Risk Management Maturity
Risk management allows your business to improve the way it delivers projects and programs. It helps to make sure the work you are doing is realistic and correctly estimated, with a level of business risk appropriate to both the work and the company’s appetite for taking risks.
But risk management isn’t something that stands still. As your business grows in size and capability, as new staff start and new projects begin, you’ll want to deepen the team’s understanding of risk management and build good practice into the way you deliver change.
How well a company implements and improves the way it handles risk is a measure of its risk management maturity.
If you’re not sure where to start with improving risk management in your business, a risk maturity assessment is a great place to gain solid insights into strengths and areas for improvements. Before we dive into that, let’s clarify what we mean by risk management maturity.
What is risk management maturity?
Risk management maturity is a journey to professional standards of risk management practice. It’s a way of developing how you manage enterprise and project risk by building a risk management framework that supports the way you want to do business.
Maturity is measured in levels. Your maturity level will take into account the processes, methods, culture, technology and governance structures of the organization.
What is a risk management maturity assessment?
A risk management maturity assessment is simply a way of establishing where the business currently stands with regard to risk maturity. It’s a way of benchmarking your organization against best practice for risk management.
A Risk Management Maturity Assessment (RMMA) examines a number of areas related to risk and assesses how well your organization meets best practice in each. The RMMA we use looks at six areas:
- Sponsor and management
- Risk identification
- Risk analysis
- Risk response planning
- Risk management and project management processes
- Environment and principles
Each area is individual and reviewed separately, but when taken together they give you and your leadership teams a good understanding of how you are performing across the board.
Risk management capability maturity levels come out of the assessment and help you understand the next steps for deepening your practices and improving performance.
When you secure the support of experts to deliver an assessment, they may use a risk management maturity checklist as a starting point for the discussion. They’ll also probably want to see your teams in action, and may want to interview key members of staff.
Then they will write up their findings and present the results back to you, along with a full explanation of what the results mean.
What is a risk maturity model?
A risk maturity model is a way of categorizing different levels of risk maturity so that you can compare your performance against them. For example, the maturity model we use has five levels. If you are just starting out with risk management, you may expect your business to be assessed as ‘ad hoc’ or ‘basic’ in many areas. If you’ve spent a lot of time improving risk management across the organization, your assessment may report you as ‘defined’ or ‘improving’.
The results of a risk management maturity assessment are mapped against the maturity model to help you understand your current level of risk management performance. Using a model means it’s easy to see the next level, which you can choose to adopt as a target.
You might not be assessed as the same maturity level across all dimensions of an assessment. For example, you could be ranked as ‘defined’ in some areas, but ‘basic’ in others. It’s common for leadership teams to focus on areas where they can derive the most benefit, so don’t be surprised if your results reflect that.
Read next: Our article on how to measure risk maturity explains the five levels we use in assessments.
There’s a temptation to think that you have to rank ‘top’ in every aspect in order to be considered ‘mature’, but that isn’t always the case. You get to decide what level of risk management is appropriate for the business you run. You might not need to implement measures that would put you at the top of the maturity model – that might be overkill for your teams.
Understanding the risk maturity model can help you create a risk appetite statement that reflects where you want to be with your risk management practices.
What is a risk appetite statement?
A risk appetite statement describes the type and amount of risk an organization is willing to take (or avoid) as part of its day-to-day operations and project work. For example, a bank might describe the type of funds it is not prepared to invest in, or the amounts it is prepared to have under certain types of management. An IT firm making digital apps might describe how many clients it is prepared to work with at any one time to mitigate the risk of non-delivery.
You can craft a risk appetite statement to meet your own requirements – your risk management team or risk experts can help your organization come up with a statement that suits your organization. It’s not something to rush, as it forms the basis of risk-related decisions and needs full commitment from the senior management team.