Risk Management Maturity Models: Not a One-size Fits All

Risk Management Maturity Goals

Risk Management maturity models seem to be prerequisites for almost any and every industry.

Most imply, if not explicitly stating that it is the ultimate goal of any organization to reach the highest stated capability in every component or factor of the framework or model.

This is the case in the NIST Cybersecurity Framework where it is the implied goal that an organization should have more “Adaptive” tiers than “Partial” tiers, as well as the goal of the RIMS (The Risk Management Society) Risk Maturity Model where it is the goal of an organization to score highest in the model’s seven “key attributes”, i.e. “Leadership”, as opposed to the lowest level, i.e. “Ad-Hoc”.

One-size fits all?

Yet, I would dare say that this is a blatant flaw when it comes to maturity models, as many refuse, or choose not to consider the inherent uniqueness of the varied risk management landscapes that make up all of the businesses out there.

In my role as part of the customer success team at RiskLens, I have the opportunity to work with almost all of our clients.  If it wasn’t apparent already, I know first-hand that the organizations we work with come in all shapes and sizes, are comprised of a wide range of cultures and are a part of a multitude of different industries that focus on both broad and niche markets.

With such a broad cross section of clientele, it would be absurd to think that all organizations are subject to the same risk landscape, making roughly the same risk management decisions and execute upon them uniformly.  While there are similarities between organizations, especially those within the same industry, differences still exist.  The threats facing an organization, and resulting impact from loss will vary from organization to organization. The risk appetite, capabilities and resources to enact risk management policies, and procedures vary, as well as an organization’s awareness and motivation to comply with those aforementioned policies and procedures.

Defining your specific maturity goals

This is to say that the goal of an organization should not be to blindly strive for the highest stated capability within a maturity model. Instead, the goal should be to right-size their maturity based upon their unique needs and capabilities.  Regardless of where a maturity model places an organization, it has always been my opinion that the truly mature organizations are those that realize this fact, and understand where and when to allocate their resources.

RiskLensCyber Risk Maturity application can help organizations get a sense of how well they are achieving this goal, by assessing how well they are managing risk over time and what their visibility into their controls environment is.