AFERM Member/Professor Ernest Forman Seeks Your Input and Perspective

Adapting Capability Maturity Models for Increasing Risk Maturity

By Ernest Forman, Professor, George Washington University

Capability maturity models have a rich heritage – starting with DoD asking Carnegie Melon University to develop a Capability Maturity Model (CMM) to assess the quality and capability of their software contractors. CMM expanded to other and integrated areas, such as services, acquisitions and people and became known as CMMI (integrated).

Recently, Proença, et al1, proposed a Risk Maturity Model based on ISO 3100, the purpose of which is … “to provide an assessment tool for organizations to use in order to get their current risk management maturity level. The results can then be used to create an improvement plan which will guide organizations to reach their target maturity level. This maturity model allows organizations to assess a risk management process according to the best practices defined in risk management references. The maturity model can also be used as a reference for improving this process since it sets a clear path of how a risk management process should be performed.”

While, in theory, the Proença’s risk maturity model is a good way for organizations to conceptualize how they would like to improve risk management over time, their model lacks enough detail to be useful. In conducting a review of risk management and analytