Risk maturity

Does this sound like you or your organisation?

We’ve got a risk register and mitigation plans. We report to the Board on risk at every meeting. We’ve got dozens of procedures that help us with compliance and work health and safety. We’re accredited to the NDIS Quality and Safeguarding standards, and maybe to another accreditation body as well. We tick the boxes on clinical compliance. We even have a risk policy based on the international standard. Surely we are doing everything we need to on risk management, right?

Maybe. If this example sounds like you, then you are certainly doing a lot of things right on risk management, and that is important both for minimising the risk of incidents and for achieving the objectives in your strategic plan.

Maybe you don’t have many, or any, of the above elements in place, and that’s ok too. Every organisation starts somewhere, and risk management measures need to be scaled from small, low-risk organisations up to larger, complex and higher-risk organisations.

Deloitte produced The Risk Intelligent Enterprise Maturity Model about a decade ago, and I think it provides a great perspective from which to look at your risk management activities, whatever the size or focus of your organisation.

Level 1 Tribal and Heroic is ad hoc risk management, which might be done well by one person or group within the organisation but depends entirely on them.

Level 2 Specialist Silos is where some risk mitigations are in place, such as insurance and a few simple policies, but risk is only thought about by a few people.

Level 3 Top-down is where the tone of risk management is set at the top and policies and procedures are in place, but risk management is still largely reactive. Many disability and aged care organisations are at this point now; the quality and safeguarding standards we operate under have ensured that most organisations get this far. However, accreditation is about meeting minimum standards, and best practice requires doing more than the minimum.

Level 4 Systematic is where risk management becomes more sophisticated. By this point, risk is a factor in every business decision, staff at all levels take ownership of it rather than waiting for direction from above, and a cultural change has taken place so that all staff view their decisions and actions through a risk management lens.

Level 5 Risk Intelligent is the highest aspiration, and it is difficult to get an entire organisation to this level. I’ve seen some teams operate at this level, and when they do, they make excellent decisions that boost profitability while limiting the downside when things go wrong, as they sometimes do.

There is a big difference between being Risk Intelligent and being Risk Averse. Being Risk Intelligent means knowing which risks your organisation is better placed than anyone else to take on, rather than avoiding risk altogether.

The international standard on risk management (ISO 31000) defines risk as the effect of uncertainty on objectives. Risk management is therefore inextricably linked to your strategy and what you are aspiring to achieve. If your strategy and business model involve working in difficult situations or with challenging people, and you have the right people and systems in place, then you can operate that business model in a Risk Intelligent way.

I’ve been in workshops where this model has been shown, and it is fascinating to watch people calibrate the risk practices of the different parts of their organisation against it.

We all want to be at level five. It’s only human, when a model like this is put up, to think that you are doing well. However, more often than not, I have heard people reflect that different functions or parts of their organisation operate at different levels.

Maybe the clinical elements of the work are at about level three or four, but back office administration functions are more like level two. If your goal is simply to meet the minimum quality and safeguarding standards for your sector, then you are likely operating at level three at best. Achieving a higher level requires leadership to model the behaviour and an organisational commitment to resource it appropriately.

What are some practical steps you can take to improve your level of risk intelligence?

Stop and think: do we need to change? What needs to change? Who do we need to talk to about making changes? Do we have the right people, tools and technology to get there? Do we need to update our risk policy or write a new one? What do we need to do to improve our risk culture? Do we need external help to map out a path to becoming more risk intelligent, or a specialist consultant to help with one element of it?

CBB consultants have experience in helping organisations plan their risk management activities. If you would like assistance with risk management, please contact 1300 763 505 for an obligation-free consultation with one of our Business Consultants.


Andrew Ellis
Business Consultant
Email: aellis@cbb.com.au
Phone: 1300 763 505


Reference: Deloitte – The Risk Intelligent Enterprise: ERM Done Right https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/dttl-grc-riskintelligent-erm-doneright.pdf