The Global Institute for Risk Management Standards (G31000) has developed a Risk Management Maturity Model (RMM) for organizations that seek to improve the quality of decision making across all levels of the organization. RMM has been designed to closely align with the principles of ISO31000:2018 risk management standard. It provides guidelines, benchmarking and assessment criteria and can be used by the risk management function, the internal audit function, external consultants and the Board.
The ISO 31000:2018 risk management standard identified a number of principles for effective risk management. They communicate the value and explain the intent and purpose of risk management. The G31000 Risk Management maturity model is structured around the ISO31000:2018 principles, framework and process.
The G31000 Risk Management maturity model is designed to assist organizations on the road to embed risk management into all activities throughout the organization, including decision-making. It defines levels of maturity against which an organization can measure its current status and identify actions for continual improvement. The overall scoring system is based on a detailed questionnaire linked directly to identified sub-components for all the elements of the risk management framework and is mapped to a 3-level risk maturity scale.
Scope and application
The G31000 Risk Management Maturity Model can be used by any public, private, governmental or community enterprise, association, group or individual. It can be used in a self-assessment or a detailed benchmarking activity by an independent assessor to determine the current state of risk management and assist in identifying key areas for improvement for progress to the next level of maturity.
This model is not specific to any industry or sector and can be applied to any type of risk, whatever its nature and whether it would have positive or negative consequences, or a combination of both. The model can be applied throughout the life of an organization and to a wide range of activities within an organization.
The G31000 Risk Management maturity model is not tied to any specific risk management legislation or jurisdiction, and can, therefore, be used throughout the world.
Assessing the progress of risk management and its integration into the organization is an important element of continual improvement. Stakeholders need to evaluate the effectiveness of how risk is being managed and measure progress towards the integration of the risk management principles, framework and processes into all business activities, including decision making. This evaluation should lead to the creation of plans to advance and evolve.
As risk management is tailored to each organization, there is no single right approach to determine whether an organization’s risk management principles, framework and process are effective. However, benchmarking against the risk management principles and framework provided in ISO 31000:2018 can be used to measure progress and demonstrate evidence of risk management effectiveness.
Seeking evidence of how an organization demonstrates that risk management framework is integrated into all activities and functions enables an assessment of the maturity of the organization’s risk management program. It is important that the evidence selected to demonstrate support is specific to the organization’s internal and external context.
The review may be conducted by an individual or a team, through a compilation of individual interviews or surveys, or completed by a group of stakeholders in a workshop setting. The reviewers should base their decision on objective and unbiased evidence such as:
- an examination of any documents that describe how business activities or decision-making practices are performed;
- evidence and records that confirm that the risk management principles are applied as described in the written documents;
- interviews with relevant personnel which explore whether activities match the documented requirements, and whether there are any opportunities for improvement; and
- observations of the workplace to confirm that it is really happening.