Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
In February 2021, the Organization for Economic Cooperation and Development (OECD) published an Enterprise Risk Management Maturity Model designed for Tax Administration Agencies. It is the culmination of work that began in 2018 to develop stand-alone maturity models for a broad range of organizational activities, one of which was Enterprise Risk Management. This piece examines the model and discusses how such models are being used by government elsewhere.
Enterprise Risk Management (ERM) is a process by which an organization can identify and prioritize the risks that it faces. This approach covers the entire organization. Generally, the risks are separated into strategic and operational risks. The strategic risks are risks which cross operational boundaries and affect the entire organization. The risks often placed in the strategic categories are financial, regulatory, and reputational. Operational risk could include quality control, supply chain management, and accounts payable and receivable.
Thomas Brandt, Chief Risk Officer of the United States Internal Revenue Service, notes in his Preface to the document the linkage to ERM and the purpose of the model.
“The ability to identify, understand and mitigate risks appropriately is more important than ever. My hope is that this new maturity model will help us in understanding our capabilities in this area in an objective and testable manner, to provide staff and senior leadership with an overview of their administration’s maturity level, including in comparison to their peers, and to inform decision-making going forward.” (1)
Maturity models are a common tool used for organizational self-assessment. The OECD development of an Enterprise Risk Management maturity model for Tax Administration agencies is an attempt to not only encourage the use of ERM by Tax agencies, but to provide them with a self-assessment mechanism. In addition, their approach is designed to allow Tax Administration agencies to compare their ERM performance with others.
The rest of the piece looks at the OECD ERM maturity model structure and compares it with that used by Comcover, the self-insurance arm of the Commonwealth of Australia.
OECD ERM Structure
The OECD ERM maturity model has five levels. These are, along with a brief description of each:
- Emerging – ERM is not well understood or practiced throughout the administration.
- Progressing – Some ERM capabilities and practices are in place and there is a general understanding in most business areas of the role of risk assessment and risk management at a high level.
- Established – ERM capabilities and practices are generally well established in the culture and formal processes of the administration.
- Leading – ERM capabilities and practices are well integrated into strategic planning and performance management activities and risk appetites are clearly articulated.
- Aspirational – ERM capabilities and practices are fully integrated with strategy and performance management and reinforced through the organizational culture at all levels.
OECD lists eight “indicative” attributes; each is rated against the five levels to determine the organization’s ERM maturity. The eight attributes are: Strategy, Governance, Culture, Risk Identification, Risk Analysis and Evaluation, Risk Treatment, Review and Revision, and Information, Communications and Reporting.
The last five in the list are elements contained in ISO 31000:2018. (2) These elements are designed to help management determine the degree to which the ERM implementation process is being practiced throughout the organization. The Strategy, Governance and Culture attributes help management determine the degree to which the philosophy and practice of risk management are being integrated.
For instance, to treat or mitigate a risk, management must determine its risk appetite. The appetite is the level of risk management is willing to accept for any given risk. Risk appetites are generally broken down into zero tolerance, some tolerance, and tolerate. The levels are sometimes quantified. Regardless, the specification of the risk appetite for specific risks tells management and employees at all levels what is acceptable and what is not.
In the case of the OECD ERM model, the emphasis is on the extent to which risk appetites are understood within the organization. For instance, under Strategy at the Emerging and Aspirational levels the guide states:
Emerging: “There is a limited understanding of risk appetite by senior leadership”.
Aspirational: “Risk appetite statements are incorporated into all business objectives and monitored in real-time through advanced analytic techniques with suggestions for changes put forward.” (3)
As can be seen, the level of sophistication associated with risk appetite increases as one moves up the matrix. The same occurs for Risk Analysis and Evaluation.
Emerging: “Risks are either not analyzed formally or risk analysis is done in an inconsistent manner based on the previous experience and management judgement and without any common format, resulting in an unreliable assessment of enterprise level risk.”
Aspirational: “Risk analysis is carried out using an integrated risk assessment system based on a wide range of real-time qualitative and quantitative data, both internal and external, and using advanced technology tools (such as artificial intelligence) to map cause and effect relationship, including the impacts on interrelated risks.” (4)
While each level has a definition, the placement of activities within a level is subjective. It depends on one’s interpretation. It is easy to determine whether risks are not analyzed in a formal manner. But how precise can one be in determining whether risk analysis is carried out using “an integrated system based on a wide range of real-time qualitative and quantitative data”?
