
http://rims.logicmanager.com/LogicERM/index.html?param=2581CEEC5A
http://www.slideshare.net/IFAC_Multimedia/what-is-rims-doing

Integrated risk maturity model.

Qualification scale (1 = most mature, 10 = least mature):
1. Fully managed
2. Very managed
3. Managed
4. Somewhat managed
5. Partially managed
6. Partially ad-hoc
7. Somewhat ad-hoc
8. Ad-hoc
9. Very ad-hoc
10. Fully ad-hoc
Tribal and heroic:
Ad hoc / chaotic
Depends on individual heroes, their capabilities and verbally transmitted wisdom.

Specialist silos:
Reaction to adverse events by specialists.
Discrete roles established for a small set of risks,
typically finance, insurance, compliance.

Top-down:
Tone at the top
Policies, procedures and authority defined and communicated
Business function
Primarily qualitative
Reactive

Systematic:
Integrated response to adverse events
Performance linked to metrics

Rapid escalation
Cultural transformation
Bottom-up
Proactive

Adoption of ERM-based approach

Are operational risk priorities reported to the Board of Directors or other
similar oversight group?
Are qualitative risk assessments required for every project, new product,
business practice changes, etc.?
Is risk management competence part of all managers performance reviews?
Are business processes defined with process-specific risks?
Are risk issues communicated and acted upon effectively in a timely manner?
Do owners manage their risks and opportunities within regular planning
cycles?
Do process owners use the ERM process to improve their functions?
Are risk assessments conducted in all business areas?
Are risk management issues clearly communicated to all levels?
Do business units and departments create and evaluate long term plans to
drive risk management activities?

Business resiliency and sustainability

Are logistics, security, resources and response procedures well documented?

Effectiveness

How frequent and effective are your risk management activities? How well are your
policies documented? How are your risk policies enforced? How do you measure
effectiveness?

Very Managed to Fully Managed:
o Linked closely to strategy and governance
o Frequent follow-up and monitoring, including review of assumptions
o Consistent, well-documented and cost-effective controls with periodic testing
o Communication is consistent and understood, and accountability is set up
o Goals are set, measures are defined, activities are aligned and goals are periodically re-evaluated

Somewhat Managed to Managed:
o Linked to strategy and governance
o Adequate follow-up and monitoring
o Consistent and documented controls with prior testing
o Communication is consistent, understood and actionable
o Goals are set and measures are defined, and most activities are aligned

Partially Ad Hoc to Partially Managed:
o Insufficient links to strategy and governance
o Infrequent follow-up and incomplete monitoring
o Adequate controls
o Communication is consistent and mostly understood
o Goals are set but measures aren't well defined, and not all activities are linked

Somewhat Ad Hoc to Ad Hoc:
o Not linked to strategy and governance
o Infrequent follow-up and no monitoring
o Lack of consistent, measurable controls
o Communication is inconsistent and not always understood
o Some goals and measures are defined, but activities aren't linked

Fully Ad Hoc to Very Ad Hoc:
o Tactical, not linked to strategy and governance
o Insufficient follow-up, no monitoring
o Insufficient controls
o Communication is inconsistent or misunderstood
o Goals or measures ill-defined

1. Attribute: Adoption of ERM-based approach: Degree of executive support for
an ERM-based approach within the corporate culture. This goes beyond
regulatory compliance across all processes, functions, business lines, roles
and geographies. Degree of integration, communication and coordination of
internal audit, information technology, compliance, control and risk
management.
a. Factor Assessment: Executive ERM Support
i. (People Executive ERM Support)
1. Does the organization promote self-governance (e.g.
corporate ethics, whistleblower programs, etc.?) to ensure
that promise makers are held accountable?
2. Is risk management competence part of all managers'
performance reviews?
3. Are qualitative risk assessments required for every big
project, new product, business practice changes, etc.?
4. Are operational risk priorities reported to the Board of
Directors or other similar oversight group?
b. Factor Assessment: Business Process Definition and Risk Ownership
i. (Process Business Process Definition and Risk Ownership)
1. Are business processes defined with process-specific
risks?
2. Are risk issues communicated and acted upon effectively
in a timely manner?
3. Do process owners use the ERM process to improve their
functions?
4. Do owners manage their risks and opportunities within
regular planning cycles?
c. Factor Assessment: Front Line and Support Process Owner Participation
i. (Process Front Line and Support Process Owner Participation)
1. Are risk management issues clearly communicated to all
levels?
2. Are risk assessments conducted in all business areas?
d. Factor Assessment: Far-sighted Risk Management Vision
i. (Relationships Far-sighted Risk Management Vision)
1. Do business units and departments create and evaluate
long term plans to drive risk management activities?
2. Attribute: ERM process management: Degree of weaving the ERM Process
into business processes and using ERM Process steps to identify, assess,
evaluate, mitigate and monitor. Degree of incorporating qualitative methods
supported by quantitative methods, analysis, tools and models.
a. Factor Assessment: ERM Program Oversight
i. (People ERM Program Oversight)
1. Indicator: Is accountability for risk management assigned
throughout the organizational structure (processes,
support functions, business lines, geographies, etc.?)
2. Indicator: Do operational managers actively participate in
the ERM program?

