In evaluating the effectiveness of the risk management frameworks, the IIRM Risk Management Maturity Model (“RMMM”) forms the cornerstone of our risk management maturity assessment methodology.
RMMM covers following eight core areas with each category having an individual assessment that is then aggregated to provide an overall maturity level:
To rate the level of risk maturity, all eight core areas are examined through desk based review and meetings with relevant management and staff. The RMMM describes an improvement path from a very basic and immature Risk Management function to a mature and advanced function focused on continuous improvements. The Model consists of following five risk management maturity levels to gauge risk maturity:
Level |
Level Name |
Description |
1 |
Very Basic |
Minimal or no awareness and understating / No process in place / Unsatisfactory |
2 |
Basic |
Applied inconstantly / Some formal processes in place / Satisfactory |
3 |
Emerging |
Implemented consistently across the organisation/ Not all the processes implemented fully / Good |
4 |
Mature |
Consistently and fully implemented. / Processes are reviewed for improvements / Very Good |
5 |
Advanced |
Risk management is considered a value driver / Advanced processes are used / Excellent |
Level |
Score |
Descriptor |
1. Very Basic
|
1-20 |
The organisation has minimal or no awareness and understating of risk management. Risk management is performed on an ad hoc basis by individuals. No processes in place. |
|
21-40 |
Risk management applied inconsistently with limited standardisation. Some formal processes in place. |
|
41-60 |
A risk management framework exists with defined and documented risk management principles. Risk management applied consistently throughout the organisation. Not all processes have been fully implemented. |
|
61-80 |
The organisation is proactive in risk management. Risk management is consistently and fully implemented across the organisation. Key risk indicators are used for major risks. Risk management processes are monitored and reviewed for continues improvements. |
|
81-100 |
Risk management is considered a value driver and proactively used for day to day decision making and pursuit of opportunities. KRIs and predictive risk analytics are proactively used to identify and monitor risks. Advanced and sophisticated risk management processes are used. |