The risk maturity model is a key component of business continuity. In today’s post, we’ll look at how such a model can help an organization understand its risks, mitigate the risks that threaten its core services, and integrate business continuity with enterprise risk management, thus boosting resilience overall.
One of the positive developments we’re seeing in business continuity today is that many organizations, especially sophisticated, forward-thinking ones, are beginning to take a more proactive, holistic approach toward understanding and managing risk.
At many companies there is a move toward understanding the risks facing the organization at all levels, and toward understanding what impact each of those risks would have, if it occurred, on the company's ability to continue operations.
A powerful tool organizations can use in tackling this challenge is something called a risk maturity model.
What Is a Risk Maturity Model?
A risk maturity model is a framework that helps organizations evaluate their risk management processes and identify areas for improvement. It enables organizations to assess their level of risk management maturity and provides guidance on how to progress towards higher levels of maturity.
A risk maturity model typically consists of a set of criteria organized into maturity levels, which reflect increasing levels of sophistication and capability in risk management.
The maturity levels typically range from ad-hoc or reactive risk management practices, to proactive and integrated risk management practices that are aligned with the organization’s strategic objectives. Each level is characterized by a set of capabilities and best practices, which organizations can use to assess their current state and develop a roadmap for improvement.
Use and Benefits of the Risk Maturity Model
The great benefit of the risk maturity model from a business continuity perspective is that it provides a reasoned answer to a vital question: where should the company invest the time, money, and resources it has for improving continuity and resilience?
Risk maturity models can also help companies save money by showing when BC areas they might be spending big on are not worth the expense.
As stated above, risk management practices can be ad hoc and reactive or sophisticated and proactive, in other words, more mature. The goal should be to gradually move toward a more comprehensive, mature approach.
A mature, fully integrated risk model would look something like this:
As part of the business impact analysis (BIA), people would be doing risk assessments of different areas at different levels throughout the company.
Assessments would be done across all the business units and departments. These would look at risks to a range of areas, including technology, people, facilities, and supply chain.
Meanwhile, management would be looking at risks on the global level, such as those relating to geopolitics or the economy.
Next, every such assessment would consider the risk mitigation controls that are in place to deal with the risks identified. (A risk mitigation control is anything that reduces the possibility a given risk could cause a serious impact. Common ones include BIAs, recovery exercises, and recovery plans.) The question to ask is, what are the risks that remain after those mitigations are taken into account?
Finally, the organization needs to identify which of the remaining risks have the potential to significantly impact its core services.
Any time there’s an intersection of a significant risk and a core service, it should be taken as a flashing red light.
The ability to identify these areas is what makes a mature risk model powerful. It lets you identify which three to five areas of risk you really need to do something about in order to minimize the risks that threaten your core services.
This is the point in the process where we see people say, “Holy cow! One of those key risks has the potential to affect one of our core services tremendously.”
A mature risk model has the ability to gather data on risks from across the organization, bubble it up to the senior levels, and boil it down to the handful of areas that are both highly critical and highly vulnerable. In this way a mature risk model provides actionable intelligence on what the organization should address first as it seeks to lower its risks and boost its resilience.
Two Further Benefits of the Risk Maturity Model
Here are two more things worth knowing about the risk maturity model:
First, when BC offices talk in terms of risk, they are speaking the enterprise risk management (ERM) department's language. This increases the chances that ERM will hear and understand them, and thus the chances that senior management will learn of BC's concerns and input and take them into account. BC departments that "speak risk" tend to get more of a hearing, more traction, and more resources.
Second, using the risk maturity model pays. I've seen it here at MHA and over and over again at our clients. Over time, we see risks go down, the number of outages decrease, and insurance and other costs decrease. There's nothing better than to go through the different areas of your company and be able to show how you reduced risk in each area.
Providing Guidance and Boosting Resilience
A risk maturity model is a powerful tool for organizations to assess and improve their risk management processes, especially in the context of business continuity and resilience. A mature risk model enables companies to gather data on risks from across the organization, and identify the handful of areas that are both highly critical and highly vulnerable.
This approach helps companies identify the three to five areas where they should focus their risk reduction efforts, providing actionable guidance and ultimately boosting resilience. Additionally, using a risk maturity model can help business continuity departments speak the language of enterprise risk management, increasing their visibility and influence within the organization.
For more information on risk management and other hot topics in BCM and IT/disaster recovery, check out these recent posts from MHA Consulting:
- Don’t Just Hope: Choosing Strategies to Mitigate Risk
- Risk Mitigation: The Four Types
- The Risk Management Process: Manage Uncertainty, Then Repeat
- Enter the Matrix: Why You Should Employ a Risk Management Matrix
- Why BCM and ERM Should Be BFFs
- Who’s the Boss? Successful Risk Mitigation Requires Centralized Leadership