Risk Management Maturity Model

In evaluating the effectiveness of risk management frameworks, the IIRM Risk Management Maturity Model (“RMMM”) forms the cornerstone of our risk management maturity assessment methodology.

Core Areas

The RMMM covers the following eight core areas. Each area is assessed individually, and the results are then aggregated to provide an overall maturity level:

  1. Risk context
  2. Risk culture
  3. Risk identification
  4. Risk assessment
  5. Risk treatment
  6. Communication and reporting
  7. Review
  8. Risk management systems

Risk Maturity Levels

To rate the level of risk maturity, all eight core areas are examined through desk-based review and meetings with relevant management and staff. The RMMM describes an improvement path from a very basic and immature risk management function to a mature and advanced function focused on continuous improvement. The Model consists of the following five risk management maturity levels to gauge risk maturity:

Level and name, with summary characteristics and rating:

  1. Very Basic: Minimal or no awareness and understanding / No process in place / Unsatisfactory
  2. Basic: Applied inconsistently / Some formal processes in place / Satisfactory
  3. Emerging: Implemented consistently across the organisation / Not all the processes implemented fully / Good
  4. Mature: Consistently and fully implemented / Processes are reviewed for improvements / Very Good
  5. Advanced: Risk management is considered a value driver / Advanced processes are used / Excellent

Overall Assessment Levels / Rating

  1. Very Basic

The organisation has minimal or no awareness and understanding of risk management. Risk management is performed on an ad hoc basis by individuals. No processes are in place.

  2. Basic

Risk management is applied inconsistently, with limited standardisation. Some formal processes are in place.

  3. Emerging

A risk management framework exists with defined and documented risk management principles. Risk management is applied consistently throughout the organisation. Not all processes have been fully implemented.

  4. Mature

The organisation is proactive in risk management. Risk management is consistently and fully implemented across the organisation. Key risk indicators are used for major risks. Risk management processes are monitored and reviewed for continuous improvement.

  5. Advanced

Risk management is considered a value driver and is proactively used for day-to-day decision making and the pursuit of opportunities. Key risk indicators (KRIs) and predictive risk analytics are proactively used to identify and monitor risks. Advanced and sophisticated risk management processes are used.

© 2016 Investors in Risk Management