Praise for Risk Maturity Models

‘Risk management maturity models enable organizations to gauge the development and evolution of their risk management practices. Domenic Antonucci’s Risk Maturity Models stands out from other risk management texts on this topic because it provides very practical guidance, supported by numerous case studies. The book brings to life the benefits of risk maturity models when effectively applied and is simple but effective in its approach.’
Nicola Crawford, IRM UK Board member

‘We live and work in an increasingly complex, faster-moving and connected world. The risk landscape faced by organizations today and in the future is increasingly one made up of intangible risks: risks typically more difficult to assess and control than more “traditional” physical risks. Intangible risks demand an enterprise risk management (ERM) approach – archaic risk silos have no place in this world – cyber is not just an IT risk, people are not just an HR risk. Risk management is at the top of the boardroom agenda and organizations are seeking ways in which they can evaluate and benchmark their ERM maturity. This authoritative book by Domenic Antonucci, a recognized international thought leader in the space of risk maturity, is a welcome addition to every risk professional’s toolkit. The book follows a logical approach and is packed with information designed to explain risk maturity and to help risk professionals use this technique in support of their position as risk leaders and trusted risk advisors.’
Julia Graham, Airmic Ltd

‘For years Domenic Antonucci has been one of the leading thinkers on risk management maturity models. Now he’s sharing his thoughts in a book that can help others use maturity models as a means to advance risk management maturity. Risk Maturity Models should be in the library of every risk management practitioner who’s looking to advance their risk management capabilities.’
Paul Sobel, Vice President/Chief Audit Executive, Georgia-Pacific LLC, and ex-Chairman of The IIA

‘Risk maturity models are useful to organizations that want to compare their current state of risk management capability to an appropriate target level. With his book, Domenic Antonucci offers risk practitioners not only a comprehensive review of existing risk maturity models, but also a method to build one that will satisfy the specific needs of any organization.’
Ghislain Giroux Dufort, President, Baldwin Risk Strategies Inc

‘Risk Maturity is currently a hot topic within the Risk Management discipline, being mentioned in various standards as well as being discussed at length in conferences across the globe. Up until this book, however, there has been a lack of publications on the topic. Domenic Antonucci provides a detailed insight into the history of Risk Maturity Models and their benefits. The book is relevant to all organizations implementing risk management who are seeking more information on risk maturity models, whether they believe themselves to be “best in class” and are looking for a way to measure their risk maturity, or have only recently started their Risk Management Journey and are looking for a roadmap to help guide them to increased levels of maturity.’
Alexander Larsen, BHRM, FIRM, Risk and Controls Co-ordinator, West Qurna Project, Pilot Camp, Iraq

Risk Maturity Models
How to assess risk management effectiveness
Domenic Antonucci

Publisher’s note
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and authors cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the editor, the publisher or any of the authors.

First published in Great Britain and the United States in 2016 by Kogan Page Limited

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licences issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned addresses:

2nd Floor, 45 Gee Street, London EC1V 3RS, United Kingdom
1518 Walnut Street, Suite 900, Philadelphia PA 19102, USA
4737/23 Ansari Road, Daryaganj, New Delhi 110002, India
www.koganpage.com

© Domenic Antonucci, 2016

The right of Domenic Antonucci to be identified as the author of this work has been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.

ISBN 978 0 7494 7758 5
E-ISBN 978 0 7494 7759 2

British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library.

Library of Congress Cataloging-in-Publication Data
Names: Antonucci, Domenic, author.
Title: Risk maturity models : how to assess risk management effectiveness / Domenic Antonucci.
Description: London ; Philadelphia : Kogan Page Limited, [2016] | Includes bibliographical references and index.
Identifiers: LCCN 2016016341 (print) | LCCN 2016024355 (ebook) | ISBN 9780749477585 (alk. paper) | ISBN 9780749477592 (ebook)
Subjects: LCSH: Risk management. | Risk assessment.
Classification: LCC HD61 .A567 2016 (print) | LCC HD61 (ebook) | DDC 658.15/5 dc23

Typeset by Graphicraft Limited, Hong Kong
Print production managed by Jellyfish
Printed and bound by CPI Group (UK) Ltd, Croydon, CR0 4YY

Contents

List of contributors viii
About the author ix
Foreword by Kevin Knight x
Foreword by Norman Marks xii
Acknowledgements xiv
List of abbreviations xv

Introduction

01 Background to risk maturity models 7
  Introduction 7
  Concepts and definitions 8
  Origins of capability maturity models 16
  Misunderstanding 1: all models are born equal 25
  Misunderstanding 2: global best practice 26
  Misunderstanding 3: progression without regression or stasis 27
  Misunderstanding 4: just a tool 29
  Summary 30

02 The case for a risk maturity model 31
  Introduction 31
  Benefits delivered by ERM and a risk maturity model 34
  Assessing risk management effectiveness 47
  Alternatives complement using a risk maturity model 50
  Limitations to using a risk maturity model 53
  Summary 56

03 Comparing risk maturity models against each other 58
  Introduction 58
  Dealing with biases when comparing risk maturity models 59
  Approach to comparing risk maturity models 62
  Tiering the models 63
  Directory comparing 77 maturity models 66
  Results and analysis of the directory of risk maturity models 133
  Summary 136

04 Tailoring and benchmarking a risk maturity model 138
  Introduction 138
  Tailoring and benchmarking 140
  Tailoring by ERM standards and voluntary codes 143
  Tailoring by corporate governance codes and guidance 156
  Tailoring by sectors 162
  Tailoring by organization operating model 167
  Tailoring by risk function operating model 175
  Tailoring by economic value chain 182
  Tailoring by key performance indicators 184
  Tailoring by context and design-related methods 185
  Summary 185

