Several surveys and studies conducted over the last few years have set out to clearly define, measure, and assess risk maturity using several indicators, attributes and methodologies, the application of which has had varied levels of success when organizations attempt to quantify their real maturity levels. We know of course that risk management is hardly ever an exact science, especially when one takes into account the fact that uncertainty is at its core.
However, the industry has seemed to gain a considerable appreciation for the value of a clear and concise plan of action when it comes to improving on and further embedding a culture of risk and control throughout the organization, and thereby attaining ever increasing levels of risk maturity through the proper application of these plans.
Whether your business is a SMME, a large scale corporation, a government department, municipality or NGO, or a global conglomerate with hundreds of thousands of employees, uncovering risk is a challenge that requires not just knowledge and foresight, but access to the observances and operations of multiple data types embedded within varied accessible and sometimes inaccessible sources.
These sources are incredibly widespread and include people, systems, industries, markets, processes and trends. The key is finding a way to manage all these touch points, without succumbing to the vastness of the task. In fact, the only way to do this is to ensure that every process owner is equipped to manage their own risk portfolio, and to report back on their observations of certain pre-defined metrics as often as possible, and as easily as possible.
Even more important than this is that these process owners also need to be capable of reacting to the stimuli they receive in a way that mitigates the risk, and ensures objectives are achieved in line with the corporate plan and strategic vision. It doesn’t sound easy, and that’s because it isn’t.
Observation of the results, reviews and comments on the numerous surveys and studies into risk maturity (links to some of these studies can be found in the footnotes below) seems to suggest that an integral part of the solution is the utilisation of technology to bring the touch points closer together and facilitate an integrated approach to risk management, at the same time improving the quality and consistency of data captured and embedding a formalised, systems-driven approach.
The subsequent culture of risk and control right the way through the entire organization guarantees accountability, and gives you a reliable early warning system of a changing environment, making proactive remedial action possible.
Well then, case closed. Every single organization should go out and buy risk management software, and they’ll be risk mature in no time, waving their magical technology wand, and transforming Kansas into the “Emerald City of Oz” complete with the sound of red heels clicking magically together, and a perfectly in tune rendition of the “Oz Spangled Banner” playing in the background. The reality is, life is no fairy-tale – “Toto, I’ve a feeling we’re not in Kansas anymore”.
Although there is most definitely the right time to implement software, a time when the implementation thereof causes the risk management approach and methodology to go downright viral, with great success, and tremendous positive impact on the business, there is also the wrong time. Having being personally involved in the implementation of risk management software at a large number of organizations over the last 10 years, I can certainly attest to the challenges faced, the dedication required, and the various factors that play a role in the subsequent triumph, or in the odd case failure of these projects.
It may be true that reaching the pinnacle of risk maturity and a position of fully enabled risk leadership cannot be accomplished without the use of technology and software, it is also true that great software implemented on an imperfect, incomplete process only serves to highlight the imperfections even further.
If your risk management methodology, policy or framework is weak, or you don’t have the requisite buy-in from the top as to the value of an effective and efficient execution of risk management at every level, the implementation of even the most intuitive and capable of risk management software solutions will meet with resistance, and even potentially fail to deliver the desired results.
To inject some musical imagery into the conversation, imagine playing a great song on a perfectly tuned Fender Stratocaster, blasting out of a top of the range Marshall Amplifier in a room with perfect acoustics. Just one problem, you have two weeks of ukulele lessons behind you, and the three chords you’ve learnt… you play them badly.
The concept of scoring and assessing risk maturity seems to boil down to rating the ability of the executive and management to implement a well-structured, universally accepted and cost effective risk management framework that ensures risks are managed within acceptable appetite and tolerance levels in the pursuit of the achievement of the company’s or institution’s objectives.
To return to our musical metaphor, do you, as an organizational collective, have all the necessary knowledge, skill, talent, training, capability and awareness to pick up that legendary instrument, plug in that amp and rock like it’s the “Summer of 69”? Utilizing the right risk management software, at the appropriate time, whilst having accurately assessed the effectiveness, proactivity and coverage of your risk management framework and processes (RIMS Risk Maturity Model – see http://riskmaturitymodel.org/rims-risk-maturity-model-rmm-for-erm/) gives you a far greater chance of reaping the rewards of a successful software implementation.
Validate your assessments by taking part in risk maturity surveys like the ones run by the Institute of Risk Management South Africa (IRMSA), and do research on how best to identify the correct software to match your requirements, as well as on what to expect when implementing software. Another great way to do this is by communicating with other professionals in the field of risk management, and even arranging site visits with companies who have successfully implemented software.
Technology can be an incredible enabler in so many ways, and it is important that we embrace it as an enabler, and not as a solution in and of its own.
Feel free to take a look at the following guides which provide information on considerations to make when buying risk management software, as well as a step-by-step infographic on how to implement risk management software effectively.
“Technology is best when it brings people together”
Matt Mullenweg – WordPress founder
Author: Paul van der Struys