November 27, 2006

Executive Summary

Risk Maturity Model (RMM) for

Enterprise Risk Management
To benchmark your ERM program and receive a personalized
assessment, go to https://www.riskmaturitymodel.org/
 Preface and History

LogicManager’s Risk Maturity Model (RMM) since 2006 has become the global standard for
benchmarking the effectiveness of Enterprise Risk Management and is on the forefront of evidence-
based research on corporate governance. In 2008, the RMM maturity index scores were the first to
prove a direct correlation between the maturity of an ERM Program’s infrastructure and higher
corporate credit ratings. In 2014, The Journal of Risk and Insurance (JRI) published the research
findings of our partnership with Queens University that an organization’s index scores on the Risk
Maturity Model are directly correlated to a 25% market value premium. In 2023, LogicManager has
partnered with the University of Pennsylvania’s Wharton School to research the correlation between
risk maturity and the success of ESG programs. Read more about LogicManager’s Risk Maturity
Model (RMM).

© 2006 by LogicManager.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission. p.2
 Risk Maturity Model (RMM) for Enterprise Risk Management

Overview
Smart, dedicated workers aren’t enough. The in the short term, reduced uncertainty in routine
Software Engineering Institute (SEI) at Carnegie- decisions in the mid-term and, in the long term,
Mellon University, which pioneered the Maturity a competitive advantage gained by making big
Model concept in the mid-1980s, said, bets on emerging trends. For both veteran risk
“Everyone realizes the importance of having a managers and novices, RMM is an indispensable
motivated, quality work force and the latest tech- tool that provides a game plan for program
nology, but even the finest people can’t perform development and enhances risk manage-ment.
at their best when the process is not understood And it also speeds the delivery of a rock-solid
or operating at its best.” Enterprise Risk ERM Process, building a foundation for improving
Management (ERM) is a process. What is lacking, programs, strengthening objectivity and
is a tool for objective and consistent measure- prioritizing resources for allocation.
ment of its effectiveness. The ERM Development
Committee and LogicManager stepped in to
develop this missing link -- the Risk Maturity Benefits of using a Maturity Model
Model. A benchmarking framework designed to The Maturity Model approach is a method that’s
create clear, precise crite-ria, Risk Maturity Model proven across a variety of industries. Based on
(RMM) facilitates thorough planning and extensive case studies in which a Maturity Model
communication and guides monitoring and approach was used over the past 25 years, the
control. evidence shows that with each step up in maturi-
ty level, organizations get concrete results. A
The role of the Risk Maturity Model for Enterprise Maturity Model is a structured way of highlighting
Risk Management aspects of effective ERM Processes.
If Enterprise Risk Management is the weapon, the
Risk Maturity Model (RMM) is the plan of attack. Benefits for Practitioners
The RMM provides ERM practi-tioners with a way • Build consensus and establish milestones.
to combine all the best ele-ments from the most
important models and stan-dards. This applies to • Benchmarking from best practices.
all industries and across the risk spectrum. This • Communicate clearly to the board,
RMM is a ladder of progressively organized and regulators, rating agencies, executive
mature performance levels, a way to evaluate and management, process owners, support
set goals. functions (back office groups such as
internal audit, IT and compliance), etc.
Focus the risk picture
While the risk officer ranks fill up rapidly, most Benefits for ERM stakeholders
learn on the job. They come to risk management • Streamline the ERM Process.
with a variety of backgrounds -- legal, finance,
internal audit, risk management, compliance or • Eliminate duplication of efforts and connect
IT. Their views tend to align with their back- support functions with process owners.
grounds and responsibilities. Rigorous controls • Measure ERM value, based on priorities.
might take precedence for the internal auditor, • Create a shared language and vision.
for instance, while regulations might be a priority
for the compliance team. Security might be key Benefits for Organizations
for the information technology group and brand
• Tackle inadequately addressed risks
and company reputation could be a top goal
and opportunities.
for marketing.
• Resolve business process inefficiencies.
The smart risk officer recognizes the importance • Build a repeatable and scalable process for
of all of those, but doesn’t stop there. The team better decision making
must also be led to balanced, big-picture deci-
Reduce costs
sions. The RMM crystallizes the risk pic-ture by
Understanding a risk’s root cause is much
analyzing best practices and setting goals. This
cheaper than simply treating the symptom.
lets the risk officer and stakeholders build
ERM uncovers and attacks the root cause.
consensus about priorities and tactics. A common
Example: a global energy company tried to
approach ensures results – efficiencies
save 10 percent on maintenance costs, but

