Observations of Risk Management Maturity – from First Attempts to High Reliability Organisations
This post presents a reflection on the journey of a business from first attempts to best practice risk management. It is drawn from Peter’s observations of companies over a 25-year period, and is prepared in the hope that decision-making teams can identify where they are on the journey and identify a good pathway forwards for their businesses.
The interactive graphic below shows this maturity pathway.
The key points in a concise list are:
- Identification – decision makers identify that too many things are going wrong and can’t be managed just by having good people on board. This aligns with the Vulnerable / Reactive steps in other models;
- Resistance – the risk approach is seen by people in the business as another improvement initiative in a long line of similar adventures – it is also the point where there is pushback against the attempted change to a risk-aware organisation;
- Overload – everyone embraces the benefits of understanding and controlling risk – and works diligently to identify more and more problems with more and more required solutions (controls and actions). This aligns with the Compliant phase of other models – and is the start of generating large volumes of documentation – which generally makes commitments to do more than is possible;
- Restart (Repeats) – the whole system becomes unworkable so a task force is put together to try and solve the problem. This is a step in most organisations’ journeys – with lots of discussion of best practice occurring – but the generally observed output of the process is a new risk assessment tool and replacement of the incident database – two activities which reset the organisation to commence back towards overload but do little to “clean up” the body of commitments already generated;
- Critical Controls – are identified as a potential way out of the risk soup that has been created – but their selection is typically intuitive. This lines up with the Proactive / Resilient phases in other models – and is definitely a step forwards but still leaves many exposures in the compliance and traceability of documents;
- Data Focus – the data on incidents, near misses and problems collected as part of implementing a risk management approach is information-rich – and is now accessed in a way that yields the most value, until finally the whole combines in;
- Pathways – which crystallize the myriad data points into powerful models for how the business could end up suffering a loss, provide a manageable suite of controls with critical controls highlighted and supported, and are “fact backed” so that decisions made have the best chance of success in avoiding high-consequence losses. Keep an eye on this blog for more documentation on data focus and risk pathways, which are a major focus for the ORM team with their clients at the moment.
It would be remiss of me to not offer to assist you in understanding more about this model – so please feel free to contact me for more information and expansion on these points.