Alex Sidorenko at G31000 Dubai 2017 – full presentation on risk maturity



The Global Institute for Risk Management Standards (G31000) has developed a Risk Management Maturity Model (RMM) for organizations that seek to improve the quality of decision making across all levels of the organization. RMM has been designed to closely align with the principles of ISO31000:2018 risk management standard. It provides guidelines, benchmarking and assessment criteria and can be used by the risk management function, the internal audit function, external consultants and the Board.

The ISO 31000:2018 risk management standard identified a number of principles for effective risk management. They communicate the value and explain the intent and purpose of risk management. The G31000 Risk Management maturity model is structured around the ISO31000:2018 principles, framework and process.

The G31000 Risk Management maturity model is designed to assist organizations on the road to embed risk management into all activities throughout the organization, including decision-making. It defines levels of maturity against which an organization can measure its current status and identify actions for continual improvement. The overall scoring system is based on a detailed questionnaire linked directly to identified sub-components for all the elements of the risk management framework and is mapped to a 3-level risk maturity scale.


Scope and application

The G31000 Risk Management Maturity Model can be used by any public, private, governmental or community enterprise, association, group or individual. It can be used in a self-assessment or a detailed benchmarking activity by an independent assessor to determine the current state of risk management and assist in identifying key areas for improvement for progress to the next level of maturity.

This model is not specific to any industry or sector and can be applied to any type of risk, whatever its nature and whether it would have positive or negative consequences, or a combination of both. The model can be applied throughout the life of an organization and to a wide range of activities within an organization.

The G31000 Risk Management maturity model is not tied to any specific risk management legislation or jurisdiction, and can, therefore, be used throughout the world.

Assessing the progress of risk management and its integration into the organization is an important element of continual improvement. Stakeholders need to evaluate the effectiveness of how risk is being managed and measure progress towards the integration of the risk management principles, framework and processes into all business activities, including decision making. This evaluation should lead to the creation of plans to advance and evolve.

As risk management is tailored to each organization, there is no single right approach to determine whether an organization’s risk management principles, framework and process are effective. However, benchmarking against the risk management principles and framework provided in ISO 31000:2018 can be used to measure progress and demonstrate evidence of risk management effectiveness.

Seeking evidence of how an organization demonstrates that risk management framework is integrated into all activities and functions enables an assessment of the maturity of the organization’s risk management program. It is important that the evidence selected to demonstrate support is specific to the organization’s internal and external context.

The review may be conducted by an individual or a team, through a compilation of individual interviews or surveys, or completed by a group of stakeholders in a workshop setting. The reviewers should base their decision on objective and unbiased evidence such as:

  • an examination of any documents that describe how business activities or decision-making practices are performed;
  • evidence and records that confirm that the risk management principles are applied as described in the written documents;
  • interviews with relevant personnel which explore whether activities match the documented requirements, and whether there are any opportunities for improvement; and
  • observations of the workplace to confirm that it is really happening.

RISK-ACADEMY offers online courses

+ Buy now

Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!

+ Buy now

ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.

+ Buy now

Управление рисками

В этом коротком и очень увлекательном курсе, Алексей Сидоренко расскажет о причинах внедрения риск менеджмента, об особенностях принятия управленческих решений в ситуации неопределенности и изменениях в новом стандарте ИСО 31000:2018.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.