© 2006 by LogicManager.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission. p.3
 pipeline leaks cost them billions of dollars set of common values about how we manage risk
in clean-up costs and damage to their and uncertainty. The culture within an organiza-
reputation. ERM connects the root cause tion greatly affects the drives the effectiveness of
to the ultimate cost and improves decision an ERM program including how we value skepti-
making at a fraction of the cost. cism and doubt, and how clearly we understand
influences that impact our judgment. The Risk
Increase top line revenue Maturity Model (RMM) defines the elements and
A compliance issue can lead to rethinking characteristics, called attributes, that make up a
business strategy and finding an opportuni- strong risk management competency within the
ty to generate revenue. Example: a bank organization’s culture. The RMM defines these
responds to a government regulation seven attributes on a scale of five maturity levels.
requiring it to switch from paper checks to Each level ranks an organization according to its
digital images. It uses ERM to uncover a achievement of Enterprise Risk Management best
strategy to acquire customers nationally, practices in its processes. A chain is only as
rather than regionally, by expanding where strong as its weakest link. A strong risk
it once had no infrastructure to transport management cultural competency is demonstrated
paper checks. ERM helps managers by the highest level on each of the Risk Maturity
Model Attributes.
think strategically.
RMM Professional Development Courses
LogicManager offers professional development
Reduce variance on plan achievement reporting.
courses that provide the methodology of how to
Planning is essential to success and allocating
maximize the RMM to build stronger ERM
resources. Uncertainty in planning leads to bad
programs and achieve success by evolving a
decisions. Volatility of earnings effects stock
stronger risk management competency within an
prices because it undermines confidence in the
organization’s existing culture. Measuring where
planning cycle. ERM uncovers the uncertainty
you are in the development process is the first
and helps managers
step to set goals and measure progress this
plan better, creating

“ ERM – considering
risk in a new way.
more reliable results.
Example: Bad weather
organizational compe-tency. The LogicManager
courses help risk managers per-form a gap
analysis between capabilities and best practices

” doesn’t make workers

late, but ignoring the
weather forecast and not leaving extra time for
outlined in the RMM to achieve higher capability.
Objective evaluation criteria and a scoring
methodology provide the basis to evaluate use of
inevitable delays does. ERM is about using the risk management best practices. The concept of a
weather report that lets workers understand the cost-benefit analysis helps man-agers prioritize
likelihood that a storm will occur. The impact is goals within their ERM programs to increase their
the size of the storm and the controls’ effective- capabilities and maturity level.
ness are the alternate routes to work.
In utilizing the RMM, everyone assesses their own
To determine how these benefits apply to your business areas, contributes to ERM goals and
organization, conduct a baseline assessment and plans how to achieve them. Often, it’s the way
use real observations and details to create an information is collected and used that influences
effective ERM process that produces results. choices, not the information itself. With the RMM,
all stakeholders are involved in the process,
How to use the RMM meaning everyone rallies around the final results.
Culture is the way we think, believe and behave.
A risk management competency is made up of a

1 2 3 4

Participate in the Receive a personalized Take a LogicManager Become a customer

Benchmarking Assessment Report and Professional Develop- of LogicManager
Exercise download the Risk ment Course to apply and receive a full
Maturity Model the Risk Maturity Model version of the RMM
(RMM) to your organization

Stronger risk management cultural competency

© 2006 by LogicManager.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission. p.4
 Risk Maturity Model (RMM) Definition of Terms

Enterprise Risk Management (ERM) Framework

The culture, processes and tools to identify strategic opportunities and reduce uncertainty. The
framework establishes communication and consultation methods with respect to critical risks in order
to achieve an organization’s business objectives. It formalizes process and content accountability.
The ERM Process is the time-tested foundation of risk management methodology, pioneered by the
risk management discipline and detailed in the Associate in Risk Management (ARM) designation
program. It was later adopted and enhanced by other standards organizations1

The ERM Process

A sequential process that supports the reduction of uncertainty and promotes the exploitation of
opportunities. The ERM Process steps are detailed below.

Plan Focus - Establish external, internal and risk management criteria for evaluating risk.

Identify where, when, why and how business model, market, events, and operations, etc.
1 associated with business changes, issues, and others – whether known or under-reported
– might prevent, degrade or support goals.

Assess perceived risk through consistent, objective and pervasive evaluation criteria of
2 impact, likelihood and effectiveness of controls to quantify the risk level. Potential oppor-
tunity is measured by impact, timeliness and assurance to examine the performance
level. This creates a way to calculate an internal index. This analysis considers the range
of potential consequences, and how to prioritize risks and opportunities. The residual risk
or potential gain is determined.

Evaluate risk tolerance to determine acceptable risk and opportunity levels and consider
3 the balance between potential benefits and drawbacks. Decide on scope, priorities
and timelines.

