Conducting a risk maturity review

Aug 26, 2020

This blog post is an adapted version of a paper from Risk Leadership Network's Intelligence platform, contributed by BAI Communications CRO, Andrew Potter. Usually the case studies we compile from practising risk managers are unattributed and only available to members, however Andrew is happy to share his risk maturity review experience with the wider risk community.


Andrew Potter, CRO of Risk Leadership Network member organisation, BAI Communications, had been in his role for five years when he decided to conduct a risk maturity review. Rather than focus on benchmarking against an index, Andrew wanted the review to analyse risk and audit’s performance against international standards and frameworks. The process was a positive experience, and outputs included broader business recognition of risk’s achievements and an ‘evidence base’ for Andrew to use in advancing future risk initiatives.

Executive summary

  • Andrew Potter, CRO of Risk Leadership Network Member organisation, BAI Communications, embarked on a risk and audit maturity review after five years in his greenfield in-house risk role.
  • He began by putting together an RFP, which outlined a very specific scope and asked potential consultants to consider risk management and internal audit processes, procedures and frameworks; reporting outputs and communications with the business; and how the functions aligned to international best practice.
  • Andrew did not want a maturity scale ‘rating’, but rather a more substantial assessment of the risk and audit functions’ performance against international standards and frameworks.
  • The consultant designed and implemented a process that included review of all formal risk and audit documents, the risk and audit software (and its use within the business), and qualitative interviews with around 25 key stakeholders.
  • Outputs included recognition of good practices within the organisation, as well as a constructive list of six key recommendations for future-state development of the risk and audit functions. These recommendations have become invaluable as evidence to assist the risk function in furthering some of its new initiatives.

Context

I’d never done a risk maturity survey before and I was intrigued about the benefits, says Andrew Potter, CRO of Risk Leadership Network Member organisation, BAI Communications. When I joined my organisation five years ago, it was a greenfield in-house risk opportunity. So, it was me who had put together all of our risk framework documents.

Within these documents, I’d stated that at least once every five years, a maturity or benchmarking review should be conducted. In fact, when five years rolled around, I doubt any of the other executives or members of the audit and risk committee had the review top of mind. But I knew it was something we needed to do.

From my perspective, a regular risk maturity review provides that all-important, impartial check-in of the risk function. It verifies whether you’re servicing your organisation in the best way possible and assesses the views of your stakeholders. If there is any trouble brewing, it may give you an opportunity to get on the front foot, too.

When I first raised the idea, I got some comments around ‘opening up a can of worms’, but I felt confident in what the function had achieved in the past five years. I also believed we would benefit from fresh ideas and guidance on areas to improve over the next five years.

Key steps

Putting together the RFP and selecting a consultant

As I said, I hadn’t conducted a risk maturity review before. I engaged our procurement department, and we put together an RFP that outlined all the elements I thought the review should include.

I asked potential consultants to consider:

  • Our risk management processes, procedures and framework
  • Our internal audit processes, procedures and framework
  • Our reporting outputs and communications with the business
  • How we aligned to international best practice.

This last element, in particular, was important to me. I didn’t like the idea of doing a risk maturity review and getting back a single benchmark figure. For example, there are many companies who measure themselves against indices. One to five ratings on a maturity scale, that sort of thing.

For me, the problem with these kinds of outcomes is that they’re not very nuanced and they may not be internationally consistent. Different consultants use different frameworks, and even though they provide a wealth of in-depth, insightful commentary to support their rating, people usually end up focusing only on the number.

Instead, we determined we would assess our performance in the context of these two internationally recognised standards:

I was careful to clearly establish the scope of the review from the outset. Another reason I think companies don’t always get the outputs they anticipate is because the project brief isn’t understood in the same way by both parties.

Stipulating exactly what should and shouldn’t be reviewed, in terms of areas of the business, helped in our case. Also, confirming—once we did engage a consulting firm—exactly who would be working on our review and what their roles would be helped to ensure the process ran smoothly.

