IIRM

Risk Management Maturity Model

(RMMM)

Improving risk management maturity

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

www.iirmglobal.com

Overview of the Risk Management Maturity Model (RMMM)

In evaluating the effectiveness of the risk management frameworks, the IIRM Risk Management
Maturity Model (RMMM) forms the cornerstone of our risk management maturity assessment
methodology.

Core Areas
RMMM covers the following eight core areas with each category having an individual assessment
that is then aggregated up to provide an overall maturity level:
1.
2.
3.
4.
5.
6.
7.
8.

Risk context
Risk culture
Risk identification
Risk assessment
Risk treatment
Communication and reporting
Review
Risk management systems

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

Risk Maturity Levels

To rate the level of risk maturity, all eight core areas of RMMM assessed with each category having
an individual assessment that is then aggregated up to provide an overall risk maturity rating for the
organisation. The Model consists of five risk management maturity levels to gauge maturity,
Core areas 1-8 are graded using the five-point scale described below. The statements identify the
systems/evidence organisations have in place to assess risk management maturity.

Level

Level Name Description

Very Basic

Basic

Emerging

Mature

Advanced

Minimal or no awareness and understanding / No process in place /

Unsatisfactory
Applied inconsistently / Some formal processes in place /
Satisfactory
Implemented consistently across the organisation/ Not all the
processes implemented fully / Good
Consistently and fully implemented. / Processes are reviewed for
improvements / Very Good
Risk management is considered a value driver / Advanced processes
are used / Excellent

Overall assessment Levels / Rating

Levels

Score % Descriptor

1. Very Basic

1-20

2. Basic

21-40

3. Emerging

41-60

4. Mature

61-80

5. Advanced

81-100

The organisation has minimal or no awareness and understanding of

risk management. Risk management is performed on an ad hoc basis by
individuals. No processes in place.
Risk management applied inconsistently with limited standardisation.
Some formal processes in place.
A risk management framework exists with defined and documented risk
management principles. Risk management applied consistently
throughout the organisation. Not all processes have been fully
implemented.
The organisation is proactive in risk management. Risk management is
consistently and fully implemented across the organisation. Key risk
indicators are used for major risks. Risk management processes are
monitored and reviewed for continuous improvements.
Risk management is considered a value driver and is proactively used
for day to day decision making and pursuit of opportunities. KRIs and
predictive risk analytics are proactively used to identify and monitor
risks. Advanced and sophisticated risk management processes are used.

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

6Summary Maturity Level by Core Areas

5
4
3

Year 1

Year 2
Year 3

1
0

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

IIRM RMMM Levels and their distinguishing features

Very Basic (Level 1)

Emphasis on
protecting assets
Focus on physical
and financial assets
Risks managed
within functional
silos
Inconsistent
approaches
No formal risk
management
processes
Not being able to
distinguish between
positive and
negative risk
No systematic
attention to risk
management
No formal risk
management policy

Basic (Level 2)

Understand that
risks require formal
management
Establishes basic risk
management
processes
Narrow scope of risk
management,
generally restricted
to addressing critical
and pure risks
Identifying regular
risks and
establishing
insurance as the
unique strategy
Tends to be
influenced less by
formal risk
management
processes than by
the repetition of
activities and
practices that have
worked out for the
organisation before
Demonstrate an
isolation of the risk
management
function
Uses the same
measures or risk
responses that were
used the period
before
Policies would not
be reviewed nor
would the treated
risks be evaluated
Risk would be
considered a static
phenomenon
instead of a dynamic
one

Emerging (Level 3)

Define and
implement a formal
risk management
process.
Define policies and
procedures that
could guide risk
management
Seek to formalise
the risk
management
function within the
organisation
Identify risks in a
systematic manner
Analyse risks
considering their
probability and
impacts
Insurance is not the
only response to
risks
Internal and
operational risks are
identified and
included in the risk
management policy
Consider
reputational risks as
well as risks related
to the damage
inflicted on a third
party
Would mention
explicitly which
responses they have
taken for each
specific analyzed risk
Establish a clear
objective for the risk
management policy
Determine a
procedure for
reviewing and
evaluating the risk
management
program
Establish
responsibilities and
roles

Mature (Level 4)

Facilitate the
implementation of
the risk
management
perspective
Look for the
application of the
wider perspective of
risk management
Extend risk
management
processes
throughout the
organisational
hierarchy and across
all functional
boundaries
Implement a
monitoring process
to have a clear view
of the effectiveness
of the risk
management
program
Participation of top
management in
defining risk policy
and reports
Review of risk
management
process
Setting up goals,
strategies and
practices of the best
practices of risk
management
May have difficulties
adapting to the
challenges that the
context imposes on
them

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

Advanced (Level 5)

