This is a performance ladder or framework for Enterprise Risk Management. It can be used as an audit tool, a maturity model, a benchmarking tool or a model for creating a plan of action.

1. Using the LTRC Risk Management
Performance Ladder
Liz Taylor
LIZ TAYLOR RISK CONSULTING

2. Performance ladder based on EFQM Model
The EFQM model for risk management is;
– A framework for helping management
manage risks successfully
– Helps to manage all aspects of Enterprise
Risk Management
– Is a balanced model showing inputs and
outputs

3. Risk Management and EFQM

4. How should it be used?
• It can be used for;
– Self assessment
– Benchmarking your organisations performance in
RM against others
– A tool for creating an action plan and developing RM
further
– A framework for creating a conversation about the
way in which risk is managed

5. Let’s look at it in detail
Framework divided into two areas; capabilities
and results
Leadership
Strategies
&
Policies
People
Partner
ships &
resources
process
Risk
Handling
outcomes
Capabilities Results

6. The detail
Framework measured on four scales
Level 1 Awareness and understanding
Level 2 implementation in progress for all key areas
Level 3 Embedding and improving
Level 4 Excellent capability established

7. Risk Leadership
• Sets style for culture of risk management
• Sets out the leadership style whether
managing status quo or through a change
process
• Helps to structure risk management within
the organisation
• Engages stakeholders

8. Risk Leadership
Level 1
Awareness and
understanding
Top management are aware of need to manage uncertainty & risk &
have made resources available to improve.
Level 2
implementation in
progress for all
key areas
Senior Managers act as role models and take the lead to ensure that
approaches for addressing risk are being developed & implemented
consistently & thoroughly across the organisation.
Level 3
Embedding and
improving
Top-down commitment with embedding & integrating risk
management as routine business practice. Senior Managers ensure
that staff are suitably skilled to achieve continuous improvement.
Level 4 Excellent
capability
established
Senior Managers reinforce & sustain risk capability, organisational &
business resilience & commitment to excellence. Leaders invited to
speak about their success. There is strong support and reward from
Senior Managers for seizing opportunities & for well managed risk
taking.

9. Strategy & Policies
Sets out
– The overt statement of risk leadership
– The resources behind managing risk
– Roles and responsibilities for leading, managing, training,
coaching, supporting, developing and auditing risk
management
– States risk appetite
– The integration of risk management into
• Programme and project management
• Partnerships and contracts
• Change management
• Performance management
• Business planning at all levels

10. Strategy and Policies
Level 1
Awareness and
understanding
Policies & strategies are reviewed against risk principles.
Level 2
implementation in
progress for all
key areas
Risk management principles are being reflected in the organisation’s
policies & strategies, communicated effectively & made to work
through a framework of processes.
Level 3
Embedding and
improving
Risk handling is inherent feature of all policies & strategy making
processes. Overall risk appetite achieves balance between
opportunities and threats.
Level 4 Excellent
capability
established
Risk management capability in policy & strategy making is reviewed
and improved. Role model status.

11. People
Sets out the measurements for developing people
in the organisation who will manage and embed
risk management.

12. People
Level 1
Awareness and
understanding
Key people are aware of need to assess & manage risks & understand
risk concepts & principles.
Level 2
implementation in
progress for all
key area
Core group of people have skills & knowledge to manage risk
effectively. Suitable guidance is being made available & training
programmes being implemented to develop risk capability.
Level 3
Embedding and
improving
People encouraged & supported to be more innovative. Regular
training is available for people to enhance their risk skills. CPD
training in place for core group of people.
Level 4 Excellent
capability
established
All staff are risk aware & capable of using basic risk skills, tools &
techniques. They feel empowered to take well managed risks. Core
group of people are highly skilled in managing risk effectively.
Specialised risk training an integral part of on-going personal
development plans.

13. Partnerships and resources
This is about managing partnerships and resources
such as
– How external partnerships are managed to minimise
the risk to the organisation
– Managing finance to manage risks
– Management of building equipment and materials to
manage risks
– Management of technology
– Management of information and knowledge

14. Partnerships and resources
Level 1
Awareness and
understanding
Key people are aware of areas of potential risks with partnerships,
suppliers & management of significant resources & understand the
need to agree approaches to manage these risks.
Level 2
implementation in
progress for all
key areas
Risk with partners is being managed consistently for all key areas &
across organisation. There are boundaries for managing assets &
financial & other resources.
Level 3
Embedding and
improving
Sound governance arrangements established; partners & suppliers
selected on basis of risk capability & compatibility. Resources are
well managed.
Level 4 Excellent
capability
established
Information integrity and asset security are assured. Financial and
other resources are effectively managed. Organisation is regarded as
a role model.

15. Risk Management processes
This is the actual way in which risk management
is implemented including
– The framework (at Board level)
– The systems (at senior management level)
– The processes (at operational level)

16. Risk Management processes
Level 1
Awareness and
understanding
Some stand-alone risk processes have been identified.
Level 2
implementation in
progress for all
key areas
Risk management processes being implemented in key areas. Risk
capability self-assessment tools being used in some areas.
Level 3
Embedding and
improving
Risk metrics are collected. Risk management standards applied in
some areas. Staff accept risk management as standard requirement
of good management.
Level 4 Excellent
capability
established
Management of risk & uncertainty is well integrated with all business
processes. State-of-the-art tools & methods are used. Selected as a
benchmark site by other organisations. Arrangements in place to
identify opportunities which might be available if risks are well
managed.

