The State of Risk Maturity

September 27, 2018


The following article is based on my opinion of the risk maturity level in Southern Africa, given the numerous clients whose risk methodologies we review and the hundreds of detailed risk registers that we convert from unstructured Excel into a structured database such as BarnOwl. Below are my comments pertaining to the seven elements of Risk Maturity aligned to the RIMS Model.

Adoption of ERM

In general, I think most organisations see the need for effective risk management and are keen to adopt it; however, the embedding of risk management is not there yet. Reporting on risk management is still in many cases a ‘tick box’ exercise confined to the annual reporting of a few top risks to ensure compliance with King IV (copyright Institute of Directors Southern Africa).

ERM Process Management

We have mature frameworks such as ISO 31000 and COSO, and almost every organisation has a very ‘nice’ ERM methodology document which looks great on paper. However, in reality the risk registers themselves are often of poor quality, with incidents, root causes and risks mixed up, controls lumped together and all rated the same, and generic / vague action plans with no real-time monitoring.
Arguably over 50% of organisations are still using Excel to manage their risk management process which explains the poor and unstructured quality of data.

Risk Appetite Management

Not many organisations are rating their risks quantitatively and many organisations only have a high-level generic risk appetite statement which is meaningless at the lower levels of the organisation. Please see for more information on effective risk appetite setting.

Root Cause Discipline

Contributing factors / causes of a risk. However, the quality of data and the differentiation between risks, contributing factors, incidents and action plans is often lacking. Auditors are good at root cause analysis linked to findings; however, this knowledge does not often find its way back into the risk management process.

Performance Management

For risk management to be used effectively when executing vision, mission and strategy, it needs to be a living system, including the effective use of KPIs, KRIs and KCIs to drive a real-time view of objectives, risks and controls. Many financial services organisations have well-defined KRIs, which may or may not be integrated with their risk management process; however, many other organisations have yet to define their KIs (Key Indicators). There is also a greater move towards continuous auditing with real-time monitoring of KCIs (Key Control Indicators), which should be fully integrated with risk management. IT risks and controls (ITIL, COBIT, NIST etc.) lend themselves to KCIs, with more and more continuous testing and monitoring done by intelligent ‘bots’.

Business Resilience and Sustainability

Sadly, risk management is still ‘siloed’ in many cases and not integrated with operational planning and execution. Until a culture of risk management is inculcated and embedded within the organisation, the organisation will always be vulnerable to failure.

In Summary

In summary, for risk management to create value it needs to be integrated with day-to-day operations and integrated across silos. And finally, it needs to be a ‘living’ system with real-time Key Indicators and online action plans driving ownership and accountability.
The good news is that we are seeing the level of risk maturity improving over time. We also see that those organisations who take risk management seriously derive significant business benefit, with increased business resiliency and sustainability.
Watch the full video here: Click to view on YouTube

BarnOwl GRC and Audit software
Jonathan Crisp – Director