
Maturity is “the state or quality of being fully grown or developed.” 

Transformation means “a marked change, as in appearance or character, usually for the better”. When we apply this to Enterprise Risk Management (ERM) within an organisation, it requires some refinement.  We would suggest “transforming your risk management through maturity” means to “develop your risk management towards being fully grown by making a marked change for the better in both appearance and character”.

In order to do this successfully, there are a number of key ingredients to get right. The following are 7 of the most critical. 

Ingredient 1:  Your people

Your management’s and staff’s awareness, knowledge, attitude and culture are the most critical ingredient for successful ERM maturity. The key elements are that management and staff must:

  • Understand that risk management is the responsibility of everyone, not just the appointed “risk managers”. ERM, to be successful, must be embedded across all departments, functions and activities.
  • Be engaged with the ERM processes.
  • Understand the value add of ERM by understanding what’s in it for them and for the organisation.
  • Walk the talk and lead by example, especially where more senior staff members are involved.
  • Prioritise their risk management responsibilities.
  • Be risk aware.
  • Develop and maintain the right risk culture.

In turn, this can best be achieved by:

  • Education through training and awareness sessions and workshops by risk practitioners who can inspire, motivate and impart practical knowledge.
  • Implementing an ERM methodology that is fit for purpose, user-friendly, intuitive and easy to understand.
  • Implementing an ERM support system that is fit for purpose, user-friendly, intuitive and easy to use.
  • Promoting a positive risk management culture.
  • Providing support resources to staff to discuss risk management issues and ask for clarification, guidance and assistance.

Ingredient 2:  Your ERM methodology

Type “ERM Methodology” into Google and you will be swamped with thousands of opinions on different methodologies, frameworks and standards on risk management.  It can be so daunting that “doing nothing” can seem the attractive option! 

Unless you have a very strong opinion of what methodology you want, it pays to find a trusted partner: one that resonates with you, speaks your language and demonstrates practical risk management, and that can help you sift through the sea of guidance and show you the methodology that is right for you and your organisation.

Ingredient 3:  Roles, responsibilities and governance

You must have a governance structure that:

  • Demonstrates the importance of ERM throughout the organisation.
  • Makes it clear where the responsibilities of risk management lie and that these responsibilities are across all layers of staff, not just the “risk manager.”
  • Clearly assigns ownership of risks and controls.
  • Provides channels and support to escalate risk matters.
  • Provides independence between risk ownership and management and the review, challenge and oversight of that management.

Ingredient 4: Keep it Real, Keep it Simple

Like any new and evolving discipline, risk management has developed, and is still developing, a language full of lingo and acronyms.  Some may be inevitable, but be aware that at times, as Bob Geldof once said, “lingo is the invented language to imply expertise”.

Consequently, we should use “real” language that staff can relate to. Similarly, we should minimise the use of acronyms.

Ingredient 5: Your ERM Systems

Type “ERM Systems” into Google and you will get almost as many results as there are for ERM methodologies. Where do you start in selecting the right system for you? Some thoughts:

  • Do your research and find out what other organisations use and what their experience is with each system.  It is better to hear from customers than a system salesperson.
  • Make sure that the system can be tailored to your methodology and what you want; otherwise you will be forced to follow the methodology of the software provider, who may not be the best experts in risk management.
  • Make sure the system is able to grow as you transform and mature. You will soon outgrow a system that cannot grow with you.
  • Make sure the software was designed and built by practical risk managers, not theorists!
  • Make sure the software provider has a strong long-term development roadmap. Risk management is developing rapidly and requires ongoing development to stay relevant and current.
  • What else can the system give you outside of the standard risk management functions? Can it help you automate existing manual or spreadsheet-based functions such as your Gifts Register, Legal Documents and Contracts Register and Training Registers?
  • How easy is the system to maintain? Cloud-ware is the future but ensure the appropriate level of security exists over your data with the provider.

Ingredient 6: Your ERM reporting

In many ERM processes, the majority of effort is put into collecting data and less into turning that data into intelligence and reporting it to management and staff in a usable, relevant way which adds value.  You should be able to work with the receivers of risk information and specify what information is required and in what format.

Your ERM process should be able to deliver that information quickly and in the exact format that is required.  Reports and dashboards should be tailorable by the user so that they can make adjustments as and when required. 

Ingredient 7: Results not process focussed

Too many risk management processes seem to focus on completion of the process and the administration rather than achieving the end result.  You can feel like you are just filling up forms and collecting and posting data, rather than adding value. Administration and process should be kept to a minimum, with the time spent instead on the visualisation of the output and the action that it triggers.

This requires your risk management processes to be as streamlined as possible, the data collection to be tailored and easy and, at a minimum, a focus on “why you do it” and not “do it because you have to”.

Once you have formed a view that you wish to transform your ERM to begin reaping the true benefits that it can offer, prepare a “blueprint” for what maturity looks like for you and over what period you wish to mature. 

All steps from that point onwards should be moving you towards that blueprint.

Lastly, have patience and remember that Rome was not built in a day!

