
RIMS Risk Maturity Model

2012-02-06 17 pages pdf 1MB 36 reads

November 27, 2006

RIMS Risk Maturity Model (RMM) for Enterprise Risk Management

To benchmark your ERM program and receive a personalized assessment, go to http://www.RIMS.org/RMM

© 2006 by Risk and Insurance Management Society, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission.

Preface and History

The Risk and Insurance Management Society, Inc. (RIMS) is a nonprofit organization dedicated to advancing risk management, a profession that protects physical, financial and human resources. Founded in 1950, RIMS represents nearly 3,900 industrial, service, nonprofit, charitable and government entities. The society serves about 9,600 risk management professionals around the world.

RIMS has adopted Enterprise Risk Management (ERM) as a core competency and will dedicate significant resources to it. To build an Enterprise Risk Management community, RIMS has launched the Enterprise Risk Management Center for Excellence. This provides educational and networking opportunities for members and coordinates important ERM resources.

John Phelps, a RIMS board member, is chairman of the RIMS ERM Development Committee. The ERM Committee recognized the need for ERM education and a mechanism for measuring ERM maturity, so it created a Risk Maturity Model to let organizations reach risk management’s next level.

The ERM Committee recognized the value of partnering with an expert ERM solutions provider to tap RIMS’ practitioners’ expertise and create the RIMS Risk Maturity Model. RIMS selected LogicManager, a leading developer of Enterprise Risk Management solutions and creator of its own innovative risk maturity model. LogicManager, based in Boston, donated its intellectual property, expertise and services and the RIMS Risk Maturity Model was born.
This RIMS Risk Maturity Model is primarily an educational and benchmarking resource for Chief Risk Officers and other risk professionals to collaborate with their Board of Directors, senior management, operations management and managers from support functions of IT, internal audit, compliance, etc.

Acknowledgements

ERM Development Committee

ERM Development Committee Chair: John Phelps, Director of Risk Management, Blue Cross and Blue Shield of Florida, Inc.
ERM Development Committee Vice Chair: Carol Fox, Senior Director, Risk Management, Convergys Corporation
ERM Development Committee Liaison: Mary Roth, Executive Director, Risk and Insurance Management Society, Inc. (RIMS), 1065 Avenue of the Americas, 13th Floor, New York, NY 10018, Phone: 212.286.9292

ERM Development Committee Members

Eric Benson, Principal Risk Analyst, Corporate Risk Management, Allianz Life Insurance Co. of NA
Roy Fox, Enterprise Risk Management Manager, Bonneville Power Administration
Dan Kugler, Assistant Treasurer, Risk Management, Snap-on Inc.
Michael Maida, Corporate Risk Manager, Agricore United
Joanna Makomaski, P. Eng., Manager, Risk Management, Enbridge Gas Distribution Inc.
Julie Pemberton, ARM, Manager, Enterprise Risk Management, Chiquita Brands International Inc.
Beaumont Vance, Senior Enterprise Risk Manager, Sun Microsystems Inc.

ERM Risk Maturity Model Developer

Steven Minsky, Chief Executive Officer, LogicManager, Inc. (www.logicmanager.com), 30-31 Union Wharf, Boston, MA 02109, Phone: 617.649.1320

We welcome your feedback. Please provide us your comments and questions on the RIMS Risk Maturity Model to: steven.minsky@logicmanager.com.
Board of Directors Members

President: Michael Liebowitz, Director of Insurance and Risk Management, New York University
Vice President: Janice Ochenkowski, Managing Director, Jones Lang LaSalle
Treasurer: Deborah Luthi, Director, Risk Management Services, University of California, Davis
Secretary: Joseph Restoule, Senior Risk Consultant, NOVA Chemicals Corporation

