RIMS Risk Maturity Model FAQ

Why is the RIMS Risk Maturity Model® important for organizations?

The RIMS Risk Maturity Model® is a valuable tool for your business planning and decision making by improving your organization's risk management competency. By creating a common risk management approach, your organization can uncover dependencies and break down silos. This leads to a more effective, integrated and informed risk management  organizational capability for addressing uncertainty. Greater certainty leads to improved strategic planning and adaptability, we well as more smoothly run operations, where people can focus on proactive activities rather than reactive fixes. At the end of the day, this could result in a better bottom line, up to a 25% improved firm value according to researchers. The RIMS Risk Maturity Model® provides standardized criteria by which organizations can benchmark risk management strategies in order to assess program maturity levels, strengths and weaknesses, and develop next steps in the evolution of their ERM programs.

How is the RIMS Risk Maturity Model® relevant for you?

Developed jointly as a risk management resource between RIMS and LogicManager, the RIMS Risk Maturity Model® (RMM) is a best-practice framework and free online assessment tool intended for individuals with risk management responsibilities. It’s a resource designed to help implement and sustain enterprise risk management programs. The RIMS RMM is an educational, planning and measurement resource for boards of directors, chief executive officers, chief financial officers, chief risk officers and other risk management professionals, as well as chief audit executives and consultants, to evaluate the effectiveness and efficiency of an organization’s ERM program.

What are the basic principles of the RIMS Risk Maturity Model®?

The RIMS RMM model consists of 68 key readiness indicators that describe twenty-five competency drivers for seven attributes that create ERM’s value and utility in an organization. The RMM maturity ladder is organized progressively from “ad hoc” to “leadership” and depicts corresponding levels of risk management competency in seven attributes: ERM-based Approach, ERM Process Management, Root Cause Discipline, Risk Appetite Management, Uncovering Risks,  Performance Management and Business Resiliency and Sustainability. The RIMS RMM helps you and your leadership team plot a roadmap to the successful integration of ERM. A unique feature of the Model is its applicability regardless of the specialized frameworks and standards that your organization is using, whether it be the international ISO 31000:2018 standard, the COSO ERM Framework 2017, COBIT, Standard & Poor’s risk management guidelines or some combination.

What is the theoretical basis for the RIMS Risk Maturity Model®?

The Risk Maturity Model® is based on the Capability Maturity Model, a methodology founded by the Carnegie Mellon University Software Engineering Institute (SEI) in the 1980’s. Originally, the model was used to advance software engineering processes. Since then the theory behind the Maturity Model has been applied to other corporate operations such as supply chain and people management, and embraced by some organizations within technology, finance and defense industries. Enterprise risk managers from various business sectors joined forces with RIMS and LogicManager to develop the RIMS Risk Maturity Model® for ERM in order to apply this accepted methodology to improve processes within the risk management discipline.

How do I use RIMS Risk Maturity Model®?

In order to get the most out of RIMS Risk Maturity Model®, we encourage you to take the free online Risk Maturity Assessment in order to get a snapshot of where your risk program stands today. You can then compare your personalized assessment against the full guidelines to identify gaps, and develop a plan for continuous improvement. Strengthen your risk management approach by putting your plan into action. Repeat the assessment periodically to re-evaluate progress and changes in your organization’s competencies.