
Risk maturity model: How it works and how to use one

Explore risk maturity models and assessment tools for enhancing enterprise risk management. Improve ERM programs to mitigate risk and gain a competitive edge.

Risk management is critical to business success, and using a risk maturity model gives companies the assessment tools they need to ensure they're prepared to manage risks effectively.

Businesses and their partners, vendors and suppliers are increasingly connected. Risks that one faces can have ripple effects across the global supply chain. The pervasive use of technology, including the adoption of AI tools in the enterprise, further expands the list of business risks for companies. Now more than ever, organizations must have mature risk management programs to deal with the dynamic nature of risk.

What is risk maturity?

Risk maturity is a measure of how well an organization identifies, assesses, manages and monitors risk. It refers to the quality and integration of an organization's risk management practices. An organization with a high level of risk maturity will be effective at making risk-informed decisions and achieving desired risk management outcomes.

A mature organization understands its risk appetite and risk tolerance and can effectively manage an acceptable level of risk. It can gather data on risks from all parts of the organization and communicate effectively to all stakeholders, providing actionable information to business leadership.

What is a risk maturity model, and why should you use one?

A risk maturity model (RMM) is an assessment tool for evaluating an organization's progress toward its enterprise risk management (ERM) program goals. For risk and corporate governance professionals, risk maturity models can be useful resources when planning, implementing and updating an ERM strategy, as well as for improving communication about the strategy more broadly throughout the organization.

RMMs are often based on established risk management standards, such as ISO 31000 and the COSO ERM framework. They also mirror other established maturity models, such as the Capability Maturity Model framework used in software development.

Organizations should use an RMM to do the following:

  • Assess current risk management capabilities against an established standard.
  • Identify areas for improving risk management programs.
  • Establish repeatable ERM policies and procedures.
  • Consolidate ERM workflows across disparate departments.
  • Make intelligent risk-based decisions quickly.
  • Implement a comprehensive ERM technology stack to centralize risk information and automate risk policy enforcement.
  • Continuously track ERM programs over time.

Many companies use ERM initiatives and their risk maturity as a competitive advantage in addition to avoiding business pitfalls. The pitfalls -- the negative risks a company faces -- could be anything from operational issues to financial, legal, regulatory compliance and reputational problems, among others. One risk that companies across industries face is the threat of weather-related disasters. Another more IT-specific risk is cybercrime.

But chief risk officers and their teams can also use a risk maturity model to help generate more profitable business opportunities through the effective management of positive risks. Those are risks that can increase business value if managed successfully, such as introducing new products. In addition, RMMs can be used to benchmark against business peers and industry best practices.

Levels of risk maturity

Risk maturity level designations and definitions vary somewhat by model, but there are generally four or five levels of maturity that an organization can attain, as in the following examples of two foundational frameworks for measuring risk maturity.

Hillson's 4 stages of risk maturity

Risk management thought leader David A. Hillson, aka the Risk Doctor, specified four separate risk maturity levels in his article "Towards a Risk Maturity Model" in the spring 1997 edition of The International Journal of Project and Business Risk Management:

  1. Naïve. The organization is largely unaware of the concept of risk and does not have a formal approach to deal with uncertainty. Management processes are reactive and repetitive. There is little to help management learn from the past or prepare for the future.
  2. Novice. The organization is intent on developing a risk management strategy but has no formal processes in place. Risk management efforts are uncoordinated.
  3. Normalized. Risk management is fully integrated into business practices and consistently applied throughout the organization. The benefits of risk management are understood because it is embedded in all levels of the organization and its culture.
  4. Natural. There is a proactive approach to risk management and risk-aware culture in all parts of the organization. The organization uses risk information to improve business processes and gain competitive advantages.

Hillson's four levels apply to an organization's culture, its business processes, the experience level of employees and the application of processes. Another way to frame these categories is governance, process, people and technology.

Minsky's 5 stages of risk maturity

Another RMM iteration -- coined by Steven Minsky, founder and CEO of risk management software provider LogicManager -- features five levels of maturity:

  1. Ad hoc. Risk management is unstructured, undocumented and largely dependent on individual efforts.
  2. Initial. Risk management efforts are inconsistent and managed in silos. There is sparse, if any, top-down management.
  3. Repeatable. The organization has a risk assessment framework in place. Leadership has risk awareness, and a formal risk management process exists but is not fully integrated. Governance and guidance are documented.
  4. Managed. Risk management activities are integrated across the business. Risk management tools aid with monitoring, measuring and reporting on risk. Management is more tactical than strategic. The organization can make quantifiable risk decisions.
  5. Leadership. Risk management is implemented in the context of broader enterprise objectives. A risk management strategy is instituted at all levels and geared toward continuous improvement. The ERM strategy creates new opportunities for business growth in addition to supporting risk mitigation.

