November 27, 2006
RIMS Risk Maturity Model (RMM) for
Enterprise Risk Management
To benchmark your ERM program and receive a personalized
assessment, go to http://www.RIMS.org/RMM
© 2006 by Risk and Insurance Management Society, Inc.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission.
Preface and History
The Risk and Insurance Management Society, Inc. (RIMS) is a nonprofit organization dedicated to
advancing risk management, a profession that protects physical, financial and human resources.
Founded in 1950, RIMS represents nearly 3,900 industrial, service, nonprofit, charitable and government entities. The society serves about 9,600 risk management professionals around the world.
RIMS has adopted Enterprise Risk Management (ERM) as a core competency and will dedicate significant resources to it. To build an Enterprise Risk Management community, RIMS has launched the Enterprise Risk Management Center for Excellence. This provides educational and networking opportunities for members and coordinates important ERM resources. John Phelps, a RIMS board member, is chairman of the RIMS ERM Development Committee. The ERM Committee recognized the need for ERM education and a mechanism for measuring ERM maturity, so it created a Risk Maturity Model to let organizations reach risk management's next level.
The ERM Committee recognized the value of partnering with an expert ERM solutions provider to tap
RIMS’ practitioners’ expertise and create the RIMS Risk Maturity Model. RIMS selected
LogicManager, a leading developer of Enterprise Risk Management solutions and creator of its own
innovative risk maturity model. LogicManager, based in Boston, donated its intellectual property,
expertise and services and the RIMS Risk Maturity Model was born.
This RIMS Risk Maturity Model is primarily an educational and benchmarking resource for Chief Risk
Officers and other risk professionals to collaborate with their Board of Directors, senior management,
operations management and managers from support functions of IT, internal audit, compliance, etc.
Acknowledgements
Risk and Insurance Management Society, Inc. (RIMS) wishes to recognize:
ERM Development Committee
ERM Development Committee Chair
John Phelps, Director of Risk Management,
Blue Cross and Blue Shield of Florida, Inc.
ERM Development Committee Vice Chair
Carol Fox, Senior Director, Risk Management,
Convergys Corporation
ERM Development Committee Liaison
Mary Roth, Executive Director, Risk and
Insurance Management Society, Inc. (RIMS)
1065 Avenue of the Americas, 13th Floor,
New York, NY 10018 Phone: 212.286.9292
ERM Development Committee Members
Eric Benson, Principal Risk Analyst, Corporate
Risk Management, Allianz Life Insurance Co.
of NA
Roy Fox, Enterprise Risk Management
Manager, Bonneville Power Administration
Dan Kugler, Assistant Treasurer, Risk
Management, Snap-on Inc.
Michael Maida, Corporate Risk Manager,
Agricore United
Joanna Makomaski, P. Eng., Manager, Risk
Management, Enbridge Gas Distribution Inc.
Julie Pemberton, ARM, Manager, Enterprise
Risk Management, Chiquita Brands
International Inc.
Beaumont Vance, Senior Enterprise Risk
Manager, Sun Microsystems Inc.
ERM Risk Maturity Model Developer
Steven Minsky, Chief Executive Officer,
LogicManager, Inc. (www.logicmanager.com)
30-31 Union Wharf, Boston, MA 02109
Phone: 617.649.1320
We welcome your feedback. Please provide us
your comments and questions on the RIMS
Risk Maturity Model to:
steven.minsky@logicmanager.com.
Board of Directors Members
President
Michael Liebowitz, Director of Insurance and
Risk Management, New York University
Vice President
Janice Ochenkowski, Managing Director,
Jones Lang LaSalle
Treasurer
Deborah Luthi, Director, Risk Management
Services, University of California, Davis
Secretary
Joseph Restoule, Senior Risk Consultant,
NOVA Chemicals Corporation
Directors
Janet Barnes, Snohomish County PUD No. 1
Karen Beier, Vice President, Risk
Management, Shaklee Corporation
Scott Clark, Risk & Benefits Officer, Miami-
Dade County Public Schools
Terry Fleming, Director, Division of Risk
Management, Montgomery County, Maryland
Michael Gaona
Jackie Hair, Corporate Director, Worldwide
Risk Management, Ingram Micro Inc.
John Hughes, Director, Risk Management,
Alex Lee, Inc.
Kim Hunton, Risk Manager, City of Ottawa
Daniel Kugler, Assistant Treasurer, Risk
Management, Snap-on Inc.
Janice McGraw, Manager, Risk Management &
Insurance, McGill University
John Phelps, Director of Risk Management,
Blue Cross and Blue Shield of Florida, Inc.
Ellen Vinck, Vice President, Risk Management
& Benefits, BAE Systems Ship Repair
Overview
Smart, dedicated workers aren't enough. The Software Engineering Institute (SEI) at Carnegie Mellon University, which pioneered the Maturity Model concept in the mid-1980s, said, "Everyone realizes the importance of having a motivated, quality work force and the latest technology, but even the finest people can't perform at their best when the process is not understood or operating at its best." Enterprise Risk Management (ERM) is a process. What has been lacking is a tool for objective and consistent measurement of its effectiveness. The RIMS ERM Development Committee and LogicManager stepped in to develop this missing link: the RIMS Risk Maturity Model. A benchmarking framework built on clear, precise criteria, the RIMS Risk Maturity Model (RMM) facilitates thorough planning and communication and guides monitoring and control.
The role of the RIMS Risk Maturity Model for
Enterprise Risk Management
If Enterprise Risk Management is the weapon, the RIMS Risk Maturity Model (RMM) is the plan of attack. The RIMS RMM provides ERM practitioners with a way to combine all the best elements from the most important models and standards. This applies to all industries and across the risk spectrum. The RIMS RMM is a ladder of progressively organized and mature performance levels, a way to evaluate and set goals.
Focus the risk picture
While the risk officer ranks fill up rapidly, most learn on the job. They come to risk management with a variety of backgrounds: legal, finance, internal audit, risk management, compliance or IT. Their views tend to align with their backgrounds and responsibilities. Rigorous controls might take precedence for the internal auditor, for instance, while regulations might be a priority for the compliance team. Security might be key for the information technology group, and brand and company reputation could be a top goal for marketing.
The smart risk officer recognizes the importance of all of those, but doesn't stop there. The team must also be led to balanced, big-picture decisions. The RIMS RMM crystallizes the risk picture by analyzing best practices and setting goals. This lets the risk officer and stakeholders build consensus about priorities and tactics. A common approach produces results: efficiencies in the short term, reduced uncertainty in routine decisions in the mid-term and, in the long term, a competitive advantage gained by making big bets on emerging trends. For both veteran risk managers and novices, the RIMS RMM is an indispensable tool that provides a game plan for program development and enhances risk management. It also speeds the delivery of a rock-solid ERM Process, building a foundation for improving programs, strengthening objectivity and prioritizing resources for allocation.
Benefits of using a Maturity Model
The Maturity Model approach is a method that's proven across a variety of industries. Based on extensive case studies in which a Maturity Model approach was used over the past 25 years, the evidence shows that with each step up in maturity level, organizations get concrete results. A Maturity Model is a structured way of highlighting aspects of effective ERM Processes.
Benefits for Practitioners
• Build consensus and establish milestones.
• Benchmark against best practices.
• Communicate clearly to the board, regulators, rating agencies, executive management, process owners, support functions (back office groups such as internal audit, IT and compliance), etc.
Benefits for ERM stakeholders
• Streamline the ERM Process.
• Eliminate duplication of efforts and connect support functions with process owners.
• Measure ERM value, based on priorities.
• Create a shared language and vision.
Benefits for Organizations
• Tackle inadequately addressed risks and opportunities.
• Resolve business process inefficiencies.
• Build a repeatable and scalable process for better decision making.
Reduce costs
Understanding a risk's root cause is much cheaper than simply treating the symptom. ERM uncovers and attacks the root cause. Example: a global energy company tried to save 10 percent on maintenance costs, but pipeline leaks cost it billions of dollars in clean-up costs and damage to its reputation. ERM connects the root cause to the ultimate cost and improves decision making at a fraction of that cost.
Increase top line revenue
A compliance issue can lead to rethinking business strategy and finding an opportunity to generate revenue. Example: a bank responds to a government regulation requiring it to switch from paper checks to digital images. It uses ERM to uncover a strategy to acquire customers nationally, rather than regionally, by expanding where it once had no infrastructure to transport paper checks. ERM helps managers think strategically.
Reduce variance in plan achievement reporting
Planning is essential to success and to allocating resources. Uncertainty in planning leads to bad decisions. Volatility of earnings affects stock prices because it undermines confidence in the planning cycle. ERM uncovers the uncertainty and helps managers plan better, creating more reliable results. Example: Bad weather doesn't make workers late, but ignoring the weather forecast and not leaving extra time for inevitable delays does. ERM is the weather report that lets workers understand the likelihood that a storm will occur. The impact is the size of the storm, and the effectiveness of controls is the alternate routes to work.
To determine how these benefits apply to your
organization, conduct a baseline assessment and
use real observations and details to create an
effective ERM process that produces results.
How to use the RIMS RMM
Culture is the way we think, believe and behave. A risk management competency is made up of a set of common values about how we manage risk and uncertainty. The culture within an organization greatly drives the effectiveness of an ERM program, including how we value skepticism and doubt, and how clearly we understand the influences that affect our judgment. The RIMS Risk Maturity Model (RMM) defines the elements and characteristics, called attributes, that make up a strong risk management competency within the organization's culture. The RIMS RMM defines these seven attributes on a scale of five maturity levels. Each level ranks an organization according to its achievement of Enterprise Risk Management best practices in its processes. A chain is only as strong as its weakest link: a strong risk management cultural competency is demonstrated by reaching the highest level on each of the RIMS Risk Maturity Model Attributes, not by a high average across them.
RIMS RMM Professional Development Courses
RIMS offers professional development courses that provide the methodology for making the most of the RIMS RMM to build stronger ERM programs and achieve success by evolving a stronger risk management competency within an organization's existing culture. Measuring where you are in the development process is the first step to setting goals and measuring progress in this organizational competency. The RIMS courses help risk managers perform a gap analysis between their capabilities and the best practices outlined in the RIMS RMM to achieve higher capability. Objective evaluation criteria and a scoring methodology provide the basis to evaluate use of risk management best practices. Cost-benefit analysis helps managers prioritize goals within their ERM programs to increase their capabilities and maturity level.
In utilizing the RIMS RMM, everyone assesses their own business areas, contributes to ERM goals and plans how to achieve them. Often, it's the way information is collected and used that influences choices, not the information itself. With the RIMS RMM, all stakeholders are involved in the process, meaning everyone rallies around the final results.
"ERM – considering risk in a new way."
Three steps toward a stronger risk management cultural competency:
1. Participate in the Benchmarking Exercise.
2. Receive a personalized Assessment Report and download the full version of the RIMS Risk Maturity Model (RMM).
3. Take a RIMS Professional Development Course to apply the RIMS Risk Maturity Model to your organization.
RIMS Risk Maturity Model (RMM) Definition of Terms
Enterprise Risk Management (ERM) Framework
The culture, processes and tools to identify strategic opportunities and reduce uncertainty. The
framework establishes communication and consultation methods with respect to critical risks in order
to achieve an organization’s business objectives. It formalizes process and content accountability.
The ERM Process is the time-tested foundation of risk management methodology, pioneered by the risk management discipline and detailed in the Associate in Risk Management (ARM) designation program. It was later adopted and enhanced by other standards organizations.1
The ERM Process
A sequential process that supports the reduction of uncertainty and promotes the exploitation of opportunities. The ERM Process steps are detailed below.
Plan Focus - Establish external, internal and risk management criteria for evaluating risk.
Identify where, when, why and how changes, issues and other events in the business model, market and operations, whether known or under-reported, might prevent, degrade or support goals.
Assess perceived risk through consistent, objective and pervasive evaluation criteria of impact, likelihood and effectiveness of controls to quantify the risk level. Potential opportunity is measured by impact, timeliness and assurance to examine the performance level. This creates a way to calculate an internal index. The analysis considers the range of potential consequences and how to prioritize risks and opportunities. The residual risk or potential gain is determined.
Evaluate risk tolerance to determine acceptable risk and opportunity levels and consider the balance between potential benefits and drawbacks. Decide on scope, priorities and timelines.
Mitigate risk and exploit opportunities. Develop risk or opportunity activities for reducing uncertainty, increasing potential benefits and reducing potential costs. Collaborate with stakeholders and leverage expertise (Six Sigma2, compliance, internal audit and others) to design improvement, transfer, control and other action activities. Weigh the cost of activities against the expected value of future uncertain events.3
Monitor the timeliness and effectiveness of mitigation activities by risk owners. Gauge the program to ensure changing circumstances do not alter priorities, and escalate issues. Risks that remain outside tolerance and mitigations that are not effective should be reported to the appropriate manager.
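The Assess, Evaluate, Mitigate and Monitor steps above, run end to end over a small risk register, as an added example; this is not code from the RIMS document or from LogicManager's product. The 1-to-5 impact and likelihood scales, the residual-index formula (inherent index times the share of risk the controls do not remove), the tolerance value of 3.5, the risk owners and the four sample risks are all assumptions constructed for the example, not values the model prescribes.

```python
"""Worked example of the ERM Process steps as a small risk register.

Added illustration, not RIMS or LogicManager code. The 1-to-5 scales, the
residual-index formula, the tolerance value and the sample risks are all
assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

SCALE = range(1, 6)   # assumed 1..5 scale for impact and likelihood
TOLERANCE = 3.5       # assumed residual-index tolerance agreed in the Evaluate step


@dataclass
class Risk:
    name: str
    risk_owner: str                 # accountable for validation, assessment and action plan
    impact: int                     # 1 (negligible) .. 5 (severe)
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    control_effectiveness: float    # 0.0 (no control) .. 1.0 (fully effective)
    mitigation_due: Optional[date] = None
    mitigation_done: bool = False
    journal: list = field(default_factory=list)   # the Risk Plan's journal entries

    def __post_init__(self):
        # Plan Focus: consistent, objective criteria means scores outside the
        # agreed scales are rejected rather than silently accepted
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.name}: impact and likelihood must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be 0..1")

    def inherent_index(self) -> int:
        # Assess: risk level before any control is credited (assumed formula)
        return self.impact * self.likelihood

    def residual_index(self) -> float:
        # Assess: what remains after crediting control effectiveness (assumed formula)
        return round(self.inherent_index() * (1.0 - self.control_effectiveness), 2)


def evaluate(register, tolerance=TOLERANCE):
    """Evaluate: risks whose residual index exceeds tolerance need treatment,
    the rest are accepted. Both lists are ordered highest residual first, with
    the inherent index breaking ties so the larger underlying exposure comes first."""
    ranked = sorted(register, key=lambda r: (r.residual_index(), r.inherent_index()),
                    reverse=True)
    to_treat = [r for r in ranked if r.residual_index() > tolerance]
    accepted = [r for r in ranked if r.residual_index() <= tolerance]
    return to_treat, accepted


def plan_mitigation(risk, action, new_control_effectiveness, due):
    """Mitigate: record the action the risk owner commits to and return the
    projected residual index, so its cost can be weighed against the reduction
    it buys before the plan is approved."""
    projected = Risk(risk.name, risk.risk_owner, risk.impact, risk.likelihood,
                     new_control_effectiveness).residual_index()
    risk.journal.append((action, due, projected))
    risk.mitigation_due = due
    return projected


def monitor(register, today):
    """Monitor: mitigations past due and not completed are escalated to the
    appropriate manager. Returns the names of the risks to escalate."""
    return [r.name for r in register
            if r.mitigation_due is not None and not r.mitigation_done
            and r.mitigation_due < today]


def sample_register():
    # Constructed sample data for the example, not from any real organization
    return [
        Risk("Pipeline corrosion", "Operations director", 5, 3, 0.20),
        Risk("Check imaging outage", "IT director", 3, 2, 0.50),
        Risk("Privileged credential misuse", "CISO", 4, 4, 0.75),
        Risk("Weather delays to field crews", "Field manager", 2, 5, 0.60),
    ]


def run_demo(today=date(2006, 11, 27)):
    """Run the steps end to end over the sample register and return the results."""
    register = sample_register()
    to_treat, accepted = evaluate(register)
    by_name = {r.name: r for r in register}
    projected = plan_mitigation(by_name["Pipeline corrosion"],
                                "Fund inline inspection programme", 0.80, date(2006, 10, 31))
    plan_mitigation(by_name["Privileged credential misuse"],
                    "Put admin access behind a vaulted, audited jump host", 0.90, date(2006, 12, 31))
    weather = by_name["Weather delays to field crews"]
    plan_mitigation(weather, "Add forecast check to crew dispatch", 0.80, date(2006, 11, 1))
    weather.mitigation_done = True
    return {
        "treat": [r.name for r in to_treat],
        "accepted": [r.name for r in accepted],
        "projected_pipeline_residual": projected,
        "escalate": monitor(register, today),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points worth noticing. The tie-break in `evaluate` matters: two risks with the same residual index can hide very different inherent exposures, and the one with the larger inherent index is the one whose controls you most need to keep verifying. And `__post_init__` rejecting out-of-scale scores is the cheap way to enforce the "consistent, objective" criteria the Assess step asks for; a register that accepts an impact of 7 from one division and 3 from another cannot be compared or benchmarked.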
Business Process Owner
The individual(s) responsible for process design and performance. The process owner is accountable for sustaining the gain and identifying risk and future improvement opportunities on the process.
Risk Owner
The individual who is accountable for the validation, assessment and action plan to care for a particular risk.4
Risk Plan
The basic communication for each specified Plan Focus that is used throughout the ERM Process to gather, organize and report information. Its items might also include contacts, activities, journal entries, notes and documents.
Attributes
Similar to individual employee performance evaluations, the RIMS RMM provides a set of attributes that drive business value. The RIMS RMM Attributes are designed to be compatible with various specialized frameworks, such as the Australian/New Zealand Risk Standard, COSO ERM, COBIT 4.0, Standard & Poor's ERM, Sarbanes-Oxley, etc.5
Maturity Levels
Detailed descriptions for each Attribute provide five maturity levels ranging from Non-existent to Leadership. Organizations measure their ERM Process against these maturity levels and set improvement targets.
Benchmarking
Using the RIMS Risk Maturity Model, RIMS sponsors cross-industry benchmarking to identify emerging trends. RIMS members and non-members alike are invited to participate in this global exercise. Comparing maturity levels across organizations highlights ERM priorities and evolving industry requirements. For more information on participating in the benchmarking survey, go to the Enterprise Risk Management (ERM) Center of Excellence page on the RIMS website (http://www.RIMS.org/ERM).
1 Standards Australia International Ltd and Standards New Zealand (AS/NZS 4360), The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM The National Forum for Risk Management in the Public Sector, ISO/IEC Guide 73, JIS Q 2001 Japanese Industrial Standards Committee "International Risk Management Standard", COSO Enterprise Risk Management Integrated Framework 2004 "Treadway commission", Canadian BIP 2012, CAN/CSA Q850-07, etc.
2 Six Sigma is a trademark of Motorola Corporation.
3 Taking into consideration whatever is appropriate for the organization to approve an action plan, including capital at risk, Risk Adjusted Return on Capital (RAROC), cost-benefit analysis, time value of money discounted to net present value, etc.
4 For the purposes of this document, Process Owners are assumed to be Risk Owners. However, in some organizations the risk owner may not be the same as the process owner. For example, where a process is outsourced, the risk owner remains within the corporation.
5Examples of specialized approaches: COSO ERM Framework: Internal Environment, Objective Setting, Event Identification, Risk
A