Directors

Janet Barnes, Snohomish County PUD No. 1
Karen Beier, Vice President, Risk Management, Shaklee Corporation
Scott Clark, Risk & Benefits Officer, Miami-Dade County Public Schools
Terry Fleming, Director, Division of Risk Management, Montgomery County, Maryland
Michael Gaona
Jackie Hair, Corporate Director, Worldwide Risk Management, Ingram Micro Inc.
John Hughes, Director, Risk Management, Alex Lee, Inc.
Kim Hunton, Risk Manager, City of Ottawa
Daniel Kugler, Assistant Treasurer, Risk Management, Snap-on Inc.
Janice McGraw, Manager, Risk Management & Insurance, McGill University
John Phelps, Director of Risk Management, Blue Cross and Blue Shield of Florida, Inc.
Ellen Vinck, Vice President, Risk Management & Benefits, BAE Systems Ship Repair

Risk and Insurance Management Society, Inc. (RIMS) wishes to recognize:

Overview

Smart, dedicated workers aren’t enough. The Software Engineering Institute (SEI) at Carnegie Mellon University, which pioneered the Maturity Model concept in the mid-1980s, said, “Everyone realizes the importance of having a motivated, quality work force and the latest technology, but even the finest people can’t perform at their best when the process is not understood or operating at its best.” Enterprise Risk Management (ERM) is a process.
What is lacking is a tool for objective and consistent measurement of its effectiveness. The RIMS ERM Development Committee and LogicManager stepped in to develop this missing link -- the RIMS Risk Maturity Model. A benchmarking framework designed to create clear, precise criteria, RIMS Risk Maturity Model (RMM) facilitates thorough planning and communication and guides monitoring and control.

The role of the RIMS Risk Maturity Model for Enterprise Risk Management

If Enterprise Risk Management is the weapon, the RIMS Risk Maturity Model (RMM) is the plan of attack. The RIMS RMM provides ERM practitioners with a way to combine all the best elements from the most important models and standards. This applies to all industries and across the risk spectrum. This RIMS RMM is a ladder of progressively organized and mature performance levels, a way to evaluate and set goals.

Focus the risk picture

While the risk officer ranks fill up rapidly, most learn on the job. They come to risk management with a variety of backgrounds -- legal, finance, internal audit, risk management, compliance or IT. Their views tend to align with their backgrounds and responsibilities. Rigorous controls might take precedence for the internal auditor, for instance, while regulations might be a priority for the compliance team. Security might be key for the information technology group and brand and company reputation could be a top goal for marketing.

The smart risk officer recognizes the importance of all of those, but doesn’t stop there. The team must also be led to balanced, big-picture decisions. The RIMS RMM crystallizes the risk picture by analyzing best practices and setting goals. This lets the risk officer and stakeholders build consensus about priorities and tactics.
A common approach ensures results – efficiencies in the short term, reduced uncertainty in routine decisions in the mid-term and, in the long term, a competitive advantage gained by making big bets on emerging trends. For both veteran risk managers and novices, RIMS RMM is an indispensable tool that provides a game plan for program development and enhances risk management. And it also speeds the delivery of a rock-solid ERM Process, building a foundation for improving programs, strengthening objectivity and prioritizing resources for allocation.

Benefits of using a Maturity Model

The Maturity Model approach is a method that’s proven across a variety of industries. Based on extensive case studies in which a Maturity Model approach was used over the past 25 years, the evidence shows that with each step up in maturity level, organizations get concrete results. A Maturity Model is a structured way of highlighting aspects of effective ERM Processes.

Benefits for Practitioners
• Build consensus and establish milestones.
• Benchmarking from best practices.
• Communicate clearly to the board, regulators, rating agencies, executive management, process owners, support functions (back office groups such as internal audit, IT and compliance), etc.

Benefits for ERM stakeholders
• Streamline the ERM Process.
• Eliminate duplication of efforts and connect support functions with process owners.
• Measure ERM value, based on priorities.
• Create a shared language and vision.

Benefits for Organizations
• Tackle inadequately addressed risks and opportunities.
• Resolve business process inefficiencies.
• Build a repeatable and scalable process for better decision making.

