By Horst Simon
All companies are practicing some level of risk management, either on a formal basis, with policies, processes and systems, or on an informal basis, without any risk management structure. Those who are not good at risk management, or who are doing nothing about it, will be exploited by those who are good at it, so it is time to do some “stock-taking” of your risk management capabilities.
To start this process, an organisation first needs to get an accurate picture of its current level of risk culture maturity. Various attempts have been made to do this, and most revert to some kind of questionnaire or checklist approach linked to a scoring sheet, which is eventually tabulated into an overall score that is linked to a perceived level of maturity.
Although most inputs in any kind of maturity assessment are subjective, there is value in using a combination of approaches. Generally, however, the outcome, due to human nature and perception, is always mid-point or average. These processes generally fail to identify specific weaknesses or action plans. There is no standard definition for the different levels of maturity, but, interestingly, most practitioners working on this use the concept of 5 different levels of maturity; this in itself also contributes to most consolidated assessment results ending up at mid-point.
The five levels of Risk Culture maturity have been defined as follows:
1. In a bad risk culture, people will NOT do the right things regardless of risk policies and controls
2. In a typical risk culture, people will do the right things when risk policies and controls are in place
3. In a good risk culture, people will do the right things even when risk policies and controls are not in place
4. In an effective risk culture every person will do something about the risks associated with his/her job on