Mitigate risk and exploit opportunities. Develop risk or opportunity activities for reducing

4 uncertainty, increasing potential benefits and reducing potential costs. Collaborate with
stakeholders and leverage expertise (Six Sigma2, compliance, internal audit and others) to
design improvement, transfer, control and other action activities. Weigh the cost of
activities against the expected value of future uncertain events3

Monitor timeliness and effectiveness of mitigation activities by risk owners. Gauge

5 program to ensure changing circumstances do not alter priorities and escalate issues.
Unacceptable tolerance and mitigation should be reported to the appropriate manager.

Business Process Owner

the individual (s) responsible for process design and performance. The process owner is accountable
for sustaining the gain and identifying risk and future improvement opportunities on the process

Risk Owner
the individual who is accountable for the validation, assessment and action plan to care for a
particular risk4

Risk Plan
the basic communication for each specified Plan Focus that is used throughout the ERM Process to
gather, organize and report information. Its items might also include contacts, activities, journal
entries, notes and documents.

© 2006 by LogicManager.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission. p.5
 Attributes
Similar to individual employee performance evaluations, the RMM provides a set of attributes that
drive business value. The RMM Attributes are designed to be compatible with various specialized
frameworks, such as the Australian/New Zealand Risk Standard, COSO ERM, COBIT 4.0, Standard &
Poor’s ERM, Sarbanes-Oxley, etc.5

Maturity Levels
Detailed descriptions for each Attribute provide five maturity levels ranging from Non-existent to
Leadership. Organizations measure their ERM Process against these maturity levels and set
improvement targets.

Benchmarking
Using the Risk Maturity Model, LogicManager sponsors cross-industry benchmarking to identify
emerging trends. LogicManager has provided its Risk Maturity Model to the risk community since
2005 and all practitioners are invited to participate in this global exercise. Comparing maturity levels
of other organizations highlights ERM priorities and evolving industry requirements. For more
information on participating in the benchmarking survey, go to the Risk Maturity Model website.
(https://www.riskmaturitymodel.org/)

1
Standards Australia International Ltd and Standards New Zealand (The AS/NZL 4360), The Institute of Risk Management (IRM),
The Association of Insurance and Risk Managers (AIRMIC) and ALARM The National Forum for Risk Management in the Public
Sector, ISO/IEC Guide 73, JIS Q 2001 Japanese Industrial Standards Committee “International Risk Management Standard”,
COSO Enterprise Risk Management Integrated Framework 2004 “Treadway commission”, Canadian BIP 2012, CAN/CSA Q850-
07, etc.
2
Six Sigma definition, Trademark of Motorola corporation
3
Taking into consideration whatever is appropriate for the organization to approve an action plan including capital at risk, Risk
Adjusted Return on Capital (RAROC), cost benefit analysis, time value of money discounted in net present value, etc.
4
For the context of this document Process Owners are assumed to be Risk Owners. However, in some organizations the risk owner
may or may not be the same as the process owner. For example in the case where a process is outsourced, the risk owner remains
within the corporation.
5
Examples of specialized approaches: COSO ERM Framework: Internal Environment, Objective Setting, Event Identification, Risk
Assessment, Risk Response, Control Activities, Information & Communication, Monitoring; Standard & Poor’s ERM: Risk
Management Culture, Risk Controls, Extreme-event Management, Risk and Capital Models, Strategic Risk Management; COBIT
Report Framework: Awareness and Communication, Policies, Standards and Procedures, Tools and Automation, Skills and
Expertise, Responsibility and Accountability, Goal Setting and Measurement.

© 2006 by LogicManager.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission. p.6
 The Risk Maturity Model:

Attributes
These core competencies measure how well risk management is embraced by management and
ingrained within the organization. A maturity level is determined for each attribute and ERM maturity
is determined by the weakest link.