05 Designing a tailored risk maturity model 187
  Introduction 187
  Components of a maturity model 188
  Domains as a component of a maturity model 189
  Capabilities as a component of a maturity model 189
  Scales as a component of a maturity model 197
  Levels as a component of a maturity model 203
  Alternative design formats 207
  Enhancements to the design of a maturity model 228
  Optimizing objectivity, tailoring and reporting 236
  Summary 251

06 How risk, audit and board functions benefit from risk maturity 252
  Introduction 252
  The risk function and risk maturity 253
  The internal audit function and risk maturity 257
  The board and CxO function and risk maturity 258
  Benefits for risk, IA and board functions 260
  Summary 262

07 Summary of risk maturity models from practitioner perspectives 264
  Practitioner Megan learns to leverage resources to move up the curve 264
  Practitioner Chris learns to keep it simple moving up the curve 265
  Practitioner Asha learns advanced external benchmarking 266
  Practitioner Alan learns advanced self-benchmarking 267
  Summary and future moving up the risk maturity curve 268

Glossary 270
References 275
Further reading 283
Index 293

List of contributors

Ahmed Barakat
Alex Dali
Alex Sidorenko
Alexander Larsen
Arnold Schanfield
Barbara Monda
Beaulah Misrole
Dan Clayton
Eddie McLaughlin
Ghislain Giroux Dufort
Grant Purdy
Henry Ristuccia and team
Henry Ziff
Kevin Knight
Liz Taylor
Michael Herrinton and his team
Nick Wildgoose and his board
Nicola Crawford
Martin Davies
Norman D Marks
Paul Hopkins
Sandra Parkins
Steven Halliday
Stig Sunde
Tim Leech
Toby Shore

About the author

Domenic Antonucci

Domenic is a practising chief risk officer and senior strategic risk, governance and compliance specialist. An Australian expatriate based in Dubai, UAE, Domenic specializes in bringing organizations ‘up the risk maturity curve’ and building risk practitioner tools for implementing ERM, ISO 31000:2009 and COSO ERM. Formerly with Marsh Risk Consulting, Shell and Red Cross, he enjoys over 30 years’ experience in risk, corporate strategic planning and business management across many sectors in Europe, Africa, the Middle East, Asia and Australia-Pacific. A regular international conference presenter and author, he is the content author for various risk maturity model software releases. These include Benchmarker™ risk maturity model, the first tool to self-assess risk management effectiveness through a set of capabilities expected to be delivered by a head of risk and ‘cross-walked’ to both ISO 31000 and COSO ERM.

Foreword

By Kevin Knight

The concept of risk management has been around for decades with respect to the buying and selling of insurance and managing loss-control activities. With the publication of AS/NZS 4360 – Risk Management by Standards Australia and Standards New Zealand in 1995 and its subsequent revisions in 1999 and 2004, it moved into how organizations made decisions with respect to uncertainty. The publication of ISO 31000:2009 Risk management – Principles and guidelines saw the risk management process being applied to the management of the effect of uncertainty on organizational objectives and how managerial decisions created the risk of ‘Is this the right decision and can the organization manage the decision to a successful outcome?’ Risk was seen as neutral and management was focused on maximizing the opportunity whilst minimizing the threat.

Importantly, organizations should develop strategies to improve their risk management maturity alongside all other aspects of their organization. Risk maturity models are powerful tools to effect such strategies. A consequence of this focus on managing the effect of uncertainty on objectives within the organization is the need to measure its effectiveness in achieving organizational objectives, as well as the effectiveness of line-management decision making with respect to risks under their control.

Domenic Antonucci takes us on the journey from the initial modification of capability modelling in 1997 and its evolution into a risk maturity model through to the multitude of risk maturity models competing for attention in today’s marketplace. The author asserts quite rightly that the highest purpose behind risk maturity models is, amongst other uses, to assess risk management effectiveness tailored to your unique organization. In the chapter ‘Tailoring and benchmarking a risk maturity model’ he provides a wealth of practical advice and examples to enable the risk practitioner to develop a risk maturity model that is focused on the needs of their organization.

Domenic brings many years of knowledge, skills and practical experience in the management of risk and organizations and the measurement of its effectiveness within a wide range of organizations. He is especially focused

