Benchmarking organisational business risk management maturity : Introducing BRM3

1
Benchmarkingorganisational business risk
management maturity Introducing BRM3

• Presented by the
• IACCM Business Risk Management Working Group
• Contact via www.IACCM.com

2
RISK UNCERTAINTY

• Terms of reference To determine how to improve
  the management of Business Risk
• Risk is any uncertainty having an effect on the
  project (not just adverse)
• Management requires a formal approach to the
  identification, assessment, and analysis of Risk,
  in order to reduce it, eliminate it or benefit
  from it.
• Hence BRM3 ..

3
The case for benchmarking

• Why?
• You cant improve what you cant measure
• When?
• Before and after change
• Who?
• Anyone committed to improvement
• How?
• ...

?
4
A benchmarking process
Identify need for change
Decide to benchmark
Identify what to measure
Design framework/study
Data collection and analysis
Develop change plan
Implement and feedback
5
Using a benchmark approach

• Diagnose current level
• Set targets for improvement
• Develop action plan
• Implement
• Monitor progress
• Need an agreed framework

6
Which framework?

• Increasing interest in maturity models
• Software development SEI/CMM, 1993
• Quality management EFQM/BEM, 1996
• Generic risk management Hillson/RMM, 1997
• Project management PMI/OPM3, 2004
• Nothing for business risk management
• No need to reinvent wheel, start from existing

The Risk Maturity Model was a concept of,
and was originally developed by, HVR Consulting
Services Limited in 1997. All rights in the Risk
Maturity Model belong to HVR Consulting Services
Limited
7
Introducing BRM3

• Business Risk Management Maturity Model
• Based on generic Risk Maturity Model (CMM
  EFQM)
• Assess organisational business risk management
  capability
• four attributes
• Culture, Process, Experience, Application
• four levels
• Novice, Competent, Proficient, Expert
• Each attribute has defined characteristics

8
BRM3 Level definitions

• Level 1 - Novice
• unaware of need
• no business risk processes
• Level 2 - Competent
• experimenting
• informal approach
• ad hoc tools/methods

• Level 3 - Proficient
• routine risk management
• formal processes
• integrated tools/methods
• Level 4 - Expert
• risk-based culture
• proactive management
• state-of-art tools/methods

9
BRM3 attribute summary
10
Diagnostic structure
11
Sample diagnostics

• Culture/1.1 Senior management attitude to RM
• Unsupportive or hostile
• Passive support
• Promotes and supports concept
• Actively champions
• Process/2.2 Formality
• No formality in approach to risk
• Ad hoc and inconsistent risk process
• Well structured consistently implemented risk
  process
• Appropriate process level for risk faced,
  modified to suit situation

12
Sample diagnostics

• Experience/3.4 Skills capabilities
• None relevant to RM
• Basic skills required to participate in risk
  process
• Able to lead and take initiative in risk process
• Can tackle unexpected issues train/mentor
  others
• Application/4.4 Effective response implementation
• No proactive risk responses implemented
• Selected responses implemented but not
  effectively
• Selected responses effectively employed for all
  identified risks
• As 3, plus able to handle emergent risks

13
BRM3 analysis

• Bottom-up assessment
• 4 attributes, each with multiple-choice questions
• each answer corresponds to BRM3 Level (1-4)
• average question scores ? attribute score
• average attribute scores ? BRM3 Level
• Top-down interpretation
• BRM3 Level ? capability position in framework
• attribute scores ? strengths/weaknesses
• individual questions ? detailed analysis

14
Case StudyScoping

• Turnover
• No of Employees
• Typical Contract
• Supply chain role
• How long in business
• Perceived BRM3 level
• Market segment

• lt5 million
• lt50
• 25k
• Supplier
• 1-5 years
• Competent
• Retail

15
Case Study continued..HEADLINE ANALYSIS

• BRM Level 2.7
• Culture 2.7
• Process 2.4
• Experience 2.7
• Application 2.9
• Competent - approaching
• Proficient ?

16
Case Study continued.Top Down Assessment

• Level 2.7 Competent
• Attribute Scores
• Culture (2.7) there is commitment and belief
• Experience (2.7) appropriate expertise exists
• Application (2.9) existing processes are
  consistently applied
• Process (2.4) partial effectiveness expected
  benefits not obtained

17
Case StudyDetailed question analysis Culture

• Culture 2.7
• C3 Belief in Risk Management 4
• C8 Response Strategies 2
• C9 Awareness 2
• C10 Communication 2
• Is there a need for a process to capture the
  expertise available, and make it available
  consistently?

18
Case StudyDetailed question analysis - Experience

• Experience 2.7
• E2 Range and Depth of Experience 4
• E5 Limited allocation 2
• E6 No formal training programme 2
• The expertise exists but needs continuing
  development
• and support at corporate level.

19
Case StudyDetailed question analysis -
Application

• Application 2.9
• A2 Policies not used consistently 2
• A4 Responses not effectively employed 2
• A5 Interactive risk reporting 4
• Supports previous slides Need to capture the
  benefit from what is being done by consistently
  taking appropriate action on reports.

20
Case StudyDetailed question analysis - Process

• Process 2.4
• A1 Strategy inconsistently applied 2
• A2 Weakness in formality 2
• A3 Partially effective 2
• A5 Not available throughout company 2
• A6 Ad hoc information capture 2
• The weaknesses identified in earlier Attributes
  show themselves most clearly in these symptoms.
  

21
Case Study Summary

• TOP DOWN
• BRM3 Level 2.7 ? Competent
• Attribute scores
• Culture 2.7
• Process 2.4
• Experience 2.7
• Application 2.9
• Detailed question analysis
• C communication
• E resource allocation, training
• A lack of consistency
• P ad hoc, lack of formality

• BOTTOM UP
• Plan to reach BRM3 L3
• Strengths
• Belief in risk management
• Expertise available in organisation
• Areas to develop
• staff skills/training
• Formal response strategy
• Concerns
• Not fully capturing benefit of what is being done

22
BRM3 benefits

• Based on established models with broad track
  record
• Construction, nuclear, public sector, telecoms,
  defence, pharma, engineering
• Process is simple to administer
• self-assessment or audit
• Analysis is simple to understand
• bottom-up assessment ? top-down interpretation
• Results are powerful and pragmatic
• exposes strengths/weaknesses in detail
• enables precisely targeted improvement plans

23
Using results
Understand current position
Baseline for future measurement
Define realistic target
Tailor improvement programme
24
What next?

• BRM3 soon available on IACCM website
• Try it out for your organisation
• Provide feedback to Working Party
• Possible modifications/re-issue
• Possible development of diagnostic/analysis tools

25
Thank you

• Any questions ?

BRM3 was developed in May-October 2002 by the
IACCM Business Risk Management Working Group
Linda Duodu Siemens Business Services
Limited Rosemary Gott NNC Limited David
Hillson Risk Doctor Partners Graham
Jackson Best Practice Partnership Limited Steve
Minto RWE NUKEM Limited John Pedretti Logica UK
Limited Phil Phillips Hewlett Packard Greg
Russell Blake Newport Associates Dave
Scarbrough Fujitsu Services Rachel
Wilcock Energis Communications Limited