
Explaining risk maturity models and how they work

Explore risk maturity models and assessment tools for enhancing enterprise risk management. Improve ERM programs to mitigate risk and gain a competitive edge.

Risk management is more important than ever, and a risk maturity model gives businesses the tools they need to be prepared.

Businesses, vendors and suppliers are increasingly connected. Risks that one faces can have ripple effects across the global supply chain. It's important for organizations to have mature enterprise risk management programs to deal with the dynamic nature of risk.

What is risk maturity?

Risk maturity is a measure of how well an organization identifies, assesses, manages and monitors risk. It refers to the level of quality and integration of an organization's risk management practices. An organization with a high level of risk maturity will be effective at making risk-informed decisions and achieving desired outcomes.

A mature organization understands its risk appetite and can effectively manage an acceptable level of risk. It can gather data on risks from all parts of the organization and communicate effectively to all stakeholders, providing actionable information to leadership.

What is a risk maturity model, and why use one?

A risk maturity model (RMM) is an assessment tool for evaluating an organization's progress toward its enterprise risk management (ERM) program goals. For risk and corporate governance professionals, an RMM is a useful resource when planning, implementing and maturing ERM strategy, and when communicating that strategy more broadly throughout the organization.

RMMs are often based on established standards, such as the International Organization for Standardization's ISO 31000 risk management standard and the COSO ERM framework from the Committee of Sponsoring Organizations of the Treadway Commission. The RMM mirrors other established maturity models, such as the Capability Maturity Model (CMM) used in software development.

Organizations should use an RMM to do the following:

  • Assess current risk management capabilities against an established standard.
  • Identify areas for improving risk management programs.
  • Establish repeatable ERM policies and procedures.
  • Consolidate ERM workflows over disparate departments.
  • Make intelligent risk-based decisions quickly.
  • Implement a comprehensive ERM technology stack that lets companies centralize risk information and automate risk policy enforcement.
  • Continuously track ERM programs over time.

Many companies use ERM and risk maturity as a competitive advantage in addition to avoiding pitfalls. The pitfalls -- the risks a company faces -- span every category of risk. One that companies across industries face is the threat of weather-related disasters. Another, more IT-specific, risk is cybercrime.

Companies can also use an RMM to benchmark themselves against peers and industry best practices. Chief risk officers can use risk as a way to generate more profitable opportunities.

Levels of risk maturity

Risk maturity levels may vary slightly by model, but there are generally four or five levels of maturity that an organization can attain.

Risk management thought leader David A. Hillson, aka the Risk Doctor, specified four risk maturity levels in his article "Towards a Risk Maturity Model" in the spring 1997 edition of The International Journal of Project and Business Risk Management:

  1. Naïve. The naïve organization is largely unaware of the concept of risk and does not have a formal approach to deal with uncertainty. Management processes are reactive and repetitive. There is little to help management learn from the past or prepare for the future.
  2. Novice. The novice organization is intent on developing a risk management strategy but has no formal processes in place. Risk management efforts are uncoordinated.
  3. Normalized. Risk management is fully integrated into business practices and consistently applied throughout the organization. The benefits of risk management are understood as it is embedded in all levels of the organization and its culture.
  4. Natural. The organization takes a proactive approach to risk management and has a risk-aware culture in all of its parts. It uses risk information to improve processes and gain a competitive advantage.

Hillson's four levels apply to an organization's culture, its business processes, the experience level of employees, and application of processes. Another way to frame these categories is governance, process, people and technology.

Another iteration of the RMM -- coined by Steven Minsky, founder of risk management software provider LogicManager -- features five levels of maturity:

  1. Ad hoc. Risk management is unstructured, undocumented and largely dependent on individual efforts.
  2. Initial. Risk management efforts are inconsistent and managed in silos. There is sparse, if any, top-down management.
  3. Repeatable. The organization has a risk assessment framework in place. Leadership has risk awareness, and a formal risk management process exists, but it is not fully integrated. Governance and guidance are documented.
  4. Managed. Risk management activities are integrated across the business. Risk management tools are used to aid with monitoring, measuring and reporting. Management is more tactical than strategic. The organization can make quantifiable risk decisions.
  5. Leadership. Risk management is implemented in the context of broader enterprise objectives. Risk management strategy is implemented at all levels and geared toward continuous improvement. ERM strategy creates new opportunities for growth as well as mitigating existing risk.
Figure (risk maturity levels): Risk maturity models rate organizations across five levels of maturity, from reactive to proactive.

In this model, each of the following seven attributes is rated on those five maturity levels during evaluation:

  1. Executive support for an ERM-based approach.
  2. ERM process management.
  3. Risk appetite management.
  4. Root cause discipline.
  5. Uncovering risks.
  6. Performance management.
  7. Business resilience and sustainability.

No matter the specific model framework, the levels in an RMM typically progress from reactive to proactive as the organization becomes more risk mature.

How to assess your level of risk maturity

Audit the company's risk maturity against the criteria laid out in the RMM. Assign the organization the appropriate level of maturity for each attribute. The model will show management where the organization excels and where it needs improvement.

An organization can use a risk maturity assessment to make improvements toward its own goals. The organization can also use an assessment to rate itself against competing organizations and improve to gain a competitive advantage.

Some ERM software providers offer their own RMMs and guide client organizations through a managed risk maturity assessment. The Risk and Insurance Management Society (RIMS) also offers a free online assessment tool.

How to act on your risk maturity assessment

Organizations can use the risk maturity assessment to gain a competitive advantage, improve internal processes, avoid disasters and improve investment decisions.

There are different actions an organization can take to advance its risk maturity, depending on its current maturity level.

  • Ad hoc organizations need to focus on implementing the beginnings of a risk management program. An ad hoc organization in the beginning stages of risk maturity should do the following:
    • Create a risk management office or dedicated department.
    • Define the different categories of risk at a high level.
    • Identify an ERM implementation framework.
    • Design a training program.
  • Organizations at the initial stage should work on turning fragmented ERM processes into standardized repeatable ones. They should do the following:
    • Define a risk governance structure.
    • Assign roles for ERM processes.
    • Develop an ERM implementation plan.
    • Establish templates for risk profiling and registering.
  • Organizations at the repeatable stage should work on formalizing standardized ERM processes across the business and on securing support from senior leadership. They should do the following:
    • Formalize the training program.
    • Define a methodology for aligning ERM with internal processes.
    • Formally define the company's risk profile, appetite and tolerances.
    • Make risk-related information visible and accessible across the organization.
  • Managed organizations are successful at tactically dealing with risk and can focus on making ERM more proactive and strategic. They should do the following:
    • Implement mature supporting processes across the business.
    • Develop key risk indicators that enable predictive capabilities.
    • Use risk reporting tools to aid in decision making.
  • Leadership organizations find ways to create value in the ERM program. They should do the following:
    • Link risk to performance measurements.
    • Make risk a general budget criterion.
    • Integrate risk into broader digital transformation plans.
    • Implement key risk indicators and predictive capabilities.

Examples of RMMs and frameworks

RMMs help organizations develop ERM programs that adhere to risk management frameworks and generate value for the organization. Some risk management frameworks include the following:

  • COSO ERM integrated framework. COSO defines main ERM principles and concepts and provides a common language for communicating about ERM. It also provides guidance for ERM programs. COSO defines ERM as "the culture, capabilities and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving and realizing value."
  • ISO 31000. ISO 31000 provides principles, a framework and a process to guide organizations through risk management. The standard helps organizations identify opportunities and threats, allocate resources and achieve objectives.
  • British Standard (BS) 31100. This standard provides a process for implementing and maintaining concepts in BS ISO 31000, such as identifying, assessing, responding, reporting and reviewing risks.
  • Factor Analysis of Information Risk (FAIR). FAIR is a model that decomposes IT risk into its contributing factors and quantifies it in monetary terms. In FAIR, risk is defined by the probable frequency and probable magnitude of future loss.
  • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). Published as NIST Special Publication 800-37, the RMF provides a seven-step process (prepare, categorize, select, implement, assess, authorize and monitor) for integrating cybersecurity, privacy and supply chain risk management in accordance with broader NIST standards and guidelines. It helps federal programs comply with the Federal Information Security Modernization Act.
  • Control Objectives for Information and Related Technologies (COBIT). ISACA, formerly the Information Systems Audit and Control Association, publishes COBIT, a governance framework used to ensure the quality, control and reliability of information systems. It is commonly used to maintain compliance with the Sarbanes-Oxley Act, and it can be used to manage risk related to data retention.
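The FAIR definition above (risk as the probable frequency and probable magnitude of future loss) is easiest to see by simulation. The following Python is an added example written for this page, not code from FAIR, the Open Group or any vendor tool. It assumes a Poisson distribution for loss-event frequency, a lognormal distribution for per-event loss magnitude fitted from a calibrated 90% confidence interval, and constructed, purely illustrative numbers for a hypothetical credential-phishing scenario with an assumed MFA control. It returns the annualized loss exposure (ALE) distribution before and after the control.

```python
"""Monte Carlo estimate of annualized loss exposure (ALE), FAIR style.

Added example for this page; not the official FAIR (Open FAIR) method
or any vendor tool. Assumptions: loss-event frequency is Poisson with a
given mean per year, and per-event loss magnitude is lognormal, fitted
from a calibrated 90% confidence interval (low, high) in dollars.
"""
import math
import random
import statistics


def sample_poisson(rng, mean_per_year):
    """Number of loss events in one simulated year (Knuth's algorithm)."""
    if mean_per_year <= 0:
        return 0
    threshold = math.exp(-mean_per_year)
    count, prod = 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= threshold:
            return count
        count += 1


def lognormal_from_ci90(low, high):
    """Lognormal (mu, sigma) whose 5th/95th percentiles are low/high."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * 1.645)
    return mu, sigma


def simulate_annual_losses(freq_per_year, loss_ci90, trials=10_000, seed=1):
    """Return sorted annual losses: the sum of per-event losses in each year."""
    rng = random.Random(seed)
    mu, sigma = lognormal_from_ci90(*loss_ci90)
    years = []
    for _ in range(trials):
        events = sample_poisson(rng, freq_per_year)
        years.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    years.sort()
    return years


def percentile(sorted_values, q):
    """Nearest-rank percentile of an already sorted list."""
    index = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[index]


def summarize(annual_losses):
    """ALE statistics a risk owner would report to leadership."""
    return {
        "mean_ale": statistics.fmean(annual_losses),
        "p50": percentile(annual_losses, 0.50),
        "p90": percentile(annual_losses, 0.90),
        "p99": percentile(annual_losses, 0.99),
        "prob_any_loss": sum(1 for x in annual_losses if x > 0) / len(annual_losses),
    }


def control_benefit(freq_before, freq_after, loss_ci90, trials=10_000):
    """Compare ALE before and after a control that lowers event frequency."""
    before = summarize(simulate_annual_losses(freq_before, loss_ci90, trials, seed=1))
    after = summarize(simulate_annual_losses(freq_after, loss_ci90, trials, seed=2))
    reduction = 1.0 - after["mean_ale"] / before["mean_ale"]
    return {"before": before, "after": after, "mean_ale_reduction": reduction}


if __name__ == "__main__":
    # Constructed, hypothetical calibration: credential phishing succeeds
    # about twice a year; a single incident costs $10k to $500k (90% CI).
    # Assumed control: phishing-resistant MFA cuts frequency to 0.5/year.
    result = control_benefit(2.0, 0.5, (10_000, 500_000))
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:6s} mean ALE ${s['mean_ale']:,.0f}  p50 ${s['p50']:,.0f}  "
              f"p90 ${s['p90']:,.0f}  p99 ${s['p99']:,.0f}  P(loss) {s['prob_any_loss']:.2f}")
    print(f"mean ALE reduction from control: {result['mean_ale_reduction']:.0%}")
```

The full Open FAIR taxonomy decomposes frequency further (threat event frequency and vulnerability) and magnitude into primary and secondary loss; this example collapses each side to a single calibrated estimate so the frequency-times-magnitude structure is visible. The percentiles, not just the mean, are what make a quantified result useful: a p99 several times the mean is the number that justifies a control or an insurance limit, and comparing distributions before and after an assumed control is how a FAIR-style analysis expresses the value of a mitigation in the same units as the budget.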

RMMs cover the principles codified in the risk management frameworks. Some examples of RMMs include the following:

  • RIMS Risk Maturity Model. This is a best practice framework and free online assessment tool for risk management professionals from RIMS. It helps ERM professionals and stakeholders measure, plan and educate others about ERM programs. It was last updated in April 2022.
  • OECD ERM. The Organization for Economic Cooperation and Development's Enterprise Risk Management Maturity Model provides tax administrations a framework for self-assessment and improvement.
  • ROAR. The RiskOptics ROAR platform provides an RMM product that automates some aspects of the risk assessment and manages an organization's path to risk maturity.
  • Origami ERM maturity tool. Origami is another platform that provides support for organizations at all stages of risk maturity.
  • IIRM RMMM. The Investors in Risk Management's Risk Management Maturity Model comprises eight individual assessments in the areas of risk context, culture, identification, assessment, treatment, reporting, review and risk management systems.
  • CMMI. The Capability Maturity Model Integration is a model that helps improve and streamline business processes. It can be used to decrease risks in product development.