Further reading

OGC Office of Government Commerce Portfolio, Programme and Project Management Maturity Model (P3M3), Version 2.1 (2006) [Online] https://www.axelos.com/best-practice-solutions/p3m3 [accessed 9.11.15]
Paape, L and Speklé, R (2012) The adoption and design of enterprise risk management practices: an empirical study, European Accounting Review, 21 (3), pp 533–64
Parkins, S (2009) ERM Readiness Assessment Tool, presentation on behalf of Fraser Health to Healthcare Enterprise Management Conference, Meeting the ERM Integration Challenge, Canada, unpublished
PMI Global Operations Centre (2003) Organizational Project Management Maturity Model (OPM3®), Project Management Institute (PMI), Newtown Square, Pennsylvania, United States
Porter, ME (1985) Competitive Advantage, Free Press, United States
Porter, ME (1996) What is strategy? The Value Chain, Harvard Business Review, United States
Power, M, Ashby, S and Palermo, T (2013a) Risk Culture in Financial Organisations: Final report, Financial Services Knowledge Transfer Network [Online] www.lse.ac.uk/researchAndExpertise/units/CARR/pdf/Final-RiskCulture-Report.pdf [accessed 01.12.15]
Power, M, Ashby, S and Palermo, T (2013b) Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: Feedback on the FSB’s consultative document [Online] http://www.financialstabilityboard.org/wp-content/uploads/c_140206c.pdf [accessed 12.11.15]
PMI (2008) A Guide to the Project Management Body of Knowledge, 4th edn, Newton Square, Project Management Institute, United States
Praxiom Research Group (2010) ISO 31000 Introduction [Online] http://www.praxiom.com/iso-31000-intro.htm [accessed 9.11.15]
Protiviti (2006) Guide to ERM: Frequently asked questions [Online] http://www.knowledgeleader.com/KnowledgeLeader/content.nsf/Web+Content/WhitePapersArticlesGuidetoEnterpriseRiskManagementFrequentlyAskedQuestions!OpenDocument [accessed 14.9.14]
Protiviti (2014) Establishing and Nurturing an Effective Risk Culture: Enabling the chief risk officer’s success, series white paper [Online] http://www.protiviti.com/en-US/Documents/White-Papers/Risk-Solutions/CRO-Series4-Establishing-and-Nurturing-an-Effective-Risk-Culture-Protiviti.pdf [accessed 9.11.15]
Purdy, G (2008) Executive Workshop: Implementing risk management in 2008, Institute of Risk Research, University of Waterloo [Online] http://www.irr-neram.ca/pdf_files/May9-2008/report.pdf [accessed 27.9.15]
PwC (2013) Risk Survey 2013 [Online] http://www.pwc.com/gx/en/services/audit-assurance/publications/risk-in-review.html [accessed 9.11.15]
PwC (2015) The Alignment Challenge: How strategic is your ERM program? How To Achieve Excellent Enterprise Risk Management Series, Article 2, April 2015 [Online] https://www.pwc.ie/media-centre/assets/publications/2015-pwc-ireland-enterprise-risk-management-erm-strategies.pdf [accessed 9.11.15]
Rasmussen, M (2013) 20/20 Research GRC Enterprise Architecture CMM [Online] http://thriveonrisk.com/conversations/watch/18/The-Future-of-Enterprise-GRC-Architecture, posted 22 Mar 2013 [accessed 9.11.15]
Rosemann, M and Brocke, J vom (eds) (2010) Handbook on Business Process Management 1, 107 International Handbooks on Information Systems, Springer-Verlag, Berlin Heidelberg
Ryan, T (2011) Business-IT alignment maturity: The correlation of performance indicators and alignment maturity within the commercial airline industry, ProQuest, UMI Dissertation Publishing, BiblioBazaar
Salz, A (2013) An Independent Review of Barclays Business Practices, Barclays PLC [Online] http://online.wsj.com/public/resources/documents/SalzReview04032013.pdf [accessed 9.11.15]
Sagacious Consulting (2009) Product Team Maturity Model [Online] http://blog.sagaciousconsulting.com/2009/09/product-team-maturity-model/ [accessed 9.11.15]
Shortreed, J, Fraser, J, Purdy, G and Schanfield, A (2011) The Future Role of Internal Audit in (Enterprise) Risk Management [Online] https://annex.mville.edu/images/stories/Graduate_Academics/GPSCenterForRiskManagement/ResourceLibrary_Articles/TheFutureRoleofInternalAuditinEnterprise_RiskManagement.pdf [accessed 9.11.15]
Schuh, R (2004) A Maturity Model for Measuring Nonprofit Organizational Development, doctoral dissertation [Online] http://d-scholarship.pitt.edu/8301/ [accessed 9.11.15]
SEC (2009) Rule 33-9089 and 404 [Online] https://www.sec.gov/rules/final/2009/33-9089.pdf [accessed 9.11.15]
SEI (2001) People Capability Maturity Model® (P-CMM®) Version 2.0, Software Engineering Institute at Carnegie Mellon University [Online] http://pdf world net/pdf/71115/People-Capability-Maturity-Model-pdf.php [accessed 9.11.15]
Shore, T (2013a) Enterprise Risk Management At Dubal, unpublished slide presentation, Dubai, UAE
Shore, T (2013b) A Case Study on Enterprise Risk Management Program in the Middle East [Online] https://www.youtube.com/watch?v=AThaJcvFn1c [accessed 9.11.15]
Singapore Corporate Governance Council (2012) Risk Governance Guidance for Listed Board [Online] http://www.mas.gov.sg/~/media/resource/fin_development/corporate_governance/RiskGovernanceGuidanceforListedBoards.ashx [accessed 3.11.15]
Snohomish County (2012) Electricity Subsector Cyber Security CMM PUD [Online] http://www.slideshare.net/EnergySec/john-fry-2012-09251128-esc2m2-case-study (DA excellent on use for planning) [accessed 9.11.15]
Sturman, M (2013) Transgrid NSW Government Enterprise Risk Management Journey in TransGrid, Transgrid NSW Government TMF Conference paper, p 16 [Online] http://www.google.com/search?client=safari&rls=en&q=NSW+Government+Treasury+ERM+Risk+Maturity+Model+of+2013&ie=UTF-8&oe=UTF-8 [accessed 19.10.15]
Taylor, L (2010) Using the LTRC Risk Management Performance Ladder [Online] http://www.slideshare.net/liztaylor/ltrc-performance-ladder [accessed 10.11.12]
Teil, B (2013) Inductive Design of Maturity Models: Applying the Rasch algorithm for design science research [Online] http://www.abstract.xlibx.com/a-economy/132906-16-vorgelegt-von-david-raber-aus-deutschland-genehmigt-auf-antrag.php [accessed 9.11.15]
Thomson Reuters Survey (2013) The Evolving State of Enterprise Risk Management [Online] https://risk.thomsonreuters.com/whitepaper/evolving-state-enterprise-risk-management [accessed 9.11.15]
UMass Dartmouth (2015) Decision-making process [Online] http://www.umassd.edu/fycm/decisionmaking/process/ [accessed 4.11.15]
Ulrich, D (2012) What’s next for HR? The six competencies HR needs for today’s challenges [Online] http://www.personneltoday.com/articles/13/11/2012/58988/whats-next-for-hr-the-six-competencies-hr-needs-for-todays-challenges.htm [accessed 9.11.15]
Vergopia, C (2011) Project Review Maturity and Project Performance: An empirical case study, ProQuest, UMI Dissertation Publishing, BiblioBazaar, United States
Versace, M (2011) Enterprise Risk Management – Proof or Still Promise: An ERM maturity model paper, IDC, 25 February [Online] https://idc-insights-community.com/financial/financial-services-technology/enterprise-risk-management-proof-or-still-promise [accessed 9.11.15]
Virtual Corp (2015) Business Continuity Maturity Model® (BCMM®) [Online] http://www.virtual-corp.net/Home/Services/BusinessContinuityMaturityModel.aspx [accessed 9.10.15]
Wendler, R (2012) The Maturity of Maturity Model Research: A systematic mapping study, Technische Universität Dresden, Faculty of Business Management and Economics, Helmholtzstraße 10, 01062 Dresden, Germany, Information and Software Technology, 54 (12), December, pp 1317–39 [Online] http://www.sciencedirect.com/science/article/pii/S0950584912001334 [accessed 9.11.15]
Wessman, WL (2006) The Nature of Thought: Maturity of mind, University Press of America, United States
Witkin, BR and Altschuld, JW (1995) Planning and Conducting Needs Assessment: A practical guide, Sage Publications, United States
Yang, W (2012) Three-Dimensional Complex Construction Project Management Maturity Model: Case study of 2010 Shanghai Expo [Online] http://www.scientific.net/AMM.209-211.1363 [accessed 9.11.15]
Zurich Insurance (2012) Risk Management in a Time of Global Uncertainty, Harvard Business Review Analytic Services [Online] https://hbr.org/2012/03/risk-management-in-a-time-of-g.html [accessed 9.11.15]

Index

Note: The index is filed in alphabetical, word-by-word order. Within main headings, numbers are filed as spelt out in full, acronyms are filed as presented, ISO and ISO/IEC codes are filed in numerical order. Page locators in italics denote information contained within a Figure or Table.

Aberdeen Group OpRisk framework 46, 67, 68, 141, 142, 155, 166, 223
Accenture ERM maturity assessment 36–37, 67, 68–69, 155, 166
Active Risk™ 65, 67, 69, 155, 166
advanced risk management practices 43–46
Aho capability maturity model 67, 70, 155, 167
ALARM 153
  national performance model 67, 70–71, 94, 155, 167, 222
analysis 164, 177, 271
Annex SL 146
Aon-Wharton Risk Maturity Index 67, 71–72, 141, 142, 155, 167, 191, 192, 223, 238
AS/NZS4360 101, 146, 148
assessment, risk management effectiveness 15–16, 30, 51, 270
Association of Insurance and Risk Managers (AIRMIC) 152, 153
Association of Proposal Management Professionals (APMP) 74
assumptions 59, 60, 169
ASX Principles of Corporate Governance 156, 159
attitude 12
audit committees 158–59
  see also IA function
Australia 54, 134–35, 146, 154, 156, 159, 199
Axelos P3M3 Management 67, 72–73, 167
Bain & Co 170
balanced scorecard (BSC) 184, 191, 241
Banca del Gottardo 80
banking sector 16, 22, 48, 56, 80, 92, 161
bar charts 228, 229, 232, 233, 234, 238
bar-line charts 229
BASEL III 161
basic tier models 65, 67, 69, 77, 102, 118, 123, 131, 133, 135–36
BCCM® 64, 66, 67, 73–74, 155, 156, 166, 204, 221, 247
BD-CMM® 67, 74–75, 155, 167
BDI 74–75
bear markets 44–45
benchmark-able tier models 64, 67, 76, 78, 91, 107, 110, 112, 135–36
Benchmarker™ 64, 67, 75–76, 145, 150, 155, 156, 166, 212, 223
  reporting tools 231–32, 233
benchmarking 152–53, 163, 267, 270
  external 62, 64, 71, 89, 140–43, 237–38, 265–67
  internal 15, 140, 142
benefits 32, 34–47, 57
best practice 26–27
bias 21, 59–62, 64, 76, 82, 136, 154, 199, 200, 237
binary opinion (judgements) 47, 51
board 41, 178, 258–59, 261–62, 262–63, 268, 270
Booz Allen enterprise resilience risk management 76–77
BP 27–28, 264
BSC (balanced scorecard) 184, 191, 241
building blocks 188
business
  continuity maturity model see BCCM®
  development capability maturity model see BD-CMM®
  performance 46
  process management (BPM) 39, 91, 109–10, 189
  risk management 23, 101
Business Development Institute International 74–75
Canada 48, 82, 90, 96, 131, 134–35, 137, 146, 151, 153
candlestick charts 228, 229
capability (capabilities) 10, 11–13, 14, 20–22, 41, 60, 61, 170–71, 189–97, 270
  completion format 207, 208, 218–19, 265
  descriptions 190–91
  improvement gaps 16
  levels 10, 270
  maturity models (CMMs) 8–11, 12, 17–20, 109–10, 126, 135, 270
capacity 13, 153, 270
Capgemini Sigma Map™ 67, 77
Carnegie Mellon University Software Engineering Institute 17–20, 74–75
Causal Capital ERM maturity model 67, 77–78, 155, 166
CEB ERM maturity diagnostic model 78
centre of excellence model 177
CEOs 258–59
certifiable tier models 64, 66, 67, 72, 73, 79, 119, 122, 135–36
CERT®-RMM resiliency maturity model 66, 79
challenge question 139
change 205–07
check-the-box approach 62
check-the-text-box format 215–19
checklists 52
Ciorciari EnteR COSO-based assessment tool 80, 155, 166
CIPS 167
  Gold Certification 161–62
  supply chain capability maturity model 67, 81, 155
CIRANO corporate reputation risk maturity model 67, 82, 167
CMMs (capability maturity models) 8–11, 12, 17–20, 109–10, 126, 135, 270
COBIT
  IT guidelines 114, 161
  IT process maturity model 67, 83, 87, 155, 167, 211
codes see voluntary reference codes
combined assurance 159, 243–44, 257, 259, 261, 270
commercial-off-the-shelf companies 20
competency 11–12, 30, 270
competitive advantage 22, 23, 34–35, 36–37
compliance 46, 56, 61, 83, 151, 177, 179, 181, 200, 271
  see also governance, risk, compliance (GRC)
components 188, 270
  see also capability (capabilities); domains; levels; scales
comprehensive assessment approach 51, 97
conceptual tier models 65, 67, 135–36, 137
  Accenture 68–69
  Aho 70
  CIRANO 82
  COBIT IT 83
  COSO 84
  CRMS EMPIRISK 84–85
  Economist Intelligence Unit 86
  Elmaallam Information Systems 87
  FERMA 89
  Gartner 91
  Hillson 93
  HM Treasury ‘Orange Book’ 94
  IIARF-Sobel 97
  Kaplan-Mikes 104
  McGraw 114
  Marx 113
  Monda 115–16
  Pergler-McKinsey & Co 121
  S&P 128
  Tiel 130
consultants 60, 78, 239, 240–41, 244, 266
context 25, 140, 150, 185, 186
