Posted on August 22, 2009 by

An Approach to Understanding Your Risk Management Maturity

Recently, during a risk-based performance implementation, we were asked by our client for advice on approaches to understanding the relative maturity of their current approach to risk management, which level of maturity is right for them, and how to measure maturity post-implementation.

Google ‘Risk Maturity Model’ and a number of very interesting approaches will be presented. Many of these models provide the answer to the question ‘How mature is our risk management process?’ in one form or another. However, in this case, answering this single question didn’t feel sufficient as our client was seeking to do more than simply ‘tick boxes’ with this project. They were seeking to drive a business transformation.

Further research uncovered Michael Hammer’s Process and Enterprise Maturity Model (PEMM), which is described as “a new framework that helps executives comprehend, formulate, and assess process-based transformation efforts”.

It focuses on two groups of characteristics to ensure business processes are performed to a consistent, high standard over time. They are:

  1. Process enablers
  2. Organisational capabilities

In Hammer’s paper ‘The Process Audit’, he states that “PEMM is different from other frameworks, such as Capability Maturity Model Integration (CMMI), because it applies to all industries and all processes”. Therefore, we decided to consider it as a basis for an ‘Operational Risk Maturity Model’ because of the emphasis on both the process and the organisational capability aspects.

Too often, excellent processes are designed and implemented (be they risk related or not), yet still fail because the capability was not in the business to support the newly designed process. Developing organisational capability, particularly in areas such as risk, is critical to success.

Having refined the ‘off the shelf’ PEMM so that it reflected both risk management and our client’s specific organisational considerations, we used the resulting maturity model with the ‘C-level’ and their direct reports, to develop a picture of their current level of maturity and what the appropriate ‘target maturity’ should be by business area (becoming exemplar across all areas of the business may not be necessary and in fact the cost/benefit may not hold up).

Three months on, and after a little more refinement and a second round of assessment, Hammer’s PEMM has proven to be an excellent basis for developing what is now an enterprise risk management maturity model. The strength of this PEMM-based model and the aspect that has gained traction and generated the most discussion at the ‘C-level’ was not its ability to answer the question “How good are our risk management processes?”, as important as it is, but rather its ability to answer the question “Do we have the organisational capability to execute our risk management process?” Expanding the focus from simply asking “How mature are our risk processes?” to include questions such as, “What is the right level of maturity, and do we have the organisational capability to support these processes?” has led to a significant change in mindset at the ‘C-level’, which in turn has led to a more general change across the entire business.

Using PEMM as a basis for an enterprise-wide risk management maturity model has meant that we have a model that addresses both process maturity and organisational maturity. This has proven to be an excellent tool for creating change and influencing behaviours related to risk management.

If you are seeking to understand your risk maturity and move beyond the traditional risk maturity models, we suggest considering PEMM as a basis for your approach. Alternatively, contact us and we will share our experiences.