As organizations shift towards an integrated approach to risk and incident management, leaders want to guide their teams in the right direction with confidence; this can be a challenge when you’re breaking new ground. Benchmarking is a great way to gain insight into what leading performers and competitors are doing, and see how your organization stacks up. Join us for an interactive session where you, the audience, will vote on the benchmark results and topics that are important to you, guiding the path of the presentation.
7. Our Goals with the Survey
▪ Terminology: Does the concept of IRM resonate with customers?
▪ Collaboration: How do organizations collaborate and report on risk?
▪ Risk Maturity: Where are organizations on the risk maturity curve?
18. Collaboration
How often do they work together and collaborate?
Chart values: 2, 16, 22, 44, 11
Chart categories: Every 6 months - 1 year; Not sure; Once a month; Once a week or more; Once per quarter
20. Collaboration
When collaboration between people and teams does happen, at which level does it most often occur?
Chart values: 37, 3, 13, 26, 16
Chart categories: All Levels; C-Suite Level; Employee Level; Manager Level; VP or Director Level
21. Collaboration
If collaboration between teams never occurs, why do you believe this is the case?
Chart values: 22, 24, 18, 31
Chart categories: Difficult to measure tangible benefits; No integrated vision from execs; No time for cross collaborating; Other (please specify)
22. Collaboration
If collaboration across teams became commonplace, what potential impact would that have?
▪ Reduce Redundancies
▪ Reduce the time it takes to complete projects
▪ Clearer view of overall organizational risks
▪ Alignment on organizational goals
Rating scale: 1 (Strongly Disagree), 2, 3, 4, 5 (Strongly Agree)
24. Reporting
How do the teams present reports to the Board?
Chart values: 11%, 27%, 62%
Chart categories: Other (please specify); Present one consolidated report; Present separate reports, specific to each team
25. Reporting
If teams report separately, are there areas of overlap within your report data?
Chart categories: No; Not Sure; Yes
27. RISK MATURITY MODEL
A framework to evaluate where your organization’s risk management practices are and where they need to go.
Stage 1: Tribal and Heroic
▪ Ad hoc/chaotic: depends primarily on individual heroics, capabilities and verbal wisdom
Stage 2: Specialist Silos
▪ Reaction to adverse event by specialists
▪ Discrete roles established for small set of risk
▪ Typically finance, insurance, compliance
Stage 3: Top-down
▪ Tone set at the top
▪ Policies, procedures, risk authorities defined and communicated
▪ Business function
▪ Primarily qualitative
▪ Reactive
Stage 4: System
▪ Integrated response to adverse events
▪ Performance-linked metrics
▪ Rapid escalation
▪ Cultural transformation underway
▪ Bottom-up
▪ Proactive
Stage 5: Risk-Intelligent
▪ Built-in decision making
▪ Risk interactions managed with incentives
▪ Intelligent risk taking
▪ Sustainable
▪ “Risk management is everyone’s job”
Axis labels: Unrewarded Risk; Rewarded Risk
Source: Deloitte. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/dttl-grc-riskintelligent-erm-doneright.pdf
28. IRM Maturity Level
How would you describe your organization’s Integrated Risk Management maturity level?
Chart values: 6, 31, 15, 7, 15
Chart categories:
▪ Tribal & Heroic: Ad hoc / chaotic; depends primarily on individual heroics, capabilities and verbal wisdom.
▪ Specialist Silos: Reaction to adverse events by specialists, typically finance, insurance, compliance.
▪ Top-down: Tone set at the top. Policies, procedures, risk authorities defined and communicated.
▪ System: Integrated response to adverse events. Performance linked metrics. Rapid Escalation. Bottom-up.
▪ Risk-Intelligent: Built in decision making. Sustainable. “Risk Management is everyone’s job.”
30. What are the right next steps?
Suggested Next Steps
▪ Understand that being prepared for a risk event is a multi-disciplined process
▪ Specialized silos need to exist to respond to all elements of the program
▪ Establish specialized teams
Diagram labels: Specialized Silos; Tribal
31. What are the right next steps?
Suggested Next Steps
▪ Get to know the experts in the other silos
▪ Start to coordinate with each other
▪ Get support from management to establish policies and process that improve efficiency and risk coverage by working together
Diagram labels: Top Down; Specialized Silos
32. What are the right next steps?
Suggested Next Steps
▪ Work on establishing a good risk culture
▪ Combine Pre and Post event work to reduce risk exposure
▪ Use risk occurrences, loss events, incidents to provide feedback into the controls and counter measures that work
Diagram labels: System; Top Down
33. What are the right next steps?
Suggested Next Steps
▪ Consider risk in decision making, what is the right amount of risk for the objective?
▪ Look for opportunities around risk events
▪ Organization-wide participation in risk management aligned to the organizational risk appetite
Diagram labels: Risk Intelligent; System