See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/319218604

Risk Management: A Maturity Model Based on ISO 31000

Conference Paper · July 2017

DOI: 10.1109/CBI.2017.40

CITATIONS READS

9 27,352

4 authors, including:

Diogo Proença Ricardo Vieira

Inesc-ID Technical University of Lisbon
33 PUBLICATIONS   193 CITATIONS    28 PUBLICATIONS   163 CITATIONS   

SEE PROFILE SEE PROFILE

José Borbinha
University of Lisbon
196 PUBLICATIONS   1,133 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

SHAMAN (Sustaining Heritage Access through Multivalent Archiving), View project

4C Project View project

All content following this page was uploaded by Diogo Proença on 16 December 2018.

The user has requested enhancement of the downloaded file.

 Risk Management
A Maturity Model based on ISO 31000
Authors Name/s per 1st Affiliation (Author)
line 1 (of Affiliation): dept. name of organization
line 2-name of organization, acronyms acceptable
line 3-City, Country
line 4-e-mail address if desired
Abstract— Risk Management, according with the ISO Guide
73 is the set of “coordinated activities to direct and control an
organization with regard to risk”. In a nutshell, Risk
Management is the business process used to manage risk in
organizations. ISO 31000 defines a framework and process for
risk management. However, implementing this standard without
a detailed plan can become a burden on organizations. This
paper presents a maturity model for the risk management
process based on ISO 31000. The purpose of this model is to
provide an assessment tool for organizations to use in order to get
their current risk management maturity level. The results can
then be used to create an improvement plan which will guide
organizations to reach their target maturity level. This maturity
model allows organizations to assess a risk management process
according to the best practices defined in risk management
references. The maturity model can also be used as a reference
for improving this process since it sets a clear path of how a risk
management process should be performed.
Keywords— Risk Management, Maturity Model, ISO 31000.
I. INTRODUCTION
Risk is the effect of uncertainty on the achievement of
objectives. Therefore, all organizations are subject to risk and
uncertainty, and the need to manage risk in a structured way is
increasingly recognized. Risk management (RM) consists of
"coordinated activities to direct and control an organization
with respect to risk" [18]. Often, organizations use different
risk management practices and do not always do so in a
systematic way. To help organizations, manage risk more
efficiently, several risk management frameworks have been
created. One of them, ISO 31000 is recognized as a consensual
reference, which has influenced some organizations that
develop risk management structures to review their work to be
aligned with ISO 31000. ISO 31000 is comprehensive and can
be used in all industries and for all types of risk, regardless of
their nature. Consequently, this reference does not prescribe a
risk management system, merely supporting and integrating
risk management into the overall management system of an
organization. The implementation of the risk management
process is not always easy and some organizations give up
without achieving the desired outcomes. This may because
they are unable to carry out the risk management process in a
consistent and predictable way over time. Maturity models are
tools that represents a path towards an increasingly organized
Authors Name/s per 2nd Affiliation (Author)
line 1 (of Affiliation): dept. name of organization
line 2-name of organization, acronyms acceptable
line 3-City, Country
line 4-e-mail address if desired
and systematic way of doing business which usually involve
people, organizations, and processes. There has been a great
popularization of these tools in the last years using maturity
models in several domains, for example: data management,
information security, and project management. In maturity
models, the evolutionary path is described through discrete
stages, to reach the next level it is necessary to achieve the
objectives of the desired level and all previous levels.
The goal of this paper is to develop an artifact (a maturity
model) by using an established approach to contribute to the
RM body of knowledge. As a result, Design Science Research
(DSR) was chosen as it combines the practical dimension and
the scientific dimension. The maturity model focuses on the
ISO 31000, which prescribes a RM process and framework, to
define a maturity model for RM. In this paper we target our
attention in answering two research questions (RQ), as
follows:
RQ1 - What are the key activities for a risk management
process according to the ISO 31000?
RQ2 – How could a maturity Model specific to RM be
designed which targets the challenges of different
organizations and industries?
To address these research questions, this paper is structured in
seven sections. First, the key terms and concepts are explained
in Section II. This is followed by Section III, where the
research methodology is outlined. Section IV, details the
findings from a literature review in existing RM Maturity
models and a comparison between the existing maturity
models for the RM domain. Then Section V, presents the RM
Maturity model and the iterative development method used.
The evaluation of the RM Maturity Model is presented in
Section VI which evaluates the mapping between the RM
Maturity Model Levels and the ISO 31000. Finally, Section
VII details the conclusions and the limitations of the RM
Maturity Model.
 II. BACKGROUND
This section explains the key terns and concepts within this
paper, such as, “maturity models” and “risk management” to
ensure a common understanding.
The history of early maturity models goes back to theories of
the hierarchy of human needs (Maslow 1954), economic
growth Kuznets (1965) and the progression of information
technology in organizations (Nolan 1979). Given that these
