Risk Management Maturity Model

The IIRM Risk Management Maturity Model (“RMMM”) is the cornerstone of our risk management maturity assessment methodology for evaluating the effectiveness of risk management frameworks.

Core Areas

The RMMM covers the following eight core areas. Each area is assessed individually, and the results are then aggregated to give an overall maturity level:

  1. Risk context
  2. Risk culture
  3. Risk identification
  4. Risk assessment
  5. Risk treatment
  6. Communication and reporting
  7. Review
  8. Risk management systems

Risk Maturity Levels

To rate the level of risk maturity, all eight core areas are examined through desk-based review and meetings with relevant management and staff. The RMMM describes an improvement path from a very basic and immature risk management function to a mature and advanced function focused on continuous improvement. The Model consists of the following five risk management maturity levels:

| Level | Level Name | Description |
|-------|------------|-------------|
| 1 | Very Basic | Minimal or no awareness and understanding / No process in place / Unsatisfactory |
| 2 | Basic | Applied inconsistently / Some formal processes in place / Satisfactory |
| 3 | Emerging | Implemented consistently across the organisation / Not all the processes implemented fully / Good |
| 4 | Mature | Consistently and fully implemented / Processes are reviewed for improvements / Very Good |
| 5 | Advanced | Risk management is considered a value driver / Advanced processes are used / Excellent |

Overall Assessment Levels / Rating

| Level | Score | Descriptor |
|-------|-------|------------|
| 1. Very Basic | 1-20 | The organisation has minimal or no awareness and understanding of risk management. Risk management is performed on an ad hoc basis by individuals. No processes in place. |
| 2. Basic | 21-40 | Risk management is applied inconsistently with limited standardisation. Some formal processes in place. |
| 3. Emerging | 41-60 | A risk management framework exists with defined and documented risk management principles. Risk management is applied consistently throughout the organisation. Not all processes have been fully implemented. |
| 4. Mature | 61-80 | The organisation is proactive in risk management. Risk management is consistently and fully implemented across the organisation. Key risk indicators are used for major risks. Risk management processes are monitored and reviewed for continuous improvement. |
| 5. Advanced | 81-100 | Risk management is considered a value driver and proactively used for day-to-day decision making and pursuit of opportunities. KRIs and predictive risk analytics are proactively used to identify and monitor risks. Advanced and sophisticated risk management processes are used. |

© 2016 Investors in Risk Management