Mature risk and resilience management is a seamless part of risk governance and operations. It requires a top-down view of risk and resilience, led by the executives and the board, where risk and resilience management are part of the fabric of business operations and processes – not an unattached layer of oversight. It also means bottom-up participation, where business functions identify and monitor risk and resilience that expose the organization. GRC 20/20 has developed the Risk and Resiliency Management Maturity Model to articulate maturity in the risk and resilience management processes and provide organizations with a roadmap to support acceleration through their maturity journey.
There are five stages to the model:
- Ad Hoc
- Fragmented
- Defined
- Integrated
- Agile
1: Ad Hoc
Organizations at the Ad Hoc stage of maturity have reactive approaches to risk and resilience management at the department level. Businesses at this stage do not understand risk and exposure; few if any resources are allocated to risk and resilience. The organization addresses risk and resilience in a reactive mode — doing assessments when forced to. There is no ownership or monitoring of risk and resilience, and certainly no integration of risk and resilience information and processes in context of objectives, strategy, performance, and business change.
2: Fragmented
The Fragmented stage sees departments with some focus on risk management and business continuity within their respective areas, but they are disconnected and not working together. Information and processes are highly redundant and lack integration. With siloed approaches to risk management and resilience (e.g., business continuity, disaster recovery), the organization is still very document-centric. Processes are manual and lack standardization, making it hard to measure effectiveness.
3: Defined
The Defined stage suggests that the organization has some areas of risk and resilience that are managed well at a department level, but it lacks integration to address risk and resilience across departments. Organizations in the Defined stage will have defined processes for risk and resilience in some departments or business functions, but there is no consistency. Risk and resilience processes have the beginning of an integrated information architecture supported by technology and ongoing reporting. Accountability and oversight for certain domains such as business continuity, disaster recovery, and/or enterprise and operational risk management are beginning to emerge.
4: Integrated
In the Integrated stage, the organization has a cross-department strategy for managing risk and resilience across departments and functions. Risk and resilience are aligned across several departments to provide consistent strategy, frameworks, and processes supported by a common risk and resilience information and technology architecture. The organization addresses risk and resilience through shared processes and information that achieve greater efficiency and effectiveness. However, not all processes and information are completely integrated, and risk and resilience is focused on avoiding issues rather than on agility.
5: Agile
At the Agile Maturity stage, the organization has completely moved to an integrated approach to risk and resilience management across the business that includes an understanding of risk and compliance in context of performance and objectives. Consistent core risk and resilience processes span the entire organization and its geographies. The organization benefits from consistent, relevant, and harmonized processes for risk and resilience management with minimal overhead.
Agility is the ability of an organization to move quickly and easily; the ability to think and understand quickly. To be agile, good risk and resilience management must clearly understand the objectives of the organization, its performance goals, and its strategy, and continuously monitor the environment for 360° situational awareness. It means seeing both opportunities and threats, so the organization can think and understand quickly and be prepared to move: navigating to seize opportunities while avoiding threats and exposures to the organization and its objectives.
But that is not enough. We need agile organizations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just the avoidance of hazards, threats, and harms. Agility is also the ability to understand the environment and engage to advance the organization and its goals. Organizations need to be both agile and resilient. Risk and resilience management needs to be an integrated part of performance, objective, and strategy management to achieve this capability: the situational awareness that lets the organization seize on opportunity as well as avoid exposures and threats.
The Agile Maturity stage is where most organizations will find the greatest balance in collaborative risk and resilience management and oversight. It allows for some department/business function autonomy where needed, but focuses on a common governance model and architecture in which the various groups involved in risk and resilience governance participate. The Agile stage increases the ability to connect, understand, analyze, and monitor risk relationships and the underlying patterns of impact on performance, objectives, and strategy – as it allows different business functions to focus on their own areas while reporting into a common risk and resilience governance framework and architecture. Different functions participate in risk and resilience management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.