
Risk maturity models: how to assess risk management effectiveness

320 pages · 2016 · 3.38 MB · English


Praise for Risk Maturity Models

'Risk management maturity models enable organizations to gauge the development and evolution of their risk management practices. Domenic Antonucci's Risk Maturity Models stands out from other risk management texts on this topic because it provides very practical guidance, supported by numerous case studies. The book brings to life the benefits of risk maturity models when effectively applied and is simple but effective in its approach.'
Nicola Crawford, IRM UK Board member

'We live and work in an increasingly complex, faster-moving and connected world. The risk landscape faced by organizations today and in the future is increasingly one made up of intangible risks: risks typically more difficult to assess and control than more "traditional" physical risks. Intangible risks demand an enterprise risk management (ERM) approach – archaic risk silos have no place in this world – cyber is not just an IT risk, people are not just an HR risk. Risk management is at the top of the boardroom agenda and organizations are seeking ways in which they can evaluate and benchmark their ERM maturity. This authoritative book by Domenic Antonucci, a recognized international thought leader in the space of risk maturity, is a welcome addition to every risk professional's toolkit. The book follows a logical approach and is packed with information designed to explain risk maturity and to help risk professionals use this technique in support of their position as risk leaders and trusted risk advisors.'
Julia Graham, Airmic Ltd

'For years Domenic Antonucci has been one of the leading thinkers on risk management maturity models. Now he's sharing his thoughts in a book that can help others use maturity models as a means to advance risk management maturity. Risk Maturity Models should be in the library of every risk management practitioner who's looking to advance their risk management capabilities.'
Paul Sobel, Vice President/Chief Audit Executive, Georgia-Pacific LLC, and ex-Chairman of The IIA

'Risk maturity models are useful to organizations that want to compare their current state of risk management capability to an appropriate target level. With his book, Domenic Antonucci offers risk practitioners not only a comprehensive review of existing risk maturity models, but also a method to build one that will satisfy the specific needs of any organization.'
Ghislain Giroux Dufort, President, Baldwin Risk Strategies Inc

'Risk Maturity is currently a hot topic within the Risk Management discipline, being mentioned in various standards as well as being discussed at length in conferences across the globe. Up until this book, however, there has been a lack of publications on the topic. Domenic Antonucci provides a detailed insight into the history of Risk Maturity Models and their benefits. The book is relevant to all organizations implementing risk management who are seeking more information on risk maturity models, whether they believe themselves to be "best in class" and looking for a way to measure their risk maturity, or having only recently started their Risk Management Journey and looking for a roadmap to help guide them to increased levels of maturity.'
Alexander Larsen, BHRM, FIRM, Risk and Controls Co-ordinator, West Qurna Project, Pilot Camp, Iraq

Risk Maturity Models
How to assess risk management effectiveness
Domenic Antonucci

Publisher's note
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and authors cannot accept responsibility for any errors or omissions, however caused.
No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the editor, the publisher or any of the authors.

First published in Great Britain and the United States in 2016 by Kogan Page Limited

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licences issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned addresses:

2nd Floor, 45 Gee Street, London EC1V 3RS, United Kingdom
1518 Walnut Street, Suite 900, Philadelphia PA 19102, USA
4737/23 Ansari Road, Daryaganj, New Delhi 110002, India
www.koganpage.com

© Domenic Antonucci, 2016

The right of Domenic Antonucci to be identified as the author of this work has been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.

ISBN 978 0 7494 7758 5
E-ISBN 978 0 7494 7759 2

British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library.

Library of Congress Cataloging-in-Publication Data
Names: Antonucci, Domenic, author.
Title: Risk maturity models : how to assess risk management effectiveness / Domenic Antonucci.
Description: London ; Philadelphia : Kogan Page Limited, [2016] | Includes bibliographical references and index.
Identifiers: LCCN 2016016341 (print) | LCCN 2016024355 (ebook) | ISBN 9780749477585 (alk. paper) | ISBN 9780749477592 (ebook)
Subjects: LCSH: Risk management. | Risk assessment.
Classification: LCC HD61 .A567 2016 (print) | LCC HD61 (ebook) | DDC 658.15/5--dc23

Typeset by Graphicraft Limited, Hong Kong
Print production managed by Jellyfish
Printed and bound by CPI Group (UK) Ltd, Croydon, CR0 4YY

Contents

List of contributors  viii
About the author  ix
Foreword by Kevin Knight  x
Foreword by Norman Marks  xii
Acknowledgements  xiv
List of abbreviations  xv

Introduction  1
  Capabilities and risk management effectiveness  2
  Our purpose  2
  Risk maturity models still climbing up their own risk maturity curve  4
  Global potential  4
  Introduction to our practitioner representatives  5
  Starting with the background to risk maturity models  6

01 Background to risk maturity models  7
  Introduction  7
  Concepts and definitions  8
  Origins of capability maturity models  16
  Misunderstanding 1: all models are born equal  25
  Misunderstanding 2: global best practice  26
  Misunderstanding 3: progression without regression or stasis  27
  Misunderstanding 4: just a tool  29
  Summary  30

