Sense and nonsense of risk maturity assessments

Can you “manage” maturity?

Maturity assessments are the new fad of management. You encounter them everywhere. Also, and perhaps most often, in risk management. Risk management and internal control systems need to be assessed and benchmarked and turned upside down and inside out. These tendencies appear to be indicative of an overly strong desire for micromanagement. Organizations are afraid of a big unknown which may come to haunt them, so they check the doors; then they benchmark their doors against the doors of their neighbors (peer group). The problem is that it is yet another way many organizations hide from their core responsibility, which is managing their risks, not talking about managing their risks, or planning to manage their risks.

Maturity assessments can favor form over substance

The formal process of assessment has gotten in the way of the actual execution. How wrong can that be? Time spent assessing performance, which is not bad in and of itself, is not spent on doing actual work. All other things remaining equal, the relative part spent on actual management should significantly outweigh the effort invested in assessment.

The new frontier of Risk Management

Matthew Leitch stated a couple of years ago that risk management was a practice which was in full development. He mentioned the wild risk management frontier, with snake oil salesmen trying to sell you the newest fad. This time, it’s not hair growth potion, it’s multi-dollar investments.

Backstage pass

Now, how would you do this? Snake oil salesmen had an accomplice in the audience, with a “bald” wig (hiding his hair) who all of a sudden appeared to have had hair growth at an amazing speed. He told a wonderful story, which appeared possible (although not likely); and he provided a benchmark, a recognizable reference which could be used as a baseline for one’s own future hair growth assessment. “Hey, I may be balding, but I am not as bald as this guy was, therefore, this tonic will do me even more good.” Any comparison in the paragraphs below between risk consultants and snake oil salesmen is – by the way – purely coincidental.

Objective maturity assessments

Your consultant develops a risk maturity assessment tool. Quite likely he will use the most often referenced framework, COSO-ERM. This framework, written by accountants for accountants, is most certainly not the best risk reference framework out there for anything but financial processes. Using COSO-ERM, your consultant creates a reference framework which will allow you to assess your risk maturity across different dimensions. If they do their jobs right (remember, their job is not giving you the best possible risk management framework), the tool will score your performance higher in some aspects, lower in some others, for a total score which is just a tiny bit lower than the average for your sector, industry or whatever. In other words, the consultant took their own mirror, held it in front of you and claimed an objective assessment. Do this: match your weaknesses with their preferred product portfolio. You’ll likely see a trend.
Risk maturity assessments against an external benchmark are irrelevant, because there is no organization like your own organization. Your risk response is tailored to the environment you are working in, the structure and constitution of your organization and the exposures you have. There is no wrong or right risk response, there is only your own risk response, which is entirely based on your risk perception and your risk appetite.

When risk maturity assessments are relevant

Risk maturity assessments are not inherently bad. They will contribute value if their scope contains at least the following elements:
* you compare the risk maturity evolution for your own organization over time
* you compare the evolution with the evolution of your risk profile: the exposure of your organization to risks.

Repeating this assessment on a regular basis with the same assessment team will provide you with insights on how the risk management focus of your organization shifts with the changes in your organizational risk exposures.

There is no ideal risk management profile

There are risks, and there are people that manage those risks as best as they can, with the available means, within certain limits. We should focus on building this kind of system instead of overanalyzing and providing snake oil salesmen with a gullible audience. I’m not saying there are no good consultants in this area (I consider myself one) but there are quite a few charlatans as well. Be aware and remain critical.
After all, the management of your external provider risk is a key risk to manage.