Risk Appetite:
Understanding your maturity for risk management


You may already have a Risk Management Process in place, but is it effective? A lot of organisations have made the effort to introduce a standardised process, but that is unlikely to be enough to realise the full benefits of Risk Management and truly be a mature Risk-orientated organisation.

In this article, we’ll look at how to tailor your Risk Management strategy by determining your Risk Appetite and explain how you can build a model to measure how well it is implemented using a Risk Maturity Assessment.

Do you have the stomach for Risk Management?

A good place to start, if your organisation is to derive the most value from risk management practice, is to understand how much risk your team is willing to accept. This is known as your Risk Appetite.

The world has never been more complex and volatile, as seen in the daily news and felt in Boardrooms. War, climate change, cyber-risks, the energy crisis, the cost of living and the fallout from the pandemic are still sending shockwaves around all organisations.

Understanding your Risk Appetite

Before effective risk management practices can be initiated and embedded, an essential process must be undertaken to understand your mission as a business and curate operational delivery to align with these values. This will dictate your risk appetite going forward.

Risk Appetite is the level of risk an organization is willing to pursue or accept in order to attain its business objectives.

Ultimately, all businesses from all sectors encounter risk and must accept a specific level of risk that is unique to their own business. If a business is geared towards growth and expansion, its risk appetite must be higher, and therefore its risk culture, operating style, and decision-making will reflect this.

Risk Appetite vs Risk Tolerance

Risk Appetite is a broader concept that reflects the overall desire to take on risk, which may vary based on strategic goals and external factors. On the other hand, Risk Tolerance is the specific level of risk that an organization can accept, often in measurable terms, without jeopardizing its position.

While Risk Appetite sets the stage for how much risk an organization is prepared to embrace, Risk Tolerance dictates the thresholds for specific risks that can actually be tolerated on a project or operational basis. Both concepts work together to inform decision-making and help in establishing a balanced approach to risk management.

Have you bitten off more Risk than you can chew?

How do you know if your Risk Appetite and Tolerance are realistic though?  In the context of Risk Appetite, you may be willing to accept some ambiguity around your level of risk, but if not, you will want to have a way of knowing where your weak spots are.  That’s where an understanding of your Risk Maturity becomes important when defining your appetite and tolerance.

Implementing a Maturity Assessment

Some clients/businesses run Risk Management Maturity Assessment Models (RMMAM) to provide their Corporate Risk Functions/Project Sponsors with an evidence-based model to assess and baseline Risk Management maturity across projects/programmes.  

A Risk Management Maturity Assessment Model usually consists of 3-4 questions in each of the following 6 sections:  

  • People
  • Leadership
  • Partnering (industry or Customer)
  • Processes
  • Risk Handling
  • Project Outcomes

These questions are to ascertain a rounded picture of individuals' perceptions of Risk Management practices within the project delivery space, with questions being scored 1-5 in terms of maturity:

  1. Awareness and Understanding
  2. Implementation planned and in progress
  3. Implementation in all key areas
  4. Embedding and improving
  5. Excellent capability established

[Figure: Maturity Assessment Model for Risk Management]

In some respects, running the model is the easiest part! The model can be sent out as a Microsoft Forms questionnaire which participants are required to complete individually, rather than collectively as a delivery team, to ensure the most honest and rounded picture of Risk Management can be elicited. 

Taking Responsibility for Risk Maturity

A certain degree of corporate responsibility is required in the sense of establishing the ‘to be’ position in terms of total maturing – or continuous improvement – aligned to the maturity scoring above.

For example, in an organisation/project/programme that is well established, we would most probably recommend striving for a ‘to be’ position of 4 – embedding and improving – to show the constant development and implementation of risk management processes to enhance maturity. Whereas for a project in the initiation/kick-off/concept phase, we might expect to see a more realistic target maturity score of 2 – implementation planned and in progress – to demonstrate the current position of the project and its resources.

The final corporate responsibility centres around possibly the most contentious aspect – Who? The subject of Risk Management maturity can be a difficult concept depending on the organisation, the sector, the attitude and behaviour from sector to sector, etc. Each project varies so widely that no experience as a Risk Manager or even Project Manager will be the same.

An organisation may choose to utilise a RACI (Responsible, Accountable, Consulted, and Informed) matrix to outline the project delivery functions whose input is required in the RMMAM to present the most rounded ‘as is’ position possible. However, every organisation varies, so this list is by no means exhaustive. We would expect to see the organisation/corporate/project sponsor make the decision here. 

Who Cares!?

When it comes to running maturity models/audits/reviews, there is often a question of – so what? What is the tangible outcome of running this?

As mentioned, the RMMAM questionnaire is designed to compare an ‘as is’ position against a corporate-dictated ‘to be’ position and ultimately understand what actions are required to implement significant change or maintain the state of play to ensure adherence with this ‘to be’ position.

Thanks to the specific nature of the questionnaire example used so far, the next steps in terms of results and ‘acting upon them’ are relatively simple. The raw data is manipulated to determine the overall level of maturity including several aspects: 

  • The individual outputs from each of the Project Delivery Stakeholders identified above are collected.
  • Each question is scored by each of the stakeholders; the minimum of those scores is then used to give an overall maturity score per question.
  • Each of the 6 sections then uses the same minimum to drive an overall section maturity score.
  • The 6 section scores are then interpreted in a series of graphs to demonstrate any issues or areas for improvement on the annual drumbeat of the RMMAM being conducted.

The delta between the corporate-dictated ‘to be’ position and the question/section maturity scores is what drives the ‘Action Plan’ – the ultimate output from the RMMAM. In the instance identified in this report, the client also utilises a free text area for every question, allowing those completing the maturity questionnaire to provide evidence against the maturity score they allocate – this can be utilised in terms of specifically targeting areas of improvement in the Action Plan.
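The scoring steps above can be expressed in a few lines of Python. This is an added example, not the client's or the authors' own tooling: the respondent names, the scores and the function names are constructed for illustration, and only three of the six sections are shown to keep the sample data short.

```python
# Added example: RMMAM scoring with minimum aggregation, as described above.
LEVELS = {1: "Awareness and Understanding",
          2: "Implementation planned and in progress",
          3: "Implementation in all key areas",
          4: "Embedding and improving",
          5: "Excellent capability established"}

# Constructed sample data: respondent -> section -> one score per question.
RESPONSES = {
    "risk_manager": {"People": [4, 3, 4], "Leadership": [4, 4, 4], "Processes": [3, 4, 5]},
    "project_manager": {"People": [3, 4, 4], "Leadership": [5, 4, 4], "Processes": [2, 4, 4]},
    "sponsor": {"People": [4, 4, 5], "Leadership": [4, 5, 4], "Processes": [3, 3, 4]},
}

def question_scores(responses):
    """Per-question maturity: the minimum score any stakeholder gave."""
    out = {}
    for person, sections in responses.items():
        for section, scores in sections.items():
            for s in scores:
                if s not in LEVELS:
                    raise ValueError(f"{person}/{section}: score {s} is outside 1-5")
            prev = out.get(section)
            if prev is not None and len(prev) != len(scores):
                raise ValueError(f"{person}/{section}: question count mismatch")
            out[section] = scores[:] if prev is None else [min(a, b) for a, b in zip(prev, scores)]
    return out

def section_scores(responses):
    """Per-section maturity: the minimum of that section's question scores."""
    return {sec: min(qs) for sec, qs in question_scores(responses).items()}

def action_plan(responses, to_be):
    """Sections below the 'to be' target, largest gap first, with the weak questions."""
    plan = []
    for section, scores in question_scores(responses).items():
        gap = to_be - min(scores)
        if gap > 0:
            weak = [i + 1 for i, s in enumerate(scores) if s < to_be]
            plan.append({"section": section, "as_is": min(scores), "gap": gap, "questions": weak})
    return sorted(plan, key=lambda a: (-a["gap"], a["section"]))

if __name__ == "__main__":
    for item in action_plan(RESPONSES, to_be=4):
        print(item, "->", LEVELS[item["as_is"]])
```

Because the aggregation is a minimum rather than an average, a single low score from one stakeholder sets the score for that question and its section, which is why the question numbers are carried into the plan.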

Conclusion

Risk management, tools, and perceptions are different in every business and sector; however, the need for engaged and ‘bought-in’ Project Delivery Professionals is common throughout.

Your risk process, like all processes, needs continuous improvement driven by iterative maturity assessments, which must be approached in a holistic manner to ensure that the perceptions of all those involved in Project Delivery, who feasibly engage with Risk Management processes, are captured.

Clear assignment of roles and expectations is critical – a Risk Management Maturity Assessment Model is an integral tool that can be used to ensure individuals are held accountable for their understanding of and engagement with Risk Management Processes.

Thank you to Tim Samways, Senior Technical Manager, and Josh Bailey, Delivery Manager, for contributing to this article.