Reduce costs

Understanding a risk’s root cause is much cheaper than simply treating the symptom. ERM uncovers and attacks the root cause.
Example: a global energy company tried to save 10 percent on maintenance costs, but pipeline leaks cost them billions of dollars in clean-up costs and damage to their reputation. ERM connects the root cause to the ultimate cost and improves decision making at a fraction of the cost.

Increase top line revenue

A compliance issue can lead to rethinking business strategy and finding an opportunity to generate revenue. Example: a bank responds to a government regulation requiring it to switch from paper checks to digital images. It uses ERM to uncover a strategy to acquire customers nationally, rather than regionally, by expanding where it once had no infrastructure to transport paper checks. ERM helps managers think strategically.

Reduce variance on plan achievement reporting.

Planning is essential to success and allocating resources. Uncertainty in planning leads to bad decisions. Volatility of earnings affects stock prices because it undermines confidence in the planning cycle. ERM uncovers the uncertainty and helps managers plan better, creating more reliable results. Example: Bad weather doesn’t make workers late, but ignoring the weather forecast and not leaving extra time for inevitable delays does. ERM is about using the weather report that lets workers understand the likelihood that a storm will occur. The impact is the size of the storm and the controls’ effectiveness are the alternate routes to work.

To determine how these benefits apply to your organization, conduct a baseline assessment and use real observations and details to create an effective ERM process that produces results.

How to use the RIMS RMM

Culture is the way we think, believe and behave. A risk management competency is made up of a set of common values about how we manage risk and uncertainty.
The culture within an organization greatly affects the effectiveness of an ERM program, including how we value skepticism and doubt, and how clearly we understand influences that impact our judgment.

The RIMS Risk Maturity Model (RMM) defines the elements and characteristics, called attributes, that make up a strong risk management competency within the organization’s culture. The RIMS RMM defines these seven attributes on a scale of five maturity levels. Each level ranks an organization according to its achievement of Enterprise Risk Management best practices in its processes. A chain is only as strong as its weakest link. A strong risk management cultural competency is demonstrated by the highest level on each of the RIMS Risk Maturity Model Attributes.

RIMS RMM Professional Development Courses

RIMS offers professional development courses that provide the methodology of how to maximize the RIMS RMM to build stronger ERM programs and achieve success by evolving a stronger risk management competency within an organization’s existing culture. Measuring where you are in the development process is the first step to set goals and measure progress in this organizational competency. The RIMS courses help risk managers perform a gap analysis between capabilities and best practices outlined in the RIMS RMM to achieve higher capability. Objective evaluation criteria and a scoring methodology provide the basis to evaluate use of risk management best practices. The concept of a cost-benefit analysis helps managers prioritize goals within their ERM programs to increase their capabilities and maturity level.

In utilizing the RIMS RMM, everyone assesses their own business areas, contributes to ERM goals and plans how to achieve them. Often, it’s the way information is collected and used that influences choices, not the information itself. With the RIMS RMM, all stakeholders are involved in the process, meaning everyone rallies around the final results.
“ERM – considering risk in a new way.”

1. Participate in the Benchmarking Exercise
2. Receive a personalized Assessment Report and download the full version of the RIMS Risk Maturity Model (RMM)
3. Take a RIMS Professional Development Course to apply the RIMS Risk Maturity Model to your organization

Stronger risk management cultural competency

RIMS Risk Maturity Model (RMM) Definition of Terms

Enterprise Risk Management (ERM) Framework
The culture, processes and tools to identify strategic opportunities and reduce uncertainty. The framework establishes communication and consultation methods with respect to critical risks in order to achieve an organization’s business objectives. It formalizes process and content accountability. The ERM Process is the time-tested foundation of risk management methodology, pioneered by the risk management discipline and detailed in the Associate in Risk Management (ARM) designation program. It was later adopted and enhanced by other standards organizations. [1]

The ERM Process
A sequential process that supports the reduction of uncertainty and promotes the exploitation of opportunities. The ERM Process steps are detailed below.

