman of Atlanta-based First Data Corp. said he anticipates using the results of the tool’s self-assessment feature when First Data next renews its directors and officers liability and errors and omissions coverage. During negotiations with underwriters in recent years, the topic of how far First Data’s ERM process has progressed has been “practically all we’ve talked about,” said Mr. Coleman, senior vp-risk, control and audit.
In addition, “anything you can do” to make the corporate board feel more comfortable with how its organization’s ERM process compares with others, “the better off you are,” Mr. Coleman said.
Plano’s Mr. Page said he was “excited” about the tool because so little ERM guidance is available to public sector risk managers. Mr. Page described his ERM process as in the “research and development phase.”
Plano’s risk management department initially will use the model as a “diagnostic tool” that will help guide the department as it develops an ERM process, said independent consultant John R. Billingham. Later, risk management will use the tool as a “scorecard” to compare its process with those at other public and private entities, he said.
While it will be a helpful addition to risk managers’ toolbox in the early phases of developing an ERM process, the model will not be an ERM panacea, risk managers and consultants said.
Even with the tool, “there’s still a hunger for a step-by-step manual on doing ERM,” Mr. Hoskinson said.
Prakash Shimpi, the New York-based ERM practice leader for the Tillinghast unit of Towers Perrin, agreed. He said the model will help risk managers “think about things they can be doing” but is short on providing specific guidance.
Because of some “jargony” language in the model, risk managers likely will interpret its prompts differently, said Christy Kaufman, an associate director in the ERM practice at Chicago-based Aon Corp. That could lead to varying results for ERM processes at the same stage of development, she said.
James Lam, a former chief risk officer at two companies and now the head of consulting practice James Lam & Associates of Wellesley, Mass., said benchmarking results are more valuable when organizations measure each other in person rather than online.
“This way, the ERM staff can obtain firsthand knowledge of lessons learned, ask important questions and observe specific applications of ERM,” he said.