Dada Enterprises Risk Management Maturity Matrix

Welcome to Dada Enterprises Risk Management Maturity Matrix.

Please complete all sections of the Matrix
0
Hover over for Instructions
Mean
1-5
Category Total Risk Management
Sum Total Value Maturity Matrix
1 Process 0 9
0.0 Process
2 Adoption
Adoption
0 4
Culture Visibility &
3 Culture 0 3
Control
5.0
4 Visibility 0 3
0.0 Minimum Value in range
4.0 1 Process 0
2 Adoption 0
0.0 3 Culture 0
3.0 4 Visibility 0
Min 0
0.0
2.0
Risk Maturity Score:
0.0
1.0

0.0

Copyright of Dada Enterprises This sample model is released purely for educational and demonstration purposes Page 1
 Dada Enterprises' Risk Management Maturity Matrix
1 Process
1.1 Development of Risk Process

Learner 0
Level 1 Level 2
Development of the risk process. No process documentation.
People at all levels are unclear what process they should follow. 1

Developer
Level 1 Level 2
Several incomplete processes exist but there is no integration No single, current, process document for the programme.
or consistency with each other or with other processes. Sub-groups have different thoughts/ ideas and are working in slightly different ways – forms, reviews, priorities, registers etc. 2
Evidence – several part/patching processes exit
Performer
Level 1 Level 2
Single, rationalised, generic process exists and is Process document such as Project Execution Document (PER) and Project Execution Requirements (PER) exists.
documented. It may be too generic or lacking in content to be fully workable, and the programme team may have developed informal work-arounds in some areas and
tailored for the programme.
It will not be widely read/ understood by the team, and they will either not be very interested, or else will want to change it. 3
Intermittent use/ following.
Process may not be sufficiently flexible to incorporate suppliers/partners

Contender
Level 1 Level 2
Process development based on internal lessons learnt. The Process document (PED, PER etc.) exists, and is practical, useable and has been compiled using lessons learnt from other programmes.
process is integrated with other programme management > The team all understand and use the process and believe in it.
processes > Evidence should exist of which other programmes were used for lessons learnt. 4
> A change process exists to improve the process.
> The process is flexible and is integrated with the programme management process.

World Class
Level 1 Level 2
External benchmarking used to continually review and > As for Contender, but the process author will be continuously benchmarking against internal and external processes/ practices, in a cycle of continuous
update the process. The process is integrated with other improvement. 5
business processes. > Evidence of what/where bench marked should be available.

Copyright of Dada Enterprises Ltd Risk assessment date: 02/25/2021 2 of 20

 Dada Enterprises' Risk Management Maturity Matrix
1 Process
1.2 Risk Register

Learner 0
Level 1 Level 2
Lack of defined / consistent parameters, leading to poor > Standard risk register, but no definitions and people don’t understand what to write in the fields.
quality data and much missing data. > Many blank fields or various sub group- level risk registers of differing formats/fields. 1

Developer
Level 1 Level 2
Parameters defined, but inconsistent usage, and some > Format for single risk register defined.
> Team members not clear on how to fill in all fields and hence some missing data. 2
data missing.
Performer
Level 1 Level 2
Parameters defined, but not regularly updated. Reports > Format for single risk register defined and communicated.
generated, but of limited use. > Most fields completed, but few risks have moved beyond first registration – this is not a live document.
> Big time lapse between updates. 3
> Risk register may only be updated in a reactive manner.

Level 1
Clearly defined and integrated risk register. Updated
regularly and used to generate reports to aid
management decisions.
Contender
Level 2
> Format for single risk register defined and communicated.
> All necessary fields completed and risks have been recently reviewed – this really is a live document – evidence that it has been updated in a proactive
manner.
> Used by management team to help manage programme and risk.
> All team members have a route to update risks on the register. 4
> Risk history maintained.
> All changes should be traceable to the individual who made the change.

World Class
Level 1 Level 2
Clearly defined and integrated risk register, which > As for Contender and used by whole team to manage risk and opportunity.
encompasses opportunities. Updated regularly and > Contains opportunities or is fully integrated with an opportunity register.
used as a management tool by the whole programme 5
team.

Copyright of Dada Enterprises Ltd Risk assessment date: 02/25/2021 3 of 20

 Dada Enterprises' Risk Management Maturity Matrix
1 Process
1.3 Risk Metrics

Learner 0
Level 1 Level 2
No risk metrics in place. > No metrics 1
Developer
Level 1 Level 2
Risk metrics exist, but aren’t used. > Metrics defined within Client and programme documentation but not used by programme team.
> No buy-in from the programme team. 2
> Risk metrics used (but not valued) as a reporting tool, because senior management request it, but no usefulness seen by team.

