
How mature is your risk management program?

One of the established ways to assess a risk management program is through the use of a maturity model.

This can not only help assess where your program is, but stimulate a discussion of where you want to be – and what actions should be taken, over what period of time, to improve the maturity of the risk management program.

Please answer this survey with respect to your organization. The intent is to see where organizations around the world stand, comparing the results – which I will share in this blog.

Enter the survey here.

  1. June 22, 2012 at 12:55 PM

    Maturity models in themselves are not a safe proxy for excellence models. These two models can align, split with no relationship or even form opposed purpose. To match a maturity model to a Risk Management Process, first use the Risk Management process to evaluate the cost/benefit of the maturity model to your risk management process.

    Are you truly saying that more risk is created from greater sigma in your risk evaluation process? For example, risk assessment is folded into the variable cost of each project so the more repeatable, reliable and direct it is, the better.

    Are you truly saying that more risk is created by failing to learn from past risk assessment outcomes or from failing to learn from the process defects inside each risk assessment process? What exactly are you trying to mature? Is that the best bang for your buck? Does it remedy either a direct risk exposure or a process risk exposure in risk management itself?

    Does new risk materialize slow enough that you can benefit from a knowledge base of past risk evaluation or past process error evaluations of risk? Do you need the ability to project risk into completely new realms by learning how to learn about new risks? If not, you do not need a CMMi level 5 behavior. The process maturity will not provide the value for the cost expected. Process maturity is not about bragging rights or merit badges for management.

    CMM is a handy definition to reach for. But, it can suffer from the problem of the guy with the hammer, everything starts to look like a nail. That said, Risk Management can use both excellence enhancements as a core discipline and process enhancements in operational maturity of the risk assessment processes.

    Another area of Risk Management that needs a look is “statistical process control”. When I know what my risk is, and I know what my risk variance is and I track these over time, when do risk “mean shifts” and “over or under materialized risks” cause how come investigations?

    In Six Sigma this would be called “C” in the DMAIC process for Control metrics, responsibilities, knowledge base and approved actions over the Risk Exposures that are being managed, by Risk Management.

    In my view, the Risk Exposure and Risk Variance processes are suffering from “D” and “M” problems in that Risk Exposures are not cleanly Defined or well Measured. While this activity is really going on at Qualitative Levels on scales from 1 to 5 and Low to High, what hard metric defines a 1 or a Medium is very fuzzy. Matching these assessments with Analysis that derives statistics, covariance, designed experiments, correlations, and validates decision support models has a lot of room for excellence growth.

    If Risk Management can be reduced to dollars per year, how much at risk money got saved by moving a risk exposure from High to Medium? What traceable form of input and computation and tracking allowed us to know that?

    Effectively, Risk Management needs to apply Application Security principles to its own processes. Valid Data, Valid Process, Valid Output by Authorized Persons in a traceable form with a history. This would rather quickly develop at least a CMM level 2 behavior in the Risk Management Process even when the goal was not Process Maturity but simply Operational Excellence.

    After CMM level 2, we might start learning from the traceable history of Risk Management activity and that would lead to CMM level 3 behaviors.

    Once we align Process Maturity with Process Excellence goals, then the “synergy” between the two makes pursuing one lead to advances in the other. Without aligning them, process waste multiplies and LEAN Six Sigma would declare that the cost of quality is not worth the benefit and recommend that process maturity should be abandoned.

    Best Wishes,

    Don Turnblade
    Six Sigma Blackbelt, CISSP-ISSMP, CISM, CISA

  2. June 22, 2012 at 9:11 PM

    Beyond what Don said, your risk program is only as useful as its intelligence function. If that has high uncertainty, all else is Muda.

  3. July 17, 2012 at 3:37 PM

    Risk management plays an important role in businesses. Risk management helps to reduce different kinds of risk like fraud, theft, and harassment. It can also include accidents in the workplace, or earthquakes, fires and other natural disasters.