17. Risk Handling
This is the framework in which risk management
effectiveness is measured such as
– Audits of application of process
– Cross fertilisation of ideas
– Peer review
– Benchmarking

18. Risk Handling
Level 1
Awareness and
understanding
No clear evidence that risk management is being effective.
Level 2
implementation
in progress for
all key areas
Some evidence that risk management is being effective in at least most
relevant areas if not in all relevant areas.
Level 3
Embedding and
improving
Clear evidence that risk management is being effective in all areas and
that risk opportunities are being pursued.
Level 4
Excellent
capability
established
Excellent evidence that risk management is being highly effective in all
areas & improvement is being pursued. Higher risk opportunities being
successfully pursued.

19. Results
This is the output from risk management such as
– Fewer risks and lower impact risks are occurring
– Value for money improved
– Better innovation achieved
– Culture is one of taking managed risk

20. Results
Level 1
Awareness and
understanding
No clear evidence of improved outcomes or any opportunities
identified.
Level 2
implementation
in progress for all
key areas
Some evidence of risk management contributing to improvement in
outcome performance, demonstrated by measures including, where
relevant, stakeholders’ perceptions and potential for new
opportunities.
Level 3
Embedding and
improving
Clear evidence of risk management contributing to significantly
improved performance for all relevant outcomes, better value for
money, showing positive & sustained improvement & new
opportunity achievement.
Level 4 Excellent
capability
established
Excellent evidence of risk management contributing to markedly
improved outcome performance, better value for money & new
opportunity realisation, which compares favourably with other
organisations employing best practice.

21. Embedding an Effective Risk Management Framework
The Performance Ladder
Capabilities Results
Level4
Excellentcapabilityestablished
Senior Managers reinforce &
sustain risk capability,
organisational & business
resilience & commitment to
excellence. Leaders invited
to speak about their success.
There is strong support and
reward from Senior
Managers for seizing
opportunities & for well
managed risk taking.
Risk management
capability in policy &
strategy making is
reviewed and improved.
Role model status.
All staff are risk aware &
capable of using basic risk
skills, tools & techniques. They
feel empowered to take well
managed risks. Core group of
people are highly skilled in
managing risk effectively.
Specialised risk training an
integral part of on-going
personal development plans.
Information integrity and
asset security are assured.
Financial and other
resources are effectively
managed. Organisation is
regarded as a role model.
Management of risk &
uncertainty is well
integrated with all
business processes.
State-of-the-art tools &
methods are used.
Selected as a
benchmark site by other
organisations.
Arrangements in place
to identify opportunities
which might be
available if risks are
well managed.
Excellent evidence that
risk management is
being highly effective in
all areas &
improvement is being
pursued. Higher risk
opportunities being
successfully pursued.
Excellent evidence of risk
management contributing to
markedly improved outcome
performance, better value for
money & new opportunity
realisation, which compares
favourably with other organisations
employing best practice.
Excellent
Level3
Embedding&
Improving
Top-down commitment with
embedding & integrating risk
management as routine
business practice. Senior
Managers ensure that staff
are suitably skilled to achieve
continuous improvement.
Risk handling is
inherent feature of all
policies & strategy
making processes.
Overall risk appetite
achieves balance
between opportunities
and threats.
People encouraged & supported
to be more innovative. Regular
training is available for people to
enhance their risk skills. CPD
training in place for core group
of people.
Sound governance
arrangements established;
partners & suppliers
selected on basis of risk
capability & compatibility.
Resources are well
managed.
Risk metrics are
collected. Risk
management standards
applied in some areas.
Staff accept risk
management as
standard requirement of
good management.
Clear evidence that risk
management is being
effective in all areas
and that risk
opportunities are being
pursued.
Clear evidence of risk
management contributing to
significantly improved performance
for all relevant outcomes, better
value for money, showing positive
& sustained improvement & new
opportunity achievement.
Good
Level2
Implementationin
progressforallkeyareas
Senior Managers act as role
models and take the lead to
ensure that approaches for
addressing risk are being
developed & implemented
consistently & thoroughly
across the organisation.
Risk management
principles are being
reflected in the
organisation’s policies
& strategies,
communicated
effectively & made to
work through a
framework of
processes.
Core group of people have skills
& knowledge to manage risk
effectively. Suitable guidance is
being made available & training
programmes being implemented
to develop risk capability.
Risk with partners is being
managed consistently for
all key areas & across
organisation. There are
boundaries for managing
assets & financial & other
resources.
Risk management
processes being
implemented in key
areas. Risk capability
self-assessment tools
being used in some
areas.
Some evidence that risk
management is being
effective in at least most
relevant areas if not in
all relevant areas.
Some evidence of risk
management contributing to
improvement in outcome
performance, demonstrated by
measures including, where
relevant, stakeholders’ perceptions
and potential for new opportunities.
Satis-factory
Level1
Awareness&
understanding
Top management are aware
of need to manage
uncertainty & risk & have
made resources available to
improve.
Policies & strategies
are reviewed against
risk principles.
Key people are aware of need
to assess & manage risks &
understand risk concepts &
principles.
Key people are aware of
areas of potential risks
with partnerships,
suppliers & management
of significant resources &
understand the need to
agree approaches to
manage these risks.
Some stand-alone risk
processes have been
identified.
No clear evidence that
risk management is
being effective.
No clear evidence of improved
outcomes or any opportunities
identified.
Unsatis-factory
Risk Leadership Risk Strategy &
Policies
People Partnerships &
Resources
Risk Management
Processes
Risk Handling Outcomes

22. Liz Taylor FIRM, FBCI, Chartered Insurance Practitioner
Managing Partner
LIZ TAYLOR RISK CONSULTING
PO Box 340
Newton Abbot
Devon TQ12 5ZX
e: liz.taylor@liztaylorriskconsulting.co.uk
t: +44 (0) 1626 337626
m: +44 (0) 775 3607676
f: +44 (0) 1626 330557
w: www.liztaylorriskconsulting.co.uk