At the end of my first year of managing the ERM program for a large Florida property insurance company, we had a big risk consulting firm come in and assess the maturity of the program.
ERM maturity assessments measure where your ERM program sits on a scale (typically 1 to 5 or words that label the numbers) in a variety of areas. Sounds great, right?
I mean, executives love them…
It puts the program in black-and-white terms, comparing what the program is doing with what other organizations are doing, and telling management what needs to happen to make it “better.”
When it came to the assessment for my former company, there were interviews with executives and upper management, a review of governance documentation, and interviews with me and my team. And we fared decently in some areas, already ranking a 2-3 for program governance, but 1-2 for the actual risk management process, etc.
Looking back several years later, I realize that the assessment they conducted was really a combination of a maturity assessment and an effectiveness assessment.
Isn’t that what we should be measuring? How effective the ERM program is for the organization?
After all, it doesn’t matter what other organizations are doing for ERM – what should matter is whether the existing ERM program is effective for your organization. Your organization may not need a really mature program; what you have now is working great. Or the organization tried taking steps to mature but realized it wasn’t really ready to have the additional steps in the process or information. Some organizations, frankly, don’t have a mature enough risk culture to accept a mature ERM program, which means you need to focus on risk culture before you try to mature the program.
Not to mention, why did the executives tell the consultants things that they didn’t feel comfortable telling us? That should be a red flag right there!
If your executives do not feel comfortable telling you that there are parts of the program that they have problems with, you have a bigger problem on your hands! Every program needs champions, but executives not talking to the risk management team means that they could be the exact opposite of what you need…which will negatively impact the effectiveness of the program.
What kind of information would you like out of a program assessment – maturity or effectiveness?
To share your thoughts on ERM maturity assessments, leave a comment below or join the conversation on LinkedIn.
And if you are looking for a maturity assessment specific to your organization that will be useful for moving your ERM program forward and improving the effectiveness of your program, please don’t hesitate to contact me to discuss your needs today.