Measuring the Maturity of Risk Management

I am in the process of writing an article on assessing risk management and wanted to include an example of a maturity model. It would have to be one that is clear, and the vision embodied in the highest level would have to be something that I agree is both aspirational and achievable.

One source is the oft-referenced Carnegie Mellon University Capability Model. Another risk management maturity model resource is the Risk and Insurance Management Society (RIMS). The RIMS Maturity Model assesses defined attributes of the risk management program and places each at one of six maturity levels, from Non-Existent to Leadership.

The maturity model I included (shown below) is derived from multiple sources, including the Chelan County Public Utility District, Washington. The risk management program as a whole is assessed based on five levels:

Level 1: Ad hoc. Undocumented; in a state of dynamic change; depends on individual heroics.

Level 2: Preliminary. Risk defined in different ways and managed in silos. Process discipline is unlikely to be rigorous.

Level 3: Defined. A common risk assessment/response framework is in place. An organization-wide view of risk is provided to executive leadership. Action plans are implemented in response to high-priority risks.

Level 4: Integrated. Risk management activities coordinated across business areas. Common risk management tools and processes used where appropriate, with enterprise-wide risk monitoring, measurement and reporting. Alternative responses analyzed with scenario planning. Process metrics in place.

Level 5: Optimized. Risk discussion is embedded in strategic planning, capital allocation, and other processes, and in daily decision-making. An early warning system notifies the board and management of risks above established thresholds.

  1. Do you like the model?
  2. Can you share a reference to a better model?
  3. What are your experiences using maturity models for risk management?
  4. Where does your program lie?
  • I like your maturity model. I just wonder if we have the tools ready for risk management for the higher maturity levels. We started some research on integrating risk management into BPM systems (e.g. SAP Netweaver BPM). There is nearly nothing out there. We have developed an approach (to be prototyped), where you can define risk rules. The monitoring system evaluates the risk of currently executed business processes (by predicting their future execution). If the risk is over a certain threshold then counter-measures are initiated (e.g. stopping process, initiate mitigation process or inform risk owner).
    Do you think this is interesting?
  • Joern, that’s an interesting question. I believe we do have the tools, but first the organization has to embrace the vision. Then, you can identify the risks to monitor and manage and see how you can do so effectively. I personally believe BI has a major part to play, but so does integration between and among various SAP enterprise applications – such as Strategy and Risk.