
Isn’t it time our ideas on risk maturity grew up?

December 28, 2015

Today, I am going to share a guest post by my good friend and, in many ways my mentor, Grant Purdy. I have great respect for my learned friend. Not only has he served with distinction as Chief Risk Officer for one of this world’s largest companies, but he was influential in the development of Australia/New Zealand’s standards for risk management – and later in the development of the ISO 31000:2009 global risk management standard.

Please consider this post. I have a few comments of my own, which follow his reflections.


Isn’t it time our ideas on risk maturity grew up?

Grant Purdy, Associate Director, Broadleaf Capital International

The confected expressions ‘risk maturity’ and ‘risk management maturity’ (which typically are used interchangeably despite having entirely different meanings) have gained currency with apparently little thought as to their meaning or inherent validity.

Used variously as both a descriptor of a desirable state of affairs and as an arbitrary continuum for measuring what ‘good’ risk management looks like, the question is whether these expressions, and their related dogma and systems, are actually helping or hindering organisations achieve their objectives through better decision making – which, of course, is the sole purpose of risk management.

We all deal with uncertainty, every day, as an intuitive part of making decisions before we act. Some of us are better at it than others and most of us could improve – if we knew how.

In organisations, decisions are always made in the context of the organisation’s external and internal environments and so inevitably involve some uncertainty as to the actual effect of any decision. The effect of that uncertainty on the organisation’s objectives is what is commonly described as ‘risk’. Detecting, understanding and (if beneficial to do so) modifying ‘risk’ (and having the intent and capacity to do so) is what, by habit, we call risk management.

Risk management – concerned as it is with both consideration of uncertainty and with the organisation having the intent and capacity to do so – is something that organisations either do well or not so well; they can do it intuitively or deliberately and either always or sometimes.

As with income and expenditure data, production figures, and other organisational performance measures, it is helpful for organisations to be clear about how good is their ‘risk management’. Otherwise, they cannot enjoy the confidence of knowing that decisions will lead to the intended outcomes which, after all, is the basis of good governance.

However, as with other types of organisational performance measures (such as considering actual against budgeted revenue), it is necessary to know what ‘good’ risk management looks like before organisations can understand their shortcomings and plan improvements.

The proponents of ‘risk maturity’ concepts envisage that ‘good’ = ‘mature’. But is that valid? If ‘maturity’ is used just to characterise ‘good’ then, in itself, it adds nothing and it would be better to use the normal word ‘good’ instead.

Defining ‘good’ risk management is, in fact, quite simple because, if its ultimate purpose is to enhance decision-making, it must deliver three key things:

  1. When decisions are finalised, the ‘risk’ associated with the decision is fully understood.
  2. The type and magnitude of that risk is acceptable, i.e., optimal, taking into account those aspects that facilitate objectives and those that might detract from them.
  3. Changes inside or outside the organisation that occur after a decision has been made, and are of a type that could have the effect of modifying the risk, are detected, the resulting risk assessed and, if warranted, the decision is amended and the subsequent actions are revised.

These three criteria for ‘good’ need to be satisfied for every decision because, as with the links of a chain, it doesn’t matter that the risk associated with 99 decisions meets the criteria if there is one decision in which an unacceptable risk went undetected, was misunderstood, or was not modified to ensure it was acceptable. This is very similar to the preparation of a profit and loss statement that comes down to similar matters of fact: (1) were all elements of expense and revenue captured and, (2) are the arithmetic and accounting treatment of each item correct?

In summary, ‘good’ risk management is only concerned with its universal application to decision-making and its consistent, technically competent application and, as can be seen, such criteria, like the links of a chain, do not lend themselves to measurement using arbitrary scales or matrices.

If risk management is not satisfying the above criteria of ‘good’ then the organisation should remedy any specific shortcomings in:

  • the organisation’s intentions (i.e. whether or not it intends to consider the effect of uncertainty on its objectives in its decisions throughout the organisation), and;
  • its capacity to give effect to those intentions (e.g. individuals having clear instructions, skills and relevant tools and there being a system of performance measures).

Remedying shortcomings in intent or capacity in an efficient way requires very specific and tightly constrained remedies such as revised instructions, improved explanation, targeted training, improved tools and improved surveillance.

So ‘good’ has nothing to do with ‘maturity’ but all to do with being ‘effective’, which has the ordinary meaning of ‘having the effect intended’.

George Orwell wrote:

the slovenliness of our language makes it easier for us to have foolish thoughts[1]

Isn’t it about time we abandoned using the slovenly expression ‘maturity’ as an expression of ‘good’ and instead use the simple and accurate word ‘effective’? And, at the same time, avoid the deceptive use of any form of maturity scale. Instead, shouldn’t we just focus on the selection and implementation of actions that, quite simply:

  • monitor and test the application of approaches that discover, understand and, if necessary, modify uncertainty as part of decision-making;
  • monitor and test the technical adequacy of such activities;
  • design and monitor remedial actions?


[1] George Orwell: Politics and the English Language, Horizon, London, 1946.


