Risk maturity model

1. Risk maturity model 1 Julian: The benchmarking methodology we�re using this year relies on the concept of a risk management maturity model that is used to determine how mature an agency�s risk management framework current state is. Can you talk us through this some more Sean. Sean: That�s correct � the model introduces the concept of 5 levels of maturity, that are used to depict an agency�s evolution of risk management capability that are a result of the actions of management and their investment in the enterprise risk framework. So there are 5 levels of maturity for each of the 10 elements. Each risk element is individually described at each level of maturity. These descriptions provide the characteristics you would expect to see for each risk element of each level of maturity These levels of maturity are applied across risk elements regarded as essential for an effective risk management framework. This model is consistent with the ISO/AS/NZS 31000:2009 standards and has been used globally by Deloitte for a number of years now. The benchmarking survey has used the Comcover Better Practise Guide to customise the model and align it to the 10 risk management elements identified in the guide. Importantly, an organisation�s maturity level should be reflective of the capabilities required to achieve their objectives. So not every organisation needs to have level 5 maturity capability for every risk category � some categories might only require a level 3 or level 4. The capability is dependent on level of maturity required. Julian: So what is the final result agency�s can expect from using this model..? Sean: The end result of this is that any single agency can use the model to determine their current maturity state and measure this against where they want to be at. Julian: The benchmarking methodology we�re using this year relies on the concept of a risk management maturity model that is used to determine how mature an agency�s risk management framework current state is. Can you talk us through this some more Sean. Sean: That�s correct � the model introduces the concept of 5 levels of maturity, that are used to depict an agency�s evolution of risk management capability that are a result of the actions of management and their investment in the enterprise risk framework. So there are 5 levels of maturity for each of the 10 elements. Each risk element is individually described at each level of maturity. These descriptions provide the characteristics you would expect to see for each risk element of each level of maturity These levels of maturity are applied across risk elements regarded as essential for an effective risk management framework. This model is consistent with the ISO/AS/NZS 31000:2009 standards and has been used globally by Deloitte for a number of years now. The benchmarking survey has used the Comcover Better Practise Guide to customise the model and align it to the 10 risk management elements identified in the guide. Importantly, an organisation�s maturity level should be reflective of the capabilities required to achieve their objectives. So not every organisation needs to have level 5 maturity capability for every risk category � some categories might only require a level 3 or level 4. The capability is dependent on level of maturity required. Julian: So what is the final result agency�s can expect from using this model..? Sean: The end result of this is that any single agency can use the model to determine their current maturity state and measure this against where they want to be at.

2. Risk maturity model � 3 step process 2 Julian: There are a number of steps to the maturity model process Sean, can you briefly walk through these with us..? Sean: That�s correct. Year 1 will be used to implement the benchmarking methodology and get a measure of where each agency is at. It is important to add, that the results for this year, 2010, won�t be comparable to previous years. This is because the survey is so different. Intuitively participating agencies will be able to compare their report from this year to previous ones, but this won�t be included in this year�s benchmarking process. In Year 2, agencies will be able to compare their current maturity levels to their target maturity levels. This will include showing any gaps that exist between where an agency�s capabilities are currently at and where it thinks they should be at. And in Year 3, agencies will be able to compare how they have shifted over the entire survey period and identify where any gaps still exists. Julian: Will agencies be able to determine their own �target� maturity level? Sean: That is certainly the preferred approach. After receiving their Year 1 results it would be ideal for agencies to look closely at their requirements and identify where they want to be � remembering that not everyone needs to have the most mature level of risk management for every element.Julian: There are a number of steps to the maturity model process Sean, can you briefly walk through these with us..? Sean: That�s correct. Year 1 will be used to implement the benchmarking methodology and get a measure of where each agency is at. It is important to add, that the results for this year, 2010, won�t be comparable to previous years. This is because the survey is so different. Intuitively participating agencies will be able to compare their report from this year to previous ones, but this won�t be included in this year�s benchmarking process. In Year 2, agencies will be able to compare their current maturity levels to their target maturity levels. This will include showing any gaps that exist between where an agency�s capabilities are currently at and where it thinks they should be at. And in Year 3, agencies will be able to compare how they have shifted over the entire survey period and identify where any gaps still exists. Julian: Will agencies be able to determine their own �target� maturity level? Sean: That is certainly the preferred approach. After receiving their Year 1 results it would be ideal for agencies to look closely at their requirements and identify where they want to be � remembering that not everyone needs to have the most mature level of risk management for every element.

3. Risk maturity model � target state 3 Julian: You�ve mentioned agencies will be able to identify the gap in the level of maturity of their risk management capabilities to those of their target state. Sean: That�s correct Julian. As this slide indicates, agencies will be able to identify any gaps that exist between their current risk management capability maturity state to that of where they think it should be at. This is not just for their overall maturity state, but will also be at each individual element level. This gives the end results much more granularity and provides agencies with the ability to prioritise key areas of their risk management capabilities that need addressing. Julian: Will the survey reports show the level of maturity for each of the 10 elements? Sean: Yes, The participant report received in late May will indicate where the agency sits in terms of risk maturity for each of the 10 elements and at an overall level. Julian: You�ve mentioned agencies will be able to identify the gap in the level of maturity of their risk management capabilities to those of their target state. Sean: That�s correct Julian. As this slide indicates, agencies will be able to identify any gaps that exist between their current risk management capability maturity state to that of where they think it should be at. This is not just for their overall maturity state, but will also be at each individual element level. This gives the end results much more granularity and provides agencies with the ability to prioritise key areas of their risk management capabilities that need addressing. Julian: Will the survey reports show the level of maturity for each of the 10 elements? Sean: Yes, The participant report received in late May will indicate where the agency sits in terms of risk maturity for each of the 10 elements and at an overall level.