How to measure risk management maturity?
When you look at companies that are doing risk management well, what do you see? Embedded processes, dedicated and trained staff? Senior management buy-in and PMO support?
Wherever you are on your journey to improving risk management maturity in your organization, rest assured that what you see elsewhere was not the result of a single intervention. Companies develop maturity in risk management over time, building on their foundations and previous experiences to evolve to where they need to be.
Where are you on your journey? Here are the stages that companies go through in order to be fully integrated with the most mature risk management practices.
Ad hoc
What it looks like: In an ad hoc environment there’s not much risk management happening and certainly nothing in a structured way. Different project and program managers apply their own individual approaches to managing risk on their projects and that could mean some of them do nothing.
Equally, you’ll probably have ‘hero’ project managers who go above and beyond when a risk is identified. It’s great to have people dedicated to the company’s objectives but this type of firefighting is not sustainable or desirable.
Risks: The biggest challenge in a project environment with hardly any risk management is that there are a lot of surprises. Problems that you weren’t aware of can hinder progress in every area. Ad hoc risk management is also very costly as you don’t have the information to plan for risks when they could possibly be dealt with more cheaply and easily.
Putting in place the basic process will avoid the frustrations of working in an ad hoc environment.
Basic
What it looks like: In a culture with basic risk management you have rudimentary processes in place. These focus mainly on what happens within projects.
Project managers may or may not choose to use the processes. There’s not much information available about what they are doing to manage risks and this isn’t regularly discussed in Project Board meetings, although some project managers may be doing that.
Risks: Having some information available to you is often more dangerous than having none at all. The piecemeal application of risk management at this level can mean larger problems are overlooked while management focuses on the reports they do have – which could be about issues that are simple enough to resolve.
Documenting processes and ensuring the risk management work begins before the project starts will help move your teams to the next level of maturity.
Defined
What it looks like: When you reach a defined level of risk management maturity you have made great inroads into standardization. Processes are documented and there is more consistent application. Risk management is included in quality audits. It is on the radar for the PMO, so they are able to check and support project teams in risk management tasks.
The management teams or senior project managers may use some limited predictive modelling to improve their risk assessments and provide deeper, more quantitative information about risk impacts.
At this level, we’d expect to see senior management involvement in risks, so there is a clear escalation path for when project teams are unable to deal with a risk alone. You’ll also have customers and suppliers involved in the process, so there is open and transparent conversation about risks and their potential impacts.
Risks: This is a good solid level of performance, but risk management is still not mandated across the business or integral to the way projects are selected. The risks here are around making unwise investment decisions because the risk profile of a project is unknown. Finally, management teams can become complacent: they are getting risk reports and basic information and feel that is adequate.
Making risk management an integral part of investment decisions and project prioritization is the next step to building maturity.
Improving
What it looks like: This step takes everything at the levels before and builds on it. Risk management practices are used early on during project identification. Risks are included in business cases in enough detail to ensure that investment decisions are viewed through a lens of complete information.
Project and program managers follow the mandated, structured processes and their senior managers understand and support their work. The risk reporting can be tailored to the audience and used to inform decisions on a project.
Risks: Again, a major risk here is complacency. Having said that, many organizations will reach this level and feel that they have done enough to meet their corporate goals. If it’s right for you to stop here, then that’s a decision to make with your executive teams.
It’s useful to understand what the most mature organizations look like before you decide if that’s the right course of action for your business.
Optimized
What it looks like: At this, the top level of risk management maturity, managing risk is part of the fabric of the company.
Risk management processes and practices are fully integrated. Project and program managers know how to deal with risks of all shapes and sizes and they know who to ask for help when it’s required. Risk reporting is cascaded up and down the organization, with the right people getting the right information for their needs at the right times.
Lessons learned – both from positive experiences and those that went less well – are fed into the organizational knowledge repository so that future projects can benefit.
Risks: With such advanced levels of risk maturity there is always a risk that senior managers will take it for granted that processes are followed. New staff need to be on-boarded and quickly brought up to speed with what is expected of them with regard to risk management. New senior managers need to understand their role. Continual reiteration of the processes takes work, but it’s worth it to maintain the benefits of a fully optimized risk management environment.