The problem of subjectivity in determining ERM maturity is dealt with by Comcover, the Commonwealth of Australia’s self-insurance group, by listing key items which help determine the extent of ERM implementation.
Comcover’s Risk Maturity Model
Comcover annually conducts a self-assessment survey using its ERM Maturity Model. This model has six maturity levels. These are: Fundamental, Developed, Systematic, Integrated, Advanced and Optimal. It also contains nine elements against which a maturity level is determined. These nine elements are:
- Establishing a risk management policy.
- Establishing a risk management framework.
- Defining responsibilities for managing risk.
- Embedding systematic risk management into business processes.
- Developing a positive risk culture.
- Communicating and consulting about risk.
- Understanding and managing shared risk.
- Maintaining risk management capabilities.
- Reviewing and continuously improving management of risk.
While both models have a similar maturity structure, Comcover’s includes six levels, as opposed to OECD’s five. In addition, Comcover’s focus is on the administration of ERM. Strategy, Governance and Culture are not explicitly listed. However, they are covered in the questions used to determine the maturity level.
In order to determine the level of maturity for each element, the survey asks a series of questions. For each question there are multiple answers. The respondent is to mark all that apply.
For instance, under element 1, Establishing a risk management policy, four questions are asked. One of the questions is: Has your entity defined its risk appetite? There are seven possible answers. They are listed below.
- Your entity has not defined its risk appetite.
- Your entity has developed a single, overarching risk appetite statement at a qualitative level.
- Qualitative risk appetite statements have been defined for categories of risk (e.g., financial, human resources, operations).
- Your entity has developed a methodology to explain its approach to defining its risk appetite.
- Risk tolerance limits (i.e., the specific level(s) of risk taking that is acceptable in order to achieve a specific objective or manage a category of risk) have been defined for categories of risk (e.g., financial, human resources, operations).
- Your risk appetite is periodically reviewed and updated based on changes in the internal and external environment.
- Your entity’s risk consequence/likelihood ratings and descriptions explicitly link to your risk appetite and associated risk tolerance level by clearly indicating where risk ratings or levels are within, and outside, your risk appetite. (5)
To determine how well a department is doing, Comcover has scored each level. Thus, Fundamental is 0-.99, Developed is 1-1.99, Systematic is 2-2.99, Integrated is 3-3.99, Advanced is 4-4.99 and Optimal is 5-6. An evaluation of the results of the responding departments indicates that in 2015 the overall maturity level was 3.28. In 2019 the overall level was 3.68. (6)
The use of a quantitative rating system allows management to assess not only overall ERM maturity, but the maturity level for each element.
Risk Maturity Models are an administrative tool which promote ERM and assist management in evaluating the ERM implementation progress within the organization. These models are being used around the world. The OECD’s ERM Risk Maturity Model and the Comcover model are two examples.
Structurally, both models are similar in that each has well defined maturity levels. The OECD model has five maturity levels, while Comcover has six. The OECD model has three elements which are not directly identified in the Comcover model, in addition to the ERM implementation elements which both models contain. The three are strategy, governance, and culture. The Comcover model covers most of these elements in the questions which assist in determining ERM implementation. In addition, the Comcover model provides a numerical value for each level. This value is based on the responses to the questions associated with each of the risk management elements in the model. While both models allow for comparative analysis of overall ERM implementation performance against other departments or agencies, the Comcover approach is less subjective.
Finally, the historical assessment of ERM implementation by Comcover shows maturity models are useful in encouraging and tracking ERM implementation.
- Organization for Economic Co-operation and Development, 2021, “Enterprise Risk Management Maturity Model”, https://oecd/tax/forum-on-tax-administratin/publications and products/enterprise-risk-management-maturity-model.pdf
- Kline, James J., 2019, Enterprise Risk Management in Government: Implementing ISO 31000:2018, CERM Academy, Portland OR, available on Amazon.
- Op. cit., page 15.
- Ibid., page 19.
- Comcover, 2018, Comcover Risk Management Benchmarking Program 2018, Survey questions, Department of Finance, Australian Government.
- Deloitte, 2019, Comcover Risk Management Benchmarking Program 2019 Key Findings Report, June, https://www.finance.gov.au/site/default/file/2019-11/2019-key-findings-report.pdf.
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has worked for federal, state and local government. He has over ten years’ supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality in government and risk analysis. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon. He is the principal of JK Consulting.