Although we designed the RFP so any company could submit, we did invite to tender certain companies that we felt would match the brief well. Importantly, these were also companies that weren’t already working for us in other areas and might therefore introduce conflicts of interest.

In the end, our decision was straightforward. The company we selected demonstrated extensive experience and laid out a very clear methodology of what they were planning to do and exactly how they were planning to do it (more on this below).

In terms of timeframes, we sent out the RFP around November. Tenders were submitted by Christmas. We reviewed options and selected our consultant in January and February, and by March we had signed the contract. The review itself was completed by June and we received the report in July. If I date the ‘beginning’ of the process back to when I first raised the idea with our Group CFO, though, I’d say the total process took us about a year.

Designing and conducting the review

Once we’d engaged our consulting firm, the first thing we did was to sit down and meet the full team who were going to be working on our review. I gave them additional context about our organisation and how we operate across the world. Again, I made it clear that the review was only to focus on risk and internal audit, but that it needed to look at our functions globally and in the context of global best practice.

In their tender, the consultants had already laid out their proposed three phases, which were along the lines of:

  • Phase 1: Current-state assessment. Where are we today? What’s working well? What can we improve on?
  • Phase 2: Future-state development. What should we look at over the next five years in terms of evolving our maturity?
  • Phase 3: Collate findings and report. This included a preliminary report to me, a detailed report to the executive, and a final presentation to the audit and risk committee.

For each phase, they set out the key activities, outputs and estimated time effort. They also provided the principles-based methodology they were going to use, in terms of the risk management standards and the professional practices framework.

Once engaged, they put together a more detailed project plan. I reviewed and approved that document, but I then got out of the way and left them to implement. I also provided a list of high-level stakeholders whom they should interview, but again, I didn’t get involved in facilitating those interviews.

The consultants did share their questions with me before speaking to stakeholders, but I didn’t make any changes. Initially, I was surprised at the simplicity of their interview approach, which centred around four key questions. However, upon reflection, I’ve realised that these questions were broad enough to allow interviewees to provide their honest feedback, but without being led down any particular path.

The questions were:

  • What is the nature of your experience with the corporate risk management and/or internal audit programs?
  • Can you please describe the value or benefit you receive in your role from the programs?
  • Can you please describe any issues or improvement opportunities for the programs?
  • Considering risk management and internal audit activities, are there any you believe should be stopped, started or continued?

These were given to the majority of interviewees in advance, so they could consider their replies. They ended up speaking to around 25 different stakeholders. Feedback was provided anonymously.

We didn’t do a broader staff survey. Our organisation is quite lean, and we felt that once we’d spoken to our 25-odd stakeholders we’d collected quite a diverse set of views.

Additionally, the consultants reviewed around 25 to 30 different risk documents, as well as looking at the risk software we use, whether it was fit-for-purpose, whether it was integrated across the business etc. And this analysis was all done against criteria developed from those international standards and frameworks I mentioned earlier.

The whole review was quite qualitative and it needed to be, as I deliberately wanted it to focus on the maturity and performance of the functions.

Outputs

Six key recommendations and good practices

Our final report comprised good practices identified and six key recommendations for the future, as well as a number of smaller observations and ideas. We received a consolidated presentation and a more detailed document.

In terms of good practices, I have already found it very useful to have this ‘impartial’ positive feedback. I believed risk and audit had a strong relationship with most of our stakeholders (something that was confirmed by the review), but this report enables us to elevate those achievements to the executive and the audit and risk committee, too.

The report noted good practices such as the below. This list isn’t exhaustive, but for the purposes of inclusion here, it illustrates the types of elements that were assessed:

  • A common risk framework that was suitable across the enterprise
  • Common risk management information software that was used at group and business levels
  • Internal audit reviews of control effectiveness being used to inform risk management
  • A single risk appetite statement that fits the requirements of a diverse, growing global business.

Nine good practices were identified in total. In each case, the consultants provided detail and evidence around why they considered these elements to be good practice. Again, this evidence included specific references to the criteria developed from the international standards. The consultants also incorporated broader, contextual observations, based on their industry experience. We found this commentary added a useful extra layer of insight and informal ‘benchmarking’, if you like.