Board/executive
support of risk
management
Clear
accountabilities
Appropriate risk
oversight structures
Dedicated risk
management
coordinator
Explicit
consideration of
both operational
and strategic risks
Risk management
integrated with
operational and
general
management
processes
Clear
accountabilities and
timeframes for
treatment of risks
Differentiated risk
reporting tailored to
specific stakeholders
Regular reviews of
risk and risk
management
processes

www.iirmglobal.com

Features of Maturity by core areas

1

Context

1.1

The board and executives have expressed their support for a risk
management programme.
The organisation has identified a person who will be responsible for
implementing and controlling risk management.
The risk manager (or equivalent) has reasonable access to staff and
management personnel across the organisation.
The organisation has identified its internal and external stakeholders.
The organisation has a documented ERM Strategy.
The risk process is integrated with other organisational planning processes
- for example, risks are considered during the strategic planning, budgeting
and audit planning processes.
The risk committee (or equivalent) and the board have approved the risk
strategy.
The organisation has agreed what types and levels of risks are acceptable
(Risk appetite/tolerance).
There is a clear organisational strategy (or objectives) articulated for the
organisation.
A risk policy has been defined.
The risk committee (or equivalent) and the board have approved the risk
policy.
The organisation has defined risk management roles and responsibilities.
The job descriptions for the organisation include responsibilities for risk
management.
The organisation has an existing risk profile/ risk register.
The current approach to risk recording and reporting is meeting
organisational needs.
The organisation has defined categories of risk relevant to the organisation
and industry.
The risk categories reflect all strategic and operational risk areas of the
business.
The organisation has defined and agreed a likelihood scale to assess the
potential for risks to occur throughout the organisation.
The organisation has defined and agreed a consequence scale to help
assess risk impacts across the organisation.
The organisation's consequence scale describes both financial and nonfinancial impacts.
The risk management framework considers the effectiveness of controls or
risk treatments.
There is an agreed template or format for recording risks and risk
treatment information (a risk register).
A mechanism is in place to identify, assess, treat and review risks on
projects.
There is an agreed format/template for reporting on risk.
There is a process and/or template where new risks can be recorded.

1.2
1.3
1.4
1.5
1.6

1.7
1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22
1.23
1.24
1.25

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

Culture

1 2 3 4 5

2.1

The mission, vision, and purpose of the organisation promote a culture of

risk-awareness.
2.2 Risks are managed on a day-to-day basis as part of the application of
organisational values.
2.3 Risk management systems and processes enable effective and efficient risk
management.
2.4 The process for managing risk has been/is integrated with day-to-day
processes.
2.5 The structure enables risk-based decision-making without bureaucracy,
making jobs easier and facilitating better outcomes.
2.6 Leadership skills and attributes around risk management are fostered,
rewarded and implemented across the business.
2.7 Poor behaviours or practices around risk management are not tolerated by
leaders.
2.8 Jobs have been designed to reflect risk management and risk policies.
2.9 Various job definitions include the performance expectations around risk
management.
2.10 The accountabilities with regard to risk and risk management have been
clearly articulated.
2.11 There is a clearly articulated consensus around desired behaviours across
the business.
2.12 Desired behaviours are modelled by leaders and workers are responsive to
these behaviours.

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

Risk Identification

1 2 3 4 5

3.1

The executive and board have considered risks relating to the achievement
of key organisational goals and objectives.
3.2 Research has been performed to understand common industry-specific
risks.
3.3 A risk brainstorming workshop (or workshops) has been conducted.
3.4 Information has been gathered from different sources to identify risks.
3.5 The organisation has applied a set of risk identification tools and
techniques.
3.6 The organisation has used risk categories for comprehensiveness.
3.7 People with appropriate knowledge have been involved in identifying
possible risks.
3.8 The organisation has documented all identified risks.
3.9 The organisation has documented the risk identification process.
3.10 The organisation has assessed the effectiveness of the risk identification
process.
3.11 The organisation has identified the risk drivers for identified risks.

Risk

1 2 3 4 5

4.1

The organisation has considered the history of events and incidents in the
organisation during the risk assessment process.
4.2 Existing controls have been identified and evaluated for risks during the
risk assessment process.
4.3 The perceived effectiveness of controls has been assessed by a person who
understands the risk and the controls in place.
4.4 The risk register is updated throughout the year to reflect changes in risks.
4.5 The organisation has determined the risk likelihood for the identified risks.
4.6 The organisation has determined the risk impacts for the identified risks.
4.7 The organisation has ranked the risks based on the outcome of the risk
assessment process.
4.8 The organisation has developed a list of priority risks.
4.9 The organisation has considered the overall risk profile.
4.10 The Key Risk Indicators (KRIs) have been defined and agreed for key risks/
risk areas.
4.11 The organisation has documented the risk assessment process.

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

Risk Treatment

5.1

It is clearly specified who is accountable for every identified risk (the 'risk
owner').
It is clearly specified who is accountable for each control and action to
treat the risks.
The organisation has identified possible actions/treatment plans that could
help to reduce the risk level.
The benefits of a treatment approach have been compared to the potential
cost of the risk to determine the appropriateness of the treatment
strategy.
Risk treatment plans or action plans have been documented and approved
for important risks.
Due dates/completion dates have been agreed for risk treatment actions
and plans.
The organisation's physical assets are appropriately insured.
A Business Continuity Plan (BCP) is in place for critical organisational
functions/processes.

