Overview of maturity levels, quantitative risk management and risk assessments

Two decades ago, the maturity level for risk management was not particularly high. That’s why Frank Romeike, who was serving as Chief Risk Officer at IBM, founded RiskNET back in 1998 as a digital platform for risk managers to network and exchange experiences. The Risk Academy was established the following year and has since provided training to 20,000 people. Its affiliate, RiskNET Advisory, also supports companies as they further develop their maturity levels in risk management.

26 years ago, Romeike took on the position as the Chief Risk Officer at IBM, which at the time was on the brink of bankruptcy. The primary cause of this crisis was a disruption in the business model, triggered by new technologies and stronger competition in production from Asia. Lou Gerstner was the new CEO of IBM at the time and began to subsequently rebuild the company. Today, IBM ranks among the global leaders in the fields of quantum computing and artificial intelligence.

During this time, Romeike identified four essential factors for effective, successful risk management:

• Process: Creating a risk management cycle that is integrated in other processes
• Organization: Integrating areas instead of building different silos
• Methods: Building risk management systems on methods 
• Risk culture: Winning fans and gaining buy-in to instill risk awareness among all employees in everyday business. In Romeike’s opinion, this last factor is the greatest shortfall in real-world risk management.

To achieve higher levels of maturity, companies can follow a series of methods, which the expert describes as a tool box with three compartments:

• Collection methods: e.g. risk-control matrix and traditional checklists
• Analytic methods: e.g. failure mode and effects analysis (FMEA)
• Creativity methods: highly interesting, individual methods utilizing the creativity within the workforce

Companies need to decide which maturity level they wish to achieve. They can fulfill the minimal legal requirements on one hand or create a system that can be used for strategic management on the other. In the second case, risk managers must delve into quantitative methods. Companies are managed with a close eye on EBIT, profit, revenues and other KPIs – and not through qualitative targets. When companies want to generate added value from risk and opportunity management, they will need to strive for higher maturity levels.

One interesting example is the Challenger space shuttle tragedy. NASA should have cancelled the project after an initial quantitative risk and reliability calculation. Instead, it opted to run a qualitative method using FMEA. 73 seconds after the Challenger launch on January 28, 1986, a catastrophic explosion killed all seven members of the crew. The cause was traced back to an O-ring that was not frost-proof. The ring was used in spite of warnings from both the developing engineers and the manufacturer. After the tragedy, quantitative methods shifted to the focus once again.

Companies need to desire – and deal with – transparency. If not, strictly qualitative evaluations can conceal quite a lot.

The first GBTEC GRC Podcast was broadcasted in February 2019. This series focuses on all aspects of integrated GRC, enterprise risk management, internal control systems and information security management. Today, 6 episodes are available and can be streamed on leading platforms such as Soundcloud, Spotify and Apple Podcast.