I won’t detail out all of our recommendations either, but I’ve included a few below to show how we are using them as an evidence-base to further new risk initiatives and plans.

One recommendation was to align risk and audit’s purpose, mandate and resourcing with future state needs of the group. In other words, although the company is global, currently all of our risk and audit team are based in Australia. We already had tentative plans in motion to hire new people, but the review was able to capture first-hand feedback from senior executives, based in the northern hemisphere, saying ‘we would benefit from having a risk and audit representative closer to us’.

Another recommendation was to require earlier consideration of risk in business decision-making at all levels across the group. Again, the consultants made this recommendation based on feedback from some senior executives. They also reviewed a document I had produced for a big bid we tendered for and noted that the risk component was completed quite late in the process. In fact, I’ve been recommending for some time to get the risk function involved in strategic business decisions at the outset, so it’s invaluable to have this formal piece of evidence. It’s given me a basis from which to develop a plan of action.

A third recommendation was to explore the use of data analytics to increase effectiveness of internal audit. This is not really a surprise, because data analytics is a topic everyone is talking about these days. As with many companies, we are somewhat limited by our current software and systems as to what we can achieve right now. But, again, just having that recommendation formally documented could be handy as we’re engaging with the different departments around continuous improvement initiatives.

Results

I was very happy with the outcomes of this review and the interactions throughout the process. I don’t believe there’s a one-size-fits-all approach for risk management. You have to make it work for the organisation you’re in. And, you have to gain the engagement of your key stakeholders.

So, we could have asked for industry benchmarking and a maturity ratings scale, but would it have been helpful? I don’t believe so. I think it was much better to measure our performance against international standards and frameworks. And then to literally just ask our stakeholders: ‘are you satisfied?’.

Obviously, you need to consider these two elements in tandem. It’s no good having happy stakeholders, but your risk management is failing across the board. Likewise, if you have perfect policies and procedures in place, but nobody wants to engage with the function, you’re not going to have much of an impact.

But once you look at these two elements together, you have the picture you need of the organisation’s maturity.

Lessons learned

  • Having gone through the process, I would strongly recommend undertaking a maturity review. If people are worried about ‘opening a can of worms’, I think there are steps you can take to manage expectations. This is not to say you are trying to control the results—these have to be impartial—but you can clearly outline the scope, get your bosses across what you’re planning to deliver, and make sure the project plan is agreed to and understood by all. We also set a budget cap for the project and selected a team from within the consulting firm that we felt would work well with the organisation.
  • It’s the first time I’ve done something like this, but I will definitely do it again. The review has really helped me to think about next steps and challenged me on some of the things I’ve been doing. For example, I’ve now spoken to my communications department and we’re beginning a quarterly email update from me to the organisation after each audit and risk committee meeting. This is something I’ve been thinking about for some time, but it’s never been prioritised on my list. But when you receive that black and white feedback from the organisation ‘this is something we would like’, it motivates you to put a plan into action.
  • There are a few things we’ve stopped doing as a result of the review too. One notable thing is audit and risk reporting going up to the audit and risk committee before it’s been seen by every member of the executive. Now, that has really only ever happened before in incredibly rare circumstances. But, of course, when the particular executive who had that experience was interviewed, that was what he remembered most about his interactions with our functions. It came back as very clear feedback in the report. It really hammered home for me the lesson that people remember their dissatisfactions and it can affect your ongoing trust and productive relationships. So, we’ve now committed to ensuring that never happens, and just this quarter I made a decision to defer an item from the committee report to the following meeting as a result.

Risk Leadership Network’s Intelligence platform is a searchable database of peer-contributed case studies, tools and templates. Contributed by members, current and former senior risk managers and subject matter experts from around the world, the Intelligence platform is a melting pot of new ideas and shared learnings. A list of all contributions currently available to members of the Risk Leadership Network is published on the platform.

Risk Leadership Network's Intelligence is one of four interconnected platforms that enable members to collaborate and share knowledge across different sectors and geographies to improve the effectiveness of risk management.