0 Items: 0

Want to start reading immediately? Get a FREE ebook with your print copy when you select the "bundle" option.Ā T&Cs apply.

Risk Maturity Models and ISO 31000

My new book Risk Maturity Models: How to assess risk management effectiveness opens the opportunity for organizations to realize the benefits of tailoring their own Enterprise Risk Management (ERM) maturity model to the ISO 31000:2009 ā€“ Risk Management Principles and Guidelines standard. How so?

ISO 31000 risk maturity strategy requirement

There is only one official standard and voluntary code for truly international risk management: ISO 31000:2009. Whilst ISO 31000 is not for certification or audit, it does lend itself to providing valuable guidance and content for a robust ERM system maturity model. It outlines a set of organization capabilities for effective ERM.

ISO 31000 Principle (k) ā€˜Risk management facilitates continual improvement in the organizationā€™ is one of eleven Principles (p8). It requires strategies to improve risk management maturity alongside all other organization aspects.

To rephrase, it requires organizations to improve their maturity of risk management system capabilities as an integrated part of organization management system capabilities.

The best tool to deliver a risk maturity strategy is a risk maturity model

Members of the ISO 31000 fraternity support risk maturity, albeit in an informal way. A so-called ā€œISO 3004ā€ companion guideline to ISO 31000 has been mooted to include risk maturity but internal politics has not seen its fruition to date. However, in his illuminating presentation called ā€˜Transitioningā€™, Kevin W. Knight, the current Chairman of the international Technical Committee ISO TC 262 refers to the 'risk journey' and to the two key outputs for risk oversight (Knight, 2010). The first is risk maturity, being the maturity and performance of the risk management framework. The second is the risks and their risk profile(s) and how/why these have changed.

The ISO 31000 risk maturity hierarchy

But the ISO 31000 story for risk maturity is more complex than the above. ISO cites the need to assess the effectiveness of risk management (4.1 and 5.6) but it does not specify how.

However, ISO 31000 does point the way. A reductive analysis of the 24 pages of ISO 31000 (to dis-aggregate or ā€˜un-packā€™ all content and then re-aggregate the content as themed capabilities in a rough order of implementation sequence) does indicate a maturity hierarchy. ISO 31000 implies a three-tier ā€˜proto-risk maturity modelā€™, being:

1. a base-tier of three ā€˜foundation componentsā€™ (eg mandate and commitment)
2. a mid-tier of seven ā€˜organization arrangementsā€™ (eg risk management plan), and
3. a top tier of five ā€˜attributes of enhanced risk managementā€™ in Annex A pp 22-2 that are clearly about risk maturity capabilities (eg continuous improvement).

Leveraging ISO 31000 for your own tailored risk maturity model

These above ā€˜foundation componentsā€™, ā€˜organization arrangementsā€™ and ā€˜attributes of enhanced risk managementā€™ represent a total of fifteen (15) core organization ERM system capabilities. As such, any or all of these, are useful inputs both for those designing their own first tailored risk maturity model, or modelers looking to enhance an existing model or to ā€˜cross-walkā€™ their model to ISO 31000 (as is my own practice).

Get exclusive insights and offers

For information on how we use your data read ourĀ privacy policy


Related Content

Article
Risk Management, Cybersecurity, Digital & Technology
Video
Business Improvement, Risk Management, Compliance & Regulation
Video
Business Improvement, Risk Management, Compliance & Regulation


Subscribe for inspiring insights, exclusive previews and special offers

For information on how we use your data read ourĀ privacy policy