continuous improvement 25, 41, 55, 91, 97, 177, 255–57
control/compliance models 177
control effectiveness assessment 51
corporate
  business models 164–65
  citizenship 159
  governance 33, 36, 41, 48, 106, 156–62, 165, 178, 185–86, 271
    see also King III code
  performance management (CPM) 40, 42, 67, 70
  reputation risk 82
  see also governance, risk and compliance (GRC); INSEAD-Arguden ‘LOGIC’ corporate governance model; King III code
COSO (Committee of Sponsoring Organizations of the Treadway Commission) 271
  ERM 2004 53, 67, 84, 143–45, 149–51, 154–56, 176
  see also Ciorciari EnteR COSO-based assessment tool; PwC risk management maturity model
COTS firms 20
CPM (corporate performance management) 40, 42, 67, 70
credit ratings 35, 38, 46, 128, 246
  agencies 48, 50, 128
  see also S&P (Standard & Poor’s) Index
crisis response 37–38
CRMS EMPIRISK ERM game simulation 67, 84–85, 155
CROs 165
  see also risk officers
cross-walking 76, 144, 149, 155–56, 163, 233, 246, 248, 266
culture, risk 92, 96, 254
CxOs 192, 253, 261–62, 262–63, 268
dashboards 247, 250, 251
data 60, 142, 164
decision-analysis 271
decision-making 165, 271
Deepwater Horizon explosion 28
Deloitte 41, 54
  Risk Intelligent Enterprise™ maturity model 67, 85–86, 140, 141, 155, 166, 176–79, 224, 237–38, 248
Delphi subject matter experts (SMEs) 116–17, 239–41, 249, 266
descriptions
  capability 190–91
  levels 225, 228
  scales 199
directors 158, 160
  see also risk directors
directory 62–137
domains 23–24, 188, 189, 249, 271
  multi-domain levels 220, 221–23
door-opener approach 62, 72
drivers 182, 183, 253
Dubai Aluminium PJSC (DUBAL) 225–26
dysfunctional interfaces 170
E&Y (Ernst & Young) 41, 42–43, 141, 153, 195–96
  risk management framework review 88–89, 212
EBITDA 40, 42–44, 153
EBITDA/EV (EBITDA Multiple) 40, 42, 44
economic value chain 171, 173, 182–84, 186, 253, 257, 258
Economist Intelligence Unit (EIU) ERM model 67, 86, 141, 166
effective decision-making 271
effectiveness, risk management 15–16, 41, 47–50, 170, 270, 271
efficiency 16, 41, 59, 271
elements see components
Elmaallam Information Systems maturity model 67, 87
emerging risk management practices 43–44
Emirates Global Aluminium PJSC (EGA) 225–27
enablers 182, 183, 257, 258
enhancements 228–36
Enron 26, 149, 161
enterprise risk group 178
enterprise-wide risk management (ERM) 17, 23, 24–25, 31–57, 115–17, 132, 133–34, 271
Ernst & Young (E&Y) 41, 42–43, 88–89, 141, 153, 195–96
Europe 24, 89, 94, 134, 135, 137, 151, 152–53, 161
European Foundation for Quality Management (EFQM) 24, 38–39, 94, 99
  LTRC/EFQM risk management performance ladder 67, 108–09, 166
external
  benchmarking 62, 64, 71, 89, 140–43, 237–38, 265–67
  consultants 60, 78, 239, 240–41, 244, 266
  reference standards 245–46
  surveys 237–38
facilitation 52, 245
failures 56
FERMA (Federation of European Risk Management Associations) 43–44, 48, 141, 151, 152–53
  risk management maturity model 67, 89
financial
  performance 35, 37, 43
  sector 22, 60, 96–97, 103, 121, 129–30, 163–66
  see also Causal Capital ERM maturity model
five-point scales 199, 200–03, 208, 266
flow-charts 52
for-profit organizations 34, 37–39, 40–41, 163–66
format 271
four-point scales 66, 199, 200, 208, 210, 265, 267
Fraser Health ERM maturity model 67, 90, 96, 140, 155, 167, 244, 265
FRC Combined Code 159–60
functional accountability maps 168, 169
future improvements 231–35
G31000 146
  risk maturity model 67, 90–91, 155, 156
game simulations 84–85
GANTT project planner 193–95
Gartner maturity models 67, 91–92, 155, 166
Genius Methods risk culture maturity monitor 67, 92, 155, 166
global best practice 4, 26–27
goals 19, 74
governance, risk, compliance (GRC) 61, 119–20, 271
  see also corporate governance
government 48, 72, 73, 96, 120, 131, 153–54, 167, 215
  see also HM Treasury ‘Orange Book’ self-assessment tool; NSW Government Treasury ERM risk maturity model; Western Cape Government (South Africa)
growth 43–44, 53–54, 136
GULFCO 241–42
halo effect 60–61
hard benefits 32, 37–39, 42–47, 57
HB 158:2010 199–201, 210
health sector 24, 90, 96
  see also Fraser Health ERM maturity model
heat maps 249
Hillson, David 23, 40, 136
  risk maturity model 67, 93, 155, 166, 221
HM Treasury ‘Orange Book’ self-assessment tool 94, 210, 211, 213–15
Hopkinson, Martin 45
  QinetiQ project risk maturity model 93, 95, 98, 141, 212, 222
HR 173
HRDC risk culture maturity model 24, 67, 96, 155, 167
