GRC Professional - February 2015 Edition | Page 32

SURVEY

Do you feel your risk management or GRC function is:
- Under resourced
- Over resourced
- About right

Principle Four: Risk Management explicitly addresses uncertainty

How would you assess your competency and maturity level for this principle?

Level 1 – Absent: The potential impact risk has upon organisational objectives is ignored.

Level 2 – Reactive: Business decisions are altered in response to changing market conditions and external uncertainties as they arise.

Level 3 – Foundation: Uncertainty is a consideration when making business decisions and allocating resources.

Level 4 – Proactive: Uncertainty is viewed within the context of the established risk appetite, assessed to ascertain if it falls within accepted parameters, and its impact is used to determine the ultimate decision that is taken.

Level 5 – Embedded: The differences between the risk appetite of the organisation and that of the individuals within it are clearly distinguished. The risk management system or framework is tailored to the organisation. The data used is accurate and current. Risk tolerances are clearly mapped against the business strategy and represented in all measures of success.

Principle Nine: Risk Management is transparent and inclusive

How would you assess your competency and maturity level for this principle?

Level 1 – Absent: Only some employees are involved in the risk management process and its implementation, and most are not sure how or why it has been developed.

Level 2 – Reactive: Employees are invited to participate in use of the risk framework only when issues arise that impact upon their own area of the business.

Level 3 – Foundation: Employees understand and participate in the risk management process as it applies directly to their business unit or the part of the business they operate in.

Level 4 – Proactive: All employees are made to feel that they have ownership of the risk framework and are encouraged to use it as part of their day-to-day decision-making processes.

Level 5 – Embedded: Careful stakeholder selection is undertaken to ensure full representation across the business, and stakeholders are involved in the formulation of the risk management framework. The framework is subject to internal and external audit and review. Open sharing of information across the company, in particular of successes, failures and near misses, is encouraged. Risk KPIs are incorporated for all; in particular, all leaders must ‘walk the talk’.

Few risk managers believe their program is fully embedded into the business across the eleven principles.