types of models describe the development of an entity over
time [1]. These types of models are based on product quality
principles developed during the "quality revolution" by
authors such as Shewart, Deming, Juran and Crosby [22]. In
1986, the US Department of Defense needed a method to
assess the capabilities of the software companies with whom it
worked, so Watts Humphrey, the SEI team and Miter
Corporation were tasked with this task [1]. In 1991 was
released the first version, the CMM maturity model of
capabilities. This model has achieved remarkable success and
has been revised and improved having evolved into CMMI,
the currently integrated capability maturity model integration
version 1.3 [19].
Due to the success obtained, the principles used to develop the
SEI maturity models served as inspiration to other authors,
both academics and practitioners, and there are now hundreds
of models applied to different domains [1]. Currently, the two
major references of maturity models are CMMI and ISO
15504 [7], both of which are related to Software Engineering
processes.
In general, maturity can be defined as "an evolutionary
progression in the demonstration of a specific skill or in the
achievement of an objective from an initial state to a desired
final state" [6]. In addition to the general definitions, there are
many definitions of maturity that are directly related to the
domain to which this term refers. As this work will develop a
maturity model applied to a process of risk management, it is
also important to define maturity applied to a process.
Maturity can then be defined as the "degree to which an
organization executes processes that are explicitly and
consistently documented, managed, measurable, controlled,
and continuously improved. Maturity can be measured
through appraisals" [19]. Another fundamental concept is
capability that is defined as "an organization's competence to
perform a specific activity or achieve the desired performance
in a predictable and consistent manner" [4]. According to
Loon [21], a maturity model is a sequence of maturity levels
for certain objects, usually people, organizations or processes.
In these models is represented the evolutionary path,
anticipated, desired or typical, through discrete levels. In
addition to the above, these models provide the necessary
criteria to reach each of the model's maturity levels. Thus,
maturity models allow us to see at what level of the
evolutionary process certain objects meet. The maturity levels
are organized from an initial level of lower capacity to an
advanced level corresponding to the maximum capacity of the
reality in question. In order to reach higher maturity levels it is
necessary that there is a continuous progression of the
capability of a given object.
The concept of process is fundamental in the course of this
paper, and can be defined as a "set of interrelated activities
that transforms inputs into outputs" [19]. Process area is
defined by SEI as "a set of related practices within an area
that, when implemented together, satisfy a set of objectives
considered important to make improvements in this area" [19].
The SEI also defines maturity model applied to processes as "a
model that contains the essential elements of effective
processes for one or more areas of interest and which
describes a path of evolutionary improvement from an ad hoc
state, immature processes to disciplined processes, Mature
processes with good quality and effectiveness" [19]. Maturity
models applied to processes can have two types of
representations: continuous and staged. In step-by-step
representations, there are maturity levels that correspond to the
degree of process improvement across the set of predefined
process areas in which all objectives are met or achieved [19].
In continuous representations, capacity levels are used that
represent the achievement of process improvement in
individual process areas. This type of representation allows
organizations to gauge the capability of each individually
selected process, and also allows to choose different capacity
levels for different process areas, whereas in the step
representation the maturity level corresponds to the level of
the process areas as a whole. However, continuous
representation is more limited when comparing the
organization overall with other organizations. Despite the
differences between the continuous and staged representations,
the maturity models that have both representations usually
contain ways of converting the various levels of capacity of
the individual process areas of the organization into a maturity
level corresponding to the set of process areas.
ISO 31000 was created to establish general principles for risk
management, regardless of the scope. Therefore, it applies to
any type of risk regardless of its nature and consequence
(positive or negative). The standard establishes a risk
management vocabulary, a set of performance criteria, a
comprehensive process for risk identification, analysis,
evaluation and treatment, and guidance on how the risk
management process should be integrated into an
organization[20]. Note that ISO 31000 does not describe a
prescriptive risk management system but rather defines a set
of common principles and guidelines to implement risk
management. Part of the process of implementing risk
management in an organization is to establish the context and
understand where it requires domain-specific risk management
practices, methods or techniques..
There are two supporting documents for ISO 31000: Guide 73:
2009, which defines a risk management vocabulary, and ISO
31010, which provides guidance on the application and
selection of systematic techniques for risk assessment.
ISO 31000 is sometimes referred to as the “umbrella standard”
because there are more than 60 references in the field of risk
management that are aligned with this standard. Some known
examples are: ISO 9000 - Quality Management, ISO 27000 –
Information security management systems, or ISO 28000 –
Specification for security management systems for the supply
