A diagnose matrix for assessing the Organizational Risk Maturity
Luiz Carlos Di Serio, Luciel Henrique de Oliveira
EAESP/FGV Fundação Getúlio Vargas São Paulo - Brazil
1. Introduction
This is a theoretical essay on organizational risk maturity models, compiling traditional models into a new approach with four perspectives: Organizational, Global supply chain, Sustainability, and Project management.
• We consider some traditional maturity models, along with other contemporaries.
• It aims to help bring a new integrated view of the issue of corporate risk, and enable a wider measurement and analysis of how the company treats its risks.
2. Theoretical Framework
• 2.1. Organizational Risk Management Maturity Model – OR3M
• 2.2. Sustainability Risk Management Maturity Model – SR3M
• 2.3. Operations & Global Sourcing Risk Management Maturity Model – OGS3M
• 2.4. Project Risk Management Maturity Model - PR3M
2.1. Organizational Risk Management Maturity Model – OR3M
Levels: 1 Initial, 2 Ad hoc, 3 Repeatable, 4 Managed, 5 Optimized
Dimension 1: Management Perspective
Level 1 (Initial): The organization is unaware of the need for and value of risk management and has no structured approach to dealing with risk.
Level 2 (Ad hoc): The organization starts to become aware of the need for and value of RM, and a structured approach to dealing with hazards begins.
Level 3 (Repeatable): Basic RM processes are established on a project-by-project basis, although they may not be consistently achieved in all cases.
Level 4 (Managed): Generic RM systems and processes are formalized, implemented, and documented, and the benefits are understood at all levels of the organization.
Level 5 (Optimized): The organization has a risk-aware culture with a proactive approach to RM in all project activities.
Dimension 2: Organizational Risk Culture
Level 1 (Initial): The organization is not experimenting with the application of RM.
Level 2 (Ad hoc): The organization starts to search for applications of RM.
Level 3 (Repeatable): The organization makes realistic project commitments based on the results observed on previous projects and on the risks identified for individual projects.
Level 4 (Managed): Top management provides strong support while employees are empowered to implement RM processes to take on risks.
Level 5 (Optimized): Risk information is actively used to improve RM processes and gain competitive advantage. The consideration of risk is inherent to all processes.
Source: Adapted from Zou, Chen, & Chan (2010) and RMRDPC (2002).
Dimension 3: Identifying Risks
Level 1 (Initial): No attempt is made to identify risks in the project or to develop mitigation or contingency plans.
Level 2 (Ad hoc): The organization initiates attempts to identify project risks and begins structuring mitigation plans.
Level 3 (Repeatable): RM is disciplined because planning and tracking of individual projects is stable and earlier successes can be repeated.
Level 4 (Managed): RM is systematically structured; planning and monitoring of projects is stable and based on learning from previous successes and failures.
Level 5 (Optimized): Identifying, assessing and managing uncertainty becomes second nature to the organization, and risk management is built into all activities.
Dimension 4: Analyzing Risks
Level 1 (Initial): The normal method for dealing with problems is to react after a problem occurs, with no proactive thought.
Level 2 (Ad hoc): The organization continues reacting after a problem occurs, but begins to think proactively.
Level 3 (Repeatable): A minimum RM process has been applied, including risk identification, analysis and responses.
Level 4 (Managed): A well-structured RM process is applied, with frequent identification and analysis of risks and responses.
Level 5 (Optimized): Risks are not only identified and analyzed but also optimized.
Dimension 5: Standardized RM (Risk Management) Process
Level 1 (Initial): The organization has no formal or structured RM process in place.
Level 2 (Ad hoc): Occasionally, capable and forceful managers can identify and work to mitigate risks during the project.
Level 3 (Repeatable): There is a lack of organization-wide and standardized RM processes.
Level 4 (Managed): The process is based on a common, organization-wide understanding of the activities, roles and responsibilities.
Level 5 (Optimized): Risk review and learning are implemented. RM knowledge is used for risk and opportunity optimization.
Source: Adapted from Zou, Chen, & Chan (2010) and RMRDPC (2002).
2.2. Sustainability Risk Management Maturity Model – SR3M
Levels: 1 Viewing compliance as opportunity, 2 Making value chains sustainable, 3 Designing sustainable products and services, 4 Developing new business models, 5 Creating next-practice platforms
Dimension 1: Central challenge
Level 1 (Viewing compliance as opportunity): To ensure that compliance with norms becomes an opportunity for innovation.