5.2
5.3
5.4

5.5
5.6
5.7
5.8

6
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.8
6.9
6.10
6.11
6.12
6.13
6.14
6.15
6.16
6.17

Communication and Reporting

1 2 3 4 5

1 2 3 4 5

The organisation has established a stakeholders communication plan.

The organisation has developed key messages and identified their purpose.
The organisation has identified communication owners and senders.
The organisation has identified appropriate communication channels.
The organisation has determined the timing of communication.
The organisation has determined the frequency of communication.
Staff members know to whom they should report/escalate risks.
Managers or supervisors know that they are responsible for managing risk
in their area/s of responsibility.
The executive and the board have provided guidance on what information
they would like to see in risk reports,
There is agreement on when and how often risk reports will be produced.
The recipients of risk reports have been identified and agreed.
Different risk reports can be produced to meet different needs of
stakeholder groups.
Responsibility for managing/treating specific risks has been assigned and
communicated to those who are responsible.
Staff members are encouraged and motivated to report risk or suggest risk
reduction strategies.
Reports contain current and updated quality information.
Reports are easily understandable.
Reports contain the right level of detail and are supported by detailed
underlying risk information, where appropriate.

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

Review

7.1

The organisation has established a monitoring and review cycle.

7.2

The organisation measures risk management performance.

1 2 3 4 5

7.3

The organisation reviews current risk management context to ensure it

remains aligned to the strategic intent of the organisation.
7.4 The risk process follows the steps described in the risk management
framework.
7.5 An internal audit function/process is in place.
7.6 The internal audit function or equivalent reviews risk management
processes.
7.7 Internal auditors focus their time and efforts on the most critical risks
recorded in the risk register.
7.8 The organisation tracks the changes in risk levels over time, in order to
understand trends/changes in risk levels.
7.9 The risk policy has been reviewed within the last year.
7.10 The risk committee (or equivalent) and the board have reviewed the risk
strategy.
7.11 The organisation detects changes in external and internal context,
including changes to the risk itself which may require revision of risk
treatments and priorities.
7.12 The organisation ensures that all risk control and treatment measures are
effective in both design and operation.

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

8
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
8.13
8.14
8.15
8.16
8.17
8.18
8.19
8.20
8.21
8.22
8.23
8.24
8.25
8.26
8.27
8.28
8.29
8.30
8.31
8.32
8.33
8.34

Risk Management Systems

1 2 3 4 5

The current risk register is easy to use and update.

The organisation is sufficiently large and complex to warrant the use of risk
management software.
The organisation has agreed a budget for risk management systems.
Risk rating scales (likelihood, consequence) can be customised by the user.
Risk categories can be defined by the user and sub-categories are allowed.
The organisational structure can be reflected in the risk assessment
hierarchy.
Risks can be linked to specific business processes.
Risks can be linked to one or more business objectives or strategies.
The system allows multiple access levels (view, modify, add etc.)
The system maintains an audit trail of changes to risk information over
time, notably previous risk assessment scores.
The system allows multiple users to access the data.
The system can be accessed via the web or intranet.
Multiple risk drivers (causes) can be linked to one or more risks.
Multiple impacts can be linked to each risk.
A risk can be linked to more than one area of the business.
A single risk can be rated by more than one person.
Risks can be assessed at both an inherent and residual level.
'Near-miss' information is recorded by the system.
The system supports the comparison of alternative mitigation strategies.
The system allows the user to define thresholds or rules for escalating risks.
Multiple risk treatments or action plans can be linked to a risk or risks.
More than one person can be allocated responsibility for a specific risk or
risk treatment.
Risk events or incident costs can be associated with a specific risk or risks.
Dates for action plans/risk reviews etc. can be captured and reported on.
The system allows for KRIs to be defined and linked to specific risks.
The user can easily define or customise risk reports.
The system contains an appropriate range of pre-defined risk reports.
The system supports graphical reporting (heat maps, matrices, graphs).
Risks can be reported by business units.
Risks can be reported by responsible persons.
Risks can be reported by severity (likelihood and consequence).
Risk trends can be reported on based on historical or previous risk
assessments.
The system allows for the progress of risk treatment plans to be tracked
and reported on.
Reminders can be sent to those responsible for risk treatments, for
example via email.

8.35 Data can be exported from or exported to other applications.

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com

Investors in Risk Management

3 Oswin Road
Leicester, LE3 1HR
United Kingdom

T: 00 (44) 116 3664 011

[email protected]
www.iirmglobal.com

This document provides general information. The information contained in this document does not constitute advice and should not be relied upon as
such. Professional advice should be sought prior to actions being taken on any of the information.
Investors in Risk Management (IIRM) disclaim all responsibility and liability arising from anything done or omitted to be done by any party in reliance,
whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk.
2015 Investors in Risk Management Limited.
Registered Office: Investors in Risk Management Limited, 3 Oswin Road, Leicester, LE3 1HR

IIRM Risk Management Maturity Model (RMMM) Investors in Risk Management

www.iirmglobal.com
www.iirmglobal.com