Renee Murphy
Distinguished Evangelist

The enterprise risk management maturity model explained

February 15, 2024

In the face of ever-evolving risks, the enterprise risk management (ERM) maturity model is a tool organizations can use to weather the storm. Done right, an ERM maturity model helps organizations understand — and improve — how well they identify and respond to risk across the enterprise. That “across the enterprise” piece is particularly important; the more interconnected businesses become, the more likely it is that risk in one part of the organization can sink the entire ship.

The right ERM maturity model can help organizations plug risk-related holes across the entire company and ward off not only current risks but also those that emerge over time. This article will help you select and implement an ERM maturity model by explaining:

  • What ERM maturity is
  • What an ERM maturity model is
  • ERM maturity model examples
  • How the right ERM maturity model boosts performance

What is ERM maturity?

ERM maturity refers to how skilled an organization is at identifying, monitoring and mitigating risks. In highly mature organizations, these processes will be comprehensive and integrated. In organizations with less ERM maturity, these processes may be reactive, siloed and inconsistent.

As with anything, organizations that lack strategic risk management need to start somewhere. The goal, however, should always be to evolve ERM practices over time toward a more mature, effective approach that benefits the entire business.

The 5 levels of risk maturity

The ERM ladder most organizations climb has five levels. Different models use different names for them, but what matters most is understanding the characteristics that define each level:

Maturity level and its ERM characteristics:

  • Initial: Lacks understanding of risk management; no documented ERM strategy; reactive and ad hoc
  • Emerging: Risk management applied, but not strategically; siloed and inconsistent
  • Conforming: Documented ERM framework and processes; most processes are consistent, but visibility across the organization is lacking
  • Advancing: ERM integrated across the enterprise; ERM tools implemented; ERM monitored and improved
  • Leading: Strategic ERM integrated across the enterprise; ERM tied to value creation and to optimized risk-ROI value protection

Understanding where you fall in the above levels is a critical part of choosing an ERM maturity model that will support your organization now and in the future.

What is the ERM maturity model?

An ERM maturity model is the assessment organizations use to determine their risk maturity and how effectively they are achieving their ERM goals. When fully integrated with the ERM program, the maturity model acts as the north star for the ERM strategy. In simpler terms, your strategy for improving ERM maturity should match the ERM maturity model you've selected for your organization.

Most organizations choose an established and accepted framework to serve as their ERM maturity model.

The 4 ERM maturity model types

There are four different types of ERM maturity models, each emphasizing different combinations of ERM outcomes and approaches. These are:

  • Capability: In this model, an organization assesses its capability in each ERM area. A greater number of demonstrated capabilities corresponds to higher ERM maturity.
  • Activity: Organizations focusing on ERM activities will match activity benchmarks to maturity levels and use evolving ERM practices to prove maturation.
  • Hybrid: This model assesses capabilities and ERM activities side by side to identify which activities are needed in which capability areas at each maturity level.
  • Capability and activity: Using this model, organizations identify activities and expected outcomes of their activities to measure their ERM maturity.

The purpose of an ERM maturity model

The primary purpose of an ERM maturity model is to help organizations understand how effectively they manage risk across their organization. At its best, ERM maturity can be its own competitive advantage, setting an organization apart from those in its sector that lack strategic risk management practices.

Organizations that prioritize continuous improvement using an ERM maturity model:

  • Make better risk-based decisions
  • Understand their risk management capabilities and identify opportunities to improve
  • Centralize reporting on the information and insights needed to manage risk
  • Create repeatable processes
  • Track and improve ERM

Examples of ERM maturity models and frameworks

An ERM maturity model isn’t something you build. It’s something you choose. Following an established standard is critical to objectively assessing your ERM maturity. Some common ERM maturity models and frameworks include:

  • ISO 31000: This international standard for risk management provides principles, a framework and a process for managing risk. Like other ISO standards, it is periodically reviewed (on a roughly five-year cycle) to confirm it still holds up against current risks.
  • COSO: COSO publishes both an ERM framework (Enterprise Risk Management — Integrating with Strategy and Performance) and the Internal Control — Integrated Framework, which is widely used to meet the Sarbanes-Oxley Act’s financial reporting requirements.
  • RIMS Risk Maturity Model: This model offers criteria organizations can use to benchmark their ERM strategy and identify areas for improvement.
  • NIST: Many organizations that work with the US federal government follow NIST guidance, such as the Cybersecurity Framework (CSF) and the Risk Management Framework (SP 800-37), because it emphasizes cybersecurity and information-system risk.

