Risk Management Maturity Model

I am working on a Thesis involving RM Maturity Model.

Found the RKSM model within CMMi and the M_o_R model.

Additionally I found some "commercial" Maturity Models.


Anyone who can give me some references or pointers?






  • The maturity of an organisation's Risk Management processes should be tracked from no formal process to organisations where Risk Management is fully integrated into all Business aspects of the Organisation and this should be able to cover all types of Organisations.


    Normally there are 4 levels of Risk Management processes as given below depending on the stage of maturity. Risk Management culture is best at Level 4.


    Level 1 - Ad hoc

    Level 2 - Initial

    Level 3 - Repeatable

    Level 4 - Managed


  • Stef,

    In ISACA's Risk IT Framework you find maturity models for each of the three domains:

    • Risk Governance
    • Risk Evaluation
    • Risk Response

    Boards and executive management need to consider how effective their enterprises are at managing IT risk and should be able to answer these related questions:

    • What are the enterprise's peers doing to manage IT risk, and how does the enterprise compare to them?
    • What are the proven good practices in IT risk management, and how does the enterprise compare to them?
    • Based on these comparisons, is the enterprise doing enough?
    • How does the enterprise identify what it needs to do to reach the level of IT risk management that is sought?

    It can be difficult to obtain meaningful answers to these questions. Management is constantly looking for benchmarking and self-assessment tools in response to the need to know what to do to achieve the best results. One such tool is maturity modelling, which can enable the enterprise to rate itself from the least mature level (having non-existent or unstructured processes) to the most mature (having adopted and optimised the use of good practices).

    When modelling maturity, it is useful to identify a limited number of levels. A larger number would render the system difficult to use and suggest a precision that is not justifiable. In general, the purpose is to identify where enterprises are for certain activities and suggest how to set priorities for improvements.

    The Risk IT maturity levels are designed as profiles in which an enterprise can identify symptoms or descriptions of its current and possible future states. Each enterprise will recognise that many of its processes are at different maturity levels; for example, some processes may be at level 1, some at level 3 and others at level 4. In this way, the maturity models are designed to enable management to focus on key areas needing attention, rather than on trying to get all processes stabilised at one level before moving to the next.

    Using the Risk IT maturity models, management can identify:

    • The actual performance of the enterprise - Where the enterprise is today
    • The enterprise's target for improvement - Where the enterprise wants to be

    In ISACA's Risk IT Framework, for each domain, both high-level and detailed versions of the maturity model are provided. The detailed versions are built around the following attributes, each of which evolves through the categories:

    • Awareness and communication
    • Responsibility and accountability
    • Goal setting and measurement
    • Policies, standards and procedures
    • Skills and expertise
    • Tools and automation

    The maturity model scales can help management understand where shortcomings exist and set targets for where they need to be. The most appropriate maturity level for an enterprise will be influenced by the enterprise’s business objectives, the operating environment and industry practices. Specifically, the level of IT risk management maturity will depend on the enterprise’s dependence on IT, its technological sophistication and, most important, the future role its executives and management foresee for information technology.

    Best regards


  • I have used risk management maturity models for some time. Happy to compare notes. They are very useful for setting a risk management strategy and happy to exchange ideas over email.
  • In my research center we use the ISO 15504 maturity model.

    Some of my colleagues applied them to Basel II requirements.

    It may interest you.



  • Try www.rims.com - they have a very good one.



  • ISACA material "Risk IT Framework" is useful.



    More detail is available from


    (ISACA members only)
