The value of measuring and acting upon risk maturity in an organisation

Terence Murasiki, Director & Head of Research at ABMI Institute and the author of the Attribute-Based Maturity Index for risk implementation and competency development, explains the model to Junita Rose and emphasises its bias towards action rather than tick-box complacency.

Implementing risk management and developing required management competencies is critical for any organisation’s long-term growth and survival – as the unforeseen Covid-19 pandemic and its dramatic consequences have reminded us.

What has also been highlighted is that a one-size-fits-all, tick-box document that gathers dust in a filing cabinet for 11 months of the year will not save a business when hypothetical risk becomes harsh reality literally overnight. But knowing which risk management programmes to implement, when, at what level within the business, and how to drive meaningful action requires risk management professionals to understand the maturity of their organisation. The innovative Attribute-Based Maturity Index developed by ABMI Research Institute can give managers and consultants the tools to achieve this.

How the Index came about

Before we get into detail about the Index and what it can achieve, it is useful to get a perspective on how it came about. During my time as an auditor, a client, in a clarity-seeking moment, pointed out that whenever he changed his auditor, new audit findings came up. No matter how competently he resolved the previous year’s issues, the next year there would be new ones to deal with. He then posed the question: Was his audit outcome derived from standard processes and protocols, or was it dependent on the bias of whoever was doing the audit?

When I became a risk management consultant, I started developing a risk maturity model that would be predictable, consistent and could be applied in such a way that an organisation would be able to take its results and meaningfully compare itself to any other establishment. The next step was to find an appropriate name and we eventually settled on the Attribute-Based Maturity Index. This is really about how you implement risk management and how you measure competencies. Then, having measured competencies, it needed to assist practitioners to develop the required improvement plan in order to implement improvements in a structured manner, for the benefit of the organisation.

In order to further provide clarity and eliminate confusion, every key principle needed to have a consistent understanding and application. For example, people often talk about ‘risk appetite’, but it can mean different things to different people and so a standard definition had to be put in place. This required and resulted in the development of practice guidelines for each attribute under the Index.

A huge amount of reading and research was involved – I think I consulted something like 300 different sources in coming up with the initial index. Research work on ABMI started back in 2011. At that time, we had King 2009 and ISO 2009 to work from, but not the latest King and ISO reports. But there was at least some degree of best practice to look at. King was profound because it talked about the inseparability of strategy, risk, performance, and sustainability. Up until then, most people thought ‘sustainability’ was planting a few trees and telling the world about it.

The major difficulty was finding additional reference material about risk management in a manner that would build a credible set of research conclusions. In order to figure this part out, I had to extend my research to as far back as the Great Depression of 1929 to 1939. My research journey took me through significant historical economic events and crises and, in the realisation of risk as a key driver of variance to norms and objectives, it became ever clearer that there were instances of risk in history, but these have hardly been referred to as risks. The general misfortune of history remains true in latter times, wherein risk events are seldom related to ineffective risk management or, indeed, risk itself, but rather viewed as issues, matters for concern, or irregular matters, depending on the desired soft-landing.

To bring us back to the discussion, out of that body of research flowed the ABMI Reference Library, which is the book that records the full knowledge behind the Index. More on that later.

Seven components and 26 attributes

Having analysed the research material and conclusions, we came up with seven components of the Index, listed as Component A to Component G:

  • A is Control Environment (which in the 2021 model will be changed to Risk Culture & Leadership).
  • B is Strategy Integration.
  • C is Performance Integration.
  • D is Sustainability Integration.
  • E is Risk Identification and Assessment.
  • F is Risk Mitigation and Control.
  • G is Monitoring and Communication.

The next challenge was defining the subsets of those components, but without falling into the trap of drawing up a process because the moment you do that, your model may not apply in every environment. I designed attributes – which is where the naming of the model itself comes from.

Under Component A (Control Environment), for example, there ended up being six attributes. These include Governance & Oversight, Risk Philosophy, Risk Culture, Risk Appetite, Risk Tolerance and Commitment to Competence.

