Risk Maturity Model
Data from risk managers will help share ERM initiatives
By Michael J. Moody, MBA, ARM
During the past few years, the Risk and Insurance Management Society (RIMS) increased its involvement in enterprise risk management (ERM) and even got a shot in the arm in 2006. Among other things, RIMS created its ERM Center of Excellence. This is a specific RIMS Web site which is a large repository of ERM-related resources from a variety of different sources. Included within the Center are articles on various ERM topics as well as links to many different ERM-specific resources. It also includes a catalogue of the various ERM standards that have been advanced through the international community. The site is an inclusive source of critical ERM information and is considered by many to be a “one-stop shopping” source for critical ERM information.
RIMS also has made advances in its professional development programs related to ERM, as evidenced by sessions offered at the RIMS annual conference. Just a few years ago, it was difficult to find any ERM sessions at the annual event; however, last year’s program had a specific ERM track. This year’s conference agenda also has a separate ERM track with even more ERM sessions.
In addition, RIMS has developed several specific stand-alone ERM professional courses. These courses are typically two- or three-day events held at locations around the country and are designed to provide overview information about ERM and the processes involved.
Quantum leap
The most notable ERM involvement was announced late last November when the headline from a RIMS press release stated: “RIMS Launches Risk Maturity Model for Enterprise Risk Management.” This was a major development according to John Phelps, director of risk management for Blue Cross and Blue Shield of Florida, Inc., and a RIMS director who is leading the task force to recommend a long-term strategy concerning the Society’s future role with enterprise risk management.
Phelps notes that the Risk Maturity Model (RMM) is an online tool that in its simplest form is designed to be a resource that can help “a risk manager understand where they are in the ERM journey.” In essence, he says, it additionally provides “a road map to show you how to get to the end of the process, as well as the various stages along the way.”
The RMM is based on the methodology developed by the Carnegie Mellon University Software Engineering Institute in the 1980s. Known as the Capability Maturity Model, the methodology was originally used to advance software engineering processes and has subsequently been successfully applied to a wide variety of other corporate operations. A number of corporate risk managers utilized the RMM to apply this proven technique within the risk management discipline.
Specifically, Phelps says, RMM will “help you understand the progress you make in the ERM process and where you need to go next.” Further, the RMM helps a risk manager understand the various components that need to be built to advance to the next step. “That, in my opinion,” says Phelps, “is the most valuable piece to this.”
The primary method of assistance offered by the RMM is a five-level progression for ERM program maturity, from “non-existent” to a leadership designation. This is accomplished through seven drivers, or attributes, as they are known, for the systematic progression of levels. Included in the progression are key variables such as ERM Process Management, Risk Appetite Management, Uncovering Risks, and Business Resiliency and Sustainability. Along with co-developer LogicManager, RIMS has determined that these attributes are the primary characteristics that identify and measure the degree of quality and business value in the ERM program. The RMM tool is designed to view risks across all areas of the business in order to identify strategic opportunities and reduce uncertainty.
Early in the development of the RMM, RIMS was aware of the large number of ERM standards that had been advanced by outside organizations. Accordingly, it had no intention of advancing yet another ERM standard, according to Phelps. In fact, “The RMM was developed specifically not to be a standard,” he says. However, RIMS realized that the model would need to work with all the other standards and that “each of the current crop of ERM standards works better with certain industry segments,” so they needed to have the RMM be able to work with any standard, Phelps says.
Next steps
Currently, RIMS is accumulating additional background information through a data collection process that is part of the RMM process. “It’s important that we have sufficient data to become a creditable source,” Phelps notes. He says that they will need between 500 and 600 responses from risk managers to their questionnaire. He hopes to have this completed prior to the annual conference, “so we can make some benchmarking statistics available at the conference.”
Additionally, several sessions at the conference will provide supplementary details regarding the RMM. Following the conference, RIMS will establish several stand-alone professional development programs that will further explain how the RMM program will work with the ERM process.
RIMS also has several other ERM projects it is planning to complete. Currently, it is working with a publisher to write an “ERM for Dummies” book. Phelps also says they have been having conversations with the Insurance Institute of America (IIA) about modifying the ARM program to include an ERM portion. Possible approaches are to include an ERM element within the current course material that is used for the ARM designation. Alternatively, they could pursue a separate ERM certification in conjunction with the ARM designation.
Just getting started
Phelps says that the ERM effort is just beginning, and he notes: “The role of risk management in an organization is changing, and the speed of the changes is unprecedented. Risk management is now seen as a strategic tool in many organizations. All of a sudden, we have moved from evolving risk management to more of a revolutionary change.” And he points out that this is big. “When you go from being ‘the insurance guy,’ to a player in the company’s strategic team, it is a very significant change in the function.”
But the real question, he points out is, “whether or not all risk managers can weather that change and contribute to the revolutionary changes, and make it to the next step; that remains to be seen.” *
For more information:
Risk and Insurance Management Society
Web site: www.rims.org |