[Image: Illustration of the Minsky risk maturity model, which ranks organizations from level one, ad hoc, to level five, leadership.]
Risk maturity models, such as the Minsky one outlined here, typically rate organizations across four or five levels of maturity, from reactive to proactive.

Upon evaluation, each of 25 "success components," spanning the following seven attributes of effective ERM initiatives, is assigned one of those five maturity levels, and the results are combined to produce an overall maturity score:

  • Adoption of an ERM-based approach.
  • ERM process management.
  • Risk appetite management.
  • Root cause discipline.
  • Uncovering risks.
  • Performance management.
  • Business resiliency and sustainability.

No matter the specific maturity model framework, the levels in an RMM typically progress from reactive to proactive as the organization becomes more risk mature. Many newer iterations closely resemble the Minsky and Hillson models but use other designations to describe the different stages of maturity, such as Ad hoc, Preliminary, Defined, Integrated and Optimized in an RMM created by risk management thought leader Norman Marks.

How to assess your level of risk maturity

Start by auditing the company's risk maturity against the criteria laid out in the RMM. Assign the organization the appropriate level of maturity for each attribute. The model will show management where the organization excels and where it needs improvement.

An organization can use a risk maturity assessment to make enterprise-wide improvements toward its own goals. The organization can also use an assessment to rate itself against competing organizations and improve to gain a competitive advantage.

Some ERM software providers offer their own RMMs and guide client organizations through a managed risk maturity assessment. Industry groups also make online assessment tools available. For example, the Risk and Insurance Management Society (RIMS) offers one that was jointly developed with LogicManager based on Minsky's model.

In using an RMM to assess risk maturity, consider the following questions throughout the process to help determine areas where the organization is succeeding on risk management and where improvement might be necessary:

  • How effective is the organization's root cause discipline when it comes to analyzing risk? A root cause discipline is the process for identifying the underlying causes of risks. Determine whether your organization focuses on surface-level risk indicators or systematically investigates the source of vulnerabilities and other issues.
  • How effective are risk detection capabilities? Gauge the organization's ability to gather and process information about risks. This applies to detection of new risks and changes to known ones.
  • What is the process for communicating risk? Assess the organization's formal channels for communicating risk information to leadership based on frequency, format and actionability.
  • What is the organization's risk response time? Assess the organization's ability to quickly implement mitigation strategies in response to identified risks.
  • Are risk and performance management integrated? Find the degree to which risk metrics are integrated with the measurement, communication and planning of organizational goals. Is risk-informed decision-making recognized and rewarded?
  • Do risk management efforts support organizational resilience? Determine whether the risk management program supports the organization's ability to anticipate disruptions, adapt to changing conditions and maintain critical functions during an adverse event.
  • Does risk analysis influence strategic planning? Determine the degree to which risk analysis is embedded in the organization's culture. Does leadership treat risk as a fundamental strategic consideration or a compliance exercise?
  • What is the company's threshold for acceptable risk? Evaluate established risk appetite, risk tolerance and risk awareness across different business processes and units.

How to act on your risk maturity assessment

Organizations can use their risk maturity assessment to help gain a competitive advantage, improve internal processes, avoid disasters and improve investment decisions.

Depending on an organization's standing maturity level, different actions can be taken to advance its risk maturity. Here are some suggested actions for companies at the different stages of Minsky's risk maturity model.

If you are in the ad hoc stage of risk maturity

Ad hoc organizations need to focus on implementing the beginnings of a risk management program. An ad hoc organization in the beginning stages of risk maturity should do the following:

  • Create a risk management office or dedicated department.
  • Define the different categories of risk it faces at a high level.
  • Identify an ERM implementation framework.
  • Design a training program.

If you are in the initial stage of risk maturity

Organizations at the initial stage should work on turning fragmented ERM processes into standardized, repeatable ones. They should do the following:

If you are in the repeatable stage of risk maturity

Organizations at the repeatable stage should work to formalize standardized ERM processes across the business and secure support from senior leadership. They should do the following:

  • Formalize the ERM training program.
  • Define a methodology for aligning ERM with internal processes.
  • Formally define the company's risk profile, appetite and tolerances.
  • Make risk-related information visible and accessible across the organization.