Level 2 (Making value chains sustainable): To increase efficiencies throughout the value chain.
Level 3 (Designing sustainable products and services): To develop sustainable offerings or redesign existing ones to become eco-friendly.
Level 4 (Developing new business models): To find novel ways of delivering and capturing value, which will change the basis of competition.
Level 5 (Creating next-practice platforms): To question through the sustainability lens the dominant logic behind business today.
Dimension 2: Competencies needed
Level 1 (Viewing compliance as opportunity): The ability to anticipate and shape regulations. The skill to work with other companies, including rivals, to implement creative solutions.
Level 2 (Making value chains sustainable): Expertise in techniques such as carbon management and life-cycle assessment. The ability to redesign operations to use less energy and water, produce fewer emissions, and generate less waste. The capacity to ensure that suppliers and retailers make their operations eco-friendly.
Level 3 (Designing sustainable products and services): The skills to know which products or services are most unfriendly to the environment. The ability to generate real public support for sustainable offerings and not be considered as “greenwashing.” The management know-how to scale both supplies of green materials and the manufacture of products.
Level 4 (Developing new business models): The capacity to understand what consumers want and to figure out different ways to meet those demands.
Level 5 (Creating next-practice platforms): Knowledge of how renewable and nonrenewable resources affect business ecosystems and industries. The expertise to synthesize business models, technologies and regulations in different industries.
Source: NIDUMOLU, PRAHALAD & RANGASWAMI (2009, p.5)
Dimension 3: Innovation opportunity
Level 1 (Viewing compliance as opportunity): Using compliance to induce the company and its partners to experiment with sustainable technologies, materials and processes.
Level 2 (Making value chains sustainable): Developing sustainable sources of raw materials and components. Increasing the use of clean energy sources such as wind and solar power. Finding innovative uses for returned products.
Level 3 (Designing sustainable products and services): Applying techniques such as biomimicry in product development. Developing compact and eco-friendly packaging.
Level 4 (Developing new business models): Developing new delivery technologies that change value-chain relationships in significant ways. Creating monetization models that relate to services rather than products.
Level 5 (Creating next-practice platforms): Building business platforms that will enable customers and suppliers to manage energy in different ways. Developing products that won’t need water in categories associated with it, such as cleaning products.
2.3. Operations & Global Sourcing Risk Manag. Maturity Model – OGS3M
Levels: 1 Traditional, 2 Awareness, 3 Monitoring, 4 Quantification, 5 Integration
Dimension 1: Culture
Level 1 (Traditional): No culture of control. No action of the board on either IC (Internal Control) or RM (Risk Management).
Level 2 (Awareness): Board mandate for the implementation of IC and RM. Management promotes IC in specific actions.
Level 3 (Monitoring): The benefits of IC and RM are recognized and expected. In accordance with the Board's mandate, top managers demand periodic reports on IC.
Level 4 (Quantification): Use of the IC reports by top management for decision making. Setting strategic goals relative to risk tolerance levels.
Level 5 (Integration): The culture of control integrated into the ethical code. Culture of control extended throughout the organization, proactive focus.
Dimension 2: Processes
Level 1 (Traditional): Absence of formally established management processes. No implementation of IC and RM processes.
Level 2 (Awareness): System of l order with all the process manuals and job descriptions. Analysis of separation of tasks and conflicts of interests.
Level 3 (Monitoring): Minimal establishment of indicators and controls in the 7 main processes. Warning system and actions to correct causes of error.
Level 4 (Quantification): Systematic process for the calculation of SCR QIS3. Management of the business risks. Process of periodic quantification of the OR.
Level 5 (Integration): Culture of information on all the processes with indicators of losses and causes. Valuation of OR VaR or Tail VaR.
Source: Adapted from Ferrando & De La Parra (2008).
Dimension 3: Practical Application
Level 1 (Traditional): No application of RM. No analysis made of OR (Operational Risk).
Level 2 (Awareness): Appointment of a person responsible for IC and application of resources.
Level 3 (Monitoring): Qualitative methods of OR analysis. Minimal application to the 7 main processes.
Level 4 (Quantification): Preparation and annual revision of a Risk Map. Measurement of all risks. Decision making based on the evolution of the Risk Map.
Level 5 (Integration): Implementation of qualitative and quantitative methods, and creation of historical databases. Mitigating strategic goals.