chain. Given ISO 31000 widespread application in the vast
majority of countries in the world and the fact that there are so
many risk management frameworks aligned with it, the
following definitions of terms related to risk management in
ISO Guide 73 are accepted in a semi-canonical way:
1. Risk: "Effect of uncertainty in achieving objectives" [17].
Since an effect is considered a deviation from what is
expected, it can be positive or negative. Normally, risk is
expressed as a function of the probability of a particular
event occurring and of its potential consequences.
Uncertainty is associated with the state of information
deficiency (even if only partial) necessary for the
understanding and knowledge of a given event, its
consequence or probability;
2. Risk Management: "Coordinated activities to direct and
control an organization with regard to risk" [17];
3. Risk Management Framework: “Set of components that
provide the foundations and organizational arrangements
for designing, implementing, monitoring, reviewing and
continually improving risk management throughout the
organization” [17].
Similarly, the risk management process defined in Figure 1 is
accepted as a standard regarding which activities should
comprise a risk management process. Therefore, risk
management is an iterative process where, as the first step, the
Figure 1. ISO 31000 RM Framework and Process [18]
context should be established in order to identify internal and
external factors that can influence the remaining activities of
the process. Risk assessment is the sub-process of identifying
existing risks in the pre-defined context, analyzing the
identified risks typically regarding its severity, and evaluation
where identified risks are compared using the previous
analysis in order to prioritize treatment. Using the output of
risk assessment, in risk treatment, stakeholders define a risk
treatment plan that consists of a set of controls (actions) that
mitigate the identified risks. Throughout the mentioned
activities is essential that all relevant stakeholders are
consulted and informed (communication and consultation
phase) to assure accurate identifications and estimations.
Additionally, the risk information defined in each activity
should be constantly monitored (monitoring and review phase)
in order to assure that is constantly updated. According to the
ISO 31000, the Risk Management Process (Figure 1) consists
of the "systematic application of management policies,
procedures and practices to the activities of communication,
consultation, establishment of the context and identification,
analysis, treatment and monitoring and risk review". [18] The
risk management process must be integrated both in the
management of the organization and in the practices and
culture of the organization and must be adapted to each
organization and its own processes. Risk management
activities should be documented and properly recorded [18].
 III. RESEARCH METHODOLOGY
In order to address the research questions of this paper, we
selected DSR [9] [10]. DSR can be seen as “a designer
answering questions relevant to human problems via the
creation of innovative artifacts, thereby contributing new
knowledge to the body of scientific evidence. The designed
artifacts are both useful and fundamental in understanding that
problem” [10]. The major advantage of DSR is the fact that it
“addresses real-world problems and simultaneously
contributes to the body of knowledge” [10]. However, the
development of maturity models within the RM domain is not
new and has been popular for some time [11]. In other
domains, Mettler et al. [3] count more than 100 models in the
information systems domain, Poeppelbuβ et al. [4] count even
more. One significant fault within this domain is the lack of
specific contributions regarding how to develop maturity
models. Moreover, most authors rarely describe their
development process. In literature, there are only a few
development procedures for maturity models. The
development procedures of Becker et al. [8] and De Bruin et
al. [23] are popular among the domain based their citation
counts. For the development of the RM Maturity Model, we
decided to use the development procedure of Becker et al. [8]
to develop our maturity model because it is based on DSR and
therefore provides a suitable methodological foundation to use
in our research approach. Additionally, Becker et al. provide a
rigorous and reliable development process according to the
DSR guidelines of Hevner et al. [9].
Becker et al. [8] argue that maturity models are artifacts that
serve to solve the problem of appreciating capacity and obtain
improvement measures. According to Hevner et al. [10]
design science allows you to create artifacts such as
constructs, models, methods, and instantiations that help
improve problem-solving capabilities. Thus, the authors state
that the methodology of design science is appropriate for the
Figure 2. MM Development Method based on Becker et al. [8]
development of maturity models. Therefore, based on this
methodology, [8] the following eight maturity models
development requirements were developed:
 R1 (Comparison with existing models) - existing maturity
models should be analyzed and compared as a way to
support the need to develop a new maturity model or
simply to improve an old maturity model.
 R2 (iterative procedure) - the development of maturity
models must follow an iterative process.
 R3 (Assessment) - the principles, premises, utility, quality
and effectiveness of maturity models must be evaluated
iteratively.
 R4 (a multi-method procedure) - several methodologies
should be used in the development of maturity models, and
these must be duly substantiated.
 R5 (Identifying the relevance of the problem) - it should be
demonstrated how important the solution of the problem is
for researchers and / or practitioners.
 R6 (Problem definition) - before starting the development
of a model, the application domain, the application
conditions and the expected benefits of the maturity model
