Risk Maturity

The Risk Management Programme will become increasingly effective as the risk environment develops and operates over an extended period. Therefore, in order to understand how effective it is, it is important that the maturity of Risk Management within the business is clearly known and understood from the outset, and can be measured at any given point in time thereafter, so as to avoid misconceptions or incorrect assumptions about the overall credibility and reliability of the programme. There is a wide range of methodologies that might be used to assess risk maturity; however, GRMSi’s view is that the straightforward approach supported by the IRM and the Institute of Internal Auditors is appropriate. This provides an assessment of the overall maturity of Risk Management, expressed as one of the following levels, listed in order of increasing maturity:

  • Risk Naïve – there is no formal approach developed for Risk Management within the business. Risk-based internal auditing cannot be undertaken.
  • Risk Aware – there is a scattered, silo approach to Risk Management. No complete organisation-level risk register will be available, and not all managers will have completed risk reviews. Internal Audit will need to facilitate improvements by the Risk function within the business to implement and embed a common Risk Management framework and system. Risk-based internal audit will be ineffective, except in cases where individual risks are well defined and understood.
  • Risk Defined – there will be common policies and strategies in place, and most – but not all – management-level risk assessments and registers will be completed. The quality of risk assessment across the business will be inconsistent. Internal Audit will need to focus on (a) acting as a catalyst for completion of risk reviews, (b) facilitating continued improvements by the Risk Function, and (c) emphasising the level of risk maturity across the various functions being audited.
  • Risk Managed – the level of maturity is similar to ‘Risk Enabled’ (see below), but there will be specific areas of focus and improvement.
  • Risk Enabled – Risk Management is mature and sophisticated, and it is unlikely that audits will uncover any material, core issues. The organisation’s risk registers will be comprehensive, complete and immediately available for review. The overall confidence in the systems of Risk Management will be such that Internal Audit can undertake a full spectrum of audit reviews – from individual risks through to complete entity (or subsidiary) level reviews.

GRMSi, through interviews and examination of the evidence, provides a fact-based review and assessment of the maturity of your Risk Management environment, together with a set of recommendations to take the environment to the next level of maturity.