Dimension 4: Experience
Level 1 (Traditional): Neither the principles nor the language of OR have ever been applied. No experience in RM or OR processes.
Level 2 (Awareness): Limited to a few collaborators. Experience in processes is limited to the administration department.
Level 3 (Monitoring): Development and implementation of processes of management and control with the aid of outside advisers.
Level 4 (Quantification): Personnel with the capacity to implement processes of RM and control. Support of outside advisers but under the initiative of in-house personnel.
Level 5 (Integration): All staff with the capacity to implement processes of RM and control. The entire organization involved in the evolution of risks.
Source: Adapted from Ferrando & De La Parra (2008).
2.4. Project Risk Management Maturity Model - PR3M
Levels: 1 Initial, 2 Ad Hoc, 3 Repeatable, 4 Managed, 5 Optimized
Dimension 1: Definition
Level 1 (Initial): Unaware of the need for management of uncertainties. No structured approach to dealing with uncertainty. Repetitive and reactive MP. Little or no attempt to learn from past projects or prepare for future projects.
Level 2 (Ad Hoc): No structured approach in place. Aware of potential benefits of managing risk, but ineffective implementation.
Level 3 (Repeatable): Management of uncertainty built into all organizational processes. RM implemented on most or all projects.
Level 4 (Managed): Risk-aware culture with proactive approach to RM in all aspects of the organization. Benefits understood at all organizational levels.
Level 5 (Optimized): All the features of previous level plus: active use of risk information to improve organizational processes and gain competitive advantage.
Dimension 2: Culture
Level 1 (Initial): No risk awareness. No upper management involvement. Resistance/reluctance to change. Tendency to continue with existing processes even in the face of project failures.
Level 2 (Ad Hoc): Risk process may be viewed as additional overhead with variable benefits. Upper management encourages, but does not require, use of RM. RM used only on selected projects.
Level 3 (Repeatable): Accepted policy for RM. Upper management requires risk reporting. Dedicated resources for RM. Bad news risk information is accepted.
Level 4 (Managed): Top-down commitment to risk management, with leadership by example. Upper management uses risk information in decision-making.
Level 5 (Optimized): Features of previous level plus: Proactive risk management encouraged and rewarded. Organizational philosophy accepts idea that people make mistakes.
Source: Adapted from RMRDPC (2002) & Thamhain (2013).
Dimension 3: Process
Level 1 (Initial): No formal process. No RM Plan or documented process exists. None or sporadic attempts to apply RM principles. Attempts to apply RM process only when required by customer.
Level 2 (Ad Hoc): No generic formal processes. Process effectiveness depends heavily on the skills of the project risk team and the availability of external support.
Level 3 (Repeatable): Generic processes applied to most projects. Formal processes incorporated into quality system.
Level 4 (Managed): Risk-based organizational processes. RM culture permeating the entire organization.
Level 5 (Optimized): All the features of previous level plus: Key suppliers and customers participate in the Risk Management process.
Dimension 4: Experience
Level 1 (Initial): No understanding of risk principles or language. No understanding or experience in accomplishing risk procedures.
Level 2 (Ad Hoc): Limited to individuals who may have had little or no formal training.
Level 3 (Repeatable): In-house core of expertise, formally trained in basic RM skills. Development and use of specific processes and tools.
Level 4 (Managed): All staff risk aware and capable of using basic risk skills. Learning from experience as part of the process.
Level 5 (Optimized): Regular training for personnel to enhance skills. Documentation, knowledge management and learning from experience.
Dimension 5: Application
Level 1 (Initial): No structured application. No dedicated resources. No RM tools in use. No risk analysis performed.
Level 2 (Ad Hoc): Inconsistent application of resources. Qualitative risk analysis methodology used exclusively.
Level 3 (Repeatable): Routine and consistent application to all projects. Dedicated project resources.
Level 4 (Managed): Risk ideas applied to all activities. Risk-based reporting and decision making.
Level 5 (Optimized): All the features of previous level plus: State-of-the-art tools and methods. Dedicated resources for Project RM.
Source: Adapted from RMRDPC (2002) & Thamhain (2013).