Level 1
Risk metrics used to meet senior management
requirements, - not meaningful or useful to the
programme team.
Probably only a single metric
Level 1
Risk metrics, (covering a broad spectrum of risk
management), used and seen to be of value by a small
number of the progamme team.
Level 1
Risk metrics used by the programme team to affect
improvement, aid decision-making and motivate the
programme team.
Performer
Level 2
> Risk metrics used and seen as valuable by management team but not seen to be of value by the rest of the programme team.
> Management team are aware, understand and supportive of the metrics and are motivated by them.
> Metrics used to set targets for the programme team. 3
> The rest of the team are unaware of the metrics.
Contender
Level 2
> A broad range of risk metrics are used to motivate the whole of the programme team.
4
World Class
Level 2
> Risk metrics used, understood and seen to be of value by whole team.
> Team members able to interpret the metrics, see the benefits gained from the metrics.
> For example, risk budget vs pro-active funding of mitigation, cost of materialised risks versus budget/spend on mitigation, numbers of: - open risks, risks 5
with aversion strategies, closed risks, averted risks, etc.

Copyright of Dada Enterprises Ltd Risk assessment date: 02/25/2021 4 of 20

 Dada Enterprises' Risk Management Maturity Matrix
1 Process
1.4 Software Risks Tools

Learner 0
Level 1 Level 2
No risk tools in place. > No tools. 1
Developer
Level 1 Level 2
Limited application of a single tool, (risk analysis e.g. > Either a tool is there or imported through a consultant rather than through an in-house competency.
quantitative Monte Carlo tool or risk register tool but > Examples of how the tool has been used to either manage or analyse risk should be evident in sample report outputs. 2
not both). > If a consultant is used, they are used at arms length and not fully integrated into the programme team.

Performer
Level 1 Level 2
Risk analysis e.g. quantitative Monte Carlo tool and > As for Developer but for both tools.
risk register tool used, but they are not integrated with > Able to detail how the programme gets added value from the tools. 3
each other. > If a consultant is used, they are an integrated part of the programme team.

Contender
Level 1 Level 2
Tools consistently applied and integrated with each > As for Performer but able to demonstrate how the two tools are linked via user intervention through project management software.
> Analysis tool used for schedule risk analysis (and cost risk analysis) if required. 4
other by manual intervention.
World Class
Level 1 Level 2
Collection of leading-edge tools used appropriately > As for Contender but with fully automatic integrated tools across the programme and compatible with appropriate customer and supplier tools.
and automatically integrated with the programme 5
planning and control systems.

Copyright of Dada Enterprises Ltd Risk assessment date: 02/25/2021 5 of 20

 Dada Enterprises' Risk Management Maturity Matrix
1 Process
1.5 Risk Schedule Risk Allowance - Origin

Learner 0
Level 1 Level 2
No schedule risk contingency was identified as part of the > The programme timescales were based on similar projects (in size or scope) with a known history of completing on time and to cost, or -
programme. > No need recognised for the existence of a robust schedule or else – 1
> The need for a programme is recognised, but business process is not in place to facilitate its evaluation.

Developer
Level 1 Level 2
Top down; ’finger in the wind’. > Risk identification has started, but only for obvious risks.
> The schedule allowance is normally associated with contingency as a percentage of the total duration value. 2

Performer
Level 1 Level 2
Risk to the schedule are identified for a small number > Risk register is raised for known high risks only.
3
of high-level risk areas.
Contender
Level 1 Level 2
Robust process for schedule risk allowance identified > All risks in register used to calculate the schedule risk allowance to the programme, which is derived from a rigorous probability/schedule analysis, e.g.
Monte Carlo for rolled-up reporting through risk-sets. 4
risks at all levels.
World Class
Level 1 Level 2
Robust process is used to cost identified risks and > Risks identified on the register are also linked into the project plan for schedule impact and residual risk in time and cost.
make provision for unidentified risks. > The need for Mitigation funding to manage unforeseen risk is recognised and catered for using a justifiable method. 5

Copyright of Dada Enterprises Ltd Risk assessment date: 02/25/2021 6 of 20

 Dada Enterprises' Risk Management Maturity Matrix
1 Process
1.6 Schedule Risk Allowance- Usage

Learner 0
Level 1 Level 2
Schedule risks are absorbed through available float in the > Risk budget doesn’t exist, - so no utilisation. 1
programme or otherwise in programme slippage.
Developer
Level 1 Level 2
Schedule contingency used as an extra source of time > Risk register not really used.
> No spending of contingency funding to mitigate risk, - instead it is used to fund overspends after the event. 2
to carry out tasks
Performer
Level 1 Level 2
The need to use the budget for risk mitigation is > No formal method in place to release money for risk mitigation, - so little spending to mitigate risks.
recognised, but not well practised, and the budget is > Inappropriate amount of money spent on risk mitigation due to poor or non-existent cost/benefit justification.
too often used to pay for risks that have happened with 3
consequential programme slippage.
Contender
Level 1 Level 2
Risk budget used to manage away risk in advance. > Risk owners empowered to mitigate risks.
Everyone understands the available schedule risk > Evidence exists that the budget is spent pro-actively to mitigate risk.
contingency for tasks, but this available float is > Cost/benefit justifications are used to prioritise the spending of the risk budget and schedule contingency.
> An overall programme programme viewpoint is not taken to optimise the overall benefit to the programme programme as a whole. 4
apportioned and held by individual teams within the
programme, and not optimised for overall programme
benefit

World Class
Level 1 Level 2
Risk budget held centrally and used in advance to > The budget would be held centrally and an overall programme viewpoint would be taken to enable funding to be flowed to the risk owners for early
manage risk for the overall good of the programme. mitigation where a cost/benefit case is justified.
Changes to the schedule are managed through Change 5
Control and reflected through changes to the Baseline.

Copyright of Dada Enterprises Ltd Risk assessment date: 02/25/2021 7 of 20

 Dada Enterprises' Risk Management Maturity Matrix
1 Process
1.7 Customer

Learner 0
Level 1 Level 2
No risk management involvement with the programme. > Risks associated with the Customer may have been identified but not communicated to them.
> Customer is not aware of Client's perceived level of risk on the programme.
> Customer has no visibility of the risk management process or risk exposure and lacks confidence that the programme is actively managing risks. 1
> Customer may request information on risk but does not receive a satisfactory response.

Developer
Level 1 Level 2
Customer reports risk management concerns. > The Customer may request information either formally or informally on aspects of the programme and the response is ad-hoc, uncoordinated and comes
programme responds in an unstructured way. from any team member.
> Little / no visibility at senior programme level of what Customer concerns are or the programme response. 2
> Process is Customer driven.

Performer
Level 1 Level 2
Programme plan identifies how risks will be managed > Programme respects the need for two-way communication with the Customer on risks and their management.
with the Customer. > Process set up within the programme to manage both inputs and outputs with respect to Customer issues irrespective of their route into the programme
i.e. structured liaison. 3
> Regular risk reviews established with the Customer at selected levels.

Contender
Level 1 Level 2
Programme and Customer share risks but separate risk > Joint assessment of risks at all levels.
registers held. Discussions on risk management take > Continual improvement of the risk process and plan with the Customer.
place at all levels. > Formal risk meetings held at different levels within the programme and Customer organisations with appropriate escalation and delegation.
> Both parties agree where ownership of key risks lie within each organisation. 4
> High-level risk data and progress is shared but the detail is not.
> Risk register will show both Customer and programme stakeholders as appropriate for shared risks.

Level 1
Customer and programme have a joint risk register and
top level meetings to progress risk mitigation to
achieve joint programme strategic objectives.
World Class
Level 2
> Discussions of completion dates and performance compliance with Customer include risk.
> Shared database with the Customer, although certain fields may not be accessible to each other for competitive reasons.
> Escalation process allows senior management attention from both sides i.e. no surprises. 5
> An overall view of the programme’s objectives is taken by both sides to maximise success e.g. joint programme plan.
> All risk data is shared where it is mutually beneficial.

Copyright of Dada Enterprises Ltd Risk assessment date: 02/25/2021 8 of 20

 Dada Enterprises Risk Management Maturity Matrix
1 Process
1.8 Supplier

Learner 0
Level 1 Level 2
No risk management involvement with the Customer > Programme has not identified their key supplier’s i.e. those suppliers who impact on meeting objectives.
or programme. > Risks associated with the supplier have not been identified by the programme and therefore cannot be used for selection or management of risk.
> Supplier is not aware of the Customers’ perceived level of risk on the programme. 1
> The programme is unaware of the supplier’s perceived level of risk.

Developer
Level 1 Level 2
Programme independently identifies and assesses risks > Ad hoc discussions take place on major risk areas in a reactive way i.e. not embedded within the risk plan.
from suppliers without their involvement > The programme has not verified risk exposure with the supplier and therefore lacks confidence that the supplier is actively managing the risks. 2
> Little / no visibility at senior programme level of what the risks are.

Performer
Level 1 Level 2
Programme involves supplier in identifying and > Risks are identified with the supplier and the impact assessed.
> The programme and supplier agreed mitigation actions. 3
assessing risks.
Contender
Level 1 Level 2
Programme and supplier work together, sharing > Formal opportunity for programme and supplier to work the risk process together for areas of mutual concern.
information to develop and manage risk mitigation > Appropriate access to both parties’ databases e.g. range from no access to extensive access.
plans. > Proactive management of risks from both parties; owners may be identified from both sides.
> Relevant / critical issues escalated to senior management for joint review or re-direction. 4
> Formal risk meetings held at different levels within the programme and supplier organisations.
> Both parties agree where joint management of key risks would be beneficial and these form part of the regular reviews.

World Class
Level 1 Level 2
Supplier and programme mitigate risks to achieve > Severity of risks cascaded up and into the programme / business through Risk Sets reporting.
programme objectives. > Where suppliers impact on key objectives, joint involvement in the programme plan is achieved. 5
> Proactive Incentivised risk sharing in place within commercial / competitive constraints.

Copyright of Dada Enterprises Plc 9 of 20

 Dada Enterprises' Risk Management Maturity Matrix
1 Process
1.9 Business Risk

Learner 0
Level 1 Level 2
The programme does not consider the overall impact on the > Where the impact of the risk lies outside the programme, this is not formally identified or communicated with the programme organisation.
programme organisation of their risks and the programme > The impact of the organisation strategy on the programme is overlooked. 1
organisation does not seek information

Developer
Level 1 Level 2
The programme escalates strategic risks within the > A mechanism exists within the programme for communicating and sharing risks across different programme organisational entities and generally within
programme in an unstructured way. The organisation the organisation.
seeks appropriate business information. > However, the mechanism is unstructured and data received is in different formats. 2

Performer
Level 1 Level 2
Top level risks within the programme are identified > The programme senior team has a mechanism for prioritising the consolidated risks through Risk Sets reporting.
and appropriately managed. > Appropriate senior managers own key risks.
> Risks having a major impact on the organisation of the company as a whole are communicated to the Head Office and Client as an integral part of the
governance process. 3
> These exposures are considered when making business decisions.
> The programme senior team share top-level risk information.

Contender
Level 1 Level 2
Shared top-level information used to formulate > Top-level Management Team in the programme team proactively manages risk mitigation to reduce exposures.
strategy to reduce business risk to Client and the > Top risks analysis used to drive the business. 4
programme team. > Effective communication process exists integrating the organisation.

World Class
Level 1 Level 2
Programme and Client Business strategy linked to risk > Risk analysis across the organisation used to identify further business opportunities as well as minimising exposures.
> Current exposures and previous experience are fed into programme and Client business strategy. 5
analysis.

Copyright of Dada Enterprises Ltd Risk assessment date: 02/25/2021 10 of 20

 Dada Enterprises' Risk Management Maturity Matrix
2 Adoption
2.1 Awareness

Learner 0
Level 1 Level 2
Lack of awareness of what risk management is and how it > No Risk Management Plan or process guideline being followed within the project.
might be used. > Project Manager is unaware of the benefits of Risk Management 1
> No organisation process in place.
Developer
Level 1 Level 2
Some key individuals within project aware of risk > Work stream LeadS are aware of some of the benefits of undertaking risk management but do not really follow a particular process or the programme's
management and its benefits. process guidelines, or Project Execution Document (PED) or Project Execution Requirements (PER). 2
> Some key programme individuals are able to convince other within the programme of the benefits of effective applied risk management.

Level 1
Key individuals and some working level programme
staff aware of risk management and its benefits. The
need for a formal process is recognised.
Performer
Level 2
> Programme Work stream Teams are conversant in risk management tools and techniques and how they should be suitably applied in the project.
> Evidence of a formal risk management plan or a project approach to risk management or an organisational process guideline. 3
> Evidence that risk management is an agenda items at all key project progress meetings and is discussed to some depth with these meetings.

Contender
Level 1 Level 2
Everyone on the programme has appropriate education > A risk management training package has been delivered to all key programme staff and this course has been tailored to meet the needs of the project.
and is fluent in risk terminology and procedures. > The training plan is available to new staff when they join the organisation and/ or project.
> Clear risk management responsibilities have been identified.
4
> A risk management metric is used to track the efficiency of the risk training and how successfully it is being implemented.

Level 1
Everyone on the programme has appropriate education
and is risk aware and integrates risk management into
the day job, which in turn feeds into the overall project
goals.
World Class
Level 2
> Everyone on the project understands and is practising their relevant risk management responsibilities.
> The programme team is working collectively to achieve common goals and programme aims, and as a result they are reducing the overall risk exposure
to the organisation.
5
> Work stream team members should understand the implications of risk mitigation activities on the whole organisation.
> Work stream team members understand the threat caused by a risk, not only to themselves and their Work stream, but the whole programme

Copyright of Dada Enterprises Ltd Risk assessment date: 02/25/2021 11 of 20

 Dada Enterprises' Risk Management Maturity Matrix
2 Adoption
2.2 Practice

Learner 0
Level 1 Level 2
Risk management not used meaningfully within the project > No active ownership of the risk management process.
> There may be risk owners assigned but they are not actually doing any management of their risks.
> Risk management if deployed is done on a purely random unstructured fashion and individuals do not understand how their tasks fit into the whole 1
picture.

Developer
Level 1 Level 2
Risk identification taking place as a means of > Lack of ownership
recording issues and how they might be managed. > Team uses the risk management process to identify risk, but there is little management of these risks
> Little reporting on risk status
> No risk prioritisation 2
> No development of risk mitigation strategies
> A risk register would consist of a large list of issues with little or no proof of actions actually taking place.

Performer
Level 1 Level 2
Risk identification and analysis used in some areas on > Risks reviewed separately to other Work stream and the programme issues.
a pro-active basis to make some project decisions. > Little communication of risks outside the individual Work stream to the wider programme.
> Risk not estimate in all Work stream and the programme decisions. 3
> A continual risk identification process in place .
> Clear ownership of the risk management process within the programme.

Level 1
Risks are considered when making most project
decisions. Proactive risk management action taken to
mitigate risks.
Contender
Level 2
> The risks are reviewed at the most relevant level.
> The risk status is reviewed and updated at key points in the programme.
> Risks are shared across the project and the business where appropriate.
> Risks are potentially past onto the project’s customers, suppliers and partners.
> An owner is assigned to measure and improve the risk management process and how it is practised.
> The practice should be clearly documented and reviewed to match what is actually happening. 4
> The benefits of undertaking an individual risk reduction exercise are clearly understood from the outset. These activities are then monitored to check that
what was expected to happen actually occurred.
> Individual Work stream Managers empowers their staff to manage individual risks.

World Class
Level 1 Level 2
Risk management used as a key project management > Project risks are assessed throughout the business and project area executives are able to make decisions on the cumulative impact of all the risks.
tool to achieve project goals, and can be shown to have
direct benefits to the programme and the programme 5
organisation.

Copyright of Dada Enterprises Ltd Risk assessment date: 02/25/2021 12 of 20


2 Adoption
2.3 Capture of Lessons Learnt
Level 1
Need for lessons learnt not recognised.
Level 1
Need recognised. The programme process in place as
defined in the programme Execution Document (PED)
and the Programme Execution Requirements (PER).
Level 1
The programme shares positive aspects of lessons
learnt throughout the programme.
Level 1
The programme records and shares lessons, both
positive and negative, on a continuous basis.
Level 1
The programme maintains a lessons learnt register,
which is appropriately managed and continually
assessed.
Copyright of Dada Enterprises Ltd
Dada Enterprises' Risk Management Maturity Matrix
Learner 0
Level 2
> There may be a slight awareness of lesson learnt, but it is not being practised to any extent within any area of the programme. 1
Developer
Level 2
> There is a definite awareness that the need to capture lesson learnt is a good idea, however there is unlikely to be a process in place. If there is a process
in place it is likely to be out of date or redundant. 2
> The input of data into the lessons learnt log only occurs at the end of the programme and is unlikely to record any negative lesson learnt.
Performer
Level 2
> Lessons learnt outside of the programme are recorded within a central area.
> The programme is still only likely to record positive lesson learnt. However this may not be exclusively. 3
> It would be expect that lesson learnt are captured at the completion of a major milestone or the programme goal.
Contender
Level 2
> Look for evidence of the use of the lesson learnt and see when the last entry was added to the lesson learnt log. There should be a learning experience
with the last month or so for the programme to be in the contender category.
> The data from the lesson learnt would be expected to be of a high quality with recommendations of what to do when faced with the problem again.
> A structured process is in place for capture of any potential lesson learnt. These should be draw on experience from many different areas.
> The lessons learnt are likely to be collected and collated purely within the local environment, this may just be the programme. 4
> The lessons learnt are assessed and the process monitored and reviewed and actions taken where appropriate.
World Class
Level 2
> The programme lessons learnt logs feeds into a higher level mechanism for recording the entire business lesson learnt.
> The process should be assessed and reviewed and changes made where appropriate. 5
> The use of lesson learnt should also be monitor to check if the mechanism is working across the entire business.
Risk assessment date: 02/25/2021 13 of 20
 Dada Enterprises' Risk Management Maturity Matrix
2 Adoption
2.4 Use of Lessons Learnt

Learner 0
Level 1 Level 2
Need for lessons learnt not recognised. > Lessons learnt are not used, due to either lack of knowledge of their importance or either lack of a process for capturing them. 1
Developer
Level 1 Level 2
Unstructured use of lessons learnt within local Works > Lessons learnt are mainly undertaken on a reactive basis to get the individual Work stream through a particular problem.
> The lessons learnt are used purely with the local environment, where information is placed through personal contacts or location. 2
streams
Performer
Level 1 Level 2
Structured use of lessons learnt within local Work > There might be some kind of structure in place for using lessons learnt. However the process is likely to be reactive. Therefore lessons learnt not used
streams. until a particular problem or a risk is imminent.
> There might well be a generic risk list to help in identification of the risks and possibly strategies for their management. 3
> During the risk identification phase at the outset of a Work stream an outside list of lesson learnt is used to help define and potentially design the
programme.

Contender
Level 1 Level 2
Putting things in place from lessons learnt in business > A proactive structure in place for the take up of lessons learnt.
unit. > A structured prompt list is in place that is tailored and researched for the programme, to enable a better risk identification process.
> There should be available a central file of risk mitigation strategies which could be re-used for similar programmes and risks. 4
> Metrics should be collected on the use and take up of lessons learnt.

