While I am keeping the survey open (please participate if you have not already and I will update my report if there are sufficient additional responses), I want to share the results and discuss what they mean.
80 people answered the survey:
- 45% were in financial services (15% in insurance and 9% in banking).
- 30% were with organizations based in the U.S., 21% in Europe (6% in the U.K.), 11% from Canada, and 6% from Australia/New Zealand.
- 45% of the respondents were internal auditors, 31% risk officers, and 10% were consultants or external auditors.
The survey asked people to assess their enterprise risk management program on this maturity scale:
- Ad hoc: Risk management processes and frameworks are undocumented; there is a state of dynamic change; reliance is placed on individual heroics.
- Preliminary: Risk is defined in different ways, in silos.
- Defined: The organization has a common risk framework with an organization-wide view of risk. Action plans are implemented in response to high priority risks.
- Integrated: ERM activities are coordinated. Common tools and processes are used, with enterprise-wide risk monitoring, measurement and reporting. Scenario planning and process metrics are in place.
- Optimized: Risk discussion is embedded in strategic planning, capital allocation, etc., and in daily decision-making. The organization has an early warning system in place to notify the board and management of risks above established thresholds.
The chart below reflects the overall results.
The results are fairly consistent with those COSO found in its 2010 Report on ERM (PDF), although COSO’s survey only had four maturity levels, omitting Optimized.
Given that I would expect the majority of participants to be with organizations that have a risk management program (most people would have heard about the survey from my postings in LinkedIn risk management, governance, and audit groups), I am not surprised to see just under 14% self-assess as in the Ad Hoc risk management stage. In a more representative sample, I would expect more people to be at this or the Preliminary level and fewer in Optimized.
I am also not surprised to see that only a small number (even of this select group) have moved beyond the Defined stage to implement the risk monitoring and other features of the Integrated stage, let alone embedded risk management into business processes as envisaged by the Optimized stage.
My concern is that companies will get to the Defined stage and stop — not realizing the value and promise of the higher maturity levels.
Questions that I think need to be answered (please let me know if there are more) are:
- Is the maturity different for financial services companies?
- Is there a difference by geography?
- Is there a difference when the response is by a risk officer?
The survey says: financial services companies are, in general, at higher maturity levels.
The results by geography indicate that, in general, the U.S. lags Australia and New Zealand but is somewhat ahead of Europe.
When you look at who is responding, the maturity level is higher than average when the respondent is a risk officer.
So what does this all mean?
- Although questions remain as to whether they consider all risks (including strategic and operational), respondents in financial services self-assess as having higher maturity levels.
- Even so, there is room for improvement in the level of maturity for all industries.
- The U.S. and Europe continue to lag behind Australia/New Zealand.
- Organizations should understand where they are (in risk management maturity), contrast that with where they want to be (if different), and take actions as needed.
I welcome your views and comments.