3. Indicator: Are process owners and risk ownership clearly defined?
b. Factor Assessment: Risk Culture, Accountability and Communication
i. (People Risk Culture, Accountability and Communication)
1. Indicator: Are the purpose and procedures for risk
management clearly defined at every level?
2. Indicator: Are opportunities evaluated as risk plans
develop?
c. Factor Assessment: ERM Process Steps
i. (Process ERM Process Steps)
1. Indicator: Are sequential and iterative steps of risk
identification, assessment, evaluation, mitigation and
monitoring used to improve decision-making and
performance?
2. Indicator: Is risk management intelligence dynamic,
available and shared across departments?
3. Indicator: Do qualitative assessments determine the need
and priority for further quantitative analysis or modeling?
d. Factor Assessment: Repeatability and Scalability
i. (Process Repeatability and Scalability)
1. Indicator: Does an enterprise risk committee or equivalent
regularly review risk plans?
2. Indicator: Are risk and performance assumptions included
in qualitative assessments and periodically revisited for
accuracy?
e. Factor Assessment: Risk Management Reporting
i. (Relationships Risk Management Reporting)
1. Indicator: Are periodic reports measuring ERM progress
and activities provided to stakeholders?
3. Attribute: Risk appetite management: Degree of
understanding the risk-reward tradeoffs within the business. Accountability
within leadership and policy to guide decision-making and attack gaps
between perceived and actual risk. Risk appetite defines the boundary of
acceptable risk, and risk tolerance defines the variation around the risk
appetite that management deems acceptable.
a. Factor Assessment: Risk Portfolio View
i. (Process Risk Portfolio View)
1. Indicator: Is risk assessment information aggregated, analyzed
and dependencies addressed?
2. Indicator: Are differences between defined risk tolerance
and actual risk regularly addressed?
3. Indicator: Is risk tolerance formally defined for each
aspect of risk?
4. Indicator: Is the organizational view of risk dynamic (by
business process, risk category, strategic goal, or
combination)?
b. Factor Assessment: Risk-reward Tradeoffs
i. (Process Risk-reward Tradeoffs)

1. Indicator: Are risk-reward tradeoffs understood, and do they guide
the actions of leadership?
2. Indicator: Is operational risk reassessed when
performance and risk metrics change?
3. Indicator: Are appropriate amounts of the risk-reward
balance considered throughout the ERM process?
4. Indicator: Is resource allocation based on risk-reward
analysis?
5. Indicator: Is actual risk compared against assessed risk?
6. Indicator: Is the expected effect of mitigation measured
against the risk tolerance?
4. Attribute: Root cause discipline: Degree of discipline applied to measuring a
problem's root cause and binding events to their process sources to drive
the reduction of uncertainty, the collection of information and the measurement of
the controls' effectiveness. The degree of risk from people, external
environment, systems, processes and relationships is explored.
a. Factor Assessment: Risk and Opportunity Information Collection
i. (Process Risk and Opportunity Information Collection)
1. Indicator: Are scenario analyses performed throughout
planning?
2. Indicator: Are causes of events recorded and measured to
determine effectiveness of controls?
b. Factor Assessment: Root Cause Consideration
i. (Process Root Cause Consideration)
1. Indicator: Is a root cause approach used in each ERM
process step to ensure that the problem and not the
symptom is addressed?
2. Indicator: Are root cause categories used to distinguish
between risks (e.g. external vs internal fraud) within risk
assessments?
3. Indicator: Is the cause and effect chain from the top-down
and the bottom-up understood?
c. Factor Assessment: Dependencies and Consequences
i. (Systems Dependencies and Consequences)
1. Indicator: Are incidents and loss events tracked back to
root causes to evaluate the cost benefit for improvement?
2. Indicator: Does risk analysis identify potential financial
losses and gains as well as effects on goals?
3. Indicator: Are dependencies and consequences across
departments transparent and understood by stakeholders?
d. Factor Assessment: Information Classification
i. (Systems Information Classification)
1. Indicator: Are organizational and business unit goals
documented, measured, reported and managed?
2. Indicator: Are credit, solvency and equity risks
investigated, classified, quantified, monitored and
reported on?