must be defined.
 R7 (Presentation of results to a target audience) - The
conditions of application and the needs of the users are
reflected in the presentation of the maturity model.
 R8 (Scientific documentation) - there must be a correct
documentation of the process of construction of the
maturity model, which must be detailed, covering each step
of the process, the parties involved, the methods used and
the results.
In the same study [8], the author proposes a procedure for the
development of maturity models composed of eight steps. All
steps should be documented according to R8. The steps in the
model are:
1) Definition of the problem, which should include R5 and
R6;
2) Comparison with existing maturity models, as stipulated in
R1;
3) Determination of a model design strategy;
4) Iterative development of the maturity model (R2), which in
turn is composed of sub-steps: selection of the drawing
level that establishes the architecture of the maturity
model, selection of the approach (R4), drawing of the
model section and the test of Results (R3);
5) Transfer and evaluation concept (R4);
6) Implementation of means of transfer (R7);
7) Evaluation (R3) of the maturity model. If you have a
positive result you should go to the first step to do a new
iteration of the procedure;
8) Rejection in case of evaluation has a negative result. You
should reject the maturity model and document the reasons
for its rejection.
Figure 2 details the application of the maturity model
development procedure from Becker et al. [8] to the
development of the RM Maturity Model. As a first step we
identified the problem, a brief introduction to the problem is
present in section I, which is then detailed in section IV. The
used technique for the problem identification was a literature
review for the Risk Management domain in which we reached
the conclusion that implementing and measuring a Risk
Management which follows the recommendations from ISO
31000 is a complex task and a maturity model for that purpose
will provide a comprehensible yet easy way of planning for
improvement. During this step we also defined our maturity
levels, which will follow the structure and definition from the
CMMI [19].
In the second step we compared existing maturity model in the
risk management domain. For this comparison we collected
the RM process activities from the ISO 31000. As discussed
previously, this standard details a RM process as is depicted in
Figure 1. Following that process we deducted seven activities
which are detailed further on section IV. Then we collected
existing maturity models from RM and using a Likert-scale we
provide a comparison between these maturity models against
the deducted activities.
The third section is where the iterative maturity model
development is detailed. We conducted two iterations to reach
the RM Maturity Model presented in this paper. The first
iteration where as a proof of concept we focused on the Risk
Assessment phase and then in the second iteration we captured
the whole risk management process. This step is detailed in
Section V and the Risk Management Maturity Model is
presented in Figure 4.
Finally, the last step of the Maturity Model development
procedure we show an evaluation of the RM Maturity Model.
For this purpose we mapped the assessment criteria for each
maturity level with the sections from ISO 31000 to show that
the RM Maturity Model not only covers the RM process but
also the RM framework which goal is to “provide the
foundations and organizational arrangements for designing,
implementing, monitoring, reviewing and continually
improving risk management throughout the organization”
[18]. Also as part of the model evaluation step, we show how
the assessment questionnaire is structured by providing an
example of a question within the questionnaire.
IV. ANALYSIS
In order to provide a consistent and precise problem
definition, we gathered the risk management process activities
from ISO 31000.
According to the ISO 31000 the activities for a Risk
Management Process can be summarized as follows:
 A1: Establish the Context – “defining the external and
internal parameters to be taken into account when
managing risk, and setting the scope and risk criteria for
the risk management policy”. [18]
 A2: Risk identification – “process of finding, recognizing
and describing risks”. [18]
 A3: Risk analysis – “process to comprehend the nature of
risk and to determine the level of risk”. [18]
 A4: Risk evaluation – “process of comparing the results of
risk analysis with risk criteria to determine whether the
risk and/or its magnitude is acceptable or tolerable”. [18]
 A5: Risk treatment – “process to modify risk”. [18]
 A6: Monitoring and Reviewing - “continual checking,
supervising, critically observing or determining the status
in order to identify change from the performance level
required or expected”. [18]
 A7: Communication and consultation – “Continual and
iterative processes that an organization conducts to
provide, share or obtain information and to engage in
dialogue with stakeholders and others regarding the
management of risk”. [18]
These are the activities that risk management process must
perform in order to be aligned with the recommendations of
the ISO 31000.
The activities are used as a reference baseline to assess the
appropriateness of several existing RM Maturity Models.
Based on the results of the literature review we conducted
within the RM domain, we identified several papers dealing
with maturity models. We selected maturity models that used
different methodological approaches. Then, each maturity
model was analyzed according to the degree to which they
cover and fit to the previously defined reference baseline.
Each maturity model was ranked for every activity according
to the degree of matching, using a Likert-scale, from 1 (very
low matching) to 5 (very high matching). After this analysis,
we concluded that only four maturity models scored an
aggregate of at least 15 points according to the defined
activities baseline:

 Towards a Risk Maturity Model – Hillson (1997) [15];
 Understanding and Improving Your Risk Management
Capability: Assessment Model for Construction
Organizations – Zou et al. (2010) [11];
 The Risk Management Process Maturity Model –
Chapman (2006) [16];
 Risk Maturity Model – Cienfuegos (2013) [13].
The first risk maturity model identified in bibliography was
proposed by Hillson in 1997 [15] and was not design to any
specific domain. Hillson describes four levels of maturity
which he names: naive, novice, normalized, natural. To assess
maturity Hilson uses also four attributes: culture, process,
experience and application. Chapman proposed a similar
model in [16] with four levels also but with the attributes:
culture, system, experience, training and management. In 2008
Ciorciari [25] developed a maturity model according to the
principles of COSO 2004 Framework. The Office of
Commerce [24] also provides a maturity models to its M_o_R
framework.
There are also risk management models for specific domains
such as: complex product systems projects (CoPS) [14],
manufacturing engineering [12], construction organizations
proposed by Zou et al. [11]. Cienfuegos [13] developed a
maturity risk maturity model for Dutch Municipalities in wish
he takes into consideration for its construction the methods
suggested by Becker et al. [8].
One aspect to take into consideration is that most of these RM
maturity models were developed before the release of the ISO
31000 and as result are not properly aligned with this standard.
Table 1 details the assessment results of the above as the most
significant maturity models analyzed. Based on this set an
average score of 21,5 was achieved, the maximum score is 35.
The analysis of the score distribution along the activities
revealed that almost all maturity models only partially address
the activities.
V. MATURITY MODEL DESIGN
In accordance to the maturity model development approach of
Becker et al. [8] a new maturity model has to be developed, if
no existing or the advancement of an existing one is capable of
addressing the identified problem. So, based on the findings of
our analysis there is no maturity model which satisfactorily
fulfill the entire activities baseline. Therefore we will develop
a new maturity model.
Table 1. Existing RM Maturity Models fit Assessment
RM Maturity Model A1 A2 A3 A4
Hillson (1997) 2 2 2 2
Chapman (2006) 3 2 2 2
Zou et al. (2010) 5 5 5 2
Cienfuegos (2013) 5 4 4 4
Average 3,7 3,2 3,2 2,5
The newly developed maturity model presented in Figure 3
and Figure 4 adopts established structural elements, domains
and functions of the best practice in ISO 31000. As detailed
within the research methodology, we applied an iterative
process for the maturity model development. In total we
needed two iterations which can be detailed as follows:
First iteration: As a first step, we defined the characteristics
and structure of the maturity model. We started by proposing
five maturity levels, Initial, Managed, Defined, Quantitively
Managed, and Optimizing. These maturity levels can be found
in various established maturity models, such as, CMMI [19].
In this initial iteration, we focused in just a part of the ISO
31000 RM process namely the Risk Assessment step which
includes the Risk Identification, Risk Analysis and Risk
Evaluation steps. For each criterion of the maturity model we
modeled what was the manifestation of that criterion at the
different maturity levels. We then conducted a trial assessment
using the maturity model, which revealed some issues that will
be solved in the second iteration.
Second iteration: After a trial assessment using the maturity
model one relevant issue was identified. The approach of
modelling what was the manifestation of a criterion at the
different maturity levels is problematic as it creates a difficulty
in respondents to understand the difference between the
possible answered for each assessment question. For example,
respondents could understand what a “documented risk
analysis procedure” was but it was difficult for them to
understand what a “ad-hoc assessed risk analysis procedure”
was. This resulted in a complete revision of both the maturity
model and assessment questionnaire to solve this issue. The
maturity levels definition was maintained. However, instead of
modelling each criterion at each maturity level we opted by
identifying capabilities for each maturity level and dimension,
which resulted in an easily understandable maturity model that
is presented in Figure 3 and Figure 4.
The main goal of the RM Maturity Model is to improve the
impact of risk management on the business value of
organization. This impact will increase when going from a
lower to a higher maturity level, as depicted in Figure 3.
Moreover, the lack of procedures and policies in lower levels
results in low quality risk management and in turn can result
in the organization being at risk and not even realizing it.
Going to higher maturity levels reduces this risk as policies
and procedures become implemented, defined, documented
and assessed. At the highest maturity level (level 5) the
organization uses risk management to provide a competitive
advantage and it is fully integrated in the organizational
A5 A6 A7 
2 3 2 15
2 3 2 16
2 3 4 26
4 5 3 29
2,5 3,5 2,7 21,5
strategy. Figure 3 also shows the focus of risk management at
each maturity level, as well as, what results from an
organization being at each maturity level.
In addition to the already discussed, maturity levels 1–5, we
added level 0, which means that the organization is not
executing any RM process or task at all. Therefore, level 0 is
not explicitly mentioned within the RM maturity model.
Finally, this leads to the following maturity levels:
 Level 0 – Non-existent RM;
 Level 1 – Initial RM;
 Level 2 – Managed RM;
 Level 3 – Defined RM;
 Level 4 – Quantitatively Managed RM;
 Level 5 – Optimizing RM.
To move from level 0 to level 1, the organization needs to be
aware that a RM process is needed as a relevant function of
the organization. Furthermore, basic RM tasks are performed
with the aim of ensuring that risk is managed across the
organization. As a result, at maturity level 1 (Initial), the
organization does has a perception of the need for a risk
management process. The organization may apply some risk
management activities but are mostly ad-hoc and chaotic. This
actions tend to be reactive instead of preventive. The
organization does not provide a stable environment to
establish a risk management process. Risk management results
and unpredictable and hard to replicate and tend to depend
more on the competences of the people in the organization
than the use of a proven process.
At maturity level 2 (Managed), the organization makes an
effort to plan and perform the activities of risk management
process in line with the risk management policy established by
the organization with the stakeholders. Despite this efforts risk
management ends up being influenced by the repetition of
actions that have worked in the past instead of formal process.
Figure 3. RM Maturity Curve
Risk management activities are assigned to people with
capabilities, clear responsibilities, and enough resource to
produce repeatable in some extent.
At this level the organization lacks uniformization risk
management can be significantly different across department
within the organization.
At maturity level 3 (Defined), the Risk management process is
characterized, understood, and described in standard
procedures, tools and methods. The process is used to
establish consistency across the organization, and there is a
centralized approach to risk management. The risk
management process is improved over the time.
At maturity level 4 (Quantitatively Managed), the organization
applies quantitative and statistical methods to manage,
measure and evaluate the risk management process.
Finally, at maturity level 5 (Optimizing), the risk management
process is continuously improved based on the data gathered
in the previous levels. Everyone has a high level of
commitment and risk management is regarded as a strategic
tool. This kind of organization is always innovating and
developing the risk management process therefore
organizations at this maturity level make scientific
contributions to the development of risk management as
domain.
To improve from level X to level X+1, the organization must
comply with all the criteria from level X, which makes this
maturity model follow a “stages” approach. What an
organization can expect from progressing through the maturity
levels is that their RM process will become increasingly
managed, defined and optimized.
ISO 31000 gives general recommendations on how to
measure, evaluate, and continuously improve the risk
management which can be difficult to use for assessing the
RM process. As a result, in order to assess maturity at levels 4
(criteria 4.1-4.4), and at level 5 (criteria 5.1-5.5), we adopted
the guidance from the Process Areas for maturity levels 4 and
5 from CMMI.
 Figure 4. Risk Management Maturity Model

