This Attribute Evaluates The Extent To Which Business Continuity

Uploaded by

sajjad.ahadian5
Copyright: © All Rights Reserved
This attribute evaluates the extent to which business continuity, operational planning, and other
sustainability activities are approached with a risk-based methodology.

Very Basic (Level 1)

Emphasis on protecting assets

Focus on physical and financial assets

Risks managed within functional silos

Inconsistent approaches

No formal risk management processes

Not being able to distinguish between positive and negative risk

No systematic attention to risk management

No formal risk management policy

IIRM RMMM Levels and their distinguishing features

Basic (Level 2)

Understand that risks require formal management

Establishes basic risk management processes

Narrow scope of risk management, generally restricted to addressing critical and pure risks

Identifying regular risks and establishing insurance as the unique strategy

Tends to be influenced less by formal risk management processes than by the repetition of
activities and practices that have worked out for the organisation before

Demonstrate an isolation of the risk management function

Uses the same measures or risk responses that were used the period before

Policies would not be reviewed nor would the treated risks be evaluated

Risk would be considered a static phenomenon instead of a dynamic one

Emerging (Level 3)

Define and implement a formal risk management process.

Define policies and procedures that could guide risk management

Seek to formalise the risk management function within the organisation


Identify risks in a systematic manner

Analyse risks considering their probability and impacts

Insurance is not the only response to risks

Internal and operational risks are identified and included in the risk management policy

Consider reputational risks as well as risks related to the damage inflicted on a third party

Would mention explicitly which responses they have taken for each specific analyzed risk

Establish a clear objective for the risk management policy

Determine a procedure for reviewing and evaluating the risk management program

Establish responsibilities and roles

Mature (Level 4)

Facilitate the implementation of the risk management perspective

Look for the application of the wider perspective of risk management

Extend risk management processes throughout the organisational hierarchy and across all
functional boundaries

Implement a monitoring process to have a clear view of the effectiveness of the risk
management program

Participation of top management in defining risk policy and reports

Review of risk management process

Setting up goals, strategies and practices of the best practices of risk management

May have difficulties adapting to the challenges that the context imposes on them

Advanced (Level 5)

Board/executive support of risk management

Clear accountabilities

Appropriate risk oversight structures

Dedicated risk management coordinator

Explicit consideration of both operational and strategic risks

Risk management integrated with operational and general management processes


Clear accountabilities and timeframes for treatment of risks

Differentiated risk reporting tailored to specific stakeholders

Regular reviews of risk and risk management processes

To rate the level of risk maturity, all eight core areas are examined through desk-based review
and meetings with relevant management and staff. The RMMM describes an improvement path
from a very basic and immature Risk Management function to a mature and advanced function
focused on continuous improvements. The Model consists of the following five risk management
maturity levels to gauge risk maturity:

| Level | Level Name | Description |
| --- | --- | --- |
| 1 | Very Basic | Minimal or no awareness and understanding / No process in place / Unsatisfactory |
| 2 | Basic | Applied inconsistently / Some formal processes in place / Satisfactory |
| 3 | Emerging | Implemented consistently across the organization / Not all the processes implemented fully / Good |
| 4 | Mature | Consistently and fully implemented / Processes are reviewed for improvements / Very Good |
| 5 | Advanced | Risk management is considered a value driver / Advanced processes are used / Excellent |

Overall assessment Levels / Rating

| Level | Score | Descriptor |
| --- | --- | --- |
| 1. Very Basic | 1-20 | The organisation has minimal or no awareness and understanding of risk management. Risk management is performed on an ad hoc basis by individuals. No processes in place. |
| 2. Basic | 21-40 | Risk management applied inconsistently with limited standardisation. Some formal processes in place. |
| 3. Emerging | 41-60 | A risk management framework exists with defined and documented risk management principles. Risk management applied consistently throughout the organisation. Not all processes have been fully implemented. |
| 4. Mature | 61-80 | The organisation is proactive in risk management. Risk management is consistently and fully implemented across the organisation. Key risk indicators are used for major risks. Risk management processes are monitored and reviewed for continuous improvements. |
| 5. Advanced | 81-100 | Risk management is considered a value driver and proactively used for day-to-day decision making and pursuit of opportunities. KRIs and predictive risk analytics are proactively used to identify and monitor risks. Advanced and sophisticated risk management processes are used. |
