Over the last week or so we have been in touch with approximately 67 organisations from across the private, public and third sector to discuss the formation of a BS31100 Benchmarking Group.
The key points of feedback are summarised below.

The feedback I have received has been very positive and encouraging. Clearly the view that there is a need for some external validation is shared. However there was a strong feeling that the proposed BS31100 Benchmarking Group must be more than a ‘talking shop’ and must add real value to participants.

External validation & peer comparisons

The main motivation for creating the proposed BS31100 Benchmarking Group would be to provide a way for organisations to easily gauge the status of their risk management practices compared with the BS31100 standard and peer organisations. Many we spoke with, felt having access to these comparisons would be valuable. However there was also a desire to be able to do internal benchmarking. The internal benchmarking would enable comparisons between departments or functions and provide trends over time to show improvements, helping prioritise ongoing improvement efforts.

Nature of the group

Initially we thought that the BS31100 Benchmarking Group would be a web-based group only with a dedicated website made up of a range of collaborative tools. Everyone could see the benefits of a web-based group however many people felt that there would be more value in the group if participants met regularly to exchange thoughts, insights and knowledge. If there were to be regular meetings, as per many requests, these won’t all be held in London.

Purpose of the group

The purpose of the proposed BS31100 Benchmarking Group was initially to be simply to provide a method for organisations to validate their risk management practices, compare them with peer organisations and provide a forum for discussion around the standard. However, the feedback suggests that the function needs to be a little wider to include a clear, unambiguous link between BS31100 and regulatory requirements. For example, a financial services organisation suggested that any assessment must be translated and presented to meet the needs of the credit rating agencies. (Standard and Poor’s recently announced it was increasing the importance of Enterprise Risk Management when assessing credit worthiness). Feedback from a number of public sector organisations suggested that any assessment should support the government regulatory requirement such as those from the Audit Commission.

Assessment

A key part of the proposed BS31100 Benchmarking group will be assessment against BS31100 practices. Originally it was thought that the assessment process would simply be a web-based self-assessment with a report showing gaps and comparisons. However feedback suggests that while this process would be a good starting point, there should be some further in-depth assessment options particularly focused on what actions to take to close identified gaps and generate culture change in participant organisations. Additionally, it was felt that a simple report was not sufficient and there was a desire to incorporate assessment results into a maturity model, which could demonstrate improvements over time. There were mixed views on which maturity model to use and this seems to be driven by industry.

Working with other relevant groups

There was strong feedback that the proposed BS31100 Benchmarking group should be both independent of, but work alongside, other relevant groups, such as IRM and ALARM.

This is the initial feedback and we would welcome further comments.