mapping of the ISO 31000 to the RM Maturity Model

VI. MATURITY MODEL EVALUATION
The evaluation step is a main element of DSR. It is necessary
to show the “utility, quality, and efficacy of a design artifact”
[10]. To be compliant with these activities we evaluated the
RM Maturity Model by checking if there is a complete
proposed in this paper.
Table 2 shows, for each RM maturity level, a cumulative
mapping to the respective ISO 31000 chapters. This means
that the maturity level 2 will have the criteria for maturity
level 1 and 2, maturity level 3 will have the criteria for
maturity level 1, 2 and 3 and so on. This means that at
 Table 2. Mapping between the ISO 31000 activities and the maturity Levels in the proposed RM Maturity Model
Maturity Risk Management Framework Risk Management Process
Level 4.2 4.3 4.4 4.5 4.6 5.2 5.3 5.4.2 5.4.3 5.4.4 5.5 5.6
5 X X X X X X X X X X X X
4 X X X X X X X X X X X
3 X X X X X X X X X X
2 X X X X X
1 X X X

Table 3. Example of a question from the RM Maturity Model Questionnaire

ID 4.3
Title Process Performance Analysis
Question Is Process Performance analysed?
Purpose The purpose is to identify if the selected measures are analysed to characterize the performance of the
organizations’ RM process.
Notes Analyse the collected measures to establish a distribution or range of results that characterize the expected
performance of the organizations’ RM process. This analysis should include the stability of the RM process, and
the impacts of associated factors and context. Related factors include inputs to the RM process and other attributes
that can affect the results obtained. The context includes the business context (e.g., domain).
Answers No: Process Performance is not analysed.
Yes: Process Performance is analysed.
Source CMMI for Development 1.3 – Organizational Process Performance [19]

