An online modeling tool designed to give guidelines and best practices to enterprise risk management programs was launched today by the Risk and Insurance Management Society Inc. (RIMS).
The Risk Maturity Model for Enterprise Risk Management is a collaboration between RIMS and LogicManager, Inc.
"Risk managers are constantly in contact with us, looking for information about how to start, how to further develop, how to do this piece and that piece, and it's being done a-la-carte, if you will," John Phelps, member of the RIMS board of directors and director of risk management for Blue Cross and Blue Shield of Florida Inc., told National Underwriter.
The program will help them "see how these things fit together and see where the pieces are missing in their program," he said. He noted that risk managers looking for an honest assessment to show upper management where their program is versus where it could be, based on industry standards, will have a tool for the first time.
Risk managers, he said, not only benefit from the experience of practicing enterprise risk managers, but "they also have a tool that they haven't had before, to honestly self-analyze where they are with their program."
Steven Minsky, chief executive officer of LogicManager Inc. and co-developer of the RIMS Risk Maturity Model, told NU that one of the most important takeaways of the model is that too often risk management is looked at from a compliance standpoint, and therefore, "you're not measuring value with that type of approach."
What the model is measuring, he said, is "how well you're uncovering risks, how effective you are and how you back that up with data."
He added that there are "so many case studies of companies like ChoicePoint, which for years emphatically proclaimed the strength of their security. But it turned out that they were only secure in one area--hacking from outside."
ERM, he said, is about "making sure you have a comprehensive view of risk and that you're looking at the external factors, relationships and people," including suppliers.
"This is a unique contribution that RIMS is making," he said. "This is not a check-box approach. This is about quality and about measuring quality and business value."
In addition to publishing a reference guide, the Risk Maturity Model features a real-time benchmarking exercise that allows executives to score key characteristics of their risk programs and generate a personalized assessment that identifies program maturity.
The tool is designed as a resource for all corporate functions tasked with risk management responsibilities, including operations, compliance, internal audit, IT and security, as well as at the board level, according to RIMS.
One of the key criteria now examined by Standard & Poor's, Mr. Minsky said, is risk culture. While S&P looks at the ERM culture in regard to ratings, "they provide no guidance, really, on what risk culture is, how you measure it and how you get there." He added that "it can be unnerving for a company to be measured by an organization that is recognizing it when they see it."
With the maturity model, he said, a risk manager can break risk culture down into the components that make up a strong risk competency and work on areas where improvement is needed.
The Risk Maturity Model is based on the Capability Maturity Model--a methodology developed by the Carnegie Mellon University Software Engineering Institute (SEI) in the 1980s. Originally the model was used to advance software engineering methodologies and processes, according to RIMS.
Since then the theory behind the Maturity Model has been applied to other corporate operations such as supply chain and people management, and embraced by some organizations within the technology, finance and defense industries.
The Risk Maturity Model presents a five-level progression for program maturity, from "non-existent" to "Leadership." The seven drivers for the systematic progression of levels are termed "Attributes," and include variables such as ERM Process Management, Risk Appetite Management, Uncovering Risks, and Business Resiliency and Sustainability.
Mr. Minsky said that a unique feature of the Risk Maturity Model is its applicability, regardless of the specialized frameworks and standards an organization is using--whether it is the Australian/New Zealand Risk Standard, COSO ERM, COBIT 4.0, Standard & Poor's ERM or Sarbanes-Oxley.
The Risk Maturity Model and benchmark exercise are available in full to RIMS members and participants in the corresponding RIMS Risk Maturity Model professional development workshops. Non-members can gain online access to an executive summary on the model and full access to the benchmarking exercise and personalized assessment.
RIMS said its goal is to gather 500 participants in the benchmark exercise in order to accumulate substantial statistics on program maturity by industry, geography and company size. The long-term goal is to maintain and analyze the statistics in order to provide the risk management community with a valuable benchmarking reference and trend analysis for enterprise risk program maturity.
The Risk Maturity Model for Enterprise Risk Management and other resources are available online at the RIMS ERM Center of Excellence at www.RIMS.org/ERM.