Humphrey, Watts S 17, 24, 221
IA function 30, 47, 51–52, 178–79, 243, 243–44, 257–58, 261, 262–63, 268
  see also audit committees; IIARF-Sobel ERM maturity assessment; Institute of Internal Auditors (IIA)
IBM model 67, 96–97
IIA (Institute of Internal Auditors) 12, 33, 47, 51, 57, 149, 161, 199, 261, 262
  see also IIARF-Sobel ERM maturity assessment
IIARF-Sobel ERM maturity assessment 67, 97, 155
incident response 37–38
INCOSE maturity model 24, 67, 87, 98, 155, 167
indicators 191
  see also key performance indicators (KPIs); key risk indicators (KRIs)
industry best practice 27
Influence Inc regulatory risk maturity model 67, 98
information 172
  governance 106
  security 115
information systems maturity model 61, 87, 100
infrastructure firms 28–29
INSEAD-Arguden ‘LOGIC’ corporate governance model 67, 99, 155, 166, 167, 222
Institute of Internal Auditors (IIA) 12, 33, 47, 51, 57, 149, 161, 199, 261, 262
  see also IIARF-Sobel ERM maturity assessment
Institute of Risk Management (IRM) 152, 153
  risk appetite model 99–100
  risk software maturity curve 100
insurable risks 41, 61, 133
insurance
  brokers 60, 61, 132, 245, 265
  sector 26, 60, 129, 133, 167
  see also Association of Insurance and Risk Managers (AIRMIC); insurable risks; insurance brokers; Marsh; Risk and Insurance Management Society (RIMS)
integrated tier models 108, 132
intermediate tier models 64, 67, 69, 71, 85, 88, 105, 124, 125, 135–36
internal
  audit function 30, 47, 51–52, 178–79, 242–43, 243–44, 257–58, 261, 262–63, 268
    see also audit committees; IIARF-Sobel ERM maturity assessment; Institute of Internal Auditors (IIA)
  benchmarking 15, 140, 142
IRM-AIRMIC-ALARM : 2002 153
ISACA (Risk IT maturity framework) 67, 83, 100–01, 114, 155, 156, 161, 167, 221
ISO 3004 148
ISO 31000 14, 41, 51, 53, 65, 102–03, 143–48, 154–56, 193, 195
  G31000 risk maturity model 90–91
  organizational context 185
  and risk functions 176, 256, 258
  and risk plans 255
ISO/IEC 15504 19, 21, 212, 221, 222
ISO/IEC 31010 30, 148
ISO/IEC 33001 19, 21
IT 60, 61
  see also COBIT; Gartner maturity models; ISACA (Risk IT maturity framework); ITI Global IT reliability process model; McGraw BSIMM-V software security model; Marx Management control systems maturity model; OCEG Redbook GRC Capability Model™
ITI Global IT reliability process maturity model 103, 222
job descriptions 168, 169, 179, 254–55
Kaplan-Mikes ERM maturity model 67, 104, 167
Kerzner project management maturity model 67, 104–05, 166
key
  performance indicators (KPIs) 46, 184–85, 271
  practices 19
  process areas (interfaces) 18, 19, 74, 170
  process maps 168, 169
  risk indicators (KRIs) 40, 196, 271
King III code 14, 99, 156, 157–59, 162, 176, 188, 232–35, 272
knowledge 12
KPMG 34–35, 38
  ERM assessment model 67, 105, 166
labels 204, 205, 220
leadership 159
  see also Supply Chain Risk Leadership Council (SCRLC)
Lederman/GARP assessment model 106, 155, 166, 204, 223
levels 10, 18–19, 203–07, 220–28, 270, 272
Likert scale levels 18–19, 272
line management 32, 165, 176, 255, 259
linear risk approach 60, 164
lines of defence 165, 259, 261, 262, 274
LogicManager™ 46, 61, 67, 106–07, 124, 151, 155, 166, 191–92, 237
long-term risk maturity reporting 231–32
loss reduction 36
LTRC/EFQM risk management performance ladder 67, 108–09, 166
Luyckx enterprise business process maturity model 109–10
McGraw BSIMM-V software security maturity model 67, 114
McKinsey & Co 21–22, 26, 34, 39, 40, 49, 56, 60, 249
  Pergler-McKinsey & Co risk management maturity model 67, 121, 155, 163–66, 223
management 35, 178
  see also board; CEOs; CROs; CxOs; line management; risk directors; risk managers; risk officers
market capitalization 37–38
marketing slogans 236
Marks, Norman 41, 49, 50, 56, 220, 224
  ‘Marks on Governance’ 48
Marsh 3
  Insurance ERM maturity models 111
  Risk Consulting ERM maturity models 67, 110, 112, 141, 155, 166, 211, 222, 223, 237
Marx management control systems maturity model 67, 113, 155, 167
material risk-bearing capacity 13
matrix design 192–93, 251, 272
mature risk management practices 43–44
maturity 8–9, 11, 272
  models 9–11, 272
    see also risk maturity models; tailored risk maturity models (tailoring)
  score weighting 235–36
maturity-of-process methodology 19–20
Mayer MMGRSeg information security 115, 155
measurement 200, 272
  see also metrics
MECO 195, 229–31
