Whether your organization is just launching a risk management program or looking to mature an existing one, having a vision and a roadmap makes all the difference.
Understanding the key risks affecting your organization, and how those risks can shape outcomes, will set you up for more strategic decision making and clearer reporting to your board and stakeholders.
After implementing risk management practices at Irwin Mitchell, risk management veteran Danny Pollard joined Metamorph Group, bringing over 9 years of experience to the role of Group Risk and Assurance Manager. In his responses to the following questions, he provided some insights into his roadmap for risk management.
How did the risk management journey begin at Metamorph Group?
Pollard, Group Risk and Assurance Manager, Metamorph Group (UK):
Upon joining Metamorph Group in June 2021, there was no risk management function or risk management framework in place. Everyone was dealing with risk management in their own separate silos and doing different things, which for me set off immediate alarm bells.
The first thing that needed to be set was a clear structure. This was to be comprised of the Group Risk Assurance Team, Risk Owners & Control Owners, and specialist Risk Management Functions (i.e., HR, Finance, IT). In the near future, our business will be looking to define a Group Risk Committee — but for now, we are progressing well as a business.
This newer structure provides for a flow of information both upstream and downstream. We report up for evaluation and the business provides direction back down. This structure also provides the Senior Leadership Board with the information and tools they need to be accountable for risk management and the assurance that they will achieve their objectives.
How do you consider your risk maturity model?
If you want to manage risk and your framework, there’s no better way than to measure your maturity.
I include a Risk Maturity Scorecard in our Risk Assurance Report provided to leadership. This gives leadership insight into the multiple different areas we believe are the “core areas” affecting risk management. Each core area has a scale from 1-5 in terms of maturity and the area undergoes a multitude of tests to determine and achieve a desired level of maturity. Once you get to that right level of maturity, or as you progress in maturity, you can start getting more complex or doing more integrated things — for example, trying to make things automated. This helps you make risk management more manageable, measurable, and reportable — which is also helpful in aligning with the Board on risk management initiatives.
How did you determine your core areas of risks?
Core areas of the risk management maturity model started simply by having a conversation with senior leadership to understand what mattered to them with regard to risk management. Once I understood their perspective, I applied this to the required elements of any risk management framework: the risk architecture, strategy, and procedures.
The important thing here is to keep it simple. Using ‘Risk Leadership’ as an example, our colleagues are inspired by what leadership does and how it does it — by having the right ‘Risk Leadership’, this will start gradually introducing a ‘Risk Aware Culture’ into how the business operates. This then assists the ‘People’ aspect as we all see things in different ways based on our experiences and knowledge on certain areas through to how we were brought up — all these different perspectives can give a true insight to risk exposures both existing and/or on the horizon. This assists in the creation of a ‘Risk Radar’ or, as I call it, an early warning system so we can be more proactive in managing risks rather than reactive, but this is only achievable if the senior leadership supports it.
You can then start to say, “It is all well and good having senior leadership support our initiative, and colleagues are aware of what is expected from them.” But how do they do it effectively? This is where ‘Risk Strategy and Policies’ and ‘Risk Management Processes’ take effect because as Risk Managers, we need to coordinate risk management activities, yet we cannot be everywhere all at once. Therefore, we need policies and procedures, etc., so new and existing colleagues can help themselves and achieve what is required for the effective management of risk.
By understanding what matters to senior leadership and working backwards from what good looks like, you will understand what core areas apply to your business to allow you to start building a model to measure your framework so you can manage it.
Looking ahead, where do you see this risk maturity evolving?
In my experience, one has to be realistic. I would like to see us move to the third-target maturity level within at least 3 years. This level means we’ve got a solid risk management framework in place, done the basics right, and supported an effective risk-aware culture.
Once we hit that, we will look to move towards more complex ways of providing analytics and insights. Additionally, this benchmark will keep moving — we’ll continue to “go for gold.” But, I think getting the basics right first and creating a foundation sets you up for success in the future.
It’s a reality that resources and time are limited — not just for those in my direct group, but for everyone. You won’t find as much success labeling everything as urgent and hammering for responses. It’s a marathon, not a sprint.
For someone who’s starting on the same road, what were things that surprised you?
Everyone has their way of doing things. I like to identify that “one source of truth.” It’s important to get all of the different perspectives — get the right people involved at the right time to source the right information. The Risk Assurance Report I referenced in my response to an earlier question has become the place for this source of truth. When you pull everything together, you start to see the issues and the opportunities that come along with it.
One key challenge I’ve found is making sure there is a common language set for all stakeholders. For example, setting the understanding that “residual risk” does not equal “inherent risk.” Something as simple as that can change how that one source of truth is communicated out and how that information is received.
People are passionate! Risk is often seen in a negative light — you see this in the news stories and the headlines. But, if we can change that and use that passion to help stakeholders achieve their objectives and turn that fear into a positive — we can make real progress with this.
You must ensure there is not a culture of fear. People are scared to talk about risks for fear they will get blamed. This can lead them to not provide a true picture of the risk environment. If people are not honest with themselves and the risk team, you’ll encounter all sorts of hurdles and challenges. It’s all about letting people know that you are working alongside them and helping them to achieve their objectives. Ultimately, we’re identifying areas of opportunity to be even better together. Creating the one source of truth, communicating early, speaking the same language, and working with others in an open and collaborative manner is really going to help this.
Any last thoughts for risk management professionals starting on this journey?
I’d say as you start this risk management journey, remember to:
- Have your foundation to support the case
- Keep it simple
- Solidify the risk management process
- Encourage the importance of risk management and make it imperative and integral to the culture
- Make the case for risk management to both stakeholders and the Board
- Measure, measure, measure…
- Test, test, test… ensure it works and enable stakeholders to help you
Interested in learning more about Danny’s journey? View the on-demand “Risk Roadmap: 5 Considerations When Launching Your Risk Program” OCEG and Origami Risk webinar here.
Do you know where your organization is on the road to ERM maturity?
The ERM Maturity Tool from Origami Risk enables risk managers and other executives to evaluate the effectiveness of their ERM initiatives, whether they are just getting started or have well-established programs. Upon completing a brief 17-question online survey, risk managers instantly receive a custom PDF indicating where their organization’s ERM program stands in terms of a variety of key indicators. It also provides benchmarks against peers and a list of next steps for making improvements or driving results based on responses to the questions.