3. Indicator: Are operational risks' root causes investigated,
defined, quantified and routinely monitored?
4. Indicator: Is classification of risk information within the
ERM process fully implemented?
5. Attribute: Uncovering risks: Degree of quality and penetration coverage of
risk assessment activities in documenting risks and opportunities. Degree of
collecting knowledge from employee expertise, databases and other
electronic files (such as Microsoft Word, Excel, etc.) to uncover
dependencies and correlation across the enterprise.
a. Factor Assessment: Adverse Events as Opportunities
i. (External Adverse Events as Opportunities)
1. Indicator: Are strategic opportunities identified and
explored concurrently with adverse event planning?
b. Factor Assessment: Follow-up Reporting
i. (Process Follow-up Reporting)
1. Indicator: Are risk mitigation activities monitored to
ensure that desired outcomes (e.g. reduced risk) are
achieved?
2. Indicator: Does organizational follow-up consider both the
upside and downside of identified risks?
c. Factor Assessment: Formalized Risk Indicators and Measures
i. (Process Formalized Risk Indicators and Measures)
1. Indicator: Are risk indicators in particularly sensitive areas
(e.g. critical processes, high risk projects) analyzed and
revisited by front line risk owners?
2. Indicator: Are standardized evaluation criteria, such as
impact, likelihood and control effectiveness, used to
prioritize risks for follow-up?
d. Factor Assessment: Risk Ownership by Business Area
i. (Process Risk Ownership by Business Area)
1. Indicator: Do front-line risk owners identify risks that are
specific to their business areas and processes to create
meaningful context for their risk mitigation activities?
6. Attribute: Performance management: Degree of executing vision and
strategy, working from financial, customer, business process and learning
and growth perspectives, such as Kaplan's balanced scorecard, or a similar
approach. Degree of exposure to uncertainty, or potential deviations from
plans or expectations.
a. Factor Assessment: Communicating Goals
i. (People Communicating Goals)
1. Indicator: Is accountability for goals and risks fully
understood by all personnel?
2. Indicator: Are resource allocation decisions based on
formalized evaluation criteria, such as an initiative's
impact, timing and confidence that the positive result can
be achieved?

3. Indicator: Are organizational goals tied to specific
performance measures, and are all performance
measures linked with goals?
4. Indicator: Do employees understand how a risk-based
approach helps them achieve goals? Are the implications
of certain risks to strategic goals communicated to all
employees?
b. Factor Assessment: ERM Information and Planning
i. (Process ERM Information and Planning)
1. Indicator: Is risk management competency part of
compensation and career development discussions at all
levels across the organization?
2. Indicator: Is ERM part of the Strategic Planning process?
c. Factor Assessment: ERM Process Goals and Activities
i. (Process ERM Process Goals and Activities)
1. Indicator: Are deviations from plans or expectations
measured against corporate and business unit-level
goals?
2. Indicator: Is risk management a formal part of goal
setting?
3. Indicator: Does the organization measure and report on its
management of uncertainties and risky opportunities?
4. Indicator: Are cross functional effects (such as financial,
customer, compliance, and strategic) considered within
business units when developing business unit level goals?
5. Indicator: Do employees at all levels use a risk-based
approach to achieve goals?
7. Attribute: Business resiliency and sustainability: Extent to which the ERM
Process's sustainability aspects are integrated into operational planning. This
includes evaluating how planning supports resiliency and value. The degree
of ownership and planning beyond recovering technology platforms.
Examples include vendor and distribution dependencies, supply chain
disruptions, dramatic market pricing changes, cash flow volatility, liquidity,
etc.
a. Factor Assessment: Resiliency and Operational Planning
i. (External Resiliency and Operational Planning)
1. Indicator: Do business units report on how external and
internal events impact their business models?
2. Indicator: Are root cause risk categories (people, process,
external environment, relationships, systems, etc.)
considered in operational planning?
3. Indicator: Do business units use long term scenario
analysis when documenting key drivers of resiliency and
sustainability?
4. Indicator: Are logistics, security, resources and response
procedures well documented?
b. Factor Assessment: Understanding Consequences
i. (People Understanding Consequences)

1. Indicator: Do risk assessments by front-line risk owners
determine business continuity needs for analyses and
planning?
2. Indicator: Are the dependencies and consequences of
business area processes and related resources considered
during the ERM Process?
c. Factor Assessment: Risk-based Planning
i. (Process Risk-based Planning)
1. Indicator: Is balance between quarterly deliverables and
longer-term value aligned to business priorities?