If you are in the managed stage of risk maturity

Managed organizations are successful at tactically dealing with risk and can focus on making ERM more proactive and strategic. They should do the following:

  • Implement mature supporting processes across the business.
  • Develop key risk indicators (KRIs) that enable predictive capabilities.
  • Use risk reporting tools to aid in decision-making.

If you are in the leadership stage of risk maturity

Leadership organizations find ways to create business value in the ERM program. They should do the following:

  • Link risk to performance measurements.
  • Make risk a general budget criterion.
  • Integrate risk into broader digital transformation plans.
  • Implement KRIs and predictive capabilities.

Examples of RMMs and frameworks

RMMs help organizations develop ERM programs that adhere to risk management frameworks and generate value for the organization. The following are some examples of risk management frameworks:

  • COSO ERM framework. The COSO framework for enterprise risk management defines main ERM principles and concepts and provides a common language for communicating about ERM. It also provides guidance for ERM programs. Formally known as the Committee of Sponsoring Organizations of the Treadway Commission, COSO defines ERM as "the culture, capabilities and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving and realizing value."
  • ISO 31000. ISO 31000 provides principles, processes and a framework to guide organizations through risk management. Developed by the International Organization for Standardization, commonly known as ISO, the standards help identify opportunities and threats, allocate resources and achieve risk objectives.
  • BS 31100. This British Standard provides a process for implementing and maintaining concepts in ISO 31000, such as identifying, assessing, responding to, reporting and reviewing risks. It's paired with a U.K. version of ISO 31000. Similarly, the American National Standards Institute offers a U.S. version of the ISO standard.
  • FAIR. Factor Analysis of Information Risk is a model that evaluates factors that make up different types of cyber-risk and quantifies them as a dollar value. In the model, developed by the FAIR Institute, risk is defined by probable frequency and probable magnitude for future loss.
  • NIST Risk Management Framework. The NIST RMF provides a seven-step process for integrating cybersecurity, privacy and supply-chain risk management processes in accordance with broader NIST standards and guidelines. The framework helps programs comply with the Federal Information Security Modernization Act.
  • Control Objectives for Information Technologies (COBIT). ISACA, formerly known as the Information Systems Audit and Control Association, sponsors COBIT, which is an IT governance framework used to ensure the quality, control and reliability of information systems. The framework also helps organizations align business goals with IT goals, maintain compliance with the Sarbanes-Oxley Act and avoid risk related to data retention. The latest version, as of this writing, is COBIT 2019, which adds guidance for digital transformation.

RMMs cover the principles codified in the risk management frameworks. Some examples of RMMs include the following:

  • RIMS Risk Maturity Model. This is a best practice framework and online assessment tool for risk management professionals from RIMS. It helps ERM professionals and stakeholders measure, plan and educate others about ERM programs. It was last updated in April 2022. As mentioned previously, it was developed in conjunction with software provider LogicManager, which also offers an online risk maturity assessment tool based on the RMM.
  • OECD Enterprise Risk Management Maturity Model. The Organisation for Economic Co-operation and Development's ERM maturity model provides government tax administrations with a framework for self-assessment and improvement of risk management processes.
  • Origami Risk ERM Maturity Assessment. Origami Risk is another risk management platform vendor that provides a tool for assessing organizations' stages of risk maturity.
  • ProSight Risk Maturity Framework. Jointly developed by ProSight Financial Association, a financial services industry group, and software vendor SRA Watchtower, this framework is designed to help firms evaluate their maturity across nine areas, including risk governance and management of risks at both the enterprise and departmental levels.
  • IIRM Risk Management Maturity Model. The RMMM, developed by accreditation and advisory services firm Investors in Risk Management (IIRM), provides a maturity model with eight individual assessments in the areas of risk context, culture, identification, assessment, treatment, reporting and review, plus risk management systems.
  • Capability Maturity Model Integration. CMMI is a model that helps improve and streamline business processes. While primarily a tool for assessing and enhancing business processes, it can be used as an RMM to help improve risk management.

Ben Lutkevich is site editor for Informa TechTarget Software Quality. Previously, he wrote definitions and features for Whatis.com.