maturity level 5 an organization follows all the criteria for ISO
31000. To understand the numbering of the ISO 31000
chapters used in Table 2 and the relation to the overall RM
framework and process see Figure 1.
For maturity level 1, criterion 1.1 can be mapped to chapter
5.4 which details the risk assessment phase of the RM process,
the output of this phase is what is called a risk management
report which details all the finds of this phase. The criteria
identified for level 2 were deduced from chapters 4.2 and 4.3.
Chapter 4.2 is called mandate and commitment, and it states
that in order to achieve an effective risk management an
organization needs a strong commitment at all levels as well
as strategic and rigorous planning achieve this. Chapter 4.3
concerns the design of the framework to manage risks and is
divided in seven steps: understanding the organization and its
context, establishing a risk management policy, accountability,
integration into organizational processes, resources,
establishing internal communication and reporting
mechanisms, establishing external communication and
external mechanisms. Most of the criteria used in level 3
came from chapters 5.2-5.6, which are named after the
activities of the risk management process described in chapter
III. So, chapters 5.2-5.6 respectively have recommendations
on: communication and consultation, establishing the context,
risk assessment, risk treatment, and monitoring and reviewing.
In this level there are also some criteria from chapter 4.4
named implementing risk management which consists of
implementing the stated process and the previously designed
framework. The criteria to achieve maturity at level 4 come
from chapter 4.5, this chapter has recommendations on how to
monitor and review the risk management framework. Maturity
at level 5 is based on chapter 4.6 which is called continual
improvement of the framework.
According to Becker et al. [8], the evaluation step of the
maturity model also includes the “conception of transfer and
evaluation” [8]. This means that there should be a description
of the rationale behind the development of the questionnaire to
be used to assess an organization’s RM maturity. For this
purpose we created a questionnaire that contains a question for
each of the maturity level assessment criteria detailed in
Figure 4. Each question contains the following information:
1. ID: Which identifies the maturity level that question
belongs to, as well as, number of the question in the
overall questionnaire (As an example, question “3.10” is
the tenth question for maturity level 3);
2. Title: Which depicts the main topic the question refers to;
3. Question: Which details the question itself;
4. Objective: Which details the objective of that question,
what knowledge the question intends to capture;
5. Notes: Which either clarifies some aspects and/or terms of
the question or details examples of evidence to substantiate
the answer for the question;
6. Answers: Which depicts the five possible answers to the
question;
7. Source: Which details the source from which that specific
question originates.
An example of a question from the assessment questionnaire is
detailed in Table 3. This is the third questions used to assess
maturity level 4 of RM Maturity. Its focus is on “process
performance analysis”. As can be seen by looking at the
source this is one of the questions that is based on the
guidance from the “Organizational Process Performance”
process area from CMMI [19] that was adapted to fit the RM
Maturity Model.
The questionnaire was developed as a self-assessment
questionnaire which is available on-line so that organizations
that want to assess their current RM practice can freely access
the questionnaire, fill the answers and get a detailed report on
their current maturity level for RM.
VII. CONCLUSION
The aim of this paper is the development of a maturity model
for the RM process. The latter can serve as a governance
instrument that could be used by the RM function to analyze
and evaluate the current strengths and weaknesses of the RM
process. However, the model is not restricted to analytical
purposes only. It can also be used to derive a roadmap towards
an evolutionary improvement of the RM function regarding its
capabilities and its effectiveness and efficiency. The first part
of the paper elaborates the RM activities which were used as a
reference baseline to investigate whether existing maturity
models are capable of holistically assessing a RM process
(RQ1). The findings revealed that existing maturity models
cover the entire reference baseline insufficiently, since they
only selectively address the activities. Hence, no existing
maturity model is able to solve the identified problem. Finally,
we decided to design a new maturity model in consistency to
