The Risk and Insurance Management Society (RIMS) has recently introduced its Risk Maturity Model (RMM) to help organizations better utilize Enterprise Risk Management. The purpose of the RIMS Risk Maturity Model is to serve as a benchmarking and educational tool for risk practitioners responsible for ERM planning and communication throughout the organization. The RMM incorporates the best elements from existing ERM models and standards and is meant to be applicable to all industries. The RIMS Risk Maturity Model identifies seven key attributes for effective Enterprise Risk Management. Each attribute is evaluated using the following scale of five maturity levels:

Maturity Levels:

  • Nonexistent
  • Level 1: Ad hoc
  • Level 2: Initial
  • Level 3: Repeatable
  • Level 4: Managed
  • Level 5: Leadership

Seven Attributes of the RIMS Risk Maturity Model

The RMM uses the five-level maturity model to assess an organization’s ERM practices along the following seven core ERM attributes:

1. Adoption of ERM-based approach: This attribute focuses on the organization’s risk culture and degree of executive buy-in for an ERM-based approach.

2. ERM process management: This attribute focuses on the extent to which ERM is embedded throughout the company’s culture and key business processes and the extent to which ERM processes are explicit and repeatable.

3. Risk appetite management: This attribute focuses on the level of awareness concerning risk/reward tradeoffs, the entity’s risk tolerance, and gaps between perceived and actual risks.

4. Root cause discipline: This attribute focuses on the emphasis placed on searching for root causes of risks, including classifying risks, uncovering risk sources, and focusing on improving internal control responses to risks.

5. Uncovering risks: This attribute focuses on the scope of risk assessment and risk information sources, including the extent of documentation concerning risks and opportunities.

6. Performance management: This attribute focuses on the extent to which company risk goals and measures are communicated throughout the organization, and how ERM information is integrated into planning. It also considers the degree to which performance indicators incorporate quantitative and qualitative measures.

7. Business resiliency and sustainability: This attribute assesses the extent to which ERM information is used for operational planning, disaster recovery planning, and other scenario analyses.

The maturity level framework provides risk practitioners with a benchmark for evaluating their organization’s progress in achieving objectives related to each attribute. The combined assessed maturity levels across all seven attributes assist risk professionals in assessing the extent to which ERM is embedded throughout the organization.

Veteran risk managers and novices alike will find the RIMS Risk Maturity Model useful for enhancing risk management within their organization by providing a road map for ERM program development.

More information about the RIMS Risk Maturity Model can be found at RIMS’ website. Go to to find out more.

Click below for a link to the description of the model.

Link: Risk and Insurance Management Society, November 2006, New York.


ERM Enterprise Risk Management Initiative 2006-11-01