metrics 13, 18, 32, 33, 46, 68, 95, 170
  see also measurement
milestones 78, 190–91, 208, 214, 228
models 9
  see also maturity models
moderate risk management practices 43–44
modules 191–92
Monda ERM Index 65, 67, 115–17, 155, 167, 195, 223, 243
multi-domain levels 220, 221–23
multi-point numeric scales 200
multiple
  capabilities 20–21
  maturity models 246–50
Murphy 4e model 67, 117–18, 155, 167
NACD (National Association of Corporate Directors) 52
  Blue Ribbon report 156, 160
natural resources sector 21, 22
nearest-fit models 246
New York University (NYU)
NGOs (non-government organizations) 6, 60, 139, 162, 163, 218–19, 243–44, 264
non-financial sector 60, 163–66
non-linearity 164
North America 54, 84, 107, 124, 137, 149, 151
  see also United States
not-for-profit organizations (NFPs) 34, 40, 162–63, 167, 182, 187, 210, 244
NSW Government Treasury ERM risk maturity model 118–19, 154, 212
objectivity 236–50
OCEG Redbook GRC Capability Model™ 119–20, 153, 155, 173
OECD (Organisation for Economic Co-operation and Development) 48, 54, 146, 160
OGC
  Management of Risk (MoR®) Projects maturity model 120, 222
  P3M3 projects 173,
222 operational risk (OpRisk) 46, 133, 134 optimism bias 64, 82, 199, 200, 237 organization 11, 27–28, 52, 55, 165, 272 operating model (OpMod) 167–81, 186 see also corporate business models; forprofit organizations; infrastructure firms; NGOs (non-government organizations); not-for-profit organizations (NFPs) Organisation for Economic Co-operation and Development (OECD) 48, 54, 146, 160 outsourcing 244–45 pain points 170 PDCA (plan-do-check-act) framework 253, 256–57, 258, 259 people 30, 172, 180 Pergler-McKinsey & Co risk management maturity model 67, 121, 155, 163–66, 223 planning 13 see also PDCA (plan-do-check-act) framework; risk management plans PMI OPM3®v2 organizational project management maturity model 64, 67, 122, 155, 221, 222 posed statement format 207, 219 Principle (k) 14, 148, 253, 255, 256, 258, 263 process 61, 171, 172, 173, 180, 272 development 18–20 maps 169 process-centric capability format 208, 209 profit leak points 170 profits 42–43, 170 progression 205–07 project risk maturity model 24, 98, 104–05, 117–18, 122, 133, 134, 191 savings 45–46 Project Management – Body of Knowledge (PM-BOK) 26 proprietary-to-self risk maturity models 247 Protiviti process maturity matrix 61, 123 public sector 70–71, 163 PwC 149 risk management maturity model 52, 67, 123–24, 166 QinetiQ Project Risk Maturity Model 93, 95, 98, 141, 212, 222 questionnaires 52, 219–20, 239–40 radar charts 230, 235 range score ratings 239, 241–43 ratings 197–203, 237, 239, 241–43 reasonable assurance 49–50, 272 regression 27–29, 56, 205–07 regulation 36, 56–57 regulatory risk maturity model 98 reporter/central analysis model 177 reporting 48–49, 52, 158, 228–35, 254 see also dashboards reputation 35–36, 82 residual status reports 52 retail sector 22, 171, 172 return on asset performance 45 equity performance 45 investment 38–39 revenue growth 43–44 RIMS see Risk and Insurance Management Society (RIMS) risk 13, 272 appetite 99–100, 158, 164, 165 committees 158, 180, 244 culture 92, 
96, 254 directors 30, 259, 260, 270 exposures 164 function 175–81, 252–57, 260–61, 262–63, 268 insight 164 managers 30, 49, 144, 158–59, 260, 273 maturity models 13–15, 17, 246–50, 273 Index offshoots 20–21, 23–25 maturity, strategies 273 officers 253, 254–55, 268 oversight 52, 148, 258 ownership 177, 178 registers 21, 22, 28, 69, 241, 266 speciality 134, 137, 242, 273 taxonomy 164 see also governance, risk, compliance (GRC) Risk Academy risk maturity model 67, 125, 155 Risk Focus 3–4 Risk and Insurance Management Society (RIMS) 46, 48, 107, 151–52 maturity model 124, 141, 155, 167, 222 risk management 13–14, 23, 50, 178, 191, 273 advanced practices 43-46 effectiveness 15–16, 41, 47–50, 170, 270, 271 emerging practices 43–44 mature practices 43–44 moderate practices 43-44 plans 14, 254, 255–56, 258, 260, 273 standards 143–48, 254 see also ISO 3004; ISO 31000; ISO/IEC 15504; ISO/IEC 31010; ISO/IEC 33001; voluntary reference codes system 13, 14, 15, 20, 48–49, 273 Riskonnect ERM technology maturity model 67, 126, 141, 155, 166 ROA performance 45 road (route) maps 9, 10, 39, 40, 41 ROE performance 45 ROI performance 38–39 S-curve graphics 249 S&P (Standard & Poor’s) 33, 48, 65, 67, 128–29, 155, 166, 212 Sarbanes-Oxley Act (SOX) 150–51, 161 