How Mature Is Your Risk Capability?

Known globally as The Risk Doctor, David has been working in risk management for about 30 years. He has worked in 48 countries on every continent except the Antarctic (too cold!), with clients in most industries.

  Risk Management   ProjectsAtWork  

How can an organization tell whether its management of risk is good enough? This framework describes four levels of capability based on four attributes: culture, process, experience and application.

Risk management is too important for us to do it poorly. We need to assess and monitor our risk management capability, compare ourselves with best practice, identify areas of shortcoming that require improvement, and keep developing.

Risk maturity models provide a framework to benchmark risk management capability and compare existing approaches with best practice. The first such model in the risk area was the Risk Maturity Model (RMM) developed in 1997. This framework describes four levels of increasing risk capability, termed Naïve, Novice, Normalized and Natural.

The Naïve risk organization is unaware of the need for management of risk, and has no structured approach to dealing with uncertainty. Management processes are repetitive and reactive, with little or no attempt to learn from the past or to prepare for future threats or opportunities.

The Novice risk organization has begun to experiment with risk management, usually through a small number of nominated individuals, but it has no formal or structured generic processes in place. Although aware of the potential benefits of managing risk, the Novice organization has not effectively implemented risk …

Please log in or sign up below to read the rest of the article.