Fundamentals of Risk Management
Download 3.45 Mb. Pdf ko'rish
|
Fundamentals of Risk Management
|
Risk-aware culture
299 Risk maturity models Increases in risk management effectiveness can also be measured by the use of risk maturity models. The level of risk management sophistication provides an indication of the benefits that can be achieved from risk management. The level of risk maturity in the organization is a measure of the quality of risk management activities and the extent to which they are embedded within the organization. Risk maturity models can be used to measure the current level of risk culture within the organization. The greater the level of risk maturity, the more embedded risk management activities will become within the routine operations undertaken by the organization. The hallmarks of successfully embedded risk management are considered later in this chapter. Risk maturity is not the same as considering the level of sophistication that an organization achieves in respect to risk management. An organization may have limited expectations of risk management, but nevertheless have a very mature ap- proach to the way in which it seeks to obtain the available benefits. The level of risk maturity within an organization is an indication of the way in which risk processes and capabilities are developed and applied. In an immature organization, informal risk management practices will take place. However, there is likely to be a blame culture in existence when things go wrong and a potential lack of accountability for risk. Also, resources allocated to manage risks may be inappropriate for the level of risk involved. When explicit risk management is in place, there will be attempts to keep the processes dynamic, relevant and useful. There is likely to be open dialogue and learning so that information is used to inform judgements and decisions about risks. There will be confidence that innovation and risk-taking can be managed, with support when things go wrong. When an organization becomes obsessed with risk, there will be over-dependence on process, and this may limit the ability to manage risk effectively. There will be over-reliance on information at the expense of good judgement, and dependence on process to define the rationale behind decisions. Individuals may become risk-averse for fear of criticism and procedures are followed only to comply with requirements, not because benefits are sought. Table 24.4 sets out a system for determining the level of risk maturity within an organization with regard to risk management processes. This table sets out four levels of risk maturity, described as naïve, novice, normalized and natural (4Ns). The characteristics of each of these levels are described in the table. Table 24.4 also aligns the 4Ns model with the FOIL methodology for describing the level of risk maturity in an organization. Clearly, it is better for an organization to seek a higher level of risk maturity. However, the approach to achieving risk maturity in the organization should be proportionate to the level of risk that the organization faces. The level of risk maturity within an organization will help define the level of sophistication that the organization has in its risk management activities. Figure 4.2 discusses the level of sophistication of the contribution that risk management can make to company activities. The greater the level of risk management sophistication achieved by an organization, the greater the benefits. Achieving an improved level |