1. ERM-based approach - Degree of executive support for an ERM-based approach within the corpo-
rate culture. This goes beyond regulatory compliance across all processes, functions, business lines,
roles and geographies. Degree of integration, communication and coordination of internal audit,
information technology, compliance, control and risk management.
2. ERM process management - Degree of weaving the ERM Process into business processes and using
ERM Process steps to identify, assess, evaluate, mitigate and monitor. Degree of incorporating qual-
itative methods supported by quantitative methods, analysis, tools and models. See ERM Process
definitions.
3. Risk appetite management – Degree of understanding the risk-reward tradeoffs within the business.
Accountability within leadership and policy to guide decision-making and attack gaps between per-
ceived and actual risk. Risk appetite defines the boundary of acceptable risk and risk tolerance
defines the variation of measuring risk appetite that management deems acceptable.
4. Root cause discipline - Degree of discipline applied to measuring a problem’s root cause and bind-
ing events with their process sources to drive the reduction of uncertainty, collection of information
and measurement of the controls’ effectiveness. The degree of risk from people, external environ-
ment, systems, processes and relationships is explored.
5. Uncovering risks - Degree of quality and penetration coverage of risk assessment activities in docu-
menting risks and opportunities. Degree of collecting knowledge from employee expertise, databases
and other electronic files (such as Microsoft® Word, Excel®, etc) to uncover dependencies and cor-
relation across the enterprise.
6. Performance management - Degree of executing vision and strategy, working from financial, cus-
tomer, business process and learning and growth perspectives, such as Kaplan’s balanced score-
card, or similar approach. Degree of exposure to uncertainty, or potential deviations from plans or
expectations.
7. Business resiliency and sustainability – Extent to which the ERM Process’s sustainability aspects
are integrated into operational planning. This includes evaluating how planning supports resiliency
and value. The degree of ownership and planning beyond recovering technology platforms. Examples
include vendor and distribution dependencies, supply chain disruptions, dramatic market pricing
changes, cash flow volatility, business liquidity, etc.

Maturity Levels
Five maturity levels for each RMM Attribute with diminishing maturity from level 5 to level 1. ERM is
a process and the Attributes below evaluate its quality and determine a maturity level.

Key Drivers
Profiling issues that best differentiate maturity levels within an attribute. Key drivers for each attribute
summarize the Maturity Model. The full Maturity Model attributes measure an ERM Process and help
set goals for improvement.

© 2006 by LogicManager.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission. p.7
 Attributes Maturity Levels
Level 5: Level 4: Level 3: Level 2: Level 1: Nonexistent
Leadership Managed Repeatable Initial Ad hoc

1Adoption of Key Drivers: Degree of …

• support from senior management, Chief Risk Officer
• business process definition determining risk ownership
ERM-based • assimilation into support area and front-office activities
approach • far-sighted orientation toward risk management
• risk culture’s accountability, communication and pervasiveness

Key Drivers: Degree of …

2ERM process • each ERM Process step (see definition)
• ERM Process’s repeatability and scalability
management • ERM Process oversight including roles and responsibilities
• risk management reporting
• qualitative and quantitative measurement

Key Drivers: Degree of …

3Risk appetite • risk-reward tradeoffs
• risk-reward-based resource allocation
management • analysis as risk portfolio collections to balance risk positions

Key Drivers: Degree of …

4Root cause • classification to manage risk and performance indicators
• flexibility to collect risk and opportunity information
discipline • understanding dependencies and consequences
• consideration of people, relationships, external, process and systems views

Key Drivers: Degree of …

5Uncovering risks • risk ownership by business areas
• formalization of risk indicators and measures
• reporting on follow-up activities
• transforming potentially adverse events into opportunities

Key Drivers: Degree of …

6Performance • ERM information integrated within planning
• communication of goals and measures
management • examination of financial, customer, business process and learning
• ERM process goals and activities

Key Drivers: Degree of …

7Business • integration of ERM within operational planning
• understanding of consequences of action or inaction
resiliency and • planning based on scenario analysis
sustainability

© 2006 by LogicManager.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission. p.8
 Conclusion

Enterprise Risk Management has evolved over the last two decades from a compelling new concept to
a risk management requirement. Now a roadmap for implementing and benchmarking Enterprise Risk
Management programs is crucial. No company can confidently say that it has embraced Enterprise
Risk Management if there’s no way to measure the program. And a set of solid empirical guidelines for
measuring Enterprise Risk Management competency is fundamental. These guidelines, designed to
deliver business value and compatible with existing frameworks, also provides a way to benchmark
ERM progress.

By using the Risk Maturity Model, risk managers can finally gauge their ERM program’s results. This
does not just measure how well an organization has adopted ERM. It also provides an unprece-dented
way to evaluate the ERM process, adjust it as needed and ensure that the intended benefits are
delivered.

Adopting ERM is a major undertaking. It requires an enterprise to examine how to manage risk
comprehensively. That’s how you can achieve competitive advantage even as business risk keeps
increasing. For organizations that gauge their ERM program’s maturity, the ERM journey is much
easier to navigate, and much more likely to deliver business value.

LogicManager encourages you to maximize the Risk Maturity Model. Each organization’s ERM
approach varies depending on its particular risks, risk appetites and priorities. This makes adapting
ERM a very dynamic and challenging journey, and one that benefits most from powerful tools like the
Risk Maturity Model.

To benchmark your ERM program and receive a personalized assessment, go to

https://www.riskmaturitymodel.org/

We welcome your feedback. Please provide us your comments and questions on the Risk Maturity
Model to: [email protected]

© 2006 by LogicManager.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission. p.9