Advancing Your Organization’s Risk and Resilience Maturity
Getting to the Head of the Risk & Resiliency Class
Organizations with risk and resilience processes siloed within departments operate at the Ad Hoc, Fragmented, or Defined stage. At these stages, risk and resilience management programs manage risk and continuity at the departmental level, and lack an integrated view, with no gain in efficiencies from shared processes.
In the Integrated and Agile maturity levels, organizations have centralized risk and resilience oversight that creates consistent programs around the world, with common risk and resilience processes supported by an integrated risk and resilience information and technology architecture. These organizations report process efficiencies that reduce human and financial capital requirements, greater agility to understand and report on performance, risk, and continuity, and greater effectiveness through the ability to report on and analyze risk and resilience data. The primary difference between the Integrated and Agile stages is the integration of risk and resilience in the context of performance, objectives, and strategy aligned across the organization. Differences may also be seen in top-down support from executive management, and in whether the various risk and resilience functions align with a strategy to collaborate and share information and processes.
Considerations for Moving From Ad Hoc and Fragmented to Defined
Departments at the Ad Hoc and Fragmented stage have siloed approaches to risk and resiliency management at the department level. This means no integration or sharing of the program and related risk and resilience information, processes, or technology. An organization that sees itself at the Ad Hoc stage should skip the Fragmented stage, and plan to move to the Defined stage.
Moving from Ad Hoc or Fragmented to Defined requires the department to reduce manual data integration and improve overall visibility into risk and resilience at the department level. Organizations should consider defining a risk and resilience process and information architecture at the department level and implementing technology to manage multiple risk and resilience initiatives cohesively.
Considerations for Moving from Defined to Integrated
Departments at the Defined maturity stage are in a good place to lead the organization in a risk and resilience strategy to the Integrated stage. They have a strategic approach to risk and resilience management at the department level, supported by mature risk and resilience processes that can be extended to other departments.
Moving from the Defined to the Integrated stage requires a common process, information, and technology approach that spans multiple departments. Organizations can leverage risk and resilience insight to improve planning and strategic decisions. A common governance model for risk and resilience management is used across lines of business, functions, and processes, and the organization needs a common risk and resilience methodology and taxonomy. Organizations at this level report process efficiencies that reduce human and financial capital requirements, greater agility to understand and report on risk and resilience, and greater ability to report on and analyze risk and resilience data.
Considerations for Moving from Integrated to Agile
The difference between the Integrated and Agile stages is primarily one of context. At the Integrated stage, the organization provides a consistent approach to managing risk and resiliency in the context of hazards and continuity. This is supported by an established risk and resilience process, information, and technology architecture. While risk and resilience are understood in the context of the business, the focus is still more on risk and continuity than on performance and strategy. At the Agile stage, the organization lets performance, strategy, and objectives set the context, achieving a greater ability to avoid issues rather than merely respond to events.
Achieving the Agile stage requires risk and resilience expectations to be set as part of the annual strategic planning process. The organization measures and monitors risk and resiliency metrics in the context of business strategy, performance, and objectives. Data and technology about risk and resilience are shared, as are decision support, optimization, and business intelligence. The organization has integrated risk and finance data to drive performance while mitigating risks and ensuring integrity across the organization’s operations, services, and extended enterprise of third-party relationships.
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.