Then, under Component B (Strategy Integration), there are four attributes. Under Component C (Performance Integration) there are three attributes; and so on. In all, there are seven components and 26 attributes that fall within those seven components. In the upcoming 2021 model there will be a revision to the number of attributes and the arrangement of the sub-attributes thereunder. More on that at a future date.

Importance of the Index

Everything is coded. That is the model; it is about codified practices. If a risk manager or consultant talks about ‘A-1’, then you know it is a subset of Control Environment. People who use ABMI enjoy that because they are able to say: “I’m addressing risk appetite as in A-4. Not in respect of its application under B-3” for example. If you are a user of ABMI, you know exactly what they mean, because in B-3 maybe risk appetite is mentioned from the perspective of ‘how do you integrate it into strategic planning’. By codifying these practices, we’ve made it much easier for a person who is interacting with the knowledge base to be able to direct their thinking to the context and the subject.

When we took the checklist to market in 2013 it was highly innovative for its time and enabled organisations to complete an assessment and get their maturity score immediately. Up until then, you could wait months for an assessment outcome. An additional advantage of the Index from the very onset was the elimination of typical “Yes” and “No” responses to assessment questions. Instead, this model brought about the use of a layered response model and, in a true display of its bias towards action, the mere existence of documentary proof is only capable of taking an organisation up to a maximum of 35% risk maturity. Actions speak much louder than un-implemented words when it comes to the Attribute-Based Maturity Index.

In 2017, we evolved the Attribute-Based Maturity Index a step further. This involved further research in each of the 26 attributes to develop 26 unique practice guidelines that elaborated upon each of the 26 attributes. As mentioned briefly earlier on, we collated and expanded the key research that was done when developing the Index and from that created the ABMI Reference Library, which is the reference book that supports the whole methodology.

The Library comes in two forms. There is what is called the Black Book of Risk Management, which is the printed, hard-bound copy. There is an e-book as well. Both versions can be acquired via our website:

The first version of the ABMI Reference Library was released in June 2018. We review everything every two to three years to ensure we are current. Readers can look forward to a refreshed and updated 2021 edition. Despite the high levels of research in developing the 2018 edition, in preparing the 2021 edition we have consulted much more widely, approaching 400 different referenced elements in the book. The book is also more detailed as it now includes my professional perspective on each of the attributes based on practical, on-the-ground application. The 2021 edition will also feature more diagrammatic descriptions for easier interpretation as a result of demand from its readers. The 2021 edition has also been subjected to an additional layer of review by a panel of technical reviewers who come from academia, professional practice, and industry.

Broader risk management factors

The Index brings about a realisation amongst practitioners that the job of a risk manager is never done as it unpacks 7 components into the attributes which are then further split into sub-attributes. Sub-attributes are then supported by key sources of evidence or reporting tools. Therefore, gone are the days of merely doing a risk assessment and a quarterly risk report – and then sitting back and saying “my job is done”. We need as practitioners to become and remain relevant to the organisation under changing circumstances and a volatile, uncertain, complex and ambiguous world.

As risk is mobile, ongoing, and constantly changing, so must our methods evolve and capability development remain a priority. When risk managers use the Index and the Library for the first time it is fascinating, because they then realise how much there is to be done and why they need to build capacity in the organisation.

Building organisational capacity of course requires that managing risk be a programme driven by the Governing Authority (Board, Accounting Officer/ Authority) and in a non-negotiable manner executed by executives rather than it being a back-office function led and executed by the risk practitioner. It therefore concerns me, as it would most practitioners and leaders I hope, to hear practitioners talking about the difficulty of “getting buy-in” from senior management and boards when it comes to risk management. To me, this is the first indicator of reckless leadership, because you should not be asked to ‘buy in’ to doing your job properly.

As an executive or a board member, you cannot tell me, a shareholder, that you think you are fulfilling your obligations properly when you ignore risk. You are, in effect, saying that you will deal with a problem when it hits you – which is a worrying attitude.

In summary, remember that risk maturity is a journey and not a destination. As a practitioner, do not become a complacent system administrator or programme manager. We need to be action-focused and we need to apply ourselves. We must ask the right questions, be present and visible, and be ready to run things when something does go wrong.
