I am in the process of writing an article on assessing risk management and wanted to include an example of a maturity model. It would have to be one that is clear, and the vision embodied in the highest level would have to be something that I agree is both aspirational and achievable.
One source is the oft-referenced Carnegie Mellon University Capability Model. Another risk management maturity model resource is the Risk and Insurance Management Society (RIMS). The RIMS Maturity Model assesses defined attributes of the risk management program and places each at one of six maturity levels, from Non-Existent to Leadership.
The maturity model I included (shown below) is derived from multiple sources, including the Chelan County Public Utility District, Washington. The risk management program as a whole is assessed based on five levels:
- Level 1: Ad hoc. Undocumented; in a state of dynamic change; depends on individual heroics.
- Level 2: Preliminary. Risk is defined in different ways and managed in silos. Process discipline is unlikely to be rigorous.
- Level 3: Defined. A common risk assessment/response framework is in place. An organization-wide view of risk is provided to executive leadership. Action plans are implemented in response to high-priority risks.
- Level 4: Integrated. Risk management activities are coordinated across business areas. Common risk management tools and processes are used where appropriate, with enterprise-wide risk monitoring, measurement and reporting. Alternative responses are analyzed with scenario planning. Process metrics are in place.
- Level 5: Optimized. Risk discussion is embedded in strategic planning, capital allocation, other processes and daily decision-making. An early warning system notifies the board and management of risks above established thresholds.
- Do you like the model?
- Can you share a reference to a better model?
- What are your experiences using maturity models for risk management?
- Where does your program lie?