How Mature is Your Risk & Control Program?

During the past decade, many significant events occurred that placed greater demands on how companies manage their risks.  At the beginning of the decade, we experienced the financial downturn associated with the bursting of the high tech/internet bubble.  Then, we had the after effects of the September 11th terrorist attacks.  Corporate accounting scandals at Enron and WorldCom created new financial reporting challenges in the form of the Sarbanes-Oxley Act of 2002.  Now, we are finally beginning to emerge from one of the greatest financial meltdowns in American history.  All the while, companies have been trying to keep pace with ever increasing levels of risk and regulation.

Much of the fallout from the financial crisis of 2008 can be attributed to the lack of coordination and integration of risk management practices at individual firms as well as across entire industries.  To be successful at managing risk going forward, companies must begin to examine how they are currently focusing their efforts and how they need to evolve their overall risk and control program.

The evolution path for most risk and control programs can be broken into four distinct stages – Developing, Implementing, Improving and Integrating (see figure below).   As companies begin to take a more focused approach to managing risk, they usually begin by simply reacting to regulatory demands or recent negative events that have occurred.   In this initial “Developing” stage, companies may create ad hoc task forces or assign individual teams to address the risks.

However, most companies begin to see the need for a more formal, enterprise-wide approach and enter the “Implementing” stage.  Here, a risk champion is typically named, standards are created and the various teams begin to align and share information.  Once the sharing of information begins, both horizontally and vertically through the company, inefficiencies and gaps become apparent.

Companies then move to the “Improving” stage in order to streamline processes and adopt best practices.  Finally, once the program has matured into an efficient mechanism on its own, it should be fully integrated into the business itself – at all levels.  It is this “Integrating” stage of evolution that is the holy grail of Enterprise Risk Management.

Where is your company on the evolution path?  What obstacles are you facing as you look to progress from one stage to another? Wheelhouse Advisors can provide both unique insight and practical solutions to help you reach the desired level of maturity.  To learn more, visit


About Wheelhouse Advisors
Wheelhouse Advisors LLC is the publisher of The ERM Current™, an online publication and blog dedicated to providing the latest updates on current trends in Enterprise Risk Management & Control. Wheelhouse Advisors provides cost-effective Enterprise Risk Management & Control solutions to both large and mid-size corporations. To learn more about Wheelhouse Advisors, please visit our web site at

One Response to How Mature is Your Risk & Control Program?

  1. John Kelly says:

    Great blog John, with out the integration stage, organizations do not have a complete picture or profile of their risk exposure.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: