How To Design Your Own Risk Maturity Model

21st June 2016 | Domenic Antonucci

My new book Risk Maturity Models: How to assess risk management effectiveness opens the opportunity for any size organization to design and build their own tailored Enterprise Risk Management (ERM) maturity model - at low cost and effort and with a host of accessible resources.

A powerful tool for any organization.

An organization’s size, resources or budget should not stop it from tailor-designing its own risk maturity model. The highest purpose is to gap-assess risk management system effectiveness for your unique organization. It does not mean you have to create something absolutely new or perfect, or become a creative genius. It does mean understanding some basics, then synthesizing existing models and using the treasure trove of reference sources available to arrive at what you need to get started. Designing means a plan that shows the construction, function and workings of the risk maturity model. Tailoring means its fit to organization objectives, internal and external context and risk profiles.

You can start by using a simple spreadsheet matrix format to build up basic content components in three steps. We can summarize them in this sequence as: Components = Domains + Capabilities + Scales + Levels.

Design step 1: Matrix your preferred capabilities

Open up a new spreadsheet matrix and title it. Enter your choice of ERM capabilities on your spreadsheet as rows along the y-axis (left side). To start ‘bottom-up’, create a long list of unsorted capabilities of interest to your organization down your first column. Over time, sort them into a sequence where one capability naturally follows another, and/or group them by shared themes (such as People, Technology and Process).

Alternatively, you may start ‘top-down’ with themed capability modules then break these down into underlying capabilities and add more over time. For example, the ISO 31000:2009 standard has a core process called Risk Assessment. This can be broken down into three sub-processes of Risk Identification, Risk Analysis and Risk Evaluation.

An easy alternative is to adapt an existing spreadsheet model that is already built, web-accessible and easily tailored to your own organization. For example, you can download a Supply Chain Risk Maturity Model in soft spreadsheet format for free (with the kind permission of The Supply Chain Risk Leadership Council (SCRLC) website at http://www.scrlc.com/) and adapt its content.

Design step 2: Rating using rating scales

Here is one simple rating approach. Enter a date for the latest rating. Rate each capability with a current score between 0 and 4. The numbers 0-4 represent a five-point scale, which is typical in the market (also called a Likert scale). These can be sub-totaled (sub-index) and given a percentage completion score for each module, then an overall maturity score (total index).

The trick here is to ensure that the five-point scales are given clear text descriptions so that assessors can stay true to a common scoring system.

One readily available source of guidance for the five-point rating scale is the HB158:2010 recommended scales. In summary, they are:

• None = 0 - Very little or no compliance with the capability requirements in any way.
• Very Little = 1 - Only limited compliance with the requirement. Management supports the intent, but compliance in practice is poor.
• Some = 2 - Limited compliance with the element statement. Management certainly agrees with the intent, but compliance in practice is limited.
• Good = 3 - Management completely subscribes to the intent, but compliance in practice is only partially complete.
• Complete = 4 - Absolute compliance with the element statement, in intent and in practice, at all times and in all places.

Design step 3: Rating your maturity levels

Now denote your aspirational or target risk maturity levels. Total up your ratings of 0-4 into a ‘Total Assessed / Total Potential Assessed = % Index score’. Divide the 100% overall potential score into five blocks of percentiles (called quintiles) and assign an ascending maturity level title, with its criteria, to each block.

Define your own set of tailored maturity levels. There are a host of these accessible by Google search. Now, where does your actual rating place your organization by maturity level? A simple example is below:

1. 80-100% RiskSmart: Embedded practice consistent with recommended practice. Continuous improvement.
2. 60-79% Mature: Observed practice consistent with recommended practice. Limited need for further development. Monitor.
3. 40-59% Maturing: Some ability to demonstrate recommended practice. Some opportunity for improvement.
4. 20-39% Immature: Material gap between current and recommended practice. Substantial opportunity for improvement.
5. Under 20% Ad hoc: Inability to demonstrate adherence to recommended practice. Fundamental need to address.
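As an added worked example (written for this page, not taken from the book or the SCRLC spreadsheet), here is the three-step scoring carried out in Python: capabilities grouped into modules, rated 0-4, sub-indexed per module, totalled into a % index and mapped onto the five maturity levels above. The module and capability names in the sample matrix are constructed; only the ISO 31000 Risk Assessment sub-processes come from the article.

```python
# Added example (not from the article): scoring a tailored risk maturity matrix
# as steps 1-3 describe. Capabilities are grouped into modules and rated 0-4 on
# the HB158-style five-point scale; each module gets a sub-index %, the whole
# matrix a total index %, and the total is mapped onto the article's levels.
SCALE_LABELS = {0: "None", 1: "Very Little", 2: "Some", 3: "Good", 4: "Complete"}
MAX_RATING = 4

# Maturity bands from the article, as (lower bound %, level title).
MATURITY_LEVELS = [(80, "RiskSmart"), (60, "Mature"), (40, "Maturing"),
                   (20, "Immature"), (0, "Ad hoc")]

def module_index(ratings):
    """Sub-index for one module: total assessed / total potential, as a percent."""
    if not ratings:
        return 0.0  # an empty module has no potential score; avoid dividing by zero
    bad = [r for r in ratings.values() if r not in SCALE_LABELS]
    if bad:
        raise ValueError(f"ratings {bad} are outside the 0-{MAX_RATING} scale")
    return 100.0 * sum(ratings.values()) / (MAX_RATING * len(ratings))

def maturity_level(index_pct):
    """Map a % index onto the article's five quintile maturity levels."""
    for lower, title in MATURITY_LEVELS:
        if index_pct >= lower:
            return title
    raise ValueError("index must be between 0 and 100")

def assess(matrix):
    """matrix: {module: {capability: rating}} -> per-module %, total %, level."""
    modules = {name: module_index(ratings) for name, ratings in matrix.items()}
    flat = {(m, c): r for m, ratings in matrix.items() for c, r in ratings.items()}
    total = module_index(flat)
    return {"modules": modules, "total_index": total, "level": maturity_level(total)}

# Constructed sample: the ISO 31000 Risk Assessment module broken into its three
# sub-processes (from the article) plus a hypothetical People module.
SAMPLE_MATRIX = {
    "Risk Assessment": {"Risk Identification": 3, "Risk Analysis": 2,
                        "Risk Evaluation": 2},
    "People": {"Risk training": 1, "Risk ownership defined": 4},
}

if __name__ == "__main__":
    result = assess(SAMPLE_MATRIX)
    for module, pct in result["modules"].items():
        print(f"{module}: {pct:.0f}%")
    print(f"Total index {result['total_index']:.0f}% -> {result['level']}")
```

The sample lands exactly on the 60% boundary, which is why the band lower bounds matter: a tailored model should state explicitly whether 60% is ‘Mature’ or still ‘Maturing’.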

