Risk Management: what does good look like?


You may already have a Risk Management Process in place, but is it effective? A lot of organisations have made the effort to introduce a standardised process, but that is unlikely to be enough to realise the full benefits of Risk Management and truly be a mature Risk-orientated organisation.

In this article, we’ll look at how to tailor your Risk Management strategy by determining your Risk Appetite and explain how you can build a model to measure how well it is implemented using a Risk Maturity Assessment.


Do you have the stomach for Risk Management?

For your organisation to derive the most value from risk management practice, a good place to start is to understand how much Risk your team can tolerate. This is known as your Risk Appetite.

The world has never been more complex and volatile, as seen in the daily news and felt in Boardrooms. War, climate change, cyber-risks, the energy crises, the cost of living and the fallout from the pandemic is still sending shockwaves around all organisations.

Stephen Sidebottom, Institute of Risk Management Chairman

Understanding your Risk Appetite

Before effective risk management practices can be initiated and embedded, you must first understand your mission as a business and align operational delivery with those values. These will dictate your risk appetite, or level of acceptable risk in pursuit of organisational objectives, going forward.

Ultimately, all businesses from all sectors encounter risk and must accept a specific level of risk that is unique to their own business. If a business is geared towards growth and expansion, its risk appetite must be higher and therefore its risk culture, operating style, and decision-making will reflect this.


Is your current Risk Management process at risk?

How do we know if Risk Management is positively impacting project delivery whilst also ensuring Risk Management best practice is being evidenced throughout your organisation?  In the context of Risk Appetite, you may be willing to accept some ambiguity around your level of Risk but if not, you will want to have a way of knowing where your weak spots are. 

Implementing a Maturity Assessment

Some clients/businesses run Risk Management Maturity Assessment Models (RMMAM) to provide their Corporate Risk Functions/Project Sponsors with an evidence-based model to assess and baseline Risk Management maturity across projects/programmes.  

The model is made up of 6 sections of 3-4 questions each. The sections are:

  • People  
  • Leadership  
  • Partnering (industry or Customer)  
  • Processes  
  • Risk Handling  
  • Project Outcomes  

As mentioned, between 3 and 4 questions are asked per section to build a rounded picture of individuals' perceptions of Risk Management practices within the project delivery space. Each question is scored 1-5 in terms of maturity:

  1. Awareness and Understanding  
  2. Implementation planned and in progress  
  3. Implementation in all key areas 
  4. Embedding and improving 
  5. Excellent capability established   

In some respects, running the model is the easiest part! The Model is sent out as a Microsoft Forms Questionnaire which participants are required to complete individually, rather than collectively as a delivery team, to ensure the most honest and rounded picture of Risk Management can be elicited.  

Taking Responsibility for Risk Maturity

A certain degree of corporate responsibility is required in establishing the ‘to be’ position in terms of total maturity, aligned to the maturity scoring above. For example, in an organisation/project/programme that is well established, we would most probably recommend striving for a ‘to be’ position of 4 – embedding and improving, to show the constant development and implementation of risk management processes to enhance maturity. For a project in the initiation/kick-off/concept phase, we might instead expect to see a more realistic target maturity score of 2 – implementation planned and in progress, to demonstrate the current position of the project and its resources.

The final corporate responsibility centres around possibly the most contentious aspect – who? Risk Management maturity can be a difficult concept depending on the organisation/sector in question: attitudes and behaviours vary so widely from sector to sector and project to project that no two experiences as a Risk Manager, or even Project Manager, will be the same. An organisation may choose to utilise a RACI (Responsible, Accountable, Consulted, and Informed) matrix to outline the project delivery functions whose input is required in the RMMAM to present the most rounded ‘as is’ position possible. However, every organisation varies, so this list is by no means exhaustive; we would expect to see the organisation/corporate/project sponsor make the decision here.

Who Cares!?

When it comes to the running of maturity models/audits/reviews, there is often a question of: so what? What is the tangible outcome of running this?

As mentioned, the RMMAM questionnaire is designed to compare an ‘as is’ position against a corporate-dictated ‘to be’ position and ultimately understand what actions are required to implement significant change or maintain the state of play to ensure adherence with this ‘to be’ position.

Thanks to the specific questionnaire nature of the example used so far, the next steps in terms of results and ‘acting upon them’ are relatively simple. The raw data is manipulated to determine the overall level of maturity including several aspects: 

  • Every individual output from each of the Project Delivery Stakeholders identified above is carried out. 
  • Each question is scored by each of the stakeholders; this specific client then uses the minimum to give an overall maturity score per question.
  • Each of the 6 sections then uses the same minimum to drive an overall section maturity score.
  • The 6 section scores are then interpreted in a series of graphs to demonstrate any improvements/issues on the annual drumbeat of the RMMAM being conducted.

The delta between the corporate-dictated ‘to be’ position and the question/section maturity scores is what drives the ‘Action Plan’ – the ultimate output from the RMMAM. In the instance identified in this report, the client also utilises a free text area for every question, allowing those completing the maturity questionnaire to provide evidence against the maturity score they allocate – this can be utilised in terms of specifically targeting areas of improvement in the Action Plan.
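The scoring steps above can be sketched in code. This is an added example, not the client's or the authors' tooling: it takes the minimum per question across stakeholders, the minimum per section, and builds the Action Plan from the gap to the ‘to be’ target. The stakeholder names, question IDs, scores and evidence text are constructed sample data, and the target of 4 follows the article's example for a well-established organisation.

```python
# Constructed sample responses: (stakeholder, section, question, score 1-5, free-text evidence).
RESPONSES = [
    ("risk_manager", "People", "P1", 4, "Risk training completed by the team"),
    ("project_manager", "People", "P1", 3, "Training planned for new joiners"),
    ("risk_manager", "People", "P2", 4, "Roles documented"),
    ("project_manager", "People", "P2", 4, "Roles documented in RACI"),
    ("risk_manager", "Risk Handling", "R1", 3, "Register reviewed monthly"),
    ("project_manager", "Risk Handling", "R1", 2, "Mitigations not tracked to closure"),
    ("risk_manager", "Risk Handling", "R2", 5, "Escalation route used and evidenced"),
    ("project_manager", "Risk Handling", "R2", 4, "Escalation route defined"),
]

def question_scores(responses):
    """Per-question maturity: the minimum score given by any stakeholder."""
    lowest = {}
    for who, section, question, score, evidence in responses:
        if not 1 <= score <= 5:
            raise ValueError(f"score out of range for {question}: {score}")
        key = (section, question)
        # Keep the lowest score and the evidence that came with it.
        if key not in lowest or score < lowest[key][0]:
            lowest[key] = (score, who, evidence)
    return lowest

def section_scores(per_question):
    """Per-section maturity: the minimum of that section's question scores."""
    sections = {}
    for (section, _question), (score, _who, _evidence) in per_question.items():
        sections[section] = min(score, sections.get(section, 5))
    return sections

def action_plan(per_question, to_be):
    """Questions below the 'to be' target, largest gap first, with supporting evidence."""
    gaps = [
        {"section": s, "question": q, "as_is": score, "gap": to_be - score,
         "raised_by": who, "evidence": ev}
        for (s, q), (score, who, ev) in per_question.items()
        if score < to_be
    ]
    return sorted(gaps, key=lambda g: (-g["gap"], g["section"], g["question"]))

if __name__ == "__main__":
    per_q = question_scores(RESPONSES)
    print(section_scores(per_q))
    for item in action_plan(per_q, to_be=4):
        print(item)
```

Because the minimum is used at both levels, a single low score from one stakeholder sets the section score, which is why the free-text evidence attached to that lowest score is carried into the plan.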


Risk management, tools, and perceptions are different in every business and sector; however, the need for engaged and ‘bought-in’ Project Delivery Professionals is common throughout.

Your Risk process, like all processes, needs continuous improvement driven by iterative maturity assessments. These must be approached holistically to ensure that the perceptions of all those involved in Project Delivery, who feasibly engage with Risk Management processes, are captured.

Clear assignment of roles and expectations is critical – Risk Management Maturity Assessment Models are an integral tool that can be used to ensure individuals are held accountable for their understanding of and engagement with Risk Management Processes.

This article was written by Tim Samways, Senior Technical Manager and Josh Bailey, Delivery Manager.
