2.4 Review of Related Literature
2.4.15 Risk Maturity and the Risk Maturity Models (RMMs)
Risk maturity models (RMMs) are the most commonly used measurement concept among the majority of ERM researchers (Hillson 1997 and 2019; Hopkin 2012; KPMG 2021; RIMS 2006; Deloitte 2006 & 2019; Abrams, et al. 2007; Lundquist 2015; Hoseini, Hertogh and Bosch-Rekveldt 2019). Risk maturity is a term defined differently by different researchers and by ERM- and QA-focused entities. Marsh and other similarly prominent organisations argue that risk maturity as a concept is a measurement tool adopted by an organisation to help it better understand where it stands in terms of risk management, and therefore to define its overall risk position or status, including the value created from risk management initiatives.
Since, in terms of risk management, it is the intention and ultimate goal of institutions, whether academic or otherwise, to avoid negative risks (threats) and invest in positive ones (opportunities), it is important to implement a model which approaches and measures risk management clearly and formally.
Wieczorek-Kosmala (2014, p. 134) concluded in her paper that “grounded on a strategic (holistic) approach to manage risk in organisations, Risk Maturity Models are presented as a valid tool, supporting risk management procedure by providing so called ‘hallmarks’ of advancement”. Those institutions which are already implementing such models are also invited to improve their existing approaches and models of risk management (Hoseini, Hertogh and Bosch-Rekveldt 2019, p. 1). According to the authors, the adoption of such models also requires a clear definition of institutional objectives, proper planning and resourcing, as well as effective monitoring and control. In this context, a measurement tool is much needed which helps institutions identify areas for improvement and measure the progress of risk management implementation and process improvement. A risk maturity model (RMM) is such a tool, and it can be utilised to achieve that purpose.
In addition to research in the field, the global market has witnessed a good deal of corporate, finance and even academic institutional service providers which promise to offer tailored professional ERM health checks as well as maturity level assessment tools. Through the document analysis process, the researcher concluded that some of the UAE HEIs resorted to such universally accredited service providers to help them write up and adopt a solid ERM policy, for better implementation and a more effective process of periodical risk reviews, risk health checks and risk maturity assessment updates. There is currently a myriad of such service providers online; examples are KPMG (2021), CIMA, the National Association of College and University Attorneys (NACUA), the University Risk Management and Insurance Association (URMIA), and LRQA. These providers are web-based organisations which provide support in writing solid and clear risk policies and manuals, along with other related ERM services. They also provide convenient risk maturity assessment tools tailored to fit the organisational structure and requirements of any institution.
On their website, KPMG (2021), for example, states that their “ERM Maturity Assessment Tool offers support when determining the maturity of risk management in an organization. The Tool considers a broad spectrum of parameters including but not limited to risk appetite, risk governance, risk culture, risk identification and assessment, risk monitoring, risk reporting and usage of data, and technology in risk management. The risk maturity model is based on the ERM framework, comprising seven key components. It is aligned with COSO and ISO 31000: 2018 ERM framework”. The KPMG (2021) RMM relies on a process of risk compliance check, ERM health check, and ERM maturity assessment. The document analysis of this study showed that at least two of the three public universities and three of the private universities have done so, with KPMG stated as the writer of their ERM manuals and procedure policies. On the other hand, CIMA provides HEI boards of directors and senior executive teams with tailored and adaptive tools for ERM identification, assessment and evaluation. In their approach to ERM and ISO 31000 requirements, CIMA states that their tool is organised in such a way as to cover the common areas of the risk management implementation process. In this sense, their tool is organised so as to cater for “Risk culture, Risk identification, Risk assessment, Articulation of risk appetite, Risk response, Risk reporting Integration with strategic planning, Assessment of ERM effectiveness” (Collier, et al. 2006).
In the context of higher education, some researchers have shed light on the importance of adopting such RMMs by academic stakeholders (Wieczorek-Kosmala 2014; Lundquist 2015; Hillson 2019). Away from the finance, business and insurance markets, Wieczorek-Kosmala (2014) argues that it is “highly important to promote and discuss ways in which non-financial companies may implement and then control their efforts in managing risk”. The author went further to discuss ways in which RMMs can be applied and used in certain non-financial or non-profit institutions. Lundquist (2015, p. 38) posited that numerous authors, researchers and organisations have discussed and summarised different RMMs and identified programs through which RMMs can be measured and evaluated in HEIs (e.g., Hillson, 1997 and 2019; Hopkinson, 2000; RIMS, 2006; Ciorciari & Blattner, 2008; Mehta, 2010; Deloitte, 2006 & 2019; Abrams, et al., 2007; Aon, 2014; Marks, 2011; Batenburg, Neppelenbroek, & Shahim, 2014).
Wieczorek-Kosmala (2014, p. 138) defined the structure of RMMs in the format of “a matrix in which the levels of maturity are cross-referenced with the attributes reflecting the primary risk management practices. Each of the matrix’s field outlines the competences that indicate the attained or desired practices”, as shown in Figure 2.10:
Figure 2.10 – The Structure of Risk Maturity Model – Adopted from Wieczorek-Kosmala (2014, p. 139)
RMMs normally contain either four or five maturity levels, and they are measured in one of three formats: 1) an attributes-maturity level matrix, 2) a questionnaire, or 3) a combination of an attributes-maturity level matrix and a questionnaire (Hoseini, Hertogh and Bosch-Rekveldt 2019, p. 3):
- The attributes-maturity model is presented in the form of a table in which the attributes are exhibited in the first column and the levels in the first row. The table provides explanations for each attribute in each level. The user can select a level of maturity based on the explanations provided for each attribute.
- The model with questionnaires comprises detailed questions to be answered by survey respondents. The respondent may select a score on a Likert-scale-based 1-to-4 or 1-to-5 scale, depending on the level of maturity at their institution.
- In the combined model, the attributes-maturity level matrix is used to better treat and score the questions of the questionnaire.
The researcher in this study adopted the second format, presenting four maturity levels through a questionnaire and analysing respondents’ perceptions of the risk maturity level at their respective institutions.
In all cases, these RMMs help classify institutions into four or five levels, starting with the use of traditional or ad hoc approaches to risk management implementation and moving towards the higher level where risk management is fully implemented and integrated into the business and organisational practices as well as the strategic objectives and decision-making of the institution. In this context, an ERM maturity continuum would contribute to shaping the responses to risk management compliance and perceptions (Abrams, et al. 2007; Lundquist 2015; Hillson 1997 & 2019; Hoseini, Hertogh and Bosch-Rekveldt 2019).
ERM research in the higher education context showed that risk maturity in HEIs can be tested against different phases, which mostly adopt linear processes of four or five progressive stages (Lundquist 2015, p. 140). However, the researcher adopted a model similar to that of Lundquist (2015), who used an ERM maturity model with numerous tasks associated with the four maturity levels of forming, developing, established, and integrated. Lundquist (2015) concluded that irrespective of the terminology associated with each of these RMMs, there are common factors identified across all of them: “the capability to identify, gauge, prioritize and manage risks; the degree to which management decision-making has a risk component; the depth to which risk awareness is ‘embedded’ or ‘systematized’ in day-to-day operations; and the engagement of stakeholders in the ERM program” (p. 37):
Table 2.3 – Overview of Risk Management Maturity Models and Levels (Adopted from Lundquist 2015, pp. 37-38)

| Author | Traditional or “pre” ERM | Level 1 | Level 2 | Level 3 | Level 4 |
| Hillson (1997) | – | Naïve | Novice | Normalised | Natural |
| Hopkinson (2000) | – | Naïve | Novice | Normalised | Natural |
| RIMS (2006) | Ad hoc | Initial | Repeatable | Managed | Leadership |
| Deloitte (2006) | Tribal/Heroic | Specialist Silos | Top-down | Systematic | Risk Intelligent |
| Abrams, et al. (2007) | – | Comply | Improve | Improve | Transform |
| Ciorciari & Blattner (2008) | Very weak | Poor | Mid | Good | Optimized |
| Demidenko & McNutt | Ad hoc/not in compliance | Isolated activities | Coordinated activities | Coordinated activities | Holistic ethical system |
| AON (2014) | – | Initial | Basic | Defined/Operational | Advanced |
| Marks (2011) | Ad hoc | Preliminary | Defined | Integrated | Optimized |
| Batenburg, Neppelenbroek, & Shahim (2014) | – | Forming | Developing | Normalized/Established | Optimized |
In summary, by way of answering RQ1 and obtaining respondents’ perceptions of the effectiveness of ERM implementation in their institution, the researcher drew on these RMMs and adopted a questionnaire-based RMM, based on four levels of risk maturity ratings in the questions, moving from the initial and traditional (A/1; B/2) towards the mature, integrated and developed (C/3; D/4).
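As an added illustration of the questionnaire-based RMM format described above (the second of the three formats, with Likert ratings A/1 to D/4 mapped onto the four levels forming, developing, established and integrated), the following Python is example code written for this review; it is not the researcher’s instrument, nor any of the cited providers’ tools. The attribute names, question identifiers and respondent answers are constructed sample data, and the rule of averaging ratings per attribute and rounding to the nearest level is an assumption of this example rather than a procedure taken from the page.

```python
from dataclasses import dataclass
from statistics import mean

# The four maturity levels named on the page (Lundquist 2015), keyed to the
# questionnaire ratings A/1 .. D/4.
LEVELS = {1: "Forming", 2: "Developing", 3: "Established", 4: "Integrated"}
RATING_LETTERS = {"A": 1, "B": 2, "C": 3, "D": 4}


@dataclass
class Questionnaire:
    # attribute name -> identifiers of the questions that probe it
    attributes: dict[str, list[str]]


def parse_rating(value) -> int:
    """Accept 'A'..'D' (any case) or 1..4; reject anything off the scale."""
    if isinstance(value, str):
        v = value.strip().upper()
        if v in RATING_LETTERS:
            return RATING_LETTERS[v]
        if v.isdigit():
            value = int(v)
    if isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 4:
        return value
    raise ValueError(f"rating outside the 1-4 scale: {value!r}")


def score_respondent(q: Questionnaire, answers: dict) -> dict[str, float]:
    """Mean rating per attribute for one respondent; a missing answer raises KeyError."""
    return {attr: mean(parse_rating(answers[qid]) for qid in qids)
            for attr, qids in q.attributes.items()}


def aggregate(q: Questionnaire, respondents: list[dict]) -> dict[str, float]:
    """Average each attribute's score across all respondents."""
    per_respondent = [score_respondent(q, r) for r in respondents]
    return {attr: mean(s[attr] for s in per_respondent) for attr in q.attributes}


def to_level(score: float) -> str:
    """Map a mean score to the nearest of the four levels (halves round up)."""
    idx = max(1, min(4, int(score + 0.5)))
    return LEVELS[idx]


def assess(q: Questionnaire, respondents: list[dict]) -> dict:
    """Per-attribute and overall maturity, plus the weakest attribute to target first."""
    scores = aggregate(q, respondents)
    overall = mean(scores.values())
    return {
        "attributes": {a: (round(s, 2), to_level(s)) for a, s in scores.items()},
        "overall": (round(overall, 2), to_level(overall)),
        "weakest": min(scores, key=scores.get),
    }


# Constructed sample: three attributes drawn from the areas listed on the page,
# two questions each, two hypothetical respondents.
SAMPLE_QUESTIONNAIRE = Questionnaire(attributes={
    "risk culture": ["q1", "q2"],
    "risk identification": ["q3", "q4"],
    "risk reporting": ["q5", "q6"],
})
SAMPLE_RESPONSES = [
    {"q1": "B", "q2": "C", "q3": 3, "q4": "D", "q5": "A", "q6": 2},
    {"q1": "C", "q2": "C", "q3": 4, "q4": 4, "q5": "B", "q6": "B"},
]

if __name__ == "__main__":
    result = assess(SAMPLE_QUESTIONNAIRE, SAMPLE_RESPONSES)
    for attr, (score, level) in result["attributes"].items():
        print(f"{attr:20s} {score:.2f}  {level}")
    print("overall:", result["overall"], "| weakest attribute:", result["weakest"])
```

Per-attribute averaging is what makes the questionnaire format useful as a measurement tool rather than a single score: it shows which practice area (here, risk reporting) sits lowest on the continuum and therefore where improvement effort should go first, which is the purpose the page attributes to RMMs.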