Key message: don’t judge a organisation by its risk maturity level
Models have been developed and used to assess an organisation’s maturity in a variety of contexts. For example; Capability Maturity Model (CMM), E-learning Maturity Model (EMM), OPM3 (Organisational Project Management Maturity Model), People Capability Maturity Model, and P3M3 (Portfolio, Programme and Project Management Maturity Model), the more important amongst others. Most of these models require an assessment by independent authorities making a judgment against defined criteria resulting in a summarised maturity rating. In order to achieve a higher rating on the maturity scale there is a need to fulfill all of the criteria set at that level to that same level.
For example one of the criteria was the organization’s knowledge management system. This was rated as a 2.3 on a scale of 1 to 5. Another criterion was the organisation’s human resource management system. This was rated as 1.9. Overall the organisation was rated as a maturity level of 1 because the second criteria did not meet the level 2 standard and hence the overall rating could not be granted at the higher level of 2.
Courtesy of Wix
Contrast this with the excellence model approach which I am developing and testing. The risk management excellence model is based on a similar model and structure developed by Human Systems. Their Project Management model and hence my Integrated Risk Management model focuses on two dimensions; the approach and the deployment. The approach in this instance is all about the way the organisation should be performing its risk management functions. This is generally embodied in various policies, procedures, techniques, tools and templates.
On the other hand the deployment aspect looks at what is actually happening on the ground in relation to the application of risk management. Generally it has been found in organisations in which I have trialled this model, risk management is being applied (deployment) but inconsistently across the organisation and there is a lack of policy and procedures (approach).
This provides an opportunity for the organisation to improve in areas where there is an identified need and not simply to improve in all areas in order to achieve a higher level of maturity. The excellence model allows an organisation to be actually scored low against a number of criterions simply because it does not apply or is not a priority area. A judgement can then be made in terms of risk management excellence without it affecting the overall score. Therefore logic dictates that reading a risk management maturity score may not be a real indicator of risk management excellence.