Plan Focus - Establish external, internal and risk management criteria for evaluating risk.

Identify where, when, why and how business model, market, events, and operations, etc. associated with business changes, issues, and others – whether known or under-reported – might prevent, degrade or support goals.

Assess perceived risk through consistent, objective and pervasive evaluation criteria of impact, likelihood and effectiveness of controls to quantify the risk level.
Potential opportunity is measured by impact, timeliness and assurance to examine the performance level. This creates a way to calculate an internal index. This analysis considers the range of potential consequences, and how to prioritize risks and opportunities. The residual risk or potential gain is determined.

Evaluate risk tolerance to determine acceptable risk and opportunity levels and consider the balance between potential benefits and drawbacks. Decide on scope, priorities and timelines.

Mitigate risk and exploit opportunities. Develop risk or opportunity activities for reducing uncertainty, increasing potential benefits and reducing potential costs. Collaborate with stakeholders and leverage expertise (Six Sigma [2], compliance, internal audit and others) to design improvement, transfer, control and other action activities. Weigh the cost of activities against the expected value of future uncertain events. [3]

Monitor timeliness and effectiveness of mitigation activities by risk owners. Gauge program to ensure changing circumstances do not alter priorities and escalate issues. Unacceptable tolerance and mitigation should be reported to the appropriate manager.

Business Process Owner
The individual(s) responsible for process design and performance. The process owner is accountable for sustaining the gain and identifying risk and future improvement opportunities on the process.

Risk Owner
The individual who is accountable for the validation, assessment and action plan to care for a particular risk. [4]

Risk Plan
The basic communication for each specified Plan Focus that is used throughout the ERM Process to gather, organize and report information. Its items might also include contacts, activities, journal entries, notes and documents.

Attributes
Similar to individual employee performance evaluations, the RIMS RMM provides a set of attributes that drive business value. The RIMS RMM Attributes are designed to be compatible with various specialized frameworks, such as the Australian/New Zealand Risk Standard, COSO ERM, COBIT 4.0, Standard & Poor’s ERM, Sarbanes-Oxley, etc. [5]

Maturity Levels
Detailed descriptions for each Attribute provide five maturity levels ranging from Non-existent to Leadership. Organizations measure their ERM Process against these maturity levels and set improvement targets.

Benchmarking
Using the RIMS Risk Maturity Model, RIMS sponsors cross-industry benchmarking to identify emerging trends. RIMS and non-RIMS members are invited to participate in this global exercise. Comparing maturity levels of other organizations highlights ERM priorities and evolving industry requirements. For more information on participating in the benchmarking survey, go to the Enterprise Risk Management (ERM) Center of Excellence page on the RIMS website. (http://www.RIMS.org/ERM)

[1] Standards Australia International Ltd and Standards New Zealand (The AS/NZL 4360), The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM The National Forum for Risk Management in the Public Sector, ISO/IEC Guide 73, JIS Q 2001 Japanese Industrial Standards Committee “International Risk Management Standard”, COSO Enterprise Risk Management Integrated Framework 2004 “Treadway commission”, Canadian BIP 2012, CAN/CSA Q850-07, etc.
[2] Six Sigma definition, Trademark of Motorola corporation
[3] Taking into consideration whatever is appropriate for the organization to approve an action plan including capital at risk, Risk Adjusted Return on Capital (RAROC), cost benefit analysis, time value of money discounted in net present value, etc.
[4] For the context of this document Process Owners are assumed to be Risk Owners. However, in some organizations the risk owner may or may not be the same as the process owner. For example in the case where a process is outsourced, the risk owner remains within the corporation.
[5] Examples of specialized approaches: COSO ERM Framework: Internal Environment, Objective Setting, Event Identification, Risk A