scales 197–203, 210–20, 273 five-point 199, 200–03, 208, 266 four-point 66, 199, 200, 208, 210, 265, 267 three-point 199 SCRLC (Supply Chain Risk Leadership Council) 193 maturity model 127, 212, 216–17, 218–19, 223, 228–30 SEC (Stock Exchange Commission) 150–51, 160 Securities Commission of Malaysia 159 SEI CMM 17–20, 24 self-benchmarking 267 Shell 3, Shore, Toby 225–26 ‘shrink-wrap’ companies 20 silo factor 273 Singapore Corporate Governance Council 159 skill 12 slide-bar charts 229, 230 SMEs (subject matter experts) 116–17, 239–41, 249, 266 soft benefits 32, 34–37, 39–41, 57 ratings 237 software engineering sector 11, 17–20, 60, 114, 123, 124 Solvency II Directive 161 source reliability 2, 49 specialized tier models 64, 67, 135, 
136, 137 Aberdeen Group OpRisk maturity model 68 Aho capability maturity model 70 ALARM national performance model 70–71 BCCM® 73–74 BD-CMM® 74 Causal Capital Sigma Map™ 77 Ciorciari EnteR assessment tool 80 CIPS maturity model 81 Fraser Health ERM maturity model 90 Genius Methods maturity monitor 92 HR risk culture maturity model 96 INCOSE projects risk maturity model 98 INSEAD corporate governance model 99 IRM risk appetite maturity model 99–100 IRM risk software maturity curve 100 ISACA risk IT maturity framework 100–01 ITI global IT reliability maturity model 103 Kerzner project management maturity model 104–05 Lederman/ GARP information governance model 106 Luyckx enterprise business process maturity model 109 Marsh Insurance maturity model 111 Mayer information security model 115 Murphy 4e model 117–18 OGC MoR® model 120 299 300 Index specialized tier models continued QinetiQ 95 Riskonnect technology maturity model 126 S&P insurance model 129 SCRLC supply chain model 127 Syntex financials maturity model 129–30 stakeholders 40, 50 Standard & Poor’s (S&P) 33, 48, 65, 67, 128–29, 155, 166, 212 stasis 205, 207 Stewart, Walter 17 Stock Exchange Commission (SEC) 150–51, 160 stock prices 38, 45 strategy (strategic risk) 14, 38, 104, 158, 164, 273 subject matter experts (SMEs) 116–17, 239–41, 249, 266 supply chain risk 133, 134 see also CIPS; SCRLC (Supply Chain Risk Leadership Council) Supply Chain Risk Leadership Council see SCRLC (Supply Chain Risk Leadership Council) surveys 52, 88–89, 151–52, 152–53, 237–38 sustainability 159 Syntex Management Systems OpRisk and financials maturity model 67, 129–30, 155, 166 system 13 three lines of defence 165, 259, 261, 262, 274 three-point scales 199 Tiel maturity model 67, 130 tiering 63–66 Tobin Q ratio 44 training 158 Treasury Board of Canada risk maturity capability model 131, 153 Treasury Board frameworks 153–54 see also HM Treasury ‘Orange Book’ self-assessment tool; NSW Government Treasury ERM risk maturity model; 
Treasury Board of Canada risk maturity capability model treatment index 249, 250 ‘Turning Risk into Results’ (E&Y) 42, 88–89, 141, 153, 195–96 tailored risk maturity models (tailoring) 13–15, 25, 138–86, 188, 191, 204, 248–49, 273 Taylor, Liz 108–09 technology 59, 61, 171, 172, 180, 183 see also IT telecommunications sector 22 text-in-box format 215–19 text page-book format 213–15 Western Cape Government (South Africa) 163, 232–35 Willis Risk Consulting risk maturity model 132 Wrigley-Rumelt-Andrews model 67, 155, 166, 174 UK 134, 135, 137, 154, 159–60 United States 134, 137, 156 see also North America valuations 44 value 23, 37, 40 value chain see economic value chain voluntary reference codes 143, 154–62, 245–46 see also COSO ERM 2004; ISO 31000; King III code; risk management standards Zurich risk maturity model 67, 133, 155, 166 301 THIS PAGE IS INTENTIONALLY LEFT BLANK 302 THIS PAGE IS INTENTIONALLY LEFT BLANK 303 THIS PAGE IS INTENTIONALLY LEFT BLANK Free ebooks ==> www.Ebook777.com 304 THIS PAGE IS INTENTIONALLY LEFT BLANK www.Ebook777.com ... 2.1) Risk management for our purposes is synonymous with such terms as enterprise risk management (ERM), integrated risk management or strategic risk management 13 14 Risk Maturity Models Risk. .. profession Risk maturity models still climbing up their own risk maturity curve The other point of interest for me about risk maturity models is the irony As a tool approaching 20 years of age, risk. .. all risk owners to manage a risk management plan evidenced in part by risk training, risk knowledge and appropriate application of risk- informed management decision making.’ Background to Risk