Observations of Risk Management Maturity – from First Attempts to High Reliability Organisations

This post presents a reflection on the journey of a business from first attempts to best practice risk management. It is drawn from Peter’s observations of companies over a 25-year period – and is prepared in the hope that decision making teams can identify where they are on the journey and identify a good pathway forwards for their businesses.

The interactive graphic below shows this maturity pathway – run your mouse pointer onto each point to activate the hot-spot – which will open up an explanation / provide more data on the key points.  You can click here for another version of the graphic.

The key points in a concise list are:

  • Identification – decision makers identify that too many things are going wrong and can’t be managed just by having good people on board.  This aligns with the Vulnerable / Reactive steps in other models;
  • Resistance – the risk approach is seen by people in the business as another improvement initiative in a long line of similar adventures – this is also the point where there is push back against the attempted change to a risk aware organisation;
  • Overload – everyone embraces the benefits of understanding and controlling risk – and works diligently to identify more and more problems with more and more required solutions (controls and actions). This aligns with the Compliant phase of other models – and is the start of generating large volumes of documentation – which generally makes commitments to do more than is possible;
  • Restart (Repeats) – the whole system becomes unworkable so a task force is put together to try and solve the problem. This is a step in most organisations’ journeys – with lots of discussion and best practice discussions occurring – but the generally observed output of the process is a new risk assessment tool and replacement of the incident database – two activities which reset the organisation to commence back towards overload but do little to “clean up” the body of commitments already generated;
  • Critical Controls – are identified as a potential way out of the risk soup that has been created – but their selection is typically intuitive.  This lines up with the Proactive / Resilient phases in other models – and is definitely a step forwards but still leaves many exposures in the compliance and traceability of documents;
  • Data Focus – the incidents, near misses and problems collected as part of implementing a risk management approach are information rich – and are now accessed in a way that yields the most value, until finally the whole combines in;
  • Pathways – which crystallize the myriad data points into powerful models for how the business could end up suffering a loss, provide a manageable suite of controls with critical controls highlighted and supported, and are “fact backed” so that decisions made have the best chance of success in avoiding high consequence losses – keep an eye on this blog for more documentation on data focus and risk pathways, which are a major focus for the ORM team with their clients at the moment.

It would be remiss of me to not offer to assist you in understanding more about this model – so please feel free to contact me for more information and expansion on these points.

