ERM Chapter 14 Risk Maturity

Many organizations infrequently assess the suitability and efficiency of their risk management processes, resulting in disengagement, apathy, diminished value, and occasionally, the collapse of risk management efforts. By integrating these ideas, we can evaluate our performance in applying the purpose, components, timing, responsibilities, and methods of risk management. This is reflected in our risk management maturity, which refers to “the extent of our ability to handle risks effectively.”

Numerous risk management maturity models exist, and a brief online search reveals examples from consultants, regulatory authorities, government entities, risk management organizations, and more. These models span various fields—such as health and safety, treasury, third-party onboarding, and insurance—and cover industries like rail, healthcare, financial services, construction, accounting, project management, logistics, and beyond. A growing number of organizations recognize the value of assessing their risk management maturity. The advantages include:

  • Enabling an organization to gauge how deeply risk management is integrated into its operations.
  • Offering a comparison to industry best practices, peers, and sector standards where feasible.
  • Identifying deficiencies and redundancies in its application.
  • Revealing areas where enhancements can be made.

Risk management maturity is evaluated on a spectrum, ranging from “low” to “high.” A low maturity level suggests either an absence of risk management or the use of a generic process that is neither customized nor effectively implemented, merely serving to check a box. Conversely, high maturity reflects a risk-aware culture where skilled individuals actively apply risk management to safeguard, sustain, and enhance an organization’s value. Typically, maturity models feature 3, 4, or 5 levels, each with distinct labels. Lower levels might be described as very basic, immature, ad hoc, naïve, initial, informal, or nascent, while higher levels are often termed advanced, optimized, value-driven, natural, mature, explicit, or leading.

It’s worth noting that the language used to describe these levels can carry emotional weight. Organizations or individuals might resist acknowledging a “very basic” or “naïve” maturity level, which could hinder their engagement with maturity assessments. To address this, it may be wise to adopt neutral numbering (e.g., 1 to 5) or terms like “very low” to “very high” instead of potentially charged descriptors, similar to how risk impact and likelihood scales are handled. Risk management maturity is also assessed across various elements or factors that contribute to an effective process. The number and nature of these factors vary by model, often shaped by the model’s focus—whether it targets a specific industry, sector, or business area (though ideally, measurement should be uniform across an organization). Examples of these contributors range from broad to specific, such as:

  • People and tools.
  • Policy, framework, process.
  • Governance, process, reporting, and continuous improvement.
  • Framework, governance, process, systems, capabilities, and culture.
  • Framework, sustainability and resilience, process, performance, application, root cause analysis, and emerging risks.

While some models emphasize the process itself, most center on four primary contributors:

  • Culture – our mindset toward risk management and its purpose.
  • Process – the actions we take and their timing.
  • Experience – who participates in risk management.
  • Application – how we put risk management into practice.

These core contributors are underpinned by more detailed attributes, which include metrics tied to maturity levels (low to high). These metrics provide scores that reflect maturity across the different components.

Similar to evaluating risk culture, risk management maturity can be gauged through surveys or interviews, provided the questions and scoring remain consistent. Assessments of risk management maturity capture a moment in time, typically focusing on the present state of maturity. However, it’s essential to clarify the timeframe under review at the outset—whether it’s a survey, questionnaire, or interview—by specifying, for instance, that it addresses the current level, asking, “Where do we stand today?”

Understanding an organization’s existing maturity level is critical for pinpointing areas needing improvement. Some organizations, especially those without prior maturity assessments, may also want to track how far their risk management has evolved, prompting questions about progress in culture, process, experience, or application up to now. Equally important is determining the organization’s target maturity level, which reveals not just where improvements are needed, but how much progress is required to deliver value. However, the priority lies in identifying an appropriate target level. Many organizations aim for the highest maturity tier, yet optimal value might be achieved at a slightly lower level, often with less cost, time, effort, and resources. By comparing the current maturity to this appropriate target, a gap analysis can highlight improvement opportunities and potential solutions, with roadmaps to maturity explored later in this unit.

Balance across all measured contributors—such as culture, process, experience, and application—is vital. If an organization excels in some areas but lags in others, its overall maturity will remain low.

Risk management maturity differs from risk management sophistication. Sophistication reflects deep expertise, extensive knowledge, or advanced complexity (e.g., in technology), and in risk management, it relates to enhancements driven by growing experience and understanding. Yet, sophistication should align with an organization’s needs to yield benefits—no more, no less. This connects to earlier points about desired versus appropriate maturity levels and the extent of progress required to maximize value from risk management efforts.

11.1 Risk Management Maturity

Every organization encounters risk and uncertainty, whether at the project or enterprise level, and there is growing acknowledgment of the need for formal, structured methods to address these challenges. Increasingly, organizations recognize that effective risk management is vital to the success of both projects and the broader business. As they grapple with uncertainties, there is a rising demand for support in crafting robust processes to identify, evaluate, and mitigate risks. However, despite widespread agreement on the value of risk management, successful integration into organizational practices remains rare. Those attempting to embed risk management into their operations experience mixed results, and many abandon the effort before realizing the anticipated benefits. Often, this stems from unrealistic expectations and a lack of clarity about what implementation entails or how it should be overseen. An organization adopting a formal risk management approach should treat the implementation as a project in itself, complete with defined objectives, success criteria, thorough planning, resource allocation, and diligent monitoring. To set goals, outline the process, and track progress, organizations must first assess their current risk management practices and define their target state. This requires benchmarking their existing maturity and capability against a widely accepted framework, enabling an objective evaluation of their current level and a clear path toward greater maturity.

EXISTING MATURITY MODELS

Maturity models are a well-established concept. The Software Engineering Institute (SEI) at Carnegie-Mellon University developed the Capability Maturity Model (CMM) for software engineering organizations, outlining five progressive levels: Initial (Level 1), Repeatable (Level 2), Defined (Level 3), Managed (Level 4), and Optimizing (Level 5). Each level is distinctly characterized, allowing organizations to evaluate themselves against a standardized scale and set improvement targets. While the SEI CMM is widely recognized, it applies primarily to software development, and efforts to adapt it to other project types have not gained broad traction. Another prominent model, the Business Excellence Model from the European Foundation for Quality Management (EFQM), defines nine criteria for excellence—Leadership, People Management, Policy & Strategy, Resources, Processes, People Satisfaction, Customer Satisfaction, Impact on Society, and Business Results. These criteria include success factors that enable organizations to assess performance, compare against European benchmarks, and devise improvement strategies. Both the SEI CMM and EFQM Model offer general frameworks for capability, maturity, and excellence but lack specific guidance for organizations seeking to implement or enhance formal risk management processes. Preliminary efforts to adapt the CMM for risk management in software development have focused narrowly on tools and techniques and have not progressed significantly. A universal, risk-specific maturity model would greatly benefit organizations aiming to establish or refine risk processes. Such a model could build on CMM and EFQM principles but tailor them to risk management across all industries.

THE RISK MATURITY MODEL FRAMEWORK

Organizations’ approaches to risk management range from having no formal process to fully integrating it into operations. The proposed RMM simplifies this spectrum into four clear levels. While some organizations may not fit perfectly into one category, the levels are distinct enough to classify most unambiguously. More than four levels could introduce unnecessary complexity without adding meaningful precision.

The RMM levels are:

  • Level 1 – Naïve: Unaware of risk management needs, with no structured approach to uncertainty. Processes are reactive and repetitive, with minimal learning from past events or preparation for future risks.
  • Level 2 – Novice: Experimenting with risk management through a few designated individuals, but lacking formal, generic processes. Benefits are recognized but not fully realized due to ineffective implementation.
  • Level 3 – Normalized: Risk management is routine, applied to most or all projects with formalized, widespread processes. Benefits are understood organization-wide, though not always consistently achieved.
  • Level 4 – Natural: A risk-aware culture prevails, proactively managing risk across all business facets. Risk data enhances processes and competitive advantage, addressing both threats and opportunities.

DIAGNOSING RISK MATURITY LEVEL

The RMM level descriptions offer a broad indication of maturity, but a detailed diagnostic tool is needed for consistent, objective assessment. The lists below set out attributes under four headings—Culture, Process, Experience, and Application—allowing organizations to compare themselves against clear criteria. While some may straddle levels, the distinctions are generally sharp enough for clear classification. The assessed level can guide strategies for enhancing risk capability or benchmarking against competitors.

Level 1 – Naïve

  • Definition: No awareness of the need for risk management. No structured approach to handling uncertainty. Management processes are reactive and repetitive, with little effort to learn from past experiences.
  • Culture: No understanding of risk. Resistant to change and prefers sticking to existing methods.
  • Process: No formal processes in place.
  • Experience: No knowledge of risk principles or language.
  • Application: No structured application, dedicated resources, or risk management tools.

Level 2 – Novice

  • Definition: A few individuals experiment with risk management, but there is no structured or standardized approach. The benefits of risk management are recognized but not fully realized due to ineffective implementation.
  • Culture: Risk processes may be seen as extra work with unclear benefits. Risk management is applied only to selected projects.
  • Process: Some formal methods exist, but there are no standard procedures. The effectiveness of risk management depends on internal experts and external support.
  • Experience: Limited understanding, with only a few individuals having some exposure to risk management but little formal training.
  • Application: Application is inconsistent. Availability of staff and tools varies, and risk management methods are used in an unstructured way.

Level 3 – Normalized

  • Definition: Risk management is integrated into routine business processes. Most projects follow structured risk procedures. The benefits of risk management are recognized across the organization, though consistency may still be an issue.
  • Culture: A clear risk management policy is in place. Benefits are understood and expected, and resources are allocated to support risk management efforts.
  • Process: Standardized processes are applied to most projects. Formal procedures are embedded into the quality system, and risk budgets are actively managed at all levels.
  • Experience: The organization has a core team of trained professionals. Risk management tools and processes are developed and implemented systematically.
  • Application: Risk management is routinely and consistently applied across all projects. Dedicated resources and a structured set of tools and methods are in place.

Level 4 – Natural

  • Definition: A strong risk-aware culture is embedded throughout the organization. A proactive approach to risk management is applied in all business areas. Risk information is actively used to improve business operations and create a competitive advantage. Opportunity management is also emphasized.
  • Culture: Leadership fully supports and promotes risk management. A proactive approach is encouraged and rewarded.
  • Process: Risk-based processes are fully integrated into business operations. Risk management is regularly updated and improved, with continuous feedback mechanisms in place.
  • Experience: All employees are risk-aware and trained in essential risk management skills. Learning from past experiences is a key part of the process, and external training is regularly conducted to enhance expertise.
  • Application: Risk management is embedded in all activities. Decision-making is risk-based, supported by advanced tools and reporting methods.

PROGRESSING BETWEEN MATURITY LEVELS

Once maturity is assessed, organizations can plan steps to advance. Few, if any, organizations currently operate at Level 4. Many hover at Levels 2 or 3, or are transitioning from 2 to 3, while a significant number remain at Level 1. With risk management’s rising prominence and recognized benefits, organizations often start at Level 1 aiming for Level 3. Accurate self-assessment is critical, as jumping from Level 1 to 3 faces substantial hurdles, and a phased approach via Level 2 may prove more sustainable. Each transition presents unique barriers and strategies, outlined below.
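The scoring logic described in this unit (consistent survey scoring per contributor, an overall level that is held down by the weakest contributor, a gap analysis against a chosen target, and progression one level at a time rather than jumping from Level 1 to 3) is worked through below as an added Python example; it is not part of the chapter or of any published RMM tool. The survey responses, the rule of flooring the mean rating to a whole level, and all function names are assumptions made for the example.

```python
"""Score a Risk Maturity Model (RMM) self-assessment and derive a phased gap analysis."""
from statistics import mean

# The four RMM levels and the four contributors the diagnostic is assessed against.
# ASCII "Naive" is used in code for the level the text calls "Naive".
LEVELS = {1: "Naive", 2: "Novice", 3: "Normalized", 4: "Natural"}
CONTRIBUTORS = ("culture", "process", "experience", "application")


def validate_response(response):
    """Enforce consistent scoring: every contributor rated with a whole level 1..4."""
    if set(response) != set(CONTRIBUTORS):
        raise ValueError(f"response must rate exactly {CONTRIBUTORS}, got {sorted(response)}")
    for contributor, rating in response.items():
        if not isinstance(rating, int) or rating not in LEVELS:
            raise ValueError(f"{contributor}: rating {rating!r} is not a level 1-4")
    return response


def score_contributors(responses):
    """Average each contributor's ratings across respondents and floor to a whole level.

    Flooring is a deliberately conservative assumption: a contributor is credited
    with a level only once the responses as a whole reach it, not when a few
    optimistic ratings pull the mean part of the way there."""
    if not responses:
        raise ValueError("at least one response is required")
    for response in responses:
        validate_response(response)
    return {c: int(mean(r[c] for r in responses)) for c in CONTRIBUTORS}


def overall_level(scores):
    """Overall maturity is the weakest contributor: excelling in culture does not
    compensate for having no structured application (the balance point in the text)."""
    return min(scores[c] for c in CONTRIBUTORS)


def gap_analysis(scores, target):
    """Levels still to gain per contributor to reach the chosen target level.
    Contributors already at or above the target are omitted."""
    if target not in LEVELS:
        raise ValueError(f"target {target!r} is not a level 1-4")
    return {c: target - scores[c] for c in CONTRIBUTORS if scores[c] < target}


def roadmap(scores, target):
    """Phase each contributor's progress one level at a time (Naive -> Novice ->
    Normalized -> Natural) instead of attempting the whole jump at once."""
    steps = {}
    for contributor, gap in gap_analysis(scores, target).items():
        start = scores[contributor]
        steps[contributor] = [
            f"{LEVELS[lvl]} to {LEVELS[lvl + 1]}" for lvl in range(start, start + gap)
        ]
    return steps


def assess(responses, target):
    """Run the whole assessment: per-contributor scores, overall level, gaps and roadmap."""
    scores = score_contributors(responses)
    overall = overall_level(scores)
    return {
        "scores": scores,
        "overall": overall,
        "overall_name": LEVELS[overall],
        "gaps": gap_analysis(scores, target),
        "roadmap": roadmap(scores, target),
    }


# Constructed sample survey: three respondents rate each contributor against the
# Level 1-4 attribute descriptions. Values are illustrative, not from a real assessment.
SAMPLE_RESPONSES = [
    {"culture": 3, "process": 2, "experience": 3, "application": 1},
    {"culture": 3, "process": 3, "experience": 3, "application": 2},
    {"culture": 4, "process": 2, "experience": 3, "application": 1},
]

if __name__ == "__main__":
    result = assess(SAMPLE_RESPONSES, target=3)
    print(f"Scores: {result['scores']}")
    print(f"Overall level: {result['overall']} ({result['overall_name']})")
    for contributor, steps in result["roadmap"].items():
        print(f"  {contributor}: {' -> '.join(steps)}")
```

With the sample responses the organization rates Normalized on culture and experience but only Naive on application, so the overall level is 1 and the roadmap shows two phased steps for application and one for process.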

Level 1 to 2 – Naïve to Novice

Naïve organizations face significant challenges:

  • Unfamiliarity with risk processes and terminology.
  • Unclear benefits and costs of implementation.
  • No internal expertise or experience.
  • Resource constraints due to ongoing crises.
  • Resistance to external advocates due to lack of context.

Actions:

  • Define clear implementation objectives.
  • Seek reputable external expertise, avoiding generic solutions.
  • Build a trained prototype team.
  • Conduct awareness briefings across all levels.
  • Secure senior management sponsorship.
  • Pilot risk management on select projects.
  • Celebrate early wins to build momentum.
  • Plan long-term, ensuring resource commitment.
  • Establish progress checkpoints.
  • Explore tools compatible with existing systems.
  • Draft initial risk procedures and templates.

Level 2 to 3 – Novice to Normalized

Novice organizations rely on a few advocates exploring risk techniques, often inconsistently applied to major projects. Progress to Level 3 requires overcoming:

  • Inconsistent processes.
  • Dependence on limited internal skills.
  • Overzealous advocates alienating peers.
  • Lack of support eroding morale.
  • Limited credibility without proven results.

Actions:

  • Strengthen senior management backing.
  • Provide formal risk training.
  • Leverage external expertise to expand scope.
  • Allocate sufficient resources.
  • Showcase benefits on key projects.
  • Publicize successes to encourage adoption.
  • Expose staff to external learning opportunities.
  • Formalize processes with clear policies.
  • Embed risk into routine operations.
  • Collect metrics to demonstrate value.

Level 3 to 4 – Normalized to Natural

Level 3 organizations routinely apply risk processes but may grow complacent, believing no further improvement is needed. Advancing to Level 4, where risk management is instinctive and opportunity-focused, faces:

  • Loss of momentum reducing quality.
  • Outdated processes amid changing needs.
  • Underinvestment in tools and skills.
  • Over-specialization limiting ownership.

Actions:

  • Review and refine processes regularly.
  • Invest in updates and training.
  • Apply risk management universally.
  • Foster a “think risk” culture.
  • Integrate risk into decision-making.
  • Counter fatigue with re-launches and rewards.
  • Refresh skills periodically.
  • Use external expertise for innovation.

Maintaining Level 4

Few reach Level 4, where risk management is intrinsic and proactive. Complacency threatens this state, requiring:

  • Sustained senior leadership commitment.
  • Regular audits to maintain standards.
  • Leveraging competitive advantages.
  • Pioneering risk applications.
  • Continuous process improvement.
  • Engaging stakeholders in risk processes.

Implementing risk management is a substantial, long-term endeavor, far beyond adopting tools or training staff. The RMM offers a four-level benchmark to assess and enhance risk capability, aiding organizations and their supporters in diagnosing maturity and crafting tailored strategies. Future refinements, such as a self-assessment questionnaire, could further sharpen diagnostics. For now, the RMM provides a practical tool for initiating or improving formal risk management approaches.

Critical success factors

Determining an organization’s desired and appropriate risk management maturity levels can be bolstered by defining what successful risk management looks like in practice. Drawing from ISO 31000, the COSO (2017) ERM Framework, and the Orange Book (2020), we’ve distilled key principles into five attributes of effective risk management, captured in the acronym PACED: Proportionate, Aligned, Comprehensive, Embedded, and Dynamic. These attributes have shaped the framework for an organization’s risk architecture, strategy, and protocols, while also aiding in the evaluation of the risk management process to confirm its effectiveness. Additionally, we’ve examined how assurance is provided for both risk management and internal controls. Across these dimensions, an organization must clarify its own vision of success. The critical success factors identified for project risk management are just as applicable to enterprise risk management. These factors align with the four contributors to risk management maturity discussed earlier:

  • Supportive organization (Culture) – encompassing a risk-aware culture, clear goals, and sufficient resources.
  • Simple, scalable process (Process) – featuring a customized process supported by policies and manuals.
  • Competent people (Experience) – marked by consistent terminology, skilled staff, and suitable attitudes and behaviors.
  • Appropriate methods, tools, and techniques (Application) – supported by infrastructure, software, training, and toolkits or factsheets.

By defining these critical success factors, an organization can clarify the purpose, structure, and practical application of its risk management efforts, as well as guide improvements. This foundation can then inform the creation of key performance indicators for risk management and metrics to assess both its current state and the ideal future maturity level.

Roadmaps to risk management maturity

Risk management maturity is not something that develops instantly. A gap analysis will reveal that reaching the ideal and suitable level of maturity for an organization requires time and involves multiple stages. One effective way to navigate this journey is by using an improvement roadmap. Roadmaps serve as strategic plans to steer an organization through a prolonged enhancement process. They should detail each proposed improvement, including the timeline and effort required for implementation, as well as the expected level of progress each step will achieve.

Every improvement should come with clear objectives that are specific, measurable, achievable, realistic, and time-bound (SMART) to provide a precise direction for the organization. However, similar to risk management itself, certain maturity levels can only be attained incrementally, as attempting to fully realize all objectives simultaneously may be impractical or unfeasible. To meet these objectives, roadmaps need to outline specific actions for each improvement, complete with timelines, necessary resources, and associated costs. These efforts should align with the organization’s broader strategy and integrate with existing or planned activities to ensure there is both the capacity and commitment to carry them out. Basic roadmaps typically highlight key areas for enhancement, setting short-, medium-, and long-term goals, and indicating the corresponding level of risk management maturity achieved at each stage. Knowing how mature an organization’s risk management is doesn’t just show the current level of risk control—it also helps create a plan for improvement.

Quick Win: Roadmaps can include short-, medium- and long-term tasks. Short-term goals are commonly known as “quick wins.” Quick wins refer to changes that are noticeable and deliver immediate results. While these impacts don’t need to be transformative, they should bring tangible value to an organization. Examples of quick wins in risk management include:

  • Revising risk descriptions to clearly distinguish causes, risks, and consequences.
  • Evaluating controls to confirm they actively manage risks—rather than merely gathering data or offering advice—and ensuring they are effective.
  • Encouraging deeper scrutiny of risk management information.
  • Initiating conversations about “unknown knowns”—the obvious but unaddressed issues, or “elephants in the room.”

When quick wins are achieved, their collective influence often exceeds the sum of their individual effects. Drawing from the examples above, clearer risk insights and stronger control assurance can boost confidence and understanding among staff at all levels. This, in turn, fosters greater commitment to and engagement with the risk management process, heightening risk awareness and strengthening the organization’s risk culture. Nonetheless, quick wins are just one piece of the improvement roadmap and are not self-sustaining, as their scope is often confined to specific teams or areas. To reach enterprise-wide risk management maturity goals, broader improvements must also be strategically planned for the medium and long term.

Quick wins typically involve short-term tasks that demand minimal investment, particularly in terms of capital spending. In contrast, larger initiatives or those dependent on achieving a certain level of risk management maturity in specific areas are classified as medium- or long-term tasks. The duration of these tasks aligns with the roadmap’s overall timeline. For instance, in a one-year roadmap, a long-term task might span nine months or commence in the ninth month. Certain improvements may be substantial enough to necessitate a business case for capital funding. Consequently, many of these enhancements, by their nature, are treated as standalone projects. Once approved, they often integrate into project planning, design, execution, and handover phases. An effective risk management improvement roadmap must also account for shifts in the risk management landscape, as well as the organization’s context and goals. For example, UK corporate governance requirements for financial reporting are set to evolve post-December 2013. Similarly, expectations for operating within and reporting on Environmental, Social, and Governance (ESG) criteria are growing more defined and formalized. When such changes emerge during the planning of a risk management improvement initiative, they need to be incorporated. This could influence the roadmap’s outcomes, as resources might be redirected or adjustments to the plan become necessary. Regardless of the timeline or potential modifications to the risk management maturity roadmap, its completion often signals the start of the next one. Perfection is elusive, and enhancing risk management evolves into an ongoing cycle of continuous improvement.

Why Create a Risk Maturity Roadmap?

  • Risk maturity assessments help you understand how well an organization manages risk.
  • They allow you to focus on weak areas instead of spending effort on areas that are already strong.
  • A clear roadmap can help get leadership support for more resources.
  • If leadership wants to achieve a higher level of risk maturity than what current resources allow, this can justify asking for more investment.
  • A roadmap helps integrate risk management into daily business operations.
  • Comparing your organization’s risk maturity with others in the industry can help gain executive support.
  • These roadmaps can also speed up improvements.
  • Creating internal rankings can encourage competition between teams or departments, leading to faster progress.
  • Rewarding improvements with incentives can further motivate employees.
  • However, not all areas of a business need to reach the highest risk maturity level—sometimes, a “good enough” level is sufficient.
  • The highest maturity levels should be reserved for the most critical areas of the business.

Assessing Your Current Risk Maturity

  • Start by understanding the organization’s culture, current risk capabilities, and leadership’s expectations.
  • This helps set clear goals for what risk management should achieve.
  • External consultants might not fully understand your organization’s unique needs.
  • Their models might rate your organization’s maturity level lower than it actually is if they do not consider how your system is tailored to your business.

Building a Risk Maturity Roadmap

The assessment results should be presented in a dashboard and included in the annual risk review. A more detailed review can be conducted every two to three years.

  • To create a roadmap, look at where you were a year ago, where you are now, and where you expect to be in a year with current resources.
  • This can be visually represented using different colors for past, present, and future states.
  • Set clear criteria to measure progress, often using maturity levels ranging from one to four or five.
  • Define maturity criteria for all areas of risk management, including risk culture.
  • Use language that aligns with existing risk management frameworks.
  • Compare your progress with industry standards like ISO guidelines or benchmark against competitors.
  • Assessments should include both documentation reviews and practical evaluations of how risk tools and processes are used.
  • Interviews are the best way to gather information but should be informal to encourage open discussion.
  • Surveys can also help measure risk maturity but must be clear and concise.

11.2 Network and causal analysis

Risks and controls are not standalone elements; they are interconnected within and across an organization, playing a key role in managing information flow. This interconnectedness deserves deeper exploration when integrating and sustaining risk management within an organization. Even in the smallest or most straightforward organizations, risks are linked—one person’s risk might be another’s trigger or outcome, and controls may address overlapping or distinct risks throughout the entity. Understanding this web of risks and controls, and having the ability to trace causal relationships across the organization, strengthens the embedding of risk management. It also boosts engagement and support for the process by minimizing redundancies and gaps in risk management efforts, enhancing efficiency and reducing wasted effort.

Software tools exist to map these risk networks and connections. However, for some organizations, such tools are either unavailable or insufficiently equipped to establish or support these links. In such cases, a centralized risk management function becomes even more critical. This function ensures uniformity in applying risk management practices and fostering a consistent risk culture across the organization. With its comprehensive understanding of risks, it can uncover patterns and relationships that others might overlook. Even when advanced risk management software is in use, a central function can still reveal previously unnoticed connections. Beyond this, employing techniques that identify risk and control linkages proves valuable. Causal analysis can clarify how risk triggers are related and show how altering those triggers might impact a risk or cascade to others. Similarly, effect analysis examines the consequences of a risk materializing, revealing how changes in those outcomes could affect the risk itself or related risks. These methods, while integral to risk assessment, also enhance the embedding of risk management by equipping organizations to recognize and address interconnected, cross-cutting risks effectively.

What challenges prevent businesses from recognizing and assessing interconnected risks?

  • Insufficient context for risks: Even when risk management is seen as essential, some leaders resist it because they lack the information to contextualize risks properly. They may acknowledge that a risk exists but have no clear grasp of its implications or potential long-term effects on the organization’s success. Consequently, without a robust risk identification and analysis program, risk management practices within business units can falter.
  • Absence of dual-perspective risk assessments: Many organizations fail to adopt a two-way risk identification and assessment approach—top-down from leadership pinpointing strategic risks and bottom-up from operations spotting related breakdowns and trends. This bidirectional strategy enables both strategic and operational levels to adapt their plans effectively.
  • Reactive rather than proactive risk strategies: Risk management is often approached as a compliance task—creating rules for employees to follow—rather than a proactive tool integrated with strategic planning to address gaps and blind spots. This “check-the-box” mindset limits its potential as a decision-making aid.
  • No cohesive framework for analyzing and linking risk themes: Raw data alone doesn’t ensure sound risk decisions. A key hurdle for organizations is that, despite having risk data, they lack the expertise to extract actionable insights or understand risk interconnections. Data needs to be distilled into clear, digestible insights for the board, delivered through accurate, comprehensive reports to the right people at the right time. Effective reporting hinges on strong risk data aggregation, supported by solid infrastructure and governance.

Even now, businesses apply controls without fully considering their impact across different areas. Siloed control systems can result in excessive, overlapping, or redundant measures that drive up costs, waste time, and erode efficiency. An integrated risk management approach is vital to shift the focus from spending 80% of effort on data collection to prioritizing analysis. Risk management must advance to provide businesses with a deeper understanding of risks and their complex web of interconnections, as these linkages can magnify impacts, directly or indirectly.

Checklist for an Effective Risk Management Program

  • Create a structured program for identifying and assessing emerging risks tied to shifts in the business environment.
  • Establish risk and performance metrics aligned with organizational goals.
  • Promote data sharing and communication across business units.
  • Develop a unified enterprise risk taxonomy with consistent terminology organization-wide.
  • Gain deeper insight into risk relationships through cause-and-effect analysis.
  • Use a risk aggregation tool to spot trends, patterns, and critical risk areas.
  • Enhance automation in risk management to reduce repetitive data tasks, leveraging data-driven assessments.
  • Enable real-time monitoring to alert teams of looming risk events proactively.

Integrated Risk Management (IRM) builds on existing risk identification, assessment, and management practices, aiming to clarify connections between risk areas so they can be handled proactively.

For IRM to succeed, it requires alignment of people, processes, technology, and data within a unified ecosystem, all working toward a shared objective. However, risk identification and assessment alone fall short without measurable indicators. Thoughtfully designed metrics are essential to provide meaningful risk insights. While many assume IRM technology centers on deploying an enterprise Governance, Risk, and Compliance (GRC) tool, it demands broader consideration. IRM extends the GRC framework, weaving risk management seamlessly into compliance, cybersecurity, vendor risk, and business continuity efforts.

Activity touchpoints, including budget, strategy, and systems

Many organizations treat risks and controls as separate entities, often due to the structure of their risk registers or the design of their risk management framework and processes. Recognizing patterns or groups of risks—along with their causes, effects, and associated controls—is crucial, even if this is done manually through a centralized risk function. As highlighted in earlier discussions on critical success factors, risk management should be straightforward and adaptable, interacting with—or, per ISO 31000, fully integrated into—all organizational activities. This integration applies not only to managing risks but also to the risk management process itself, which is vital for embedding and sustaining risk management within an organization. This concept is further emphasized in Integrated Enterprise Risk Management.

The COSO (2017) ERM framework underscores this by linking its core value chain to strategy, highlighting the risks of a strategy misaligning with an organization’s mission, vision, and values. COSO views strategy alignment within the ERM framework as equally important as identifying and managing risks. Notably, while many organizations assess risks that could derail strategy and objectives, few evaluate risks inherent in crafting that strategy. This gap often stems from the absence of a C-suite risk management leader. Strategic discussions about an organization’s direction—often sensitive or commercially confidential—can feel undermined by someone challenging decisions without a seat at the executive table. Some organizations turn to external risk management consultants for strategic input, but the resulting insights are rarely shared with the internal risk management team, leaving the broader impact of these decisions on organizational risks unclear.

This disconnect between risk and strategy mirrors challenges in budget setting. Conversations about risk management often exclude those responsible for budgeting across the organization. Yet most risk management decisions involve capital spending or contingency use, with ripple effects on financial resources and the capacity to address risks elsewhere. This issue extends to funding risk management itself. Hiring dedicated risk professionals, creating training programs, purchasing software, or engaging consultants incurs costs that may not align with an organization’s financial reality or strategic priorities. These expenses must be weighed against how much the organization is prepared to invest in controlling risks and enhancing its risk management maturity. This balance is especially critical when considering risk appetite and the understanding that not all risks warrant unlimited mitigation efforts.

As previously noted, risks are not isolated, nor is risk management a standalone activity detached from broader business operations. Embedding risk management effectively requires attention to its key maturity drivers: culture, process, experience, and application. In many organizations, decisions about implementing risk management or addressing specific risks exclude input from budget owners or those accountable for objectives. Such exclusions can strain specific business areas or the organization as a whole, impairing risk management efforts. Oversight of both risk management’s implementation and its outcomes is essential to ensure the right risks are taken, at the right time, by the right people, in line with the organization’s risk appetite, tolerance, and capacity.

Why Budgeting Should Be Integrated into Your Risk Management Plan

Bringing risk management into your budgeting process offers numerous advantages. Viewing your organization holistically, rather than as a collection of separate units, allows you to identify priorities and allocate funds more effectively. The risk-versus-opportunity discussions typical in risk management are equally valuable for budgeting. Could a particular area drive growth? If so, how much investment is needed to capitalize on it? Is a department lagging or hindering broader company objectives? If yes, how can the budget be adjusted to support improvement? Additionally, monitoring budget outcomes and their impact on overall performance can reveal emerging risks. Rising costs in certain areas may signal developing risks that require attention and mitigation. Budgeting and risk management should collaborate closely to enhance the success of both functions.

How to Incorporate Budgeting into Your Risk Management Plan

Risk management involves anticipating future challenges, much like budgeting, where financial teams forecast funding needs and assess their impact on cash flow and profitability. An enterprise risk management (ERM) approach to budgeting should involve the entire organization, not just the finance team. When individual employees or departments focus solely on their own needs, they may overlook the broader company’s requirements. Examining how budget line items affect various departments ensures funds are distributed to maximize overall benefit while staying within financial limits. Consider adapting the typical risk assessment process for budgeting: identify potential risks, evaluate their company-wide impact, collect relevant data, and determine mitigation strategies—whether by reallocating resources or adjusting the budget. Regular financial reporting and continuous monitoring are also essential, providing consistent metrics to guide decisions for the next annual budget cycle.

Role of Software

We explored risk software as a component of the “Application” critical success factor, which encompasses suitable methods, tools, and techniques. Additionally, we addressed risk management information systems in Unit 2, Section 4, under risk protocols. Risk management software often plays a role in advancing an organization’s risk management maturity. However, when developing a maturity roadmap, it’s essential to weigh the cost and benefits of such software, as well as its compatibility with other systems used for different functions. Software can enhance risk management maturity when reliance on tools like spreadsheets leads to poor risk oversight, limited data analysis, or ineffective reporting.

Furthermore, the traditional practice of conducting manual risk reviews every six months or annually no longer suffices to ensure risks are managed or controls remain effective. This challenge is compounded by the growing need to assess and discuss the evolving context, risks, and controls, which calls for an automated, ongoing system rather than a manual, periodic one.

That said, software should only be considered after risk management processes are established and functioning. Organizations struggle to define their software needs if they lack clarity about their risk management goals and requirements. If an organization already uses software for related tasks—like incident or claims management or audits—and it offers most of the features needed for enterprise risk management (ERM), leveraging that system could be a practical starting point. However, if the existing software is too niche, overly rigid, or cumbersome, exploring other options may be necessary. When evaluating standalone risk software, its integration with existing related systems should be a priority—such as whether it can consolidate reporting outputs.

Some organizations mistakenly assume that purchasing risk software automatically elevates their maturity, which is not true. Significant funds can be squandered on systems that promise comprehensive solutions but fail to align with the organization’s specific needs. Many software vendors tout automated ERM capabilities, yet their products may introduce unexpected constraints that hinder rather than help.

Risk management software should be easy to use. To get risk information in and out, it should be set up for “light users”—people who don’t work on the risk team—rather than just the risk team’s needs. This means the software needs to let these users enter data without making it hard for them. Usually, this is done with a simple form or portal that works on phones, tablets, or laptops. Getting data out is just as key because it helps make smart risk-based decisions. So, the software should have a flexible reporting tool that creates clear, visual reports to support decisions and goals. This might include ranking risks to focus on, tracking action progress, or watching new risks that pop up.

  • Many-to-Many Relationships: In the real world, risks aren’t separate events sitting alone. They connect like a web, where one person’s risk might cause another’s. Controls, actions, and plans might also apply to several risks at once. Older software designs often organize data in a strict top-down way, forcing risks into isolated boxes (one-to-many links). But software that can handle risks, controls, actions, incidents, goals, and people in a network—with many-to-many connections—better matches how risks really work. This avoids the need to force risks into categories or awkwardly “tag” their links across separate lists. Instead, the software can show how risks, controls, and actions relate clearly.
  • Automation: Software brings change by turning a manual process into an automatic one. To keep the change manageable and boost the odds of a successful rollout, the software should automate your risk management steps without forcing you to tweak them. Platforms that demand you adjust your current process because of their technical limits should be skipped. Good risk management software should adapt to your process without needing custom coding—changes to the software itself. Too much customization means the wrong tool was picked and could spell trouble when updating the software later.
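
The many-to-many point above, and the causal and effect analysis described earlier in this section, are easier to see in a concrete data model. The following Python is an added example written for this page; it is not code from the page's author or from any vendor's product. The risk register it builds (risk and control names, cause links) is constructed for illustration. Risks and controls are stored as a graph: a control may cover several risks, a risk may have several controls, and risks are linked to one another by cause-to-effect edges. The queries then show what a flat one-to-many register cannot: which risks share a control (overlap), which risks have none, what cascades from a given risk, and what a single control failure exposes.

```python
"""Many-to-many risk network: risks, controls and cause/effect links.

Added example for this chapter. The sample register in build_sample()
is constructed, not taken from any real organization.
"""
from collections import defaultdict, deque


class RiskNetwork:
    """Graph of risks linked to controls (many-to-many) and to each other
    by cause -> effect edges."""

    def __init__(self):
        self.risks = {}                               # risk id -> description
        self.control_to_risks = defaultdict(set)      # control -> risks it mitigates
        self.risk_to_controls = defaultdict(set)      # risk -> controls covering it
        self.effects = defaultdict(set)               # cause risk -> risks it can trigger
        self.causes = defaultdict(set)                # effect risk -> risks that trigger it

    def add_risk(self, risk_id, description):
        self.risks[risk_id] = description

    def link_control(self, control, risk_id):
        self._check(risk_id)
        self.control_to_risks[control].add(risk_id)
        self.risk_to_controls[risk_id].add(control)

    def link_cause(self, cause, effect):
        self._check(cause)
        self._check(effect)
        self.effects[cause].add(effect)
        self.causes[effect].add(cause)

    def _check(self, risk_id):
        if risk_id not in self.risks:
            raise KeyError(f"unknown risk {risk_id!r}")

    def _walk(self, start, adjacency):
        """Breadth-first traversal from start; the seen set guards against cycles.
        Neighbours are visited in sorted order so results are deterministic."""
        self._check(start)
        seen, order, queue = {start}, [], deque([start])
        while queue:
            node = queue.popleft()
            for nxt in sorted(adjacency[node]):
                if nxt not in seen:
                    seen.add(nxt)
                    order.append(nxt)
                    queue.append(nxt)
        return order

    def downstream(self, risk_id):
        """Effect analysis: every risk this one can cascade into, nearest first."""
        return self._walk(risk_id, self.effects)

    def upstream(self, risk_id):
        """Causal analysis: every risk whose occurrence can lead to this one."""
        return self._walk(risk_id, self.causes)

    def shared_controls(self):
        """Controls covering more than one risk: candidates for an overlap review."""
        return {c: sorted(r) for c, r in self.control_to_risks.items() if len(r) > 1}

    def uncontrolled(self):
        """Risks that no control covers at all."""
        return sorted(r for r in self.risks if not self.risk_to_controls[r])

    def exposure_if_control_fails(self, control):
        """Risks affected, directly or through cascade, if one control fails."""
        reached = set()
        for r in self.control_to_risks[control]:
            reached.add(r)
            reached.update(self.downstream(r))
        return sorted(reached)


def build_sample():
    """Constructed register: five risks, three controls, four cause links."""
    net = RiskNetwork()
    for rid, desc in [("R1", "key supplier outage"), ("R2", "production delay"),
                      ("R3", "revenue shortfall"), ("R4", "customer data breach"),
                      ("R5", "regulatory fine")]:
        net.add_risk(rid, desc)
    net.link_control("dual sourcing", "R1")
    net.link_control("business continuity plan", "R1")
    net.link_control("business continuity plan", "R2")
    net.link_control("business continuity plan", "R4")
    net.link_control("encryption at rest", "R4")
    net.link_cause("R1", "R2")   # supplier outage -> production delay
    net.link_cause("R2", "R3")   # production delay -> revenue shortfall
    net.link_cause("R4", "R3")   # breach -> revenue shortfall
    net.link_cause("R4", "R5")   # breach -> regulatory fine
    return net


if __name__ == "__main__":
    net = build_sample()
    print("downstream of R1:", net.downstream("R1"))
    print("upstream of R3:  ", net.upstream("R3"))
    print("shared controls: ", net.shared_controls())
    print("uncontrolled:    ", net.uncontrolled())
    print("if BCP fails:    ", net.exposure_if_control_fails("business continuity plan"))
```

In the sample register the business continuity plan covers three risks, so `shared_controls()` flags it for an overlap review, while `uncontrolled()` shows that the two purely downstream risks (revenue shortfall, regulatory fine) are only ever addressed indirectly through their causes. A real tool would persist these edges rather than hold them in memory, but the queries are the same.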

Comparison of Risk Management Software products

Software Journey

  • Software Readiness: Checking if organizations are prepared to switch their risk management to an automated system.
  • ERM Consulting/Training: Helping organizations that aren’t ready to automate by offering expert advice or training staff, especially if there’s resistance to the risk management process.
  • Market Sweep: A fair review of available software options to find the best fit for an organization’s needs.
  • Product Demo: For organizations eager to automate quickly—faster than a full market review or Satarla’s four-step risk management process—they can see a demo of the process set up in software.
  • Source: Building a business case to justify the cost of the software.
  • Implement: Providing product and project management help to set up the software based on the organization’s specific needs.
  • Rollout & Training: Engaging users and teaching them how to use the newly automated tasks.
  • Troubleshooting: Offering admin support to fix any software-related problems.
  • Admin Support: Assisting other administrators to keep the software running smoothly.
  • User Support: Helping users directly with their questions or issues.
  • Induction Training: Training new administrators on how to use the software effectively.

Change Management

Organizational change often happens through projects, programs, and portfolios. The Association for Project Management (APM) (2022) describes change management as the overall method an organization uses to shift from its current state to a desired future state, working together with stakeholders in a planned and organized way. The Chartered Institute of Personnel and Development points out that change is a constant in many organizations, driven by internal and external factors. However, they note that many organizations struggle to achieve the results they want from change efforts, and poor change management can have serious, long-lasting negative effects.

Change management works best when it’s carefully planned and matches the organization’s strategy and culture. But sometimes, unexpected events—like global disruptions in recent years—can outpace an organization’s plans, showing how crucial resilience and flexibility are for long-term success. Change management needs to be adaptable, not just a sudden reaction to events. The APM highlights that change management is often essential for survival or staying relevant.

Since introducing or improving risk management is itself an organizational change, change management methods can help introduce it and keep improving it. The APM explains that successful change requires shifts in people’s attitudes, behaviors, and culture—known as the ABC model. Key steps to make this happen include:

  • Understanding why the change is needed.
  • Managing stakeholder relationships.
  • Talking to those who will use the new system.
  • Figuring out training needs.
  • Highlighting the advantages of the change.
  • Finding supporters to champion it.

It’s also important to think about barriers to change, which are similar whether they concern general operations, starting risk management, or improving it. As mentioned, treating change management like a project works well for medium- and long-term risk management improvements. Another approach is using small, ongoing improvements, a core idea in lean management. The Lean Project Management Foundation (2022) describes lean management as a culture focused on “supporting society and the planet’s sustainable development by creating high-quality, innovative products and services.” Lean and agile management are related ideas often used interchangeably, though they’re distinct. We explored agile management in the discussion of resilience. Lean management originated in the Toyota Production System in the mid-20th century, built on two main ideas: continuous improvement and respect for people. Teams speed up work by managing its flow rather than pushing it through in large batches. A key lean technique is Kaizen, meaning “change for good.” It pushes employees to constantly find ways to improve their own performance and their team’s, encouraging a “bottom-up” approach in which staff take charge of changes. This helps everyone question routine practices and seek improvements.

Kaizen also speeds up spotting improvements compared to waiting for a formal risk management maturity review. It’s useful for both quick fixes and for starting medium- and long-term changes. Blending traditional change management with lean methods like Kaizen combines top-down and bottom-up strategies, supporting ongoing risk management improvement. Kaizen uses techniques similar to risk management but focuses them on the risk management process itself—its steps, reporting, or risk register—instead of other business areas. For example, where lean practice typically targets a production process for a “rapid improvement event,” in risk management the focus could shift to specific elements such as the process or the risk register. Though a full Kaizen event isn’t recommended, its approach can highlight improvement areas and involve staff across the organization, boosting participation. Plus, fostering a habit of questioning risk management practices enhances its effectiveness across culture, process, experience, and application—ultimately lifting its maturity.
