MeasureRISK®
Maturity Scoring Key
| Initial | Repeatable | Defined | Managed | Optimized |
|---|---|---|---|---|
| 20 | 40 | 60 | 80 | 100 |
| Ad Hoc, unpredictable, poorly controlled, reactive | Basic process management and repeatable tasks | Defined and documented processes, proactive | Integrated, measured and controlled processes | Continued improvement and significant automation |
There are six levels of a risk management maturity model:
- Startup or no third-party risk management: new organizations beginning operations or organizations with no existing vendor risk management activities.
- Initial vision and ad hoc activity: organizations performing third-party risk management activities on an ad hoc basis and considering how to best structure third-party risk activities.
- Approved road map and ad hoc activity: Management has approved a plan to structure activity as part of an effort to achieve full implementation.
- Defined and established: Organizations with fully defined, approved and established risk management activities, but where those activities are not fully operationalized and metrics and enforcement are lacking.
- Fully implemented and operational: Organizations where vendor risk management activities are fully operationalized with compliance measures, including reporting and independent oversight.
- Continuous improvement: Organizations striving for operational excellence with clear understanding of best-in-class performance levels and how to implement program changes to continuously improve the process.
Understanding where your organization's risk management maturity level stands is a key part of understanding how to best manage risk and where you can improve.