Risk Maturity Modeling is a technique that provides a path forward on perceived risks and enables your organization to periodically assess where it is along that path. A good analogy is with our educational system. We begin at first grade and mature through twelve grade levels for our basic education. One can only move up a grade (maturity) level after completing the current level. Adding maturity modeling to your risk management processes will provide the ability to benchmark your risk program and define a path forward. The following diagram shows a risk maturity modeling for five levels.
How Many Maturity Levels?
The decision to establish the number of maturity levels is driven by the risk complexity level the organization desires to establish. For example, a key business operational area to incorporate risk maturity modeling is in cybersecurity and vendor risk management.
How many maturity levels shall be used? Current industry practices typically use three or five maturity levels. As an example, the Cybersecurity Maturity Model Certification (CMMC) program includes cyber protection standards for companies in the defense industrial base in support of the US Defense Department. By incorporating cybersecurity standards into acquisition programs, CMMC provides the Department assurance that contractors and subcontractors are meeting DoD’s cybersecurity requirements. The CMMC standard began with five maturity levels in the initial version and the subsequent version reduced the number of levels to three.
The CMMC risk assessment standards are documented in National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations specification.
https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
Have a Report Card
To further leverage analyzing the maturity of a program each risk domain has its own maturity level target. Back to our education analogy is knowing what the level is for the program but also specifically the curriculum/subject/domain level. For example, the following domain maturity dashboard view illustrates the maturity level for each cyber risk domain which is based on NIST cybersecurity control domains.
The maturity level can be determined by established risk control target attainments. In other words, a percentage of target attainment for each domain. The following risk assessment summary displays the individual domain category, risk score, top risk, target attainment and maturity level. Just like a report card from a school.
Maturity modeling is a benchmarking and educational tool for improving risk management practices and communication throughout an organization. Achieving each level of added maturity indicates an organization’s success in achieving its business objectives and improving performance through the utilization of a risk-based methodology.
ARETE’s Risk Assessment Profiler (RAP) leverages risk maturity modeling throughout its Integrated Risk Management platform. Specifically, the RAP Cyber and RAP Vendor applications leverage risk maturity modeling concepts.
Contact the ARETE team at (888) 99-ARETE or info@arete-inc.com to learn more and see RAP’s Integrated Risk Management platform in action!
