Risk Maturity Models and ISO 31000
12th July 2016 | Domenic Antonucci
My new book Risk Maturity Models: How to assess risk management effectiveness opens the opportunity for organizations to realize the benefits of tailoring their own Enterprise Risk Management (ERM) maturity model to the ISO 31000:2009 – Risk Management Principles and Guidelines standard. How so?
ISO 31000 risk maturity strategy requirement
There is only one official standard and voluntary code for truly international risk management: ISO 31000:2009. Whilst ISO 31000 is not for certification or audit, it does lend itself to providing valuable guidance and content for a robust ERM system maturity model. It outlines a set of organization capabilities for effective ERM.
ISO 31000 Principle (k) ‘Risk management facilitates continual improvement in the organization’ is one of eleven Principles (p8). It requires strategies to improve risk management maturity alongside all other aspects of the organization.
To rephrase, it requires organizations to improve their maturity of risk management system capabilities as an integrated part of organization management system capabilities.
The best tool to deliver a risk maturity strategy is a risk maturity model
Members of the ISO 31000 fraternity support risk maturity, albeit in an informal way. A so-called “ISO 31004” companion guideline to ISO 31000 has been mooted to include risk maturity, but internal politics have not seen it come to fruition to date. However, in his illuminating presentation called ‘Transitioning’, Kevin W. Knight, the current Chairman of the international Technical Committee ISO TC 262, refers to the ‘risk journey’ and to the two key outputs for risk oversight (Knight, 2010). The first is risk maturity, being the maturity and performance of the risk management framework. The second is the risks and their risk profile(s) and how/why these have changed.
The ISO 31000 risk maturity hierarchy
But the ISO 31000 story for risk maturity is more complex than the above. ISO 31000 cites the need to assess the effectiveness of risk management (clauses 4.1 and 5.6) but it does not specify how.
However, ISO 31000 does point the way. A reductive analysis of the 24 pages of ISO 31000 (to dis-aggregate or ‘un-pack’ all content and then re-aggregate the content as themed capabilities in a rough order of implementation sequence) does indicate a maturity hierarchy. ISO 31000 implies a three-tier ‘proto-risk maturity model’, being:
1. a base tier of three ‘foundation components’ (eg mandate and commitment),
2. a mid tier of seven ‘organization arrangements’ (eg risk management plan), and
3. a top tier of five ‘attributes of enhanced risk management’ in Annex A (pp 22-2) that are clearly about risk maturity capabilities (eg continuous improvement).
Leveraging ISO 31000 for your own tailored risk maturity model
The above ‘foundation components’, ‘organization arrangements’ and ‘attributes of enhanced risk management’ together represent fifteen (15) core organization ERM system capabilities. As such, any or all of these are useful inputs both for those designing their own first tailored risk maturity model and for modelers looking to enhance an existing model or to ‘cross-walk’ their model to ISO 31000 (as is my own practice).