World Class
Level 1 Level 2
Benchmarking outside and looking externally for best > The programmes should be looking for lesson learnt outside of the organisation to maintain a World Class status.
practice. > The programmes should understand what they are undertaking by the lesson learnt from the beginning and how the lesson should be tailored to meet the
needs of the programme. 5
> There should be a number of controlled information exchanges with other companies.

Copyright of Dada Enterprises Ltd Risk assessment date: 02/25/2021 14 of 20


3 Culture
3.1 Leadership
Level 1
Neither the Work stream Manager nor anyone appointed by
them takes the lead on Risk Management.
Level 1
Need for Project Risk Management (PRM), in a
general sense, is recognised. Individuals take the lead
on PRM but in a reactive fashion. Process likely to fall
into disuse as other priorities dominate.
Level 1
Leadership by example is starting to emerge within the > Leadership of PRM is now becoming aligned with leadership of the project and there is a constant “pull” on Risk related information and activity.
PM team. This is mainly driven by the demands of > However, this “pull” is maybe mainly due to pressure from stakeholders external to the project, such as customer, partners or sponsors, rather than a
belief in the benefits of PRM within the project team.
stakeholders outside the project.
Level 1
PM and key team members lead by example. This is
now driven by a belief in the benefits of PRM which is
seen as an important competence within the project
management team. Project begins to lead Suppliers &
Partners.
Level 1
Leadership has successfully embedded a culture of risk
management and ‘hands-on’ steering is no longer
required. The project leads the development of PRM
with Suppliers & Partners and seeks to influence
customers.
Copyright of Dada Enterprises Ltd
Dada Enterprises' Risk Management Maturity Matrix
Learner 0
Level 2
> Risk is rarely on the agenda at top-level project reviews and, when it is, the meeting is primarily concerned with today’s problems, not Risks. (Raising
Risk at review meetings can be an important way to ‘pull’ PRM from the top).
> Any risk-related requests for information or action are dealt with reactively, on an ad-hoc basis, by different individuals. Other Work stream team 1
members are not aware of Project Risk Management (PRM) or its importance.
Developer
Level 2
In this situation, from time to time, some individuals will pick up the PRM ‘flag’ and run with it and in which there is a general message coming down
from the top that RM is a ‘good thing to do’.
> Any initiatives to launch Risk Management may produce a flurry of activity but this eventually dies off without anyone to maintain focus in the face of
new priorities.
> Leaders at project level recognise the need for PRM although reasons may be vague and possibly confused with other Risk Management activities such
as health & safety etc.
> The risk management leader has to fit in PRM activities around their ‘day job’ and they are likely to be asked to concentrate on other ‘more important’
priorities. 2
> Any initiatives to launch Risk Management may produce a flurry of activity but this eventually dies off without anyone to maintain focus in the face of
new priorities.
> Risk is covered on the agenda of business and project reviews but the information presented isn’t properly challenged or followed up – the main
emphasis is still on current problems rather than risks.
Performer
Level 2
3
Contender
Level 2
> The PM team effectively communicates the benefits of PRM to the team – in terms of meeting the project’s key success criteria – and presents a vision of
how it should be performed in the project.
> There is evidence that this vision is being cascaded through project teams with team leaders following the Leader’s example.
> Team members will, when necessary, actively seek the advice of PRM Leaders regarding implementation of the process.
> Team members who aspire to PM or leadership roles, seek to develop their own competence in PRM. 4
> Good PRM is recognised and rewarded by the organisation (and bad PRM can be a barrier to management career development) – performance in Risk
Management is included in personal performance reviews for project managers and leaders.
> The project team starts to try and change their environment by leading the development of PRM throughout the extended team.
World Class
Level 2
> PRM leadership is now fully aligned with project leadership and steps are being taken to maintain this.
> The project team is now leading the expansion of good PRM practice into the ‘extended enterprise’.
> There is clear evidence that the PRM process is operated, to a high standard, as second nature by all project teams.
> The project is cited as a benchmark for PRM culture and awareness by third parties from outside the project’s organisation. 5
Risk assessment date: 02/25/2021 15 of 20

3 Culture
3.2 Roles
Level 1
Project roles and responsibilities for Project Risk
Management (PRM) are not defined.
Level 1
The Project or Organisation recognise the need for
PRM roles, in general terms. However, the scope of
these roles is not clearly set out and authority and
responsibilities are unclear or ill defined.
Level 1
Scope of PRM roles, including authority and
responsibilities are clearly defined. However, this may
not be consistently applied across the project and some
positions may remain vacant.
Level 1
All project team members understand the
responsibilities and scope of authority of those in PRM
roles. These are also recognised at BU level and the
project endeavours to ensure that all PRM posts are
kept filled.
Level 1
Clearly defined PRM roles and responsibilities extend
beyond the project to include interfaces with other
Work streams and other aspects of the business as well
as within the senior programme team.
Copyright of Dada Enterprises Ltd
Dada Enterprises' Risk Management Maturity Matrix
Learner 0
Level 2
> Nobody on the project is aware that they have any responsibility for Project Risk Management (PRM).
1
Developer
Level 2
> Any requests for risk related information or action are handled by various members of the project team on an ad hoc basis.
> Team members believe that PRM is ‘everyone’s responsibility’ but it’s not clear how this translates into practice.
> Those members of the team who work on PRM are unclear on their responsibilities in this area. 2
Performer
Level 2
> Any requests for risk related information or action are now handled by designated ‘risk contact(s)’ or risk expert(s) within the project.
> In the parts of the programme where these individuals exist they are fairly clear on their role and responsibility.
> In some parts of the programme however, there may be differences in interpretation of the nature of the role or the role may be left vacant. 3
> Roles may not be recognised by the business and the interfaces between the project and the rest of the business on Risk matters may be poorly defined.
Contender
Level 2
> Individual teams within the project all use the same roles for PRM with the same definitions.
> Generally people across the organisation know whom to approach in the projects on risk-related matters and interfaces between the project’s PRM roles
and Risk Management roles in the broader business context are starting to be defined.
> Personal development plans may include development of risk competencies with respect to the defined roles. 4
> Some individuals are specifically tasked with interfacing with customers; partners and suppliers on risk related matters.
> Risk Metrics demonstrate clearly that PRM roles are effective.
World Class
Level 2
> Succession planning takes place for key PRM roles.
> Individuals on the IPT interface with each other organisations as well as risk organisations within their own respective companies'.
> In addition to this, some individuals have defined roles and responsibilities for interfacing with customers, partners and suppliers on risk related matters.
> Work stream teams across the programme all speak the same language such that it is relatively easy to transfer staff involved with PRM between
5
projects.
Risk assessment date: 02/25/2021 16 of 20

3 Culture
3.3 Training
Level 1
No Project Risk Management (PRM) education or training is > Individuals may have had some prior Project Risk Management (PRM) training or, perhaps enrol themselves on external courses.
available in the organisation, the need not having been
recognised.
Level 1
Need for consistent education across the programme
team is recognised and material on generic PRM is
available for delivery.
Level 1
Generic PRM education is delivered by the
Organisation to project members on an ‘as requested’
basis. The need for customised training is being
addressed.
Level 1
Modularised education and training meets a variety of
needs for different projects and trainee level. Material
covers specific processes and tools used by the project.
Work stream managers proactively ensure delivery of
training to all team members.
Level 1
Training is delivered to all team members appropriate
to their experience and project role. There is a strategic
approach to training at senior management level.
Material is continually updated from lessons learned
etc.
Copyright of Dada Enterprises Ltd
Dada Enterprises' Risk Management Maturity Matrix
Learner 0
Level 2
> However, it is
the culture of the Work stream and the programme that is being measured here. 1
Developer
Level 2
> Project managers have identified that team members would benefit from having a greater level of awareness of risk management.
> Generic education material, covering the basics of PRM is available in or through the organisation.
> Material mostly delivered on an ad hoc basis rather than following a formal strategy. 2
> Material used across the programme may be inconsistent in style and content, with gaps / overlaps etc. in evidence.
Performer
Level 2
> Work stream team leaders can easily arrange awareness education for team members through the organisation.
> They are also making some attempt to assess and prioritise the needs of team members.
> Feedback is obtained regarding the means of delivery as well as the content, including applicability to organisation, project & team members with
different roles.
> From the feedback changes and additions to the material are being considered.
3
> Those requiring in-depth, specialist training (e.g. Work stream risk analysts or co-ordinators) are supported in finding external courses if they’re not
available in-house.
Contender
Level 2
> All team members can access appropriate training in line with their Personal Development Plan requirements etc.
> The different Risk Management Requirements of the different types of Work streams in the organisation have been analysed and incorporated in the
modular course structure and covered in the Project Execution Requirements (PER).
> Also, modules can be combined to form various levels of training from basic awareness to in-depth knowledge of specific tools and techniques.
> Within an individual Work stream there will be a basic strategy for risk training of team members. 4
> Work stream team members work with trainers in developing Work stream-specific elements of the training and actively support the delivery of these
elements.
World Class
Level 2
> There is a strategy for risk training and development both at organisational and project level which may include mentoring and moving staff between
projects.
> Regular workshops are held for sharing and learning from good practice, both within and outside the Senior Programme Organisation and training
material updated as appropriate. 5
> New training material is developed in parallel with the development and introduction of new Risk tools and techniques.
> The standard of the training is such that third parties might want to use it.
Risk assessment date: 02/25/2021 17 of 20
 Risk Management Maturity Matrix
4 Visibility & Control
4.1 Measurement

Learner 0
Level 1 Level 2
Measurement of risk is patchy and incomplete and there is > Some Work streams have measurements from which risk status can be derived.
no drive to improve. > The available measures within the organisation are not consistent. 1

Developer
Level 1 Level 2
Some benefit of measuring risk is understood and > Most Work streams areas have measurements from which the risk status can be derived.
some areas of the programme > The organisation is putting pressure on the projects to improve measurement methods. 2

Performer
Level 1 Level 2
The current risk exposure within a Work stream or the > All Work stream areas have measures which implicitly or explicitly express the risk status.
overall programme can be determined. > From a detailed analysis of all measures within the organisation it is possible to derive a current programme exposure. 3
> The measures are based on past performance and therefore do not address forward results.

Contender
Level 1 Level 2
Relevant measures from the organisation allow a > Work stream area measures are relevant, consistent and explicitly measure risk on key programme objectives.
current risk exposure profile to be determined. > There is some evidence that measurements consider forward results 4
> It is simple to derive a current risk exposure profile for the overall programme.
World Class
Level 1 Level 2
The programme can clearly see their full risk exposure > Work stream measures are simple and consistent allowing the risk exposure for the programme to be readily determined.
and use this information to manage new and existing > The measures provide both current state and forward projections. 5
business opportunities. > The measures give the guidance on future business opportunities and confidence that these can be managed.

02/25/2021 18 of 20
511500026.xls
 Risk Management Maturity Matrix
4 Visibility & Control
4.2 Reporting

Learner 0
Level 1 Level 2
Information on risk exposures and status is not reported. > There is no requirement or perceived need to report on risk status from the project / business areas.
> The organisation relies upon independent sources e.g. internal audit, consultants to define risk exposures. 1

Developer
Level 1 Level 2
Some Work streams report on risks when prompted. > Risks are reported on an ad-hoc basis prompted by a request or relevant event occurring.
> Senior management are aware of some top level risks but have not reflected the requirement to report the management of these risks at the appropriate 2
frequency.
Performer
Level 1 Level 2
Risks are reported as a minimum to comply with > All Work streams report on risk as they perceive them but this is seen as an additional activity.
Corporate Governance requirements. > The standard of information varies considerably and frequently information overload happens where it is difficult to determine what the key risks are and
their current status. 3
> Corporate Governance dictates that management of risk is an element of managing the business but as yet, the process of reporting against key exposures
is not integrated.

Level 1
The benefit of clear, concise reporting on risks is
understood and is done as part of the standard
programme period reporting cycle.
Contender
Level 2
> It is a simple process to derive the organisation status from the individual project reports.
> It is clear from the reports what the key risks are. 4
> Risk reporting is embedded within the standard programme reporting and is done naturally and regularly as per the Project Execution Requirements
(PER) and Project Execution Document (PED).

World Class
Level 1 Level 2
Work stream reporting naturally includes relevant risk > Senior management can clearly see where the “hot spots” are and gain confidence that the overall risk management process is operating effectively
information that allows the senior programme team to allowing key business objectives to be met. 5
manage the programme effectively. > The content of the report allows areas for business growth to be identified.

02/25/2021 19 of 20
511500026.xls
 Risk Management Maturity Matrix
4 Visibility & Control
4.3 Controls

Learner 0
Level 1 Level 2
The controls are seen as bureaucratic and do not add value. > Most controls have been in place for years and are followed slavishly “because we have always done it this way”.
> New controls are put in place after an event. 1
> Limits of authority are set too high in the organisation and result in programme delays as Work streams do not need to refer back to the senior
programme team to approve changes to the Project Management Baseline through the Base Change Control (BCR) process.

Developer
Level 1 Level 2
The need for some controls is challenged and changes > Inconsistent levels of authority exist e.g. managers & team leaders can authorise significant investments but cannot authorise minor travel.
are seen. > The need for and application of existing controls is challenged as to whether they are adding value. When challenged the control or its application will 2
be altered.

Performer
Level 1 Level 2
Essential controls are in place but do not necessarily > Essential controls are in place to cover schedule over-run, financial expenditure, capital investment, recruitment, personal development etc.
change with the business. > New controls are put in place in response to legislative requirements. 3
> As the business changes, inappropriate controls are highlighted.
Contender
Level 1 Level 2
Controls are reviewed regularly and are appropriate to > Regular review of effectiveness of controls using information from external sources and organisations
> Controls are reviewed in light of organisational, process and legislative changes. 4
the current state of the business.
World Class
Level 1 Level 2
The controls assist the business to perform and grow. > The controls in place reflect the organisation’s declared “appetite for risk” / balance between risk taking and risk control.
> The controls do not stifle innovation. 5
> The controls are consistent with the level of authority / accountability in the organisation.

02/25/2021 20 of 20
511500026.xls