Skip to main content
You’ve taken an Enterprise Risk Management (ERM) maturity assessment, you’ve received your results, and now you have no direction and feel like you’ve just wasted 15-minutes. In this blog, we dive into why an assessment score is not meant to be the end game.

In an earlier blog post, we shared the two critical flaws that we often see in ERM Program Assessments. But there is actually a third flaw that is more problematic than the other two combined. We call it the “Now What?” problem. 

Now What?

Perhaps you’ve completed one of the many online ERM Program Assessment tools out there (we're biased, but we think this one is pretty good). It generates your score: Medium Appetite/Medium Capacity. Is that what you expected? Better than you thought? Are you surprised by the score? Did you print it out and put it on the refrigerator?

But before you decide what to do with your score, you’ll need to understand how it was calculated.

Maturity is More Than Eating a “Balanced” Lunch

Assessing almost anything in life in a linear fashion can be tricky, because you often get skewed data or incomplete information.  Let's say your partner asks if you ate lunch today, and you answer “Yes”.  But they didn’t ask what you ate for lunch today, which may have been “a bag of Doritos.”

These are two very different data points to two similar questions.  A program assessment score should be calculated in a similar fashion. It should not just be a linear scale from 1-5. A simple numerical scale doesn’t accurately reflect the journey that has been taken by an organization, and often misrepresents the path that lies ahead. It also often minimizes or ignores the culture of an organization, which is a key factor when assessing a risk management program. Our online assessment measures multiple factors, which we have grouped into Risk Appetite and Risk Culture:

Pictured is a box with 9 squares numbered 1 through 9 from the bottom left up to the top right. The X-axis represents Capacity while the Y-axis represents Appetite.


In this illustration, you can see our sample organization’s assessment was calculated at Medium Appetite and Medium Capacity. We call having both medium Appetite and Capacity “Stability”.  This ERM program is resourced appropriately, the organization generally understands what is expected, and the results seem to be acceptable.  But how do you know if this is good or bad for your organization? This is why an assessment score is not meant to be the end game. To be effective, it should really be the starting point of both strategic and tactical discussions.

Finding Your Direction

Assessments are a great opportunity to not only determine where you stand currently, but to help decide where you want to go. This is a great time to meet with management and discuss the goals of your ERM program, and how those fit into the organization’s strategic objectives.  If your program is currently at a Medium Appetite/Medium Capacity, you may think the goal is to get to High Appetite/High Capacity. But that might not be the case. For your organization, Medium Appetite/High Capacity might be the goal. One of the risks with an assessment score is that people often assume that the highest score is always the goal. But is the ROI there for your organization? It might not be. If strengthening your program from Medium Appetite/High Capacity to High Appetite/High Capacity requires an initial investment of $5 million and an ongoing investment of 1,500 hours a year, and the end result will only mitigate $500,000 of risk, is the investment worth it?

How Big of a Lift?

A reason for having the strategy and direction discussion with management first is that it makes the second part of the conversation much easier.  If your organization decides its ERM program needs to be at a Medium Appetite/High Capacity, and it's currently at a Medium Appetite/Medium Capacity, you'll need to do some analysis and come back to management and say, “Based on our direction that we need to be at a Medium Appetite/High Capacity, here is the level of effort that will be needed.”

That level of effort will include the total number of hours, and any other resources to grow the program to the goal maturity. That may include a mix of financial investments, software, allocation of existing headcount, possible new headcount, and business champions/sponsors. You’re not telling management what to do, you are just advising them on what they need to reach their objectives.

Winning 2nd Place in a Two Person Race

Assessments can’t be done in a vacuum. You may be asked, “if we are at a Medium Appetite/Medium Capacity, how many organizations have higher Appetite or higher Capacity than we do?” And you will need that information. That is why the final key to program assessments is benchmarking your score to other organizations.

Takeaway: The right program assessment can provide valuable data and insight, but it’s vital that you strive to grow your ERM program to the point where it best supports your organization. Be careful that you don’t just shoot for an arbitrary box on the maturity scale. More importantly, an assessment can be the catalyst for valuable discussions with management. It is through these discussions that organizations focus on the most critical areas of improvement, identify a roadmap to a more robust program, and answer the “Now what?” question...