
A new tool for assessing the Organizational Risk Maturity: a diagnose matrix

Authors: Luciel Henrique de Oliveira, Luiz Carlos Di Serio

Abstract

Based on a compilation and reinterpretation of traditional models of management maturity in four different perspectives, this work aimed to propose a new approach: a matrix to diagnose and measure the Organizational Risk Maturity. The working methodology consisted of a literature review of the most common models for evaluating organizational maturity, and their compilation. The proposed matrix was applied to three cases of companies for testing and validation. Performance improvement professionals can use this matrix to diagnose the current internal state of the organization, articulate the desired future state, and coordinate change solutions.

1. Introduction

This paper presents a theoretical essay on organizational risk maturity models, compiling traditional models in a new approach with four perspectives: organizational, sustainability, global supply chain and project management. For this, we consider some traditional maturity models along with other contemporary ones. It aims to bring a new integrated view of the issue of corporate risk, and to enable a wider measurement and analysis of how the company treats its risks. The optimization of supply chains, the greater interdependency between companies prompted by the evolution of lean manufacturing, and the establishment of global supply networks have increased companies' exposure to different types of uncertainties and, consequently, to greater risk (HARLAND et al., 2003). According to the Global Risks 2008 report, published by the World Economic Forum, the main current risks stem from supply chains, the financial system, food safety, and issues related to energy availability and use. The issues usually differ between an organization and an individual project, and likewise between sustainability and operational subjects. This fact needs to be taken into account when using the models. One must first decide whether to determine the organization's risk management (RM) maturity level or a specific project's risk management maturity level, and whether sustainability and operations & global sourcing maturity levels also need to be considered.

The American Institute of Certified Public Accountants (AICPA, 2014) classifies business risks into three groups: (1) risks relating to the business environment: threats in the business environment in which the company operates (competitive, political, regulatory and financial demands); (2) risks related to business processes and assets: threats to key business processes and loss of physical, financial and other assets; and (3) risks relating to information: threats due to the lack of quality information for decision making and for supplying information to third parties. Complementing this, Martin, Santos and Dias Filho (2004, p.10) also propose three dimensions of business risk, as in Figure 1.

Risk Class: Discrimination

Ownership Risks: Associated with the mobilization, acquisition, maintenance and arrangement of assets (with the exception of human assets).

Process Risks: Originating from the use or operation of assets to achieve business objectives.

Behavioral Risks: Linked to the acquisition, maintenance, use and arrangement of the enterprise's human asset base, among which is the ability of management.

Figure 1: Dimensions of the business risk. Source: Adapted from Martin, Santos & Dias Filho (2004)


Risk can occur in many different forms, such as known or unknown, quantitative or qualitative, and even real or imaginary (Shaw, Abrams, & Marteau, 1999). According to Thamhain (2013, p.22), “risk is derived from uncertainty. It is composed of a complex array of variables, parameters, and conditions that have the potential of adversely impacting a particular activity or event, such as a project”. At a minimum, three interrelated sets of variables affect the cost and overall ability of dealing with risk: (set #1) degree of uncertainty; (set #2) project complexity; (set #3) impact. Understanding these variables is important for selecting an appropriate method of risk management, and for involving the right people and organizations necessary for effectively dealing with a specific risk situation.

Based on a compilation and reinterpretation of traditional models of management maturity in four different perspectives, this work aimed to propose a new approach: a matrix to diagnose and measure Organizational Risk Maturity in a comprehensive and timeless way. The working methodology consisted of a careful literature review of the most common models for evaluating organizational maturity, and their subsequent compilation. The next step was to propose a new maturity model, the enterprise maturity matrix, which considers broader aspects than traditional models and is more aligned with the dynamic, complex and unstable reality of the contemporary market. Finally, the proposed matrix was applied to three cases of companies for testing and validation.

2. Theoretical Framework

2.1. Organizational Risk Management Maturity Model – OR3M

The Zou, Chen, & Chan (2010) study describes the development process of a Web-based risk management maturity model (RM3), including its contents, its validation and testing, as well as its applications. The RM3 contains five attributes (management, culture, risk identification, risk analysis, and systematic risk management), and these are measured against a four-level scale: initial, repeated, managed, and optimized. “The risk management maturity model RM3 was successfully developed and validated using a group of risk management experts and specific construction organizations” (ZOU, CHEN, & CHAN, 2010, p.862).

The authors note that once tested, the RM3 was also successfully used in different construction organizations to gain a broad understanding of the current risk management maturity in the industry. Based on the research findings, it could be claimed that the RM3 developed in this research was user friendly, comprehensive, practical, and useful for construction organizations. It was found that the size and history of a construction organization may affect its risk management maturity: the bigger the organization and the longer its history, the more mature it is in risk management. The weakest attribute in construction organizations and the industry as a whole is risk analysis. As a starting point to enhance their risk management practice, construction organizations may use the RM3 to assess their current risk management maturity. Based on the study of Zou, Chen, & Chan (2010) and the RMRDPC (2002) document, the Organizational Risk Management Maturity Model (OR3M) was developed, as shown in Figure 2.

At level 5, the risk management results from past historical and relevant data are analyzed to determine how accurate risk identification and analysis were versus actual impacts and causes. Zou, Chen, & Chan (2010) implemented the model in a sample from the Australian construction industry. They found that the weakest attribute was “analyzing risks”, followed by “application of standardized risk management process”.


Levels: Level 1 Initial; Level 2 Ad hoc; Level 3 Repeatable; Level 4 Managed; Level 5 Optimized.

Management Perspective
  Level 1 (Initial): The organization is unaware of the need and value for risk management and has no structured approach to dealing with risk.
  Level 2 (Ad hoc): The organization starts to become aware of the need and value for RM, and a structured approach begins to be used to deal with hazards.
  Level 3 (Repeatable): Basic RM processes are established on a project-by-project basis, although they may not be consistently achieved in all cases.
  Level 4 (Managed): Generic RM systems and processes are formalized, implemented and documented, and the benefits are understood at all levels of the organization.
  Level 5 (Optimized): The organization has a risk-aware culture with a proactive approach to RM in all project activities.

Organizational Risk Culture
  Level 1 (Initial): The organization is not experimenting with the application of RM.
  Level 2 (Ad hoc): The organization starts searching for applications of RM.
  Level 3 (Repeatable): The organization makes realistic project commitments based on the results observed on previous projects and on the risks identified for individual projects.
  Level 4 (Managed): Top management provides strong support while employees are empowered to implement RM processes and take on risks.
  Level 5 (Optimized): Risk information is actively used to improve RM processes and gain competitive advantage. The consideration of risk is inherent to all processes.

Identifying Risks
  Level 1 (Initial): No attempt is made to identify risks in the project or to develop mitigation or contingency plans.
  Level 2 (Ad hoc): The organization initiates attempts to identify project risks and begins structuring mitigation plans.
  Level 3 (Repeatable): RM is disciplined because planning and tracking of individual projects is stable and earlier successes can be repeated.
  Level 4 (Managed): RM is systematically structured; planning and monitoring of projects is stable and based on learning from previous successes and failures.
  Level 5 (Optimized): Identifying, assessing and managing uncertainty becomes second nature to the organization, and risk management is built into all activities.

Analyzing Risks
  Level 1 (Initial): The normal method for dealing with problems is to react after a problem occurs, with no proactive thought.
  Level 2 (Ad hoc): The organization continues reacting after a problem occurs, but begins proactive thinking.
  Level 3 (Repeatable): A minimum RM process has been applied, including risk identification, analysis and responses.
  Level 4 (Managed): A well-structured RM process is applied, with frequent identification and analysis of risks and responses.
  Level 5 (Optimized): Risks are not only identified and analyzed but also optimized, so that opportunities are maximized.

Standardized RM (Risk Management) Process
  Level 1 (Initial): The organization has no formal or structured RM process in place.
  Level 2 (Ad hoc): Occasionally, capable and forceful managers can identify and work to mitigate risks during the project.
  Level 3 (Repeatable): There is a lack of organization-wide and standardized RM processes.
  Level 4 (Managed): The process is based on a common, organization-wide understanding of the activities, roles and responsibilities.
  Level 5 (Optimized): Risk review and learning is implemented. An RM knowledge base is established and used for risk and opportunity optimization modeling.

Figure 2: Organizational Risk Management Maturity Model – OR3M. Source: Adapted from Zou, Chen, & Chan (2010) and RMRDPC (2002).


2.2. Sustainability Risk Management Maturity Model – SR3M

Levels: Level 1 Viewing compliance as opportunity; Level 2 Making value chains sustainable; Level 3 Designing sustainable products and services; Level 4 Developing new business models; Level 5 Creating next-practice platforms.

Central challenge
  Level 1: To ensure that compliance with norms becomes an opportunity for innovation.
  Level 2: To increase efficiencies throughout the value chain.
  Level 3: To develop sustainable offerings or redesign existing ones to become eco-friendly.
  Level 4: To find novel ways of delivering and capturing value, which will change the basis of competition.
  Level 5: To question, through the sustainability lens, the dominant logic behind business today.

Competencies needed
  Level 1: The ability to anticipate and shape regulations. The skill to work with other companies, including rivals, to implement creative solutions.
  Level 2: Expertise in techniques such as carbon management and life-cycle assessment. The ability to redesign operations to use less energy and water, produce fewer emissions, and generate less waste. The capacity to ensure that suppliers and retailers make their operations eco-friendly.
  Level 3: The skills to know which products or services are most unfriendly to the environment. The ability to generate real public support for sustainable offerings and not be considered as “greenwashing.”
  Level 4: The management know-how to scale both supplies of green materials and the manufacture of products. The capacity to understand what consumers want and to figure out different ways to meet those demands. The ability to understand how partners can enhance the value of offerings.
  Level 5: Knowledge of how renewable and nonrenewable resources affect business ecosystems and industries. The expertise to synthesize business models, technologies and regulations in different industries.

Innovation opportunity
  Level 1: Using compliance to induce the company and its partners to experiment with sustainable technologies, materials and processes.
  Level 2: Developing sustainable sources of raw materials and components. Increasing the use of clean energy sources such as wind and solar power. Finding innovative uses for returned products.
  Level 3: Applying techniques such as biomimicry in product development. Developing compact and eco-friendly packaging.
  Level 4: Developing new delivery technologies that change value-chain relationships in significant ways. Creating monetization models that relate to services rather than products. Devising business models that combine digital and physical infrastructures.
  Level 5: Building business platforms that will enable customers and suppliers to manage energy in different ways. Developing products that won’t need water in categories associated with it, such as cleaning products. Designing technologies that will allow industries to use the energy produced as a by-product.

Figure 3: Sustainability Risk Management Maturity Model – SR3M. Source: NIDUMOLU, PRAHALAD & RANGASWAMI (2009, p.5)


Sustainability isn’t the burden on bottom lines that many executives believe it to be. Becoming "environment-friendly" organizations can lower costs and increase revenues. That's why sustainability should be a touchstone for all innovation. Nidumolu, Prahalad & Rangaswami (2009) say that in the future, only organizations that make sustainability a goal will achieve competitive advantage. That means rethinking business models as well as products, technologies and processes (Figure 3). Today we note that sustainability is starting to transform the competitive landscape, which will force organizations to change the way they think about products, technologies, processes and business models. By treating sustainability as a goal, early movers will develop competencies that rivals will be hard-pressed to match. That competitive advantage will stand them in good stead, because sustainability will always be an integral part of development. Becoming sustainable is a maturity model based on a five-level process, and each level has its own challenges. Here's how to tackle them and emerge from the recession ahead of the pack.

2.3. Operations & Global Sourcing Risk Management Maturity Model – OGS3M

Global sourcing can bring many benefits to organizations, but it can also expose them to a number of risks. So we need to understand how managers assess global sourcing risks across the entire supply chain and what actions they take to mitigate those risks. Supply chain risk management has increasingly attracted the interest of academics and practitioners. The research reported here focuses on a specific type of risk, which we have termed "supply risk", i.e. those risks associated with the sourcing of products by a focal firm. This type of risk has been investigated by several authors (e.g. Fagan, 1991; Peck and Juttner, 2002; Christopher & Lee, 2004; Fitzgerald, 2005; Trent & Monczka, 2005; Tsai, Liao, & Han, 2008).
However, there is still a limited understanding of how supply risks should be assessed when making global sourcing decisions and how they are mitigated once global sourcing is in place. Risk in supply chains is a critical issue, since companies that are unable to manage it are likely to suffer in terms of performance. Poorly managed risks can lead to inaccurate forecasting, lower product quality, a decrease in turnover and share price, loss of reputation, poor relationships with the other members of the supply chain and conflict amongst the organization’s stakeholders (Cousins et al., 2004). To eliminate, or at least mitigate, these effects, companies need to adopt supply chain risk management strategies (Frosdick, 1997; Christopher, 2005; Manuj & Mentzer, 2008). Christopher et al. (2011) revealed that most companies do not have a structured supply chain risk management and mitigation system. Nevertheless, they do use a number of informal approaches to cope with risk. The paper proposes that a multidisciplinary approach is required when dealing with global sourcing risks. The study presents a classification of risks covering four categories: supply risk, process and control risks, environmental and sustainability risks, and demand risks. The authors address a research gap concerning managers’ approaches to assessing and mitigating supply chain risk in a global context. In this context, this study proposes a new categorization for global sourcing risks and offers a characterization of global sourcing risk mitigation strategies applicable to different industries. Christopher and Peck (2004) and Christopher (2005) classify supply chain risk into five categories: [1] process risk; [2] control risk; [3] demand risk; [4] supply risk; and [5] environmental risk. The first two risk categories relate to factors internal to an organization, the third and fourth relate to factors internal to the supply chain but external to the organization, and the fifth category relates to factors external to the supply chain. These five categories are depicted in Figure 4.

Figure 4: The relationship between supply chain risks (diagram labels: Environmental risk; Organization internal factors; Supply chain internal factors). Source: Adapted from Christopher & Peck (2004)

Models developed since 2000 take global sourcing as part of the global supply chain strategy and indicate that global sourcing is linked with marketing. Meixell & Gargeya (2005) conclude that: (a) global supply chain models need to address the composite supply chain design problem by extending models to include both internal manufacturing and external supplier locations; (b) global supply chain models need a broader emphasis on multiple production and distribution tiers in the supply chain; (c) performance measures used in global supply chain models need to be broadened in definition to address alternative objectives; and (d) most models aim to solve a difficult problem related to globalization, but few address the practical global supply chain design problem at a more comprehensive level. Global sourcing risks caused by these factors can be classified into different categories. Based on the supply chain risk categorization proposed by Christopher and Peck (2004), Christopher et al. (2011) propose that global sourcing risk can be classified as follows: supply risk, process and control risk, environmental and sustainability risk, and demand risk (Figure 5).

Global Sourcing Risks: Examples

Supply risk: Supply disruptions, unreliable suppliers.

Environmental and sustainability risk: Fluctuations in interest rates, quota restrictions, unanticipated resource requirements, high levels of CO2 carbon footprint emissions during the global sourcing activity.

Process and control risk: Inefficient supply teams in the organizations.

Demand risk: Variations in demand, uncertainties in the demand market.

Figure 5: Global sourcing risk classification. Source: Based on and adapted from Christopher & Peck (2004); Manuj & Mentzer (2008)

Christopher et al. (2011) proposed a frame for the strategies for mitigating global sourcing risks. They considered four possibilities: (1) network re-engineering; (2) collaboration between global sourcing parties; (3) agility, which is critical in terms of the global sourcing process since it reduces companies’ response time to supply disruptions; and (4) creating a global sourcing risk management culture. According to Ferrando & De La Parra (2008), we can consider seven main processes in Operations & Global Sourcing: Subscription, Emission, Benefits, Invoicing, Investments, Reinsurance, and Signature Authorizations (see Figure 6).

Levels: Level 1 Traditional; Level 2 Awareness; Level 3 Monitoring; Level 4 Quantification; Level 5 Integration.

Culture
  Level 1 (Traditional): No culture of control. No action of the board on either IC (Internal Control) or RM (Risk Management).
  Level 2 (Awareness): The board mandates the implantation of IC and RM. Management promotes IC in specific actions.
  Level 3 (Monitoring): The benefits of IC and RM are recognized and expected. In accordance with the board's mandate, top managers demand periodic reports on IC.
  Level 4 (Quantification): Use of the IC reports by top management for decision making. Setting strategic goals relative to risk tolerance levels.
  Level 5 (Integration): The culture of control is integrated into the ethical code. Culture of control extended throughout the organization, with a proactive focus.

Processes
  Level 1 (Traditional): Absence of formally established management processes. No implantation of IC and RM processes.
  Level 2 (Awareness): System of internal order with all the process manuals and job descriptions. Analysis of separation of tasks and conflicts of interest.
  Level 3 (Monitoring): Minimal establishment of indicators and controls in the 7 main processes. Warning system and actions to correct causes of error.
  Level 4 (Quantification): Systematic process for the calculation of SCR QIS3. Management of the business considering risks. Process of periodic quantification of the OR.
  Level 5 (Integration): Culture of information on all the processes, with indicators of losses and causes. Valuation of OR VaR or Tail VaR.

Practical Application
  Level 1 (Traditional): No application of RM. No analysis made of OR (Operational Risk).
  Level 2 (Awareness): Appointment of a person responsible for IC and application of resources.
  Level 3 (Monitoring): Qualitative methods of OR analysis. Minimal application to the 7 main processes.
  Level 4 (Quantification): Preparation and annual revision of a Risk Map. Measurement of all risks. Decision making based on the evolution of the Risk Map.
  Level 5 (Integration): Implementation of qualitative and quantitative methods, and creation of historical databases. Quantitative processing of the information with mitigating strategic goals.

Experience
  Level 1 (Traditional): Neither the principles nor the language of OR have ever been applied. No experience in RM or OR processes.
  Level 2 (Awareness): Limited to a few collaborators. Experience in processes is limited to the administration department.
  Level 3 (Monitoring): Development and implementation of processes of management and control with the aid of outside advisers.
  Level 4 (Quantification): Personnel with the capacity to implement processes of RM and control. Support of outside advisers, but under the initiative of in-house personnel.
  Level 5 (Integration): All staff with the capacity to implement processes of RM and control. The entire organization involved in the evolution of risks.

Figure 6: Operations & Global Sourcing Risk Management Maturity Model – OGS3M. Source: Adapted from Ferrando & De La Parra (2008).

2.4. Project Risk Management Maturity Model – PR3M

The PMBOK® Guide (PMI, 2008) defines Project Risk Management as the systematic process of identifying, analyzing, and responding to project risk. Successful projects have dealt effectively with all types of risk, maximizing benefits while minimizing uncertainty. This program is developing guidelines and standards to define "best practices" or "suggested practices" for effective Risk Management. Risk Management within organizations and individual projects has developed into an accepted discipline, with its own language, techniques, procedures and tools. The value of a proactive, formal, structured approach to managing risks and uncertainty is widely recognized, and many organizations are seeking to introduce risk management into their organizational and project processes in order to gain the potential benefits. Despite this increasing consensus on the value of risk management, effective implementations of risk management processes in organizations and projects are not common. Those who have tried to integrate risk management into their business processes have reported differing degrees of success, and some have given up the attempt without achieving the potential benefits. In many of these uncompleted cases, it appears that expectations were unrealistic, and there was no clear vision of what implementation would involve or how it should be managed. Organizations attempting to implement a formal structured approach to risk management need to treat the implementation itself as a project, requiring clear objectives and success criteria, proper planning and resourcing, and effective monitoring and control. In order to define the goals, specify the process and manage progress, it is necessary to have a clear view of the organization's current approach to risk, as well as a definition of the intended destination. The organization must be able to benchmark its present maturity and capability in managing risk, using a generally accepted framework to assess current levels objectively and assist in defining progress towards increased maturity.
There is currently a broad consensus on the fundamentals and potential benefits of project risk management when it is conducted within a mature and effective process and supported by a comprehensive infrastructure. The core elements of project risk management are known and used, and many organizations are noting the benefits of implementing risk processes within their projects and wider business. However, there are a number of areas where risk management needs to develop in order to build on the foundation that currently exists. One of the most important of these is the ability to measure effectiveness in managing risk. The concept of maturity models is well developed and accepted; applied to risk, it is called the Risk Management Maturity Model (RMMM), described by Hillson (1997). The Software Engineering Institute (SEI, 2001) at Carnegie-Mellon University has developed a Capability Maturity Model (CMM) for software organizations and one (CMMI) for systems engineering organizations (www.sei.cmu.edu/cmmi). These models define five levels of increasing capability and maturity, termed Initial (Level 1), Repeatable (Level 2), Defined (Level 3), Managed (Level 4) and Optimizing (Level 5). Each level is clearly characterized and defined, enabling organizations to assess themselves against an agreed scale. Having discovered its CMM level, an organization can then set clear targets for improvement, aiming towards the next level of capability and maturity. The classic report describes a Risk Management Maturity Model with four levels of process maturity, each linked to specific attributes, that provides a methodology allowing an organization to determine whether or not its risk processes are adequate for the organization, identify realistic targets for improvement, and produce action plans for developing or enhancing its Risk Management process maturity level. Much of the model is based on the initial work accomplished by Hillson (1997, 2000).

Figures 7 and 8 show the compiled Project Risk Management Maturity Model.


LEVEL 1 Initial
  Definition: Unaware of the need for management of uncertainties. No structured approach to dealing with uncertainty. Repetitive and reactive MP. Little or no attempt to learn from past projects or prepare for future projects.
  Culture: No risk awareness. No upper management involvement. Resistance/reluctance to change. Tendency to continue with existing processes even in the face of project failures.
  Process: No formal process. No RM Plan or documented process exists. None or sporadic attempts to apply RM principles. Attempts to apply RM process only when required by customer.
  Experience: No understanding of risk principles or language. No understanding or experience in accomplishing risk procedures.

LEVEL 2 Ad Hoc
  Definition: No structured approach in place. Aware of potential benefits of managing risk, but ineffective implementation.
  Culture: Risk process may be viewed as additional overhead with variable benefits. Upper management encourages, but does not require, use of RM. RM used only on selected projects.
  Process: No generic formal processes. Process effectiveness depends heavily on the skills of the project risk team and the availability of external support. All risk personnel located under project.
  Experience: Limited to individuals who may have had little or no formal training.

LEVEL 3 Repeatable
  Definition: Management of uncertainty built into all organizational processes. RM implemented on most or all projects. Formalized generic risk process.
  Culture: Accepted policy for RM. Upper management requires risk reporting. Dedicated resources for RM. Bad news risk information is accepted.
  Process: Generic processes applied to most projects. Formal processes incorporated into quality system. Risk metrics collected. Key suppliers participate in RM process.
  Experience: In-house core of expertise, formally trained in basic RM skills. Development and use of specific processes and tools.

LEVEL 4 Managed
  Definition: Risk-aware culture with proactive approach to RM in all aspects of the organization. Benefits understood at all organizational levels.
  Culture: Top-down commitment to risk management, with leadership by example. Upper management uses risk information in decision-making.
  Process: Risk-based organizational processes. RM culture permeating the entire organization. Regular evaluation and refining of process. Routine risk metrics used with consistent feedback.
  Experience: All staff risk aware and capable of using basic risk skills. Learning from experience as part of the process.

LEVEL 5 Optimized
  Definition: All the features of previous level plus: active use of risk information to improve organizational processes and gain competitive advantage.
  Culture: All the features of previous level plus: proactive risk management encouraged and rewarded. Organizational philosophy accepts idea that people make mistakes.
  Process: All the features of previous level plus: key suppliers and customers participate in the Risk Management process. Direct formal communication channel to organization management.
  Experience: Regular training for personnel to enhance skills. Documentation, knowledge management and learning from experience are indispensable.

Figure 7: Project Risk Management Maturity Model - PR3M Source: Adapted from RMRDPC (2002) & Thamhain (2013).


LEVEL 1 Initial
  Application: No structured application. No dedicated resources. No RM tools in use. No risk analysis performed.

LEVEL 2 Ad Hoc
  Application: Inconsistent application of resources. Qualitative risk analysis methodology used exclusively.

LEVEL 3 Repeatable
  Application: Routine and consistent application to all projects. Dedicated project resources. Integrated set of tools and methods. Both qualitative and quantitative risk analysis methodologies used.

LEVEL 4 Managed
  Application: Risk ideas applied to all activities. Risk-based reporting and decision making. Both qualitative and quantitative risk analysis methodologies used, drawing on valid and reliable historical data sources.

LEVEL 5 Optimized
  Application: All the features of previous level plus: state-of-the-art tools and methods. Dedicated organizational resources for Project Risk Management.

Figure 8: Project Risk Management Maturity Model - PR3M (Figure 7 complementation) Source: Adapted from RMRDPC (2002) & Thamhain (2013).

3. Proposal of a matrix to Organizational Risk Maturity Diagnosis

From the four models adapted and compiled in the theoretical framework of this paper, a matrix was arranged to diagnose and measure the Organizational Risk Maturity in a comprehensive and timeless way. This matrix is a contribution to the improvement of risk analysis and risk management practices in organizations. We took the models previously compiled and presented and applied them to the analysis of three organizations with operations in Brazil. The following section presents a test application of the proposed model with specific organizations. Further research will also try to develop methodologies to overcome the limitations identified in the previous section.

Albu & Panzar (2010) present the enterprise maturity matrix, in which maturity misalignment is one of the major reasons that many change initiatives fail. They studied different organizational maturity models and produced a more complete model, considering 13 variables: Control, Culture, Decision, Information flow, Leadership Style, Rewards, Shared values/Norms, Staff and skills, Strategy, Structure, Systems, Teams and Workforce. This model was also used in composing the matrix developed here.

3.1. Presentation of the analyzed cases

We chose to conduct semi-structured interviews with a prepared questionnaire containing specific sections to help map out the implementation process, the current stage of the risk management system, and the results obtained. For each case analyzed we conducted interviews with the executive in charge of the organization’s risk management. The interviews were based on a prepared script and were conducted in the company’s facilities during scheduled meetings. They lasted an average of 3 hours and covered the entire scope established in the script.

In each question the interviewees were asked to explain the company’s experience. At the end of questions with previously-established factors, it was requested that the interviewee grade the degree of agreement with this practice and the degree to which it has been implemented. The interview was not restricted to the suggested factors, so the interviewees were free to propose new ones. This approach aimed at obtaining a minimum group of factors for future comparison between companies. Although the selected companies did not authorize the disclosure of their names nor of details that enabled their identification, the selected cases are described in the following topics.


COMPANY A

This company is a Brazilian industrial company and a traditional player in its segment. One of the country’s most profitable private business conglomerates, it combines family control, high performance professional management, and partnerships with the capital market. Its trajectory has been marked by a capacity for innovation, risk taking and the adoption of bold new business models and products for the achievement of value solutions for the organization and society as a whole.

The company’s risk management system was implemented in 2005, during the selection of a consultancy firm as part of the formalization of the risk analysis process. Some specific areas in the company already had a risk-identification and handling system, although there was no standardized structure and methodology. Demand for the structuring of a risk management system came from the holding company and majority shareholder. It was determined that two subsidiaries were to develop a common system that could, as a secondary goal, meet the requisites of the Sarbanes-Oxley Law. A working group was created containing members of the controllership, information technology, and auditing areas of the two companies and which was led by Investor Relations Management.

Risk identification and analysis exclusively cover the company and are not extended to its supply chain. Risk management is associated with strategic planning. Risk identification takes place at least once a year through the analysis of scenarios (external and internal environments) as part of one of the stages in the strategic planning cycle. There are preventive plans to reduce or eliminate the identified risks, while more significant risks are handled through a contingency plan drawn up in accordance to the risk’s priority. Risk management culture in Company A is still under development. According to the interviewees, risk management is still “confined” to the risk management Subcommittee and consequently, only a small number of executives have taken part in the full process - from identification to the drawing up of contingency plans for certain risks.

Risk analysis is already part of the executives’ routine and the biggest change brought by the adoption of the risk management system is the formalization of the process and the creation of a single referential (classification, terminology, templates). The process is quite effective for those involved in assessing risks and in drawing up plans of action. According to the interviewees, there is not yet proactivity in risk identification and assessment, as with few exceptions these activities are undertaken upon demand from the Subcommittee. An important determining factor for the introduction of this culture was the implementation by the CEO of the No Surprise Policy, which is frequently mentioned in his periodic statements to the company’s employees (which are called “A Chat with the CEO”). The financial department also plans implementation and has established the need “to perfect risk management”.

COMPANY B

A holding company that operates through subsidiaries in the production, distribution and commercial sectors. It is Brazil’s largest company in its segment. It has great experience and knowledge of its activities, acquired from significant expertise and tradition. Risk management as a structured process dates back to 2005, when the company started to comply with the Sarbanes-Oxley Law following its listing on the New York Stock Exchange. At the time the process was led by the Corporate Governance area, which is directly linked to the CEO. The Corporate Governance area was created in 2002, with the initial purpose of adapting the company to the BOVESPA’s Novo Mercado corporate governance level.


A process was established whereby there is annual evaluation of the controls for each of the accounts in the company’s financial statements. The process consists of identifying the interface areas and the existing controls for each line in the financial statement. Based on this there is a self-assessment of the controls’ effectiveness, followed by a series of field tests and verifications aimed at proving control efficiency. The company has four main risk areas that are the object of more detailed analysis - in the form of pilot projects. Risk management is implemented by the Risk Management Department, which reports directly to the CEO. The department has four analysts in addition to its Chief Risk Officer. Effectively the office has a supporting role and is in charge of establishing the rules and standardizing the organization’s risk management process. Identification of specific risks is done by the business areas under the Risk Management Department.

As regards culture and decision-making, the company has not developed a corporate culture for risk management. According to the interviewee, the process is still strongly linked to the strategic planning period during which SWOT analyses are carried out for each type of business. As risk management is still under implementation, there have been no evident cultural changes, as risk identification and handling have not simultaneously occurred in all areas of the company. In the case of the controls listed by the Sarbanes-Oxley Law’s certification process, there is already more awareness about the need to identify potential risks during changes in procedures – a sign of increased maturity in the company’s culture. In the interviewee’s opinion the benefits obtained from risk management are still limited, as shown by the current stage of implementation. Among the benefits proposed there is a perception of improvement in the operating results prompted by a reduction in losses and in interruptions. At this stage, it is not yet possible to associate risk management implementation with lower payments to insurers or to fundraising in the market, although the AA+ rating assigned by Austin will positively affect market confidence in the company.

COMPANY C

A diversified global industrial company that supplies products and services to clients worldwide. It is Brazil’s main producer and supplier of its products. Through a combination of the strength and expertise acquired as a global company, it has become a supplier of value and innovation to its clients. In Brazil this company has a high level of quality and commitment and supplies excellent brands, products and solutions to its clients in the South American market.

Corporate risk management in Company C started in 2006. The process was centrally coordinated in the US, as risk management is an attribution of the vice CEO responsible for the corporate management system. In Brazil the initiative to implement risk management is recent, starting in May 2008 with a workshop in the industrial plant aimed at identifying the unit’s main risks. This company’s case is different from the others, as it shows risk assessment in one production unit belonging to a global corporation. For this reason, the local risks are identified and handled almost exclusively at the operating area. Financial and strategic risks are dealt with on a corporate level and so are all the processes related to the Sarbanes-Oxley Law.

The facilitating factors considered most important for the implementation of risk management were: support from the leadership, training on how to assess risks, and the actions of the multifunctional team. The interviews showed that employees from all areas took part in a workshop held with members from headquarters and received initial training. As regards the complicating factors, the interviewee said that none of those listed actually hindered implementation or risk assessment. As the initiative came from headquarters, it received the prompt adhesion and mobilization of all parties involved.

Risk identification at the plant (operating focus) is based on corporate methodology. The process starts with a standard list of events that the units classify according to pertinence, severity and probability of occurrence. An event to evaluate risks is held annually, with participation from several areas (IT, production, sales, supply, projects, etc.). The main risks are classified and employees are appointed to draw up plans of action. As the plant has no risk indicators, reports about the monitoring of risk handling plans are presented during the plant’s executive meetings. A budget for risk mitigation actions is established on an annual basis and is also used as a basis for the executives’ evaluation. Financial exposure to risks does not take place at the plant, and there is no information available about how this is done on a corporate level.

Although risk management is still at an initial stage, as only one full cycle has been completed in the plant that is being analyzed, there is evidence that risk-related issues have started to be included in the executive and middle-management agenda. This is due to the constant monitoring of risk mitigation action plans and their inclusion as a theme of discussion in managerial meetings in several areas of the company. In the case of the evaluation of results obtained from risk management, the principal implementation gains perceived at the plant were improvements to opportunities, to threat identification and to corporate governance. When asked about his perception of the corporate risk system, the interviewee said improved investor confidence is imperceptible at plant level. There were no improvements regarding compliance with legal requirements or regarding financial reports, as these obligations had been met prior to the implementation of risk management.

3.2. Matrix Diagnosis of the Organizational Risk Maturity

As the rows of the matrix we can consider the overall organization, specific sectors, units, or even certain management practices. The framework allows us to assess the composed maturity stage considering the four aspects that make up the risk, and thus determine the greatest vulnerabilities - those with the lowest total scores. From there it is possible to develop action plans to mitigate the most serious risks.

Each of the four Risk Management Maturity Models is scored on a scale from 1 to 5. The total score is calculated by multiplying the scores obtained in the four maturity models. Thus, in the extreme situation in which the company, or the practice being assessed, is at stage 1 in all four models, its total score will be 1 x 1 x 1 x 1 = 1 (the minimum possible). At the other extreme, at stage 5 in all four models, its total score will be 5 x 5 x 5 x 5 = 625 (the maximum possible). The total can also be expressed as a percentage of this maximum, as shown.

             I Organizational  II Sustainability  III Operations & Global  IV Project  Total Score  Total Score
             (OR3M)            (SR3M)             Sourcing (OGS3M)         (PR3M)      Value        %
Company A    3                 3                  4                        5           180          28,8%
Company B    2                 4                  4                        4           128          20,5%
Company C    4                 3                  5                        4           240          38,4%

Figure 9: Risk Management Maturity Model - comparing cases. Source: Prepared by the authors.

Figures 9 and 10 show the proposed matrix applied to three cases of selected companies for testing and validation.


Figure 10: Risk Management Maturity Model – Chart comparing cases. Source: Prepared by the authors.

To show another possible application of the matrix, the case of Company C, the best evaluated in this example, was chosen for a detailed diagnosis using the elements of the enterprise maturity matrix defined by Albu & Panzar (2010). The results are summarized in Figures 10 and 11.

Company C            Organi-   Sustain-  Operations &     Project  Total Score  Total Score
Elements             zational  ability   Global Sourcing           Value        %
Control              5         3         5                5        375          60,0
Culture              4         2         4                4        128          20,5
Decision             4         4         5                4        320          51,2
Information flow     4         4         4                3        192          30,7
Leadership Style     5         3         5                4        300          48,0
Rewards              4         1         4                3        48           7,7
Shared values/Norms  5         3         4                4        240          38,4
Staff and skills     4         3         4                4        192          30,7
Strategy             4         3         4                4        192          30,7
Structure            5         2         5                4        200          32,0
Systems              4         3         4                5        240          38,4
Teams                4         3         4                4        192          30,7
Workforce            4         3         4                4        192          30,7

Figure 11: Detailed diagnosis of Company C. Source: Prepared by the authors.
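The scoring rule of Section 3.2 (product of the four 1-to-5 levels, expressed against the 625 maximum) and the ranking of rows by lowest total, applied to the levels transcribed from Figures 9 and 11, as an added example that is not the authors' own code; the function and constant names (AXES, total_score, diagnose, best_single_step) are this example's own, and best_single_step goes slightly beyond the paper by showing which axis a one-level improvement pays off most on under a multiplicative score.

```python
"""Scoring for the Organizational Risk Maturity matrix (Figures 9 and 11).
Added example, not the authors' code: AXES, total_score, diagnose and
best_single_step are this example's own names; sample levels are
transcribed from the paper's Figures 9 and 11.
"""
from typing import Dict, List, Sequence, Tuple

# The four maturity-model axes, in the column order of Figure 9.
AXES: Tuple[str, ...] = (
    "Organizational (OR3M)",
    "Sustainability (SR3M)",
    "Operations & Global Sourcing (OGS3M)",
    "Project (PR3M)",
)
MIN_LEVEL, MAX_LEVEL = 1, 5
MAX_TOTAL = MAX_LEVEL ** len(AXES)  # 5 x 5 x 5 x 5 = 625


def total_score(levels: Sequence[int]) -> int:
    """Product of the four maturity levels: 1 at minimum, 625 at maximum."""
    if len(levels) != len(AXES):
        raise ValueError(f"expected {len(AXES)} levels, got {len(levels)}")
    total = 1
    for axis, level in zip(AXES, levels):
        if not isinstance(level, int) or not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError(f"{axis}: level must be an integer {MIN_LEVEL}..{MAX_LEVEL}")
        total *= level
    return total


def score_percent(levels: Sequence[int]) -> float:
    """Total score as a percentage of the 625 maximum, one decimal place."""
    return round(total_score(levels) * 100 / MAX_TOTAL, 1)


def diagnose(rows: Dict[str, Sequence[int]]) -> List[Tuple[str, int, float]]:
    """Score each row (company, unit, practice or element) and sort ascending,
    so the greatest vulnerabilities (lowest totals) come first."""
    scored = [(name, total_score(lv), score_percent(lv)) for name, lv in rows.items()]
    return sorted(scored, key=lambda row: row[1])


def best_single_step(levels: Sequence[int]) -> Tuple[str, int]:
    """Axis whose one-level increase raises the multiplicative total the most.
    Raising a level l to l + 1 multiplies the total by (l + 1) / l, largest
    for the smallest l, so the weakest axis is the best place to act.
    Returns ("", total) when every axis is already at MAX_LEVEL."""
    best_axis, best_total = "", total_score(levels)
    for i, level in enumerate(levels):
        if level == MAX_LEVEL:
            continue
        raised = list(levels)
        raised[i] += 1
        new_total = total_score(raised)
        if new_total > best_total:
            best_axis, best_total = AXES[i], new_total
    return best_axis, best_total


# Figure 9: the three case companies (transcribed from the paper).
FIGURE_9: Dict[str, Sequence[int]] = {
    "Company A": (3, 3, 4, 5),
    "Company B": (2, 4, 4, 4),
    "Company C": (4, 3, 5, 4),
}

# Figure 11: Company C on the 13 Albu & Panzar (2010) elements (transcribed).
FIGURE_11_COMPANY_C: Dict[str, Sequence[int]] = {
    "Control": (5, 3, 5, 5),
    "Culture": (4, 2, 4, 4),
    "Decision": (4, 4, 5, 4),
    "Information flow": (4, 4, 4, 3),
    "Leadership Style": (5, 3, 5, 4),
    "Rewards": (4, 1, 4, 3),
    "Shared values/Norms": (5, 3, 4, 4),
    "Staff and skills": (4, 3, 4, 4),
    "Strategy": (4, 3, 4, 4),
    "Structure": (5, 2, 5, 4),
    "Systems": (4, 3, 4, 5),
    "Teams": (4, 3, 4, 4),
    "Workforce": (4, 3, 4, 4),
}

if __name__ == "__main__":
    for name, total, pct in diagnose(FIGURE_9):
        print(f"{name:22s} total {total:4d}  {pct:5.1f}%")
    print("Company C, greatest vulnerabilities first:")
    for name, total, pct in diagnose(FIGURE_11_COMPANY_C)[:3]:
        axis, new_total = best_single_step(FIGURE_11_COMPANY_C[name])
        print(f"  {name:20s} {total:4d} {pct:5.1f}%  raise {axis} -> {new_total}")
```

Run stand-alone it reproduces the Figure 9 and Figure 11 totals and percentages; for the Rewards row (4, 1, 4, 3), raising Sustainability from 1 to 2 doubles the total from 48 to 96, more than any other single-axis step.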

[Figure 12 chart: bar chart of Company C levels (vertical axis 0 to 6) for the elements Control, Culture, Decision, Information flow, Leadership Style, Rewards, Shared values/Norms, Staff and skills, Strategy, Structure, Systems, Teams and Workforce; series: Organizational, Sustainability, Operations & Global Sourcing, Project Management.]

Figure 12: Detailed diagnosis chart of Company C. Source: Prepared by the authors.


4. Conclusion

This paper presents a new maturity model approach, a matrix to diagnose and measure the Organizational Risk Maturity. Performance improvement professionals can use this matrix to diagnose the current internal state of the organization, articulate the desired future state, and coordinate change solutions. The proposed model was applied to three cases of organizations previously investigated and was able to guide the diagnosis in a detailed and thorough manner. Moreover, it also proved rich for a more careful analysis of each individual organization, since it considers the 13 variables defined by Albu & Panzar (2010).

Maturity alignment indicates that an organization must implement the appropriate managerial and operational processes and systems in accordance with the desired maturity level. The Risk Matrix has only construct validity and needs to be empirically tested. This seeks to keep a balance between the complexity of the reality and simplicity and ease of use. That means simplifying the complex issues of the reality, which should be carefully analyzed.

Using the matrix framework to analyze the organizational characteristics, some limitations were found: (a) the 13 variables proposed by Albu & Panzar (2010) may not cover all of an organization's complexity, so it may be necessary to consider other dimensions of the internal organization; (b) the organization's results are not included in the model, which considers structures and processes in the four major Risk Management Maturity Model axes: Organizational, Sustainability, Operations & Global Sourcing and Project Management. Further research in this topic will include testing and application of the model with specific small and medium size construction organizations. Further research will also try to develop methodologies to overcome the cited limitations.

References

AICPA (2014) American Institute of Certified Public Accountants. Corporate Portal. Available at: www.aicpa.org. Accessed on 10/03/2014.

ALBU, Emanuel & PANZAR, Carmen. (2010) A new tool for assessing maturity alignment: the enterprise maturity matrix. Performance Improvement. Vol.49, N.9. October, 2010. www.ispi.org DOI: 10.1002/pfi

CHRISTOPHER, M. & LEE, H. (2004) Mitigating supply chain risk through improved confidence. International Journal of Physical Distribution & Logistics Management, Vol. 34 No. 5, pp. 388-96.

CHRISTOPHER, M. & PECK, H. (2004) Building the resilient supply chain. International Journal of Logistics Management, Vol. 15 No. 2. pp. 1-19.

CHRISTOPHER, M. (2005) Logistics & Supply Chain Management: Creating Value-Adding Networks, 3rd ed., FT Prentice-Hall, Harlow.

CHRISTOPHER, M., MENA, C., KHAN, O. & YURT, O. (2011) Approaches to managing global sourcing risk. Supply Chain Management: An International Journal, Vol. 16 No. 2, pp. 67-81.

COUSINS, P.D., LAMMING, R.C. & BOWEN, F.E. (2004) The role of risk in environment-related supplier initiatives. International Journal of Operations & Production Management, Vol. 24 No. 6. pp. 554-65.

FAGAN, M.L. (1991) A guide to global sourcing. Journal of Business Strategy, Vol. 12 No. 2, pp. 21-9.


FERRANDO, A. & DE LA PARRA, C. (2008) Operational Risk Management Maturity Model. BDO Audiberia. Congreso Iberico de Actuarios. Lisboa.

FITZGERALD, K.R. (2005) Big savings but lots of risk. Supply Chain Management Review, Vol. 9 No. 9, p. 16.

FROSDICK, S. (1997) The techniques of risk analysis are insufficient in themselves. Disaster Prevention & Management, Vol. 6 No. 3. pp. 165-77.

HARLAND, C., BRENCHLEY, R. & WALKER, H. (2003) Risk in supply networks. Journal of Purchasing & Supply Management, v. 9.

HILLSON, David. (2000) Benchmarking Risk Management Capability. PMI Europe 2000 Symposium Proceedings, January.

HILLSON, David. (1997) Towards a Risk Maturity Model. International Journal of Project & Business Risk Management, Volume 1, Issue 1, pages 35-45, January.

MANUJ, I. & MENTZER, J.T. (2008) Global supply chain risk management strategies. Intern. Journal of Physical Distribution & Logistics Manag., Vol. 38 No. 3. pp. 192-223.

MANUJ, I. & MENTZER, J.T. (2008) Global supply chain risk management. Journal of Business Logistics, Vol. 29, No. 1. pp. 133-55.

MARTIN, N. C.; SANTOS, L. R. & DIAS FILHO, J.M. (2004) Governança empr., riscos e controles internos. Rev. contab. finanç. [online]. V.15, n.34, pp. 07-22.

MEIXELL, M.J. & GARGEYA, V.B. (2005) Global supply chain design: a literature review & critique. Logistics & Transportation Review, Vol. 41 No. 6. pp. 531-50.

NIDUMOLU, R., PRAHALAD, C.K. & RANGASWAMI, M.R. (2009) Why sustainability is now the key driver of innovation. Harvard Business Review, Sep., pp. 2-10.

PECK, H. & JUTTNER, U. (2002) Risk management in the supply-chain. Logistics & Transport Focus, Vol. 4 No. 10, pp. 17-21.

PMI. Project Management Institute. (2008) A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 4th ed. Newtown Square, PA. e-book.

RMRDPC - Risk Management Research & Development Program Collaboration (2002). Risk management maturity level development.

SEI. Software Engineering Institute. (2001) Project Management Risk Management: Continuous Representation, CMMISE/SW/IPPD/SS, version 1.1.

SHAW, C., ABRAMS, K., & MARTEAU, T. (1999). Psychological impact of predicting individuals’ risks of illness. Social Science & Medicine, 49(12), 1571–1598.

THAMHAIN, Hans. (2013) Managing Risks in Complex Projects. Project Management Journal, Vol. 44, No. 2, 20–35. April. DOI: 10.1002/pmj.21325.

TRENT, R.J. & MONCZKA, R.M. (2005) Achieving excellence in global sourcing. MIT Sloan Management Review. Vol. 47 No. 1, pp. 24-32.

TSAI, M.C., LIAO, C.H. & HAN, C.S. (2008) Risk perception on logistics outsourcing of retail chains: model development & empirical verification in Taiwan. Supply Chain Management. Vol. 13 No. 6, pp. 415-24.

ZOU, P.X.W., CHEN, Y. & CHAN, T. (2010) Understanding and Improving Your Risk Management Capability: Assessment Model for Construction Organizations. Journal of Construction Engineering & Management, Vol. 136, No. 8, August, pp. 854-63.

Endnotes Abbreviations: OR = Operational Risk; IC = Internal Control; RM = Risk Management; OM = Organization Management; MP = Management Processes.