SEPTEMBER 2017 | 19 | CIOReview

Over the last ten years of the "risk leader" portion of my career, as the head of enterprise risk management at USAA (2001-10), as well as in my subsequent work as an ERM consultant, I was challenged by several questions that impact risk management results and, by extension, effectiveness and ultimate success, all under the header of "risk management maturity."

The starting point for this subject is getting two key things straight. First, how are you defining "risk," and have you driven a consensus among key stakeholders about that definition? Second, which risks are you going to manage, and where on the loss curve do they fall? This may sound simple and straightforward, but the reality is that many risk leaders have responsibility for only a portion of the risks organizations face, often only the insurable risks. If that's the case, you have your answer to both concerns nailed.

If, on the other hand, you are a risk leader/stakeholder with broader accountability for more or all risks (enterprise-wide risk management) that could impact an organization (both negatively and positively), then the first question of "what is a risk?" requires clear definition. The most commonly accepted definition of risk is "uncertainty." I like this simple definition, and it captures the most central element of concern. However, the real challenge remains the question about the level of uncertainty (aka frequency/likelihood) and, to many even more important, the level of impact or severity. My favorite chart to help illustrate this concept is one where the "tail" of the loss distribution represents where the proverbial "black swans" live.

A typical loss curve has as its peak the expected level of loss, and the black swan sits out on the tail of this curve, where the x-axis is impact or severity of loss and the y-axis is the frequency or likelihood of loss.
While many hazard-focused leaders put their attention on risks at the expected level or to the left along the x-axis, where certainty of loss rises, the challenge is where in the region of the curve to the right one should be managing. While the possibility of loss becomes increasingly remote as you move out towards the tail of the curve, the impact of events becomes more destructive. Key questions that must be answered include:

· Do we care more about likelihood or impact, or are they equal?
· What level of investigation do we apply to remotely likely risks?
· How do we apply limited resources to remotely likely risks?
· Do we have a consensus among key stakeholders as to what risks we should focus on and how?
· Do we have or need an emerging risk management process?
· Do we have a consensus on and clear understanding of how we define risk in our organization?

These issues are the starting point to the risk management maturity question, one that, if executed well, facilitates organizational success. From these answers, you can chart your course for what this will mean to your firm. The answers will define the process elements of maturity that will be needed to achieve your target state. But we need to define what risk maturity is in order to track progress towards it and to ensure that stakeholders are aligned around the chosen components.

This concept of maturity is applicable to most functional areas, including information technology. It is an effective way

CXO INSIGHTS
The Nexus of Risk Maturity and Enterprise Performance
By Chris Mandel, SVP, Strategic Solutions, Sedgwick