José Borbinha
University of Lisbon
All content following this page was uploaded by Diogo Proença on 16 December 2018.
Abstract— Risk Management, according to ISO Guide 73, is the set of "coordinated activities to direct and control an organization with regard to risk". In a nutshell, Risk Management is the business process used to manage risk in organizations. ISO 31000 defines a framework and process for risk management. However, implementing this standard without a detailed plan can become a burden on organizations. This paper presents a maturity model for the risk management process based on ISO 31000. The purpose of this model is to provide an assessment tool for organizations to use in order to determine their current risk management maturity level. The results can then be used to create an improvement plan which will guide organizations to reach their target maturity level. This maturity model allows organizations to assess a risk management process according to the best practices defined in risk management references. The maturity model can also be used as a reference for improving this process, since it sets a clear path of how a risk management process should be performed.

Keywords— Risk Management, Maturity Model, ISO 31000.

I. INTRODUCTION

Risk is the effect of uncertainty on the achievement of objectives. Therefore, all organizations are subject to risk and uncertainty, and the need to manage risk in a structured way is increasingly recognized. Risk management (RM) consists of "coordinated activities to direct and control an organization with respect to risk" [18]. Often, organizations use different risk management practices and do not always do so in a systematic way. To help organizations manage risk more efficiently, several risk management frameworks have been created. One of them, ISO 31000, is recognized as a consensual reference, which has influenced some organizations that develop risk management structures to review their work to be aligned with ISO 31000. ISO 31000 is comprehensive and can be used in all industries and for all types of risk, regardless of their nature. Consequently, this reference does not prescribe a risk management system, merely supporting and integrating risk management into the overall management system of an organization. The implementation of the risk management process is not always easy, and some organizations give up without achieving the desired outcomes. This may be because they are unable to carry out the risk management process in a consistent and predictable way over time. Maturity models are tools that represent a path towards an increasingly organized and systematic way of doing business, which usually involves people, organizations, and processes. There has been a great popularization of these tools in the last years, using maturity models in several domains, for example: data management, information security, and project management. In maturity models, the evolutionary path is described through discrete stages; to reach the next level it is necessary to achieve the objectives of the desired level and of all previous levels.

The goal of this paper is to develop an artifact (a maturity model) by using an established approach to contribute to the RM body of knowledge. As a result, Design Science Research (DSR) was chosen as it combines the practical dimension and the scientific dimension. The maturity model focuses on ISO 31000, which prescribes a RM process and framework, to define a maturity model for RM. In this paper we target our attention on answering two research questions (RQ), as follows:

RQ1 - What are the key activities for a risk management process according to ISO 31000?

RQ2 - How could a maturity model specific to RM be designed which targets the challenges of different organizations and industries?

To address these research questions, this paper is structured in seven sections. First, the key terms and concepts are explained in Section II. This is followed by Section III, where the research methodology is outlined. Section IV details the findings from a literature review of existing RM maturity models and a comparison between the existing maturity models for the RM domain. Then Section V presents the RM Maturity Model and the iterative development method used. The evaluation of the RM Maturity Model is presented in Section VI, which evaluates the mapping between the RM Maturity Model levels and ISO 31000. Finally, Section VII details the conclusions and the limitations of the RM Maturity Model.
II. BACKGROUND

This section explains the key terms and concepts within this paper, such as "maturity models" and "risk management", to ensure a common understanding.

The history of early maturity models goes back to theories of the hierarchy of human needs (Maslow 1954), economic growth (Kuznets 1965) and the progression of information technology in organizations (Nolan 1979). These types of models describe the development of an entity over time [1]. They are based on product quality principles developed during the "quality revolution" by authors such as Shewhart, Deming, Juran and Crosby [22]. In 1986, the US Department of Defense needed a method to assess the capabilities of the software companies with whom it worked, so Watts Humphrey, the SEI team and the MITRE Corporation were given this task [1]. In 1991 the first version, the Capability Maturity Model (CMM), was released. This model achieved remarkable success and has been revised and improved, evolving into CMMI, the Capability Maturity Model Integration, currently at version 1.3 [19].

Due to the success obtained, the principles used to develop the SEI maturity models served as inspiration to other authors, both academics and practitioners, and there are now hundreds of models applied to different domains [1]. Currently, the two major references for maturity models are CMMI and ISO 15504 [7], both of which are related to Software Engineering processes.

In general, maturity can be defined as "an evolutionary progression in the demonstration of a specific skill or in the achievement of an objective from an initial state to a desired final state" [6]. In addition to the general definitions, there are many definitions of maturity that are directly related to the domain to which this term refers. As this work will develop a maturity model applied to a risk management process, it is also important to define maturity applied to a process. Maturity can then be defined as the "degree to which an organization executes processes that are explicitly and consistently documented, managed, measurable, controlled, and continuously improved. Maturity can be measured through appraisals" [19]. Another fundamental concept is capability, which is defined as "an organization's competence to perform a specific activity or achieve the desired performance in a predictable and consistent manner" [4]. According to van Loon [21], a maturity model is a sequence of maturity levels for certain objects, usually people, organizations or processes. These models represent the anticipated, desired or typical evolutionary path through discrete levels. In addition, these models provide the criteria necessary to reach each of the model's maturity levels. Thus, maturity models allow us to see at which level of the evolutionary path certain objects stand. The maturity levels are organized from an initial level of lower capability to an advanced level corresponding to the maximum capability of the reality in question. In order to reach higher maturity levels, there must be a continuous progression of the capability of a given object.

The concept of process is fundamental in the course of this paper, and can be defined as a "set of interrelated activities that transforms inputs into outputs" [19]. A process area is defined by the SEI as "a set of related practices within an area that, when implemented together, satisfy a set of objectives considered important to make improvements in this area" [19]. The SEI also defines a maturity model applied to processes as "a model that contains the essential elements of effective processes for one or more areas of interest and which describes a path of evolutionary improvement from an ad hoc state, immature processes to disciplined processes, mature processes with good quality and effectiveness" [19]. Maturity models applied to processes can have two types of representation: continuous and staged. In staged representations, there are maturity levels that correspond to the degree of process improvement across the set of predefined process areas in which all objectives are met or achieved [19]. In continuous representations, capability levels are used that represent the achievement of process improvement in individual process areas. This type of representation allows organizations to gauge the capability of each individually selected process, and also allows choosing different capability levels for different process areas, whereas in the staged representation the maturity level corresponds to the level of the process areas as a whole. However, the continuous representation is more limited when comparing the organization overall with other organizations. Despite the differences between the continuous and staged representations, maturity models that have both representations usually contain ways of converting the various capability levels of the organization's individual process areas into a maturity level corresponding to the set of process areas.

ISO 31000 was created to establish general principles for risk management, regardless of the scope. Therefore, it applies to any type of risk regardless of its nature and consequence (positive or negative). The standard establishes a risk management vocabulary, a set of performance criteria, a comprehensive process for risk identification, analysis, evaluation and treatment, and guidance on how the risk management process should be integrated into an organization [20]. Note that ISO 31000 does not describe a prescriptive risk management system but rather defines a set of common principles and guidelines to implement risk management. Part of the process of implementing risk management in an organization is to establish the context and understand where it requires domain-specific risk management practices, methods or techniques.

There are two supporting documents for ISO 31000: Guide 73:2009, which defines a risk management vocabulary, and ISO 31010, which provides guidance on the application and selection of systematic techniques for risk assessment.

ISO 31000 is sometimes referred to as the "umbrella standard" because there are more than 60 references in the field of risk management that are aligned with this standard. Some known examples are: ISO 9000 (Quality Management), ISO 27000 (Information security management systems), or ISO 28000 (Specification for security management systems for the supply chain). Given ISO 31000's widespread application in the vast majority of countries in the world and the fact that there are so many risk management frameworks aligned with it, the following definitions of terms related to risk management in ISO Guide 73 are accepted in a semi-canonical way:

1. Risk: "Effect of uncertainty in achieving objectives" [17]. Since an effect is considered a deviation from what is expected, it can be positive or negative. Normally, risk is expressed as a function of the probability of a particular event occurring and of its potential consequences. Uncertainty is associated with the state of deficiency, even if only partial, of the information necessary for the understanding and knowledge of a given event, its consequence or probability;
2. Risk Management: "Coordinated activities to direct and control an organization with regard to risk" [17];
3. Risk Management Framework: "Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization" [17].

Similarly, the risk management process defined in Figure 1 is accepted as a standard regarding which activities should comprise a risk management process. Therefore, risk management is an iterative process where, as the first step, the context should be established in order to identify internal and external factors that can influence the remaining activities of the process. Risk assessment is the sub-process of identifying existing risks in the pre-defined context, analyzing the identified risks, typically regarding their severity, and evaluating, where identified risks are compared using the previous analysis in order to prioritize treatment. Using the output of risk assessment, in risk treatment, stakeholders define a risk treatment plan that consists of a set of controls (actions) that mitigate the identified risks. Throughout the mentioned activities it is essential that all relevant stakeholders are consulted and informed (communication and consultation phase) to assure accurate identifications and estimations. Additionally, the risk information defined in each activity should be constantly monitored (monitoring and review phase) in order to assure that it is constantly updated. According to ISO 31000, the Risk Management Process (Figure 1) consists of the "systematic application of management policies, procedures and practices to the activities of communication, consultation, establishment of the context and identification, analysis, treatment and monitoring and risk review" [18]. The risk management process must be integrated both in the management of the organization and in the practices and culture of the organization, and must be adapted to each organization and its own processes. Risk management activities should be documented and properly recorded [18].
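The staged and continuous representations described above, and the conversion from per-process-area capability levels into one overall maturity level, can be made concrete with the following Python example. It is an added illustration, not code or scoring rules from the paper: the sample questionnaire, the "<level>.<n>" question IDs, the mapping of questions to RM process activities and ISO 31000 chapters, the five-point answer scale and the "largely performed or better" threshold are all constructed assumptions.

```python
"""Scoring a risk-management maturity questionnaire (added example, not the paper's).
Assumed rules: questions keyed "<level>.<n>", five answers on the scale below,
a criterion met at "largely performed" or better, and staged level N reached
only when every applicable criterion of level N and of all lower levels is met."""
from dataclasses import dataclass

# Constructed five-point answer scale; None marks "not applicable" answers.
ANSWER_SCORE = {"not performed": 0, "partially performed": 1,
                "largely performed": 2, "fully performed": 3, "not applicable": None}
MET_THRESHOLD = 2  # "largely performed" or better satisfies a criterion


@dataclass(frozen=True)
class Question:
    qid: str           # "<level>.<n>", e.g. "3.10" = tenth question of level 3
    title: str
    process_area: str  # RM process activity the question assesses (assumed mapping)
    source: str        # reference the question was derived from (assumed)

    @property
    def level(self) -> int:
        return int(self.qid.split(".", 1)[0])


# Constructed sample questionnaire; the chapter mapping is illustrative only.
QUESTIONNAIRE = [
    Question("1.1", "Risk assessment performed", "risk assessment", "ISO 31000 5.4"),
    Question("2.1", "Mandate and commitment", "framework design", "ISO 31000 4.2"),
    Question("3.1", "Communication and consultation", "communication", "ISO 31000 5.2"),
    Question("3.2", "Establishing the context", "context", "ISO 31000 5.3"),
    Question("3.3", "Risk treatment plan", "risk treatment", "ISO 31000 5.5"),
    Question("3.4", "Monitoring and review of risks", "monitoring and review", "ISO 31000 5.6"),
    Question("4.1", "Framework monitoring and review", "framework monitoring", "ISO 31000 4.5"),
    Question("4.3", "Process performance analysis", "framework monitoring", "CMMI OPP"),
    Question("5.1", "Continual improvement of the framework", "framework improvement", "ISO 31000 4.6"),
]


def criterion_met(answer):
    """True/False for scored answers; None when the question is not applicable."""
    score = ANSWER_SCORE[answer]
    return None if score is None else score >= MET_THRESHOLD


def staged_maturity(questions, answers, max_level=5):
    """Staged view: highest N such that all applicable criteria at levels 1..N are met."""
    reached = 0
    for level in range(1, max_level + 1):
        if any(q.level == level and criterion_met(answers[q.qid]) is False
               for q in questions):
            break  # one failed criterion blocks this level and every level above it
        reached = level
    return reached


def continuous_capability(questions, answers):
    """Continuous view: lowest answer score per process area (n/a answers skipped)."""
    capability = {}
    for q in questions:
        score = ANSWER_SCORE[answers[q.qid]]
        if score is not None:
            capability[q.process_area] = min(score, capability.get(q.process_area, 3))
    return capability


def improvement_plan(questions, answers):
    """Unmet criteria at the next staged level: the input for an improvement plan."""
    target = staged_maturity(questions, answers) + 1
    return [(q.qid, q.title, q.source) for q in questions
            if q.level == target and criterion_met(answers[q.qid]) is False]


# Constructed answers for a fictional organization: level-4 work is under way,
# but one unmet level-3 criterion caps the staged maturity level at 2.
SAMPLE_ANSWERS = {"1.1": "fully performed", "2.1": "largely performed",
                  "3.1": "fully performed", "3.2": "largely performed",
                  "3.3": "partially performed", "3.4": "not applicable",
                  "4.1": "fully performed", "4.3": "not performed", "5.1": "not performed"}
```

Running `staged_maturity(QUESTIONNAIRE, SAMPLE_ANSWERS)` gives 2 even though a level-4 question is fully answered, which is exactly the staged rule; `continuous_capability` shows the same answers as a per-area profile, and `improvement_plan` lists the level-3 gap to close next.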
maturity level 5 an organization follows all the criteria for ISO 31000. To understand the numbering of the ISO 31000 chapters used in Table 2 and their relation to the overall RM framework and process, see Figure 1.

For maturity level 1, criterion 1.1 can be mapped to chapter 5.4, which details the risk assessment phase of the RM process; the output of this phase is what is called a risk management report, which details all the findings of this phase. The criteria identified for level 2 were deduced from chapters 4.2 and 4.3. Chapter 4.2 is called mandate and commitment, and it states that in order to achieve effective risk management an organization needs a strong commitment at all levels as well as strategic and rigorous planning to achieve this. Chapter 4.3 concerns the design of the framework to manage risks and is divided into seven steps: understanding the organization and its context, establishing a risk management policy, accountability, integration into organizational processes, resources, establishing internal communication and reporting mechanisms, and establishing external communication and reporting mechanisms. Most of the criteria used in level 3 came from chapters 5.2-5.6, which are named after the activities of the risk management process described in chapter III. So, chapters 5.2-5.6 respectively have recommendations on: communication and consultation, establishing the context, risk assessment, risk treatment, and monitoring and review. In this level there are also some criteria from chapter 4.4, named implementing risk management, which consists of implementing the stated process and the previously designed framework. The criteria to achieve maturity at level 4 come from chapter 4.5; this chapter has recommendations on how to monitor and review the risk management framework. Maturity at level 5 is based on chapter 4.6, which is called continual improvement of the framework.

According to Becker et al. [8], the evaluation step of the maturity model also includes the "conception of transfer and evaluation" [8]. This means that there should be a description of the rationale behind the development of the questionnaire to be used to assess an organization's RM maturity. For this purpose we created a questionnaire that contains a question for each of the maturity level assessment criteria detailed in Figure 4. Each question contains the following information:

1. ID: identifies the maturity level the question belongs to, as well as the number of the question in the overall questionnaire (as an example, question "3.10" is the tenth question for maturity level 3);
2. Title: depicts the main topic the question refers to;
3. Question: details the question itself;
4. Objective: details the objective of that question, i.e. what knowledge the question intends to capture;
5. Notes: either clarifies some aspects and/or terms of the question or details examples of evidence to substantiate the answer for the question;
6. Answers: depicts the five possible answers to the question;
7. Source: details the source from which that specific question originates.

An example of a question from the assessment questionnaire is detailed in Table 3. This is the third question used to assess maturity level 4 of RM Maturity. Its focus is on "process
performance analysis". As can be seen by looking at the source, this is one of the questions that is based on the guidance from the "Organizational Process Performance" process area from CMMI [19], adapted to fit the RM Maturity Model.

The questionnaire was developed as a self-assessment questionnaire which is available on-line, so that organizations that want to assess their current RM practice can freely access the questionnaire, fill in the answers and get a detailed report on their current maturity level for RM.

VII. CONCLUSION

The aim of this paper is the development of a maturity model for the RM process. The latter can serve as a governance instrument that could be used by the RM function to analyze and evaluate the current strengths and weaknesses of the RM process. However, the model is not restricted to analytical purposes only. It can also be used to derive a roadmap towards an evolutionary improvement of the RM function regarding its capabilities and its effectiveness and efficiency. The first part of the paper elaborates the RM activities which were used as a reference baseline to investigate whether existing maturity models are capable of holistically assessing a RM process (RQ1). The findings revealed that existing maturity models cover the entire reference baseline insufficiently, since they only selectively address the activities. Hence, no existing maturity model is able to solve the identified problem. Finally, we decided to design a new maturity model consistent with the defined research strategy. In the second part of the paper, we described the development of a maturity model for RM, including the model itself as well as its evaluation, to address the second research question: "How could a maturity model specific to RM be designed which targets the challenges of different organizations and industries?" (RQ2). The developed model is based on existing maturity model structures and inherits concepts and methodologies of ISO 31000. We took care during the development to provide a usable research result. Naturally, the applied research approach comes with certain limitations. In order to extend the research aspect of the maturity model, we suggest evaluating and refining the RM maturity model within different industry sectors; this would lead to a more generic RM maturity model and would enable benchmarking across different industries.

REFERENCES

[1] D. Ahern, A. Clouse, R. Turner, "CMMI Distilled: A Practical Introduction to Integrated Process Improvement, Third Edition," Addison-Wesley Professional, 2008.
[2] ISO/IEC 15504:2004, "Information technology - Process assessment," International Organization for Standardization and International Electrotechnical Commission Std., 2004.
[3] T. Mettler, P. Rohner, R. Winter, "Towards a Classification of Maturity Models in Information Systems," in A. D'Atri, M. De Marco, A. M. Braccini and F. Cabiddu (eds.), Management of the Interconnected World, Physica-Verlag, Heidelberg, 2010.
[4] J. Pöppelbuß, B. Niehaves, A. Simons, J. Becker, "Maturity Models in Information Systems Research: Literature Search and Analysis," Communications of the Association for Information Systems, vol. 29, 2011.
[5] M. Röglinger, J. Pöppelbuß, "What makes a useful maturity model? A framework for general design principles for maturity models and its demonstration in business process management," in Proceedings of the 19th European Conference on Information Systems, Helsinki, Finland, June 2011.
[6] T. Mettler, "A design science research perspective on maturity models in information systems," St. Gallen: Institute of Information Management, University of St. Gallen, 2009.
[7] A. Maier, J. Moultrie, P. Clarkson, "Assessing Organizational Capabilities: Reviewing and Guiding the Development of Maturity Grids," IEEE Transactions on Engineering Management, vol. 59, no. 1, 2012.
[8] J. Becker, R. Knackstedt, J. Pöppelbuß, "Developing maturity models for IT management: A procedure model and its application," Business and Information Systems Engineering, vol. 3, pp. 213-222, 2009.
[9] A. Hevner, S. Ram, S. March, J. Park, "Design Science in Information Systems Research," MIS Quarterly, vol. 28, pp. 75-105, 2004.
[10] A. Hevner, S. Chatterjee, "Design Research in Information Systems: Theory and Practice," Springer, Heidelberg, 2010.
[11] P. Zou, Y. Chen, and T. Chan, "Understanding and Improving Your Risk Management Capability: Assessment Model for Construction Organizations," pp. 854-864, August 2010.
[12] L. Shah, A. Siadat, and F. Vernadat, "Maturity assessment in risk management in manufacturing engineering," 2009 3rd Annual IEEE Systems Conference, pp. 296-301, 2009.
[13] I. Cienfuegos, Developing a Risk Maturity Model for Dutch municipalities, PhD Thesis, 2013.
[14] Y. Ren and K. Yeo, "Risk management capability maturity model for complex product systems (CoPS) projects," 2004 IEEE International Engineering Management Conference (IEEE Cat. No. 04CH37574), vol. 2, pp. 807-811, 2004.
[15] D. Hillson, "Towards a risk maturity model," International Journal of Project and Business Risk Management, vol. 1, no. 1, pp. 35-45, 1997.
[16] R. Chapman, Simple tools and techniques for enterprise risk management, 2nd ed. Chichester: Wiley, 2011.
[17] ISO Guide 73:2009, "Risk management — Vocabulary." [Online]. Available: https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en.
[18] ISO 31000:2009, "Risk Management – Principles and Guidelines," 2013.
[19] CMMI Product Team, "CMMI for Development, Version 1.3," Carnegie Mellon University, November 2010, 482 pp.
[20] G. Purdy, "ISO 31000:2009—Setting a New Standard for Risk Management," Risk Analysis, vol. 30, no. 6, pp. 881-886, 2010.
[21] H. van Loon, "Process Assessment and Improvement: A Practical Guide," Jan. 2015.
[22] M. Paulk, B. Curtis, M. Chrissis, and C. Weber, "Capability maturity model, version 1.1," IEEE Software, vol. 10, no. 4, pp. 18-27, 1993.
[23] T. De Bruin, R. Freeze, U. Kulkarni and M. Rosemann, "Understanding the Main Phases of Developing a Maturity Assessment Model," in Proceedings of the Australasian Conference on Information Systems (ACIS), 2005.
[24] Office of Commerce, Management of risk: guidance for practitioners. AXELOS, 2010.
[25] D. Antonucci, "Risk Maturity Models: How to assess risk management effectiveness," Kogan Page, 2016.