02 The case for a risk maturity model  31
  Introduction  31
  Benefits delivered by ERM and a risk maturity model  34
  Assessing risk management effectiveness  47
  Alternatives complement using a risk maturity model  50
  Limitations to using a risk maturity model  53
  Summary  56

03 Comparing risk maturity models against each other  58
  Introduction  58
  Dealing with biases when comparing risk maturity models  59
  Approach to comparing risk maturity models  62
  Tiering the models  63
  Directory comparing 77 maturity models  66
  Results and analysis of the directory of risk maturity models  133
  Summary  136

04 Tailoring and benchmarking a risk maturity model  138
  Introduction  138
  Tailoring and benchmarking  140
  Tailoring by ERM standards and voluntary codes  143
  Tailoring by corporate governance codes and guidance  156
  Tailoring by sectors  162
  Tailoring by organization operating model  167
  Tailoring by risk function operating model  175
  Tailoring by economic value chain  182
  Tailoring by key performance indicators  184
  Tailoring by context and design-related methods  185
  Summary  185

05 Designing a tailored risk maturity model  187
  Introduction  187
  Components of a maturity model  188
  Domains as a component of a maturity model  189
  Capabilities as a component of a maturity model  189
  Scales as a component of a maturity model  197
  Levels as a component of a maturity model  203
  Alternative design formats  207
  Enhancements to the design of a maturity model  228
  Optimizing objectivity, tailoring and reporting  236
  Summary  251

06 How risk, audit and board functions benefit from risk maturity  252
  Introduction  252
  The risk function and risk maturity  253
  The internal audit function and risk maturity  257
  The board and CxO function and risk maturity  258
  Benefits for risk, IA and board functions  260
  Summary  262

07 Summary of risk maturity models from practitioner perspectives  264
  Practitioner Megan learns to leverage resources to move up the curve  264
  Practitioner Chris learns to keep it simple moving up the curve  265
  Practitioner Asha learns advanced external benchmarking  266
  Practitioner Alan learns advanced self-benchmarking  267
  Summary and future moving up the risk maturity curve  268

Glossary  270
References  275
Further reading  283
Index  293

List of contributors

Ahmed Barakat
Alex Dali
Alex Sidorenko
Alexander Larsen
Arnold Schanfield
Barbara Monda
Beaulah Misrole
Dan Clayton
Eddie McLaughlin
Ghislain Giroux Dufort
Grant Purdy
Henry Ristuccia and team
Henry Ziff
Kevin Knight
Liz Taylor
Michael Herrinton and his team
Nick Wildgoose and his board
Nicola Crawford
Martin Davies
Norman D Marks
Paul Hopkins
Sandra Parkins
Steven Halliday
Stig Sunde
Tim Leech
Toby Shore

About the author

Domenic Antonucci

Domenic is a practising chief risk officer and senior strategic risk, governance and compliance specialist. An Australian expatriate based in Dubai, UAE, Domenic specializes in bringing organizations 'up the risk maturity curve' and building risk practitioner tools for implementing ERM, ISO 31000:2009 and COSO ERM. Formerly with Marsh Risk Consulting, Shell and Red Cross, he has over 30 years' experience in risk, corporate strategic planning and business management across many sectors in Europe, Africa, the Middle East, Asia and Australia-Pacific. A regular international conference presenter and author, he is the content author for various risk maturity model software releases. These include the Benchmarker™ risk maturity model, the first tool to self-assess risk management effectiveness through a set of capabilities expected to be delivered by a head of risk and 'cross-walked' to both ISO 31000 and COSO ERM.

Foreword by Kevin Knight

The concept of risk management has been around for decades with respect to the buying and selling of insurance and managing loss-control activities. With the publication of AS/NZS 4360 – Risk Management by Standards Australia and Standards New Zealand in 1995 and its subsequent revisions in 1999 and 2004, it moved into how organizations made decisions with respect to uncertainty.

The publication of ISO 31000:2009 Risk management – Principles and guidelines saw the risk management process being applied to the management of the effect of uncertainty on organizational objectives and how managerial decisions created the risk of 'Is this the right decision and can the organization manage the decision to a successful outcome?' Risk was seen as neutral and management was focused on maximizing the opportunity whilst minimizing the threat. Importantly, organizations should develop strategies to improve their risk management maturity alongside all other aspects of their organization. Risk maturity models are powerful tools to effect such strategies.

A consequence of this focus on managing the effect of uncertainty on objectives within the organization is the need to measure its effectiveness in achieving organizational objectives, as well as the effectiveness of line-management decision making with respect to risks under their control.

Domenic Antonucci takes us on the journey from the initial modification of capability modelling in 1997 and its evolution into a risk maturity model through to the multitude of risk maturity models competing for attention in today's marketplace. The author asserts quite rightly that the highest purpose behind risk maturity models is, amongst other uses, to assess risk management effectiveness tailored to your unique organization. In the chapter 'Tailoring and benchmarking a risk maturity model' he provides a wealth of practical advice and examples to enable the risk practitioner to develop a risk maturity model that is focused on the needs of their organization.

Domenic brings many years of knowledge, skills and practical experience in the management of risk and organizations and the measurement of its effectiveness within a wide range of organizations. He is especially focused
