RISK MATURITY OF AN ORGANISATION


  • Some organizations, especially those in a fast-growth mode, have an organizational culture that encourages operational managers to remain at the risk naïve/risk aware level. This means that line managers are not expected to identify risks and, if they do, the knowledge stays with them personally or within their functional team.
  • The internal control environment may be well defined, but it is operated by staff management (such as the accounts manager), the logic being that line managers need to spend maximum time in operations and not be distracted by unnecessary paperwork or issues other than their operations.
  • In this mindset, coordinating activities and problem solving are considered operations, while risk assessment and management are considered a staff function. This model works well in a supply-side market, where the organization sells whatever it produces, but flounders in a competitive and dynamic market, where new risks arise periodically and staff management, who are not market facing, are not fast enough to incorporate new controls to address these risks.
  • A risk naïve/risk aware organization in today's dynamic environment exhibits inefficiencies such as a continuously long list of issues pending with the line manager at all times, or even mundane issues such as goods received but unreconciled with purchase orders, or delayed supplier payments that leave line managers chasing the accounts department for release of payment. The root cause is usually a risk that has not been addressed.
  • In a risk aware organization, a silo culture, in which the manager tracks and addresses new risks related to his department only rather than across the business process, usually throws up big losses arising from customer dissatisfaction or the failure of an enterprise-wide activity such as implementing ERP.
  • The audit strategy depends upon the organization's risk maturity. Organizations at low risk maturity levels may require internal auditors to act as consultants, promoting and advising on the identification of and response to risks.
  • For organizations with high risk maturity, the internal auditor would need to concentrate more on carrying out process audits of the risk management processes, and especially on reviewing the risk assessment process in which the inherent (untreated) risks are identified, estimated (scored) and evaluated (compared with risk appetite).
