This capability maturity model can be used to measure the maturity of an organization’s enterprise risk management process and to assist its progress from the initial/ad-hoc state toward the optimized state.
The capability maturity model describes a maturity curve on these capability levels: INITIAL, which describes a poorly aligned function with non-documented strategies, manual management processes, lack of integrated systems and heavy reliance on spreadsheets/manual documents; REPEATABLE, which describes a loosely aligned function supported by informal policies applied to processes performed by personnel with mixed skill levels; DEFINED, which describes a strategic management structure in place with well-defined processes supported by an organized and highly trained team; MANAGED, which describes a function aligned with the organizational strategic plan and personnel; and OPTIMIZED, which describes a management process performed at an optimal level with best practices in full use.
In this sample, an OPTIMIZED organization’s integrated risk measurement systems are improved continuously.
The capability maturity model is a framework that describes an improvement path from an ad-hoc, immature process to a mature, disciplined process focused on continuous improvement. The CMM defines the state of a process using a common language that is based on the Carnegie Mellon Software Engineering Institute Capability Maturity Model.
Note: The concept of enterprise risk management (ERM) helps to redefine the value proposition of risk management by elevating its focus from the tactical to strategic level. ERM is about designing and implementing capabilities for managing the risks that matter. If you are looking for additional ERM content, we also recommend reviewing Protiviti’s Guide to Enterprise Risk Management and COSO’s Guidance on Enterprise Risk Management.