Is your Risk Management maturity fit for future purpose?

Is your Risk Management maturity fit for future purpose?

As all best practice operators know, the effective implementation of risk management processes is critical to the achievement of shareholder value, customer satisfaction, operational efficiency and protection of health, safety and the environment. But, when considered collectively, are they delivering the optimum impact to directly support the future ambitions of the business?

Risk identification, management controls, and emergency responsiveness are nothing new to chemical industry operators, who are compelled to function within a highly regulated environment (COMAH, DSEAR, REACH). However, in many organisations risk management is still considered and executed in silos. For example, financial and operational risks are often inadequately connected to strategy and business performance measurement. Coordinated governance is critical to successful risk management.

With the continued emphasis on embedding risk management processes and a risk aware culture within an organisation, engineers and management should proactively verify that the organisation’s risk profile and appetite are integrated, current, and that the risk management response is robust, well managed and communicated. This will help ensure risks remain tolerable to the business and are operationally as low as reasonably practicable. Wider consideration of risk management will stimulate the typically robust safety management systems (OHSAS 18001 and similar) to fully support business resilience. (NB Safety and environmental regulators typically hold no remit to maintain or consider the operator’s business resilience).

A well-considered risk transfer approach to suppliers and insurers is also critical, as is collaborating with these organisations to ensure risks are understood and responsibilities for control and response are clear. Any incidents occurring at a chemical facility or business are likely to be heavily scrutinised by the public, media, politicians, and regulators, irrespective of controls and transfer strategies being in place. Therefore, engineers and managers should work together to ensure plant, process, and people are resilient in the event of an incident in order to mitigate first and third party consequences and to be seen to behave in an ethical and socially responsible manner.

A useful starting point to determine risk management effectiveness is by conducting a risk management maturity review. This will identify the gaps between the organisation’s current state and its optimum future state risk management practices. The resulting gaps identified for closure can then be analysed, prioritised, and managed through to completion.

Marsh has a well-developed approach to risk management maturity reviews, which we conduct in collaboration with clients using a systematic framework. This covers all the key elements of risk management practices, ranging from risk appetite and strategy, governance, and framework at one end of the scale, through to the specific processes and tools used to manage risk at the other.

The scope of the framework covers the management of all risks in each organisation. Specific practices with regard to the management of operational, strategic, financial, and hazard risks are also considered in detail.

The risk management maturity framework is assessed against a scale of five levels: 1.underdeveloped, 2. formalising, 3. established, 4. embedded, 5. optimised, based on the state of the policies, processes, and systems of the organisation within each part of the framework. The review allows the strong quality, safety, health, and environment (QSHE) culture in the chemical industry to drive the wider risk management strategy of the business.

From the completed exercise (see graphic) Marsh makes recommendations, appropriate to each client’s existing structure, culture, and management style, that will provide a basis for achieving the defined future state and highlights areas for improvement in the short (less than one year), medium (two years), and longer term (more than three years).

The achievement of a chemical sector organisation’s business success necessitates a thorough appraisal of key areas of risk combining horizon scanning, resilience, stress testing, and insurance. A risk management maturity review will enable the formulation and testing of robust controls to support loss prevention and the sustainable return to business as usual following a significant or catastrophic event.

David Stark is the UK Practice Leader of Enterprise Risk and Resilience at Marsh.
To contact David, please email:

Simon Thompson is the UK Chemical & Life Sciences Practice Leader at Marsh.
To contact Simon, please email:

COMAH (Control of major accident hazards)

DSEAR (Dangerous Substances and Explosive Atmospheres Regulations 2002)

REACH (Registration, evaluation, authorisation, and restriction of chemicals)

OHSAS (Occupational health and safety assessment series)