Norman’s Comments

I understand and agree, to a large extent, with Grant’s views. I too write about effective risk management enabling better decisions, at all levels of the extended enterprise.

I have sympathy for Grant’s position that we must be clear when we talk about mature, effective, or good risk management.

I divert from Grant’s stated position (although it may be more a matter of semantics) when it comes to what constitutes an acceptable level of risk management – what I would refer to as ‘effective’. (I don’t know what ‘good’ risk management is and don’t talk about it).

My position is that the risk management capability, including framework and processes, can only provide a reasonable level of assurance that the desired level of risk will be taken. Incorrect or misguided, even misinformed decisions will still be made. Perfection is not achievable.

What I say in World Class Risk Management is that risk management can be considered world-class when the likelihood and extent of a failure to manage risk at desired levels is acceptable. Please see the book for a detailed explanation of this new concept.

So, what do you think?


  1. December 28, 2015 at 8:50 PM

    How disappointing that there is no implicit recognition of reward, just risk. That is the biggest missing piece of this discussion or “word” blog.

    • Norman Marks
      December 28, 2015 at 8:59 PM

      Interesting point, Michael. Grant and I both see the effects of uncertainty as positive, adverse, or a combination of both.

      In fact, there is no certainty, only a possibility of reward – just as there is only a possibility of an adverse consequence.

      Frankly, not nearly enough is written about reward. Thanks for raising the point.

  2. December 28, 2015 at 10:00 PM

    The ‘rewards’ we are all seeking is to be successful – however we define that in terms of our objectives. Effective risk management helps us achieve success by ensuring that the decisions we make are soundly based.

    Your question does make me wonder how you choose to define risk – and whether this is only in terms of detrimental consequences. When I use the term risk I mean the effect of uncertainty on objectives as per ISO 31000. These effects can, of course, detract from our objectives. However, they can also be supportive and risk modification through controls is aimed at ‘enabling’ so there is greater certainty we will achieve our objectives.

    Risk is ultimately an abstract concept that is neither inherently good nor inherently bad. What I’ve tried to discuss in this article is how, to be successful, an organisation must possess the necessary capacity to detect and understand risk as part of decision making and then take steps to modify it as necessary – in the most efficient way possible. Arriving at the desired modifications must, of course, involve the balancing of costs (and disadvantages) and benefits.

  3. December 28, 2015 at 10:00 PM

    I personally like the post because it clearly links risk management to decision quality and decision analysis domains. To me this is the only way to make risk management useful for an organization.

  4. December 29, 2015 at 10:31 PM

    Words help to visualise and establish positions. Maturity enables a look at an evolution of the Risk Management System. A good or effective use gives only a yes or no position, or partly yes/no, while maturity can provide a road map and thus may be a preferred term.

  5. December 29, 2015 at 11:34 PM

    But a ‘maturity’ based model may give organisations a false sense of security. Just because an organisation has some of the necessary components for effective risk management in place does not mean that it is making well-supported decisions that will help ensure it achieves its objectives.

    The ideal evaluation process for all organisations is one that contains both a gap analysis and a diagnostic assessment of effectiveness of the vital components. The ‘maturity’ models I’ve seen generally don’t do that: they are a checklist of components where the maturity level depends on the components that are supposedly present. Then they generally don’t assess the effectiveness of the components that are present by comparing with tangible performance requirements. For example, you can get a ‘tick in a box’ for having a risk policy statement or a risk appetite statement, whether or not those documents are coherent, useful, are used in practice or are even necessary.

    • December 29, 2015 at 11:37 PM

      Agree. A maturity scale with effectiveness criteria or a value would be ideal. A tick mark process is definitely not ideal.

    • December 30, 2015 at 12:32 PM

      I would agree that a simple ‘tick box’ approach to risk maturity is not sufficient but it is necessary to assess the risk maturity of an organisation prior to planning audits in order to assess the extent to which the auditor can trust the completeness of the controls in place. My approach, based on IIA Guidance Note – An Approach to Implementing Risk Based Internal Auditing, is to carry out audit tests to assess the risk maturity of the area being audited (appendix F Book 1 and section E Book 4 from http://www.internalaudit.biz). I think this addresses the final point you make above.

      • Norman Marks
        December 30, 2015 at 1:05 PM

        I think we have to be careful to define not only our terms but the roles of the players we are referring to. David, I agree that before internal audit can place reliance on management’s risk-related activities, they need to be assessed. I am less sure that a maturity model is how you assess their effectiveness, although I do like to use a model when discussing the state of risk management with the board and top executives. I assess risk management in terms of whether it meets the needs of the organization, which amounts to enabling better, informed decisions.

        However, it is my belief that management, preferably the CEO, provide the board with his or her assessment of the adequacy of risk management. He or she should not look to internal audit as the sole source for that assessment.

        The players:
        – the board
        – top management
        – the risk officer
        – internal audit

        Who should have an opinion/assessment of the effectiveness of risk management? All of the above. Do they all assess the same way? Perhaps not.

  6. January 8, 2016 at 5:43 AM

    Great insight.
