Mature risk management: a benchmarking tool from Human Resources Development Canada facilitates assessments of risk management practices in the organization - Risk Watch

Internal Auditor, August, 2002 by Basil Orsini

INTERNAL AUDITORS ARE increasingly using risk assessments to plan audit projects. At the same time, senior managers are striving to transform their organizations into high-performance businesses, understanding that this requires shifts in risk-management attitudes and expectations. This transition presents an opportunity for auditors to enhance their value by developing methods to better relate their work to the organization's key business risks.

What follows on the next page is a diagnostic tool that can help managers evaluate the maturity of risk management in their areas, give auditors a better appreciation of the enterprisewide transitions involved in integrated business risk management, and support companywide understanding of what's involved in managing risks.

Developed by Human Resources Development Canada (HRDC), the country's largest federal department, the benchmarking tool profiles a range of practices -- both desirable and undesirable -- in the management of risk Managers and auditors can use it to assess the strengths and weaknesses of risk management practices and to develop improvement plans.

HRDC developed the tool through a collaborative effort with officers from its national and regional offices. Under the leadership of the internal audit group, these officers adapted the results of international research consolidated by KPMG Canada on best practices in managing risk in private and public sector organizations.

The diagnostic tool organizes 20 performance indicators within a holistic framework of five management elements. Situating employees within a holistic framework that identifies both strengths and weaknesses enhances individual and team learning and dialogue. It also promotes a common language and understanding, which is key to transitioning to an integrated approach. Managers can use the diagnostic tool to assess their area's level of maturation, with or without the active involvement of internal auditing.

The complete tool contains five levels of progressively mature organizational behavior to describe each indicator. It is applicable to a variety of business risks, including program, operational, and project risks. Although only part of the tool is printed here, it can be viewed in its entirety on The IIA's Web site -- www.theiia.org, under "Publications" -- in English and in French.

The performance indicators of mature risk management are summarized on the next page. To demonstrate how the tool works, the five levels of increasing maturity are presented for the first indicator, "Valuing Employees' Contribution to Risk Management." Auditors and managers can adapt the principles in this diagnostic framework for their own organization.

The diagnostic tool enables internal auditors to engage managers and employees from different business lines in developing a collective understanding of how to integrate risk management. Risk management processes provide an occasion for auditors and their clients to work together to predict and define a future with fewer surprises.

RELATED ARTICLE: A Risk Management Diagnostic Tool

1. ORGANIZATIONAL CULTURE

* VALUING EMPLOYEES' CONTRIBUTION TO RISK MANAGEMENT -- Employees are encouraged and recognized for identifying risks and opportunities, and for identifying risks that are not being managed.

Level 1: A high level of skepticism exists within the organization. Staff perceives mixed messages on risk tolerances. Management does not value employee's contribution to risk management.

Level 2: Management consults staff and allows them to participate in risk management initiatives. Staff's contribution to managing risk is recognized on an ad hoc basis. Risk management is considered in rewards and sanctions.

Level 3: The working environment supports a proactive approach to managing risks. Risk information is shared. A strong sense of teamwork exists across the organization.

Level 4: Recognition and reward systems encourage staff to manage risks and to take advantage of opportunities. Management is committed to learning from positive and negative outcomes.

Level 5: Management encourages employees to identify new challenges and opportunities, as well as risks that are not appropriately managed.

* RISK MANAGEMENT CULTURE -- Risk management is performed at every level and is integrated with the organization's management practices. Individual and organizational expectations for risk management are aligned.

* ROLES AND RESPONSIBILITIES IN MANAGING RISK -- Roles and responsibilities are understood and risk management is embedded in all employees' behavior.

* LINKAGE TO ETHICS AND VALUES -- The organization's approach to risk management reflects ethics and values as well as sensitivity to legal and political considerations.

2. LEADERSHIP AND COMMITMENT

* SENIOR MANAGEMENT SHOWS LEADERSHIP -- Senior management is committed to establishing risk management at all levels of the organization.

* RISK POLICY AND MANAGEMENT FRAMEWORK -- The organization provides a multi-disciplinary perspective for assessing and responding to strategic and operating risks.