www.riskmaturitymodel.org
34.66.57.223  Public Scan

URL: https://www.riskmaturitymodel.org/risk-maturity-model-rmm-for-erm/
Submission: On August 31 via manual from US — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

The Risk Maturity Model

Official Site of the RMM Community


THE RMM EXPLAINED




RISK MANAGEMENT BENCHMARKING AND PROGRESS

The Risk Maturity Model (RMM) outlines key indicators and activities that
comprise a sustainable, repeatable and mature enterprise risk management (ERM)
program. By taking the risk maturity self-assessment, organizations benchmark
how closely their current risk management practices align with the RMM
indicators. Once completed, each organization is provided with a maturity score
for its program, starting at the earliest stage and lowest risk maturity level,
Ad-Hoc (Level 1), and progressing to the most advanced risk maturity level,
Leadership (Level 5). The following sections outline each component of the
RMM’s risk maturity assessment, how each gets scored, and the results of taking
the assessment.




SEVEN ATTRIBUTES

The Risk Maturity Model (RMM) identifies seven key attributes for effective
enterprise risk management. These attributes cover the planning and governance
of an ERM program, as well as the execution of assessments, and aggregation and
analysis of risk information.


The seven attributes, or components of a best practice ERM program, are as
follows:


 * ADOPTION OF ERM-BASED PROCESS
   
   This attribute measures the organization’s risk culture, and considers the
   degree of executive or board-level support for enterprise risk management.


 * ERM PROCESS MANAGEMENT
   
   This attribute measures the extent to which the organization has adopted an
   ERM methodology throughout its culture and business decisions, and how well
   the risk management program follows best practice steps to identify, assess,
   evaluate, mitigate, and monitor risks.


 * RISK APPETITE MANAGEMENT
   
   This attribute evaluates the level of awareness around risk-reward
   trade-offs, accountability for risk, defining risk tolerances, and whether
   the organization is effective in closing the gap between potential and actual
   risk.


 * ROOT CAUSE DISCIPLINE
   
   This attribute assesses the extent to which an organization identifies risks
   by source, or root cause, rather than by the symptoms and outcomes they
   produce. Focusing on the root cause of each risk and classifying risks
   accordingly will strengthen response and mitigation efforts.


 * UNCOVERING RISKS
   
   This attribute measures the quality and coverage of your risk assessments. It
   examines the method of collecting risk information, the risk assessment
   process, and whether enterprise-wide trends and correlations can be uncovered
   from the risk information.


 * PERFORMANCE MANAGEMENT
   
   This attribute determines the degree to which an organization executes on its
   vision and strategy. It evaluates the strength in planning, communicating,
   and measuring core enterprise goals with a risk-based process, and the extent
   to which progress deviates from expectations.


 * BUSINESS RESILIENCY AND SUSTAINABILITY
   
   This attribute evaluates the extent to which business continuity, operational
   planning, and other sustainability activities are approached with a
   risk-based methodology.

Competency Drivers & Indicators

Each attribute includes a set of competency drivers which outline the key
readiness indicators (or activities) involved in achieving each driver. These
driver/indicator pairs cover the entire risk management process including
administration, outreach, data collection and aggregation, and analysis of risk
information. Below is a sample of the 25 competency drivers and indicator
pairings which comprise the RMM’s risk maturity assessment:

Executive ERM Support

 * Are risk priorities and progress reported to the board of directors or senior
   leadership?
 * Are risk assessments required for new initiatives (e.g. projects, operational
   changes, vendor on-boarding)?
 * Is risk management education and comprehension considered in employee
   performance reviews?

Information Classification

 * Is there a standardized process or classification model for identifying risk?
 * Do business areas identify organizational goals and track progress towards
   achievement?
 * Are risks identified by root-cause or their source?

Business Process Definition and Risk Ownership

 * Do business areas identify process-related risks?
 * Do process owners manage their risks, threats, and opportunities within
   regular planning and strategizing?
 * Are all risks, threats and opportunities communicated and acted upon in a
   timely manner?

 


SCORING METHODOLOGY

All competency drivers are scored on a scale of 1-10 for each of the three
following assessment dimensions:


 * EFFECTIVENESS
   
   Measures the frequency and effectiveness of key risk management activities.
   (e.g. Are assessments ad-hoc or completed annually? Are high risks reviewed
   at least quarterly?)


 * PROACTIVITY
   
   Measures the nature of risk management, whether it is proactive or reactive.
   (e.g. Does the organization wait until an adverse event occurs to mitigate
   risk, or are future scenarios planned for?)


 * COVERAGE
   
   Measures the breadth and depth of risk management within the organization.
   (e.g. Does responsibility span across all departments and all vertical levels
   of the organization?)

Once completed, a maturity score is provided for each driver as well as an
overall maturity score for the entire risk management program. Scoring is based
on a 5-level scale, with Level 1 indicating the lowest risk maturity and Level
5 representing the highest maturity. With a maturity score for each factor,
organizations can prioritize time and resources on improving the weakest areas
of their risk management process while retaining the strongest practices.

Because the RMM indicators are based on proven best-practice activities,
organizations that implement them are able to create and experience the benefit
of effective risk management. To help organizations bridge the gaps and mature
their risk management programs, LogicManager provides a number of resources and
methods of assistance.


HOW TO TAKE THE RMM RISK MATURITY ASSESSMENT

Typically, organizations take one of two routes when completing the RMM’s risk
management maturity assessment: either a single individual completes the
assessment on behalf of the ERM program (someone central to the risk management
program and practices), or several individuals involved in different areas of
the ERM program take the assessment and their scores are aggregated.

There are two versions of the RMM. The standard version is designed to be taken
by a leader in the organization who’s looking to get an overall sense of their
ERM maturity. The second version, the RMM for the Frontline, is designed to be
taken by employees directly carrying out the day-to-day operations and processes
that power the organization. The difference between the standard RMM and the RMM
for the Frontline is the competency drivers: those taking the former will be
asked questions about more high-level enterprise concerns, while the latter
will examine areas its respondents are more closely related to. While one method
may be better suited than the other depending on each ERM program’s structure,
both produce meaningful maturity scores and reports to leverage when improving
an ERM program.

To take the free, online RMM assessment, visit this link! Once completed, the
assessment provides a personalized report of your scores, including a comparison
between your report and the success factor guidelines. This helps you identify
and prioritize gaps, as well as develop an action plan to advance your risk
management program. The assessment requires no prior experience, takes about 30
minutes to complete, and is completed through an online, easy-to-use assessment
wizard. Click here to take the RMM assessment!

If you have any questions about the RMM assessment or would like to set up a
meeting to discuss your results, please email communications@logicmanager.com.

 * For more information on the Risk Maturity Model (RMM) visit the RMM Resource
   Center.
 * For further guidance on effective enterprise risk management practices, visit
   the complimentary ERM Resource & Knowledge Center.