Diagnose matrix for assessing the Organizational Risk Maturity
Organizational: 1 Management Perspective; 2 Organizational Risk Culture; 3 Identifying Risks; 4 Analyzing Risks; 5 Standardized Risk Management Process
Sustainability: 1 Central challenge; 2 Competencies needed; 3 Innovation opportunity
Operations & Global Sourcing: 1 Culture; 2 Processes; 3 Practical Application; 4 Experience
Project: 1 Definition; 2 Culture; 3 Process; 4 Experience; 5 Application
Brief overview
Maturity levels in each perspective:
Organizational: 1. Initial; 2. Ad hoc; 3. Repeatable; 4. Managed; 5. Optimized
Sustainability: 1. Viewing compliance as opportunity; 2. Making value chains sustainable; 3. Designing sustainable products and services; 4. Developing new business models; 5. Creating next-practice platforms
Operations & Global Sourcing: 1. Traditional; 2. Awareness; 3. Monitoring; 4. Quantification; 5. Integration
Project: 1. Initial; 2. Ad Hoc; 3. Repeatable; 4. Managed; 5. Optimized
3. Proposal of a matrix to Organizational Risk Maturity Diagnosis
• A matrix was arranged to diagnose and measure the Organizational Risk Maturity, in a comprehensive and timeless way.
• This matrix is a contribution to the improvement of the practices of analysis and risk management in organizations.
• We took the models compiled and presented above and applied them to the analysis of three organizations with operations in Brazil.
• The proposed model proved rich for a more careful analysis of each individual organization, as it considers the 13 variables defined by Albu & Panzar (2010).
3.1. Presentation of the analyzed cases
1 Semi-structured interviews with a prepared questionnaire containing specific sections to help map out the implementation process, the current stage of the risk management system, and the results obtained.
2 For each case analyzed we conducted interviews with the executive in charge of the organization’s risk management.
3 In each question the interviewees were asked to explain the company’s experience.
Source: Search results. Prepared by the authors.
Case A
Key features: Brazilian conglomerate that combines family control, high-performance professional management, and partnerships with the capital market.
Capabilities: Innovation, risk taking and the adoption of bold new business models.
Risk identification and analysis magnitude: Only the company, not extended to its supply chain.
Case B
Key features: A holding company that operates through subsidiaries in the production, distribution and commercial sectors.
Capabilities: Knowledge of its activities, acquired from significant expertise and tradition.
Risk identification and analysis magnitude: Only the company, not extended to its supply chain.
Case C
Key features: Diversified global industrial company that supplies products and services to clients worldwide.
Capabilities: Supplier of value and innovation.
Risk identification and analysis magnitude: The company and extended to supply chain partners.
Source: Search results. Prepared by the authors.
3.2. Matrix Diagnosis of the Organizational Risk Maturity
Columns: I Organizational (OR3M); II Sustainability (SR3M); III Operations & Global Sourcing (OGS3M); IV Project (PR3M); Total Score (Value and %)
Company A: I = 3; II = 3; III = 4; IV = 5; Total Score = 180 (*), 28.8%
Company B: I = 2; II = 4; III = 4; IV = 4; Total Score = 128, 20.5%
Company C: I = 4; II = 3; III = 5; IV = 4; Total Score = 240, 38.4%
Source: Prepared by the authors.
(*) 3 x 3 x 4 x 5 = 180. Range: 1 to 625 (maximum possible).
[Chart: maturity level (scale 0 to 5) of companies A, B and C in each perspective: Organizational, Sustainability, Operations & Global Sourcing, Project. Source: Prepared by the authors.]
To show another application of the matrix, company C, the best evaluated in this example, was chosen for a detailed diagnosis using the elements of the enterprise maturity matrix.
Variables by Albu & Panzar (2010)
ALBU, Emanuel & PANZAR, Carmen (2010). A new tool for assessing maturity alignment: the enterprise maturity matrix. Performance Improvement, Vol. 49, No. 9, October 2010.
4. Conclusion
• A new maturity model approach
• Matrix to diagnose and measure the Organizational Risk Maturity
• The Matrix needs to be empirically tested
• Use this matrix to diagnose the current internal state of the organization, articulate the desired future state, and coordinate change solutions
• Using the matrix framework to analyze the organizational characteristics, some limitations were found:
• (a) The 13 variables proposed by Albu & Panzar (2010) may not be able to cover all of an organization's complexity, so it may be necessary to consider other dimensions of the internal organization.
• (b) The organization's results are not included in the model, which considers structures and processes along the four major Risk Management Maturity Model axes.