February 25, 2011, 11:04 AM — It goes without saying that the business environment affecting all organizations is loaded with numerous, complex risks. And there is an overwhelming consensus among the executives we speak with that the riskiness of the business environment is changing at significant levels for most, as evidenced by the performance, growth and reputation challenges in financial services caused by failures in risk management and by the recent global economic downturn. And the civil unrest demonstrated over just the past few weeks adds yet another new risk dimension.
So this leads to the question of why risk management has failed the financial industry. There are many reasons, far too many to cover here. Suffice it to say that failures are due more to human activity and inactivity than to failures in complex risk models or technologies. For several years now, we've advocated a view of risk at an enterprise level. But even today, although most speak about increased attention to enterprise risk management (ERM) at Board levels, few firms appear to have the organizational prowess and human fortitude to put in place the policies, technologies, and processes to prove out the promise of ERM.
Over the last few weeks I've commented on the state of the ERM market through a couple of channels - a soon-to-be-published editorial note with www.allaboutrisk.com and a webcast with Bank Systems and Technology and SAP. One of my key points is right in the title - Is there "proof or STILL promise" in ERM? I'm thinking that ERM could be the next GRC - nice in concept, but where's the value, and how are people measuring the value from their organizational, human capital, and technology investments? In general, I think the industry is still struggling with the definition of true Enterprise Risk Management, and the proof points/value propositions are still developing. ERM in terms of definition is still maturing, the market of solutions is still maturing, and through the discussions we're having, naturally we're finding firms at different places in ERM maturity.
So I'd like to suggest a simple maturity model (below) with four primary milestones to help the industry and individual firms gauge progress and value. The four milestones are REACTING, FILLING GAPS, RE-ARCHITECTING, and OPTIMIZING, and we can use the guidance from other common maturity models to define what state a user might be in at each of these ERM milestones. In defining this guidance, keep in mind that the best, balanced ERM strategies will, in my opinion, leverage existing organizational and technical infrastructures together with new capabilities and disciplines that display a few common attributes, including: