Many organisations look for some metric of maturity of their ERM program to show how well they are performing, and potentially where and how they can improve, Hans Læssøe, principal consultant at AKTUS and former risk manager of Lego explains.


The very short answer to the question in the title is “business value”, i.e. whether or not the ERM program adds value to the organisation. Anything else is less important.

There is no official metric that enables a company to compare itself with its competitors or “the market”, and hence ERM maturity measurement cannot presently be used as a parameter in the “race” for share prices or the like. A company must apply its own indicators/parameters.

So, the maturity of an ERM program is best shown in terms of its perceived value, i.e. the more value the ERM program is seen to bring to the organisation, the more mature the ERM program (probably) is.

Maturity has nothing to do with “age”. Some companies have had an ERM program for 2-3 years and run a very mature and value-adding approach, whereas others (alas, too many) have been repeating the same, almost futile quarterly reporting effort for decades without having any value to show for it.

Below are some indicative questions, which can be rated on a scale from 0 (not at all) to 5 (“perfect”). The overall score indicates the level of maturity, and the scores on the underlying questions indicate what has to be improved to increase that level.

  1. Is your ERM process systematic? Ad hoc approaches are rarely efficient.

  2. Does your ERM approach cover your entire organisation, including key vendors and partners? Holism is important to avoid missing the obvious.

  3. Does your ERM approach include external (competitor, political, technological, etc.) issues? This is important as many risks emerge from outside the company.

  4. Does your ERM data include issues from strategic projects/initiatives? This is important as most major losses companies suffer are driven by bad strategies or poor implementation.

  5. Do you apply fact-based analytical quantification of your ERM risks? This is pivotal as qualitative “I think” assessments are likely to be wrong due to human biases.

  6. Is the handling of each risk governed, i.e. is it clear who does what, and how do we know it will work? This is needed as something has to be done about the key risks listed.

  7. Do you use Monte Carlo simulation to consolidate your risk portfolio? Monte Carlo simulation is currently the only way to consolidate a risk portfolio and show the “fat tails” of the potential combined effect of multiple risks materialising in unison.

  8. Do you have an agreed/known level of acceptable risk-taking? A tangible, Board-approved definition of what is and is not acceptable outperforms the gut feeling of individual executives.

  9. Does your ERM drive decision making, including decisions to take on more risk to enhance competitiveness? This is pivotal as risk management is not about risk aversion. In some cases, the best a risk manager can do is to urge executives to “do more”.
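As an added illustration of questions 5 and 7 (this is example code, not part of the article or of any tool the author describes), the following Python script consolidates a small, constructed risk register with Monte Carlo simulation. Each risk is modelled as an annual probability of occurring and a triangular impact distribution; the naive consolidation (sum of probability times mean impact) is compared with the simulated percentiles, which is where the "fat tail" of several risks materialising in the same year becomes visible. All risk names, probabilities and impact figures are invented for the example.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of a risk register: annual likelihood plus a triangular impact range."""
    name: str
    probability: float  # chance the risk materialises within one year
    low: float          # minimum impact (e.g. in million currency units)
    mode: float         # most likely impact
    high: float         # worst-case impact


# Constructed sample register; figures are illustrative, not from the article.
REGISTER = [
    Risk("Key supplier failure", 0.10, 2.0, 5.0, 20.0),
    Risk("Major product recall", 0.05, 5.0, 15.0, 60.0),
    Risk("Prolonged IT outage", 0.20, 1.0, 3.0, 12.0),
    Risk("Regulatory fine", 0.08, 0.5, 2.0, 10.0),
    Risk("Currency shock", 0.30, 1.0, 2.0, 5.0),
]


def expected_loss(register):
    """Naive consolidation: sum of probability x mean impact (mean of a triangular is (a+m+b)/3)."""
    return sum(r.probability * (r.low + r.mode + r.high) / 3.0 for r in register)


def simulate_year(register, rng):
    """Draw one year: each risk independently occurs or not, and if so draws an impact."""
    total = 0.0
    for r in register:
        if rng.random() < r.probability:
            total += rng.triangular(r.low, r.high, r.mode)
    return total


def simulate(register, iterations=20000, seed=42):
    """Run the portfolio for many independent years; the seed makes the run reproducible."""
    rng = random.Random(seed)
    return [simulate_year(register, rng) for _ in range(iterations)]


def percentile(samples, p):
    """Nearest-rank percentile of a list of samples (p in 0..100)."""
    ordered = sorted(samples)
    index = int(round(p / 100.0 * (len(ordered) - 1)))
    return ordered[max(0, min(index, len(ordered) - 1))]


def exceedance_probability(samples, threshold):
    """Share of simulated years in which the combined loss exceeds the threshold."""
    return sum(1 for x in samples if x > threshold) / len(samples)


def summarise(register, iterations=20000, seed=42):
    """Compare the naive expected loss with the simulated distribution of annual loss."""
    losses = simulate(register, iterations, seed)
    return {
        "naive_expected_loss": expected_loss(register),
        "simulated_mean": statistics.fmean(losses),
        "p50": percentile(losses, 50),
        "p95": percentile(losses, 95),
        "p99": percentile(losses, 99),
        # Probability of exceeding a hypothetical Board-approved tolerance of 20 (question 8).
        "prob_loss_over_20": exceedance_probability(losses, 20.0),
    }


if __name__ == "__main__":
    for key, value in summarise(REGISTER).items():
        print(f"{key:>20}: {value:8.2f}")
```

The mean of the simulation matches the naive expected loss, but the P95 and P99 are several times larger than that mean: the expected value alone hides the years in which two or three risks materialise together, which is exactly what question 7 asks the ERM program to make visible.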

One could probably come up with more such questions. However, less is often more, and in many cases question 9 above is the only one that really matters.

Note that this piece focuses on the ERM program and is not directed towards individual decisions and intelligent risk-taking, which prescribes that decisions are made with risks and opportunities identified, analysed and handled, fully embedded in the decision process, as advocated by ISO 31000.