the defined research strategy. In the second part of the paper,
we described the development of a maturity model for RM,
including the model itself as well as its evaluation to address
the second research question: “How could a maturity Model
specific to RM be designed which targets the challenges of
different organizations and industries?” (RQ2). The developed
model is based on existing maturity model structures and
inherits concepts and methodologies of the ISO 31000. We
took care during the development to provide a useable
research result. Naturally, the applied research approach
comes along with certain limitations. In order to extend the
research aspect of the maturity model, we suggest evaluating
and refining the RM maturity model within different industry
sectors, this would lead to a more generic RM maturity model
and would enable benchmarking across different industries.
REFERENCES
[1] D. Ahern, A. Clouse, R. Turner, “CMMI Destilled: A Pratical
Introduction to Integrated Process Improvement, Third Edition,” Addson
Wesley Professional, 2008.
[2] ISO/IEC 15504:2004, “Information technology - Process assessment,”
International Organization for Standardization and International
Electrotechnical Commission Std. 2004.
View publication stats
[3] T. Mettler, P. Rohner, R. Winter, "Towards a Classification of Maturity
Models in Information Systems," In A. D'Atri, M. De Marco, A. M.
Braccini and F. Cabiddu: Management of the Interconnected World,
Physica-Verlag, Heidelberg, 2010.
[4] J. Poeppelbuβ, B. Niehaves, A. Simons, J. Becker, "Maturity Models in
Information Systems Research: Literature Search and Analysis,"
Communications of the Association for Information Systems, vol. 29,
2011.
[5] M. Röglinger, J. Pöppelbuß, “What makes a useful maturity model? A
framework for general design principles for maturity models and its
demonstration in business process management,” In proceedings of the
19th European Conference on Information Systems, Helsinki, Finland,
June. 2011.
[6] T. Mettler, “A design science research perspective on maturity models in
information systems,” St. Gallen: Institute of Information Management,
Universtiy of St. Gallen. 2009.
[7] A. Maier, J. Moultrie, P. Clarkson, “Assessing Organizational
Capabilities: Reviewing and Guiding the Development of Maturity
Grids,” In IEEE transactions on engineering management, vol. 59, no. 1.
2012.
[8] J. Becker, R. Knackstedt, J. Pöppelbuβ, “Developing maturity models
for IT management: A procedure model and its application,” Business
and Information Systems Engineering, Vol. 3, pp 213-222. 2009.
[9] A. Hevner, S. Ram, S. March, J. Park, "Design Science in Information
Systems Research," MISQ, vol. 28, pp. 75-105, 2004.
[10] A. Hevner, S. Chatterjee, “Design Research in Information Systems:
Theory and Practice,” Springer, Heidelberg, 2010.
[11] P. Zou, Y. Chen, and T. Chan, “Understanding and Improving Your
Risk Management Capability : Assessment Model for Construction
Organizations,” no. August, pp. 854–864, 2010.
[12] L. Shah, A. Siadat, and F. Vernadat, “Maturity assessment in risk
management in manufacturing engineering,” 2009 3rd Annu. IEEE Syst.
Conf., pp. 296–301, 2009.
[13] I. Cienfuegos, Developing a Risk Maturity Model for Dutch
municipalities, PhD Thesis, 2013.
[14] Y. Ren and K. Yeo, “Risk management capability maturity model for
complex product systems (CoPS) projects,” 2004 IEEE Int. Eng. Manag.
Conf. (IEEE Cat. No.04CH37574), vol. 2, pp. 807–811, 2004.
[15] D. Hillson, “Towards a risk maturity model,” Int. J. Proj. Bus. Risk
Manag., vol. 1, no. 1, pp. 35–45, 1997.
[16] R. Chapman, Simple tools and techniques for enterprise risk
management, 2nd ed. Chichester: Wiley, 2011.
[17] ISO/Guide 73:2009, “Risk management — Vocabulary.” [Online].
Available: https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en.
[18] ISO 31000:2009, “Risk Management – Principles and Guidelines,”
2013.
[19] CMMI Product Team, “CMMI for Development, Version 1.3,”
Carnegie Mellon Univ., no. November, p. 482, 2010.
[20] G. Purdy, “ISO 31000:2009—Setting a New Standard for Risk
Management,” Risk Anal., vol. 30, no. 6, pp. 881–886, 2010.
[21] H. van Loon, “Process Assessment and Improvement: A Practical
Guide,” Jan. 2015.
[22] M. Paulk, B. Curtis, M. Chrissis, and C. Weber, “Capability maturity
model, version 1.1,” IEEE Softw., vol. 10, no. 4, pp. 18–27, 1993.
[23] T. De Bruin, R. Freeze, U. Kaulkarni and M. Rosemann, “Understanding
the Main Phases of Developing a Maturity Assessement Model,” In
Proceedings of the Australasian Conference on Information Systems
(ACIS), 2005.
[24] Office of Commerce, Management of risk: guidance for practitioners.
AXELOS, 2010.
[25] D. Antonucci, “Risk Maturity Models: How to assess risk management
effectiveness,” Kogan Page, 2016.