Choosing an ERM maturity model

Given the various types of ERM maturity models — and the vast number of accepted ERM standards — choosing a model can be challenging. It’s an important decision because the maturity model you choose will act as the blueprint for your entire ERM program.

Some maturity models are also more complex than others. Implementing a capability-and-activity model, for example, requires a high level of detail and strategic execution, while a capability-only model requires relatively fewer resources.

When choosing an ERM maturity model, choose one that suits your:

  1. Resources: Consider the time, expertise, financial, human and other resources you can dedicate to ERM. For example, if you have fewer ERM resources, you may start with a lower-lift model you can implement effectively now, rather than a high-lift model that will overwhelm your entire team.
  2. Data: Every ERM model needs inputs, which means a lot of data about your risks, your risk management practices and more. Pick a model whose inputs you can actually supply with high-quality data.
  3. ERM environment: How complex is your current ERM landscape? If your organization is large, your value chain is dynamic and risk and compliance are complicated, then your model will need to be more sophisticated.
  4. Budget: Every ERM maturity model will benefit from the right ERM tool. However, your must-have capabilities will determine how comprehensive the tool needs to be — as will the budget you have allocated to your ERM program.

How to use your maturity model to enhance performance

When you effectively execute your ERM maturity model, performance follows. Successful ERM is data-driven, dynamic, and always-on — characteristics that your maturity model will help you master.

This does take time, and there will be a learning curve. But the light at the end of the ERM tunnel is a centralized view of risk that lets you quickly identify both big-picture problems and ad hoc risks, give management and the board insight into the risks you face along with the data to act on them, and continuously monitor risk so threats won’t catch you unawares.

In this way, ERM performance isn’t just about risk — it’s about establishing and protecting your competitive edge as the risk landscape evolves.

From initial to leading: Moving through the maturity scale

Now that we've established the levels of ERM maturity and you understand the types of maturity models and how to choose one, it's time to learn how to push your organization to the next rung on the ERM ladder. Using the five levels of maturity we described above, here are our recommendations at each stage:

  1. Initial: You may do an annual risk assessment, take ad hoc requests from the board or outsource the work to a third party. The most important thing to propel your organization out of this early stage is to better understand the benefits of ERM and begin to document a strategy. Find out how to get started by downloading From chaos to control: 3 steps to ERM success.
  2. Emerging: At this point, you've gotten your ERM program off the ground, and now it's time to dream big. Maybe audit is responsible for your risk program, or you simply don't believe your organization is large enough to expand the scope of your enterprise risk management strategy. Here, it's essential to understand that you can and should move at a pace that is comfortable for your organization. Are there barriers holding you back? Probably. But by combining the right strategies with ERM technology that scales with your organization, you can turn those challenges into opportunities more quickly than you might expect.
  3. Conforming: Your processes are documented and consistent, but something is missing. Is siloed data between departments holding you back and making reporting to the board more manual and time-consuming than it needs to be? If you've already implemented an ERM solution (or maybe you have multiple solutions across your organization), it's time to unify ERM across departments and add board reporting software that allows leaders to get an up-to-date, enterprise-wide picture of risk.
  4. Advancing: So you have an established enterprise-wide ERM strategy, and things are running pretty smoothly. Here's where it really starts to get interesting. Did you know that you can seamlessly provide your board with automated real-time monitoring for more actionable insights? Risk intelligence tools make it possible to monitor negative news, screen and monitor sanctions, and more without overwhelming your team with extra work.
  5. Leading: Your organization has already expertly implemented an ERM strategy. You understand that an effective ERM strategy equates value creation with greater ROI, and your business lives by this reality. So where do you go from here? Take a look at the solutions you've implemented to tackle ERM within your organization. Are there multiple software packages causing some risks to slip through the cracks? Do they effectively leverage AI, with the ability not only to pinpoint risk but to predict it? At this point, it's time to implement a GRC platform that provides a single source of truth and greater consistency and control for better insights and a stronger competitive advantage.

Unlock more proactive enterprise risk management

If you’re ready to move the needle on ERM, there’s truly no time like the present. Whether you’ve just started to research ERM maturity models, found a model that meets your maturity level or are already using ERM technology to de-silo your approach, there’s always an opportunity to improve — particularly in terms of proactivity.

The ability to proactively mitigate risks is what sets leading ERM programs apart. It also turns ERM into a value driver for your entire organization. Learn how ERM technology and a unified GRC solution can help you take the next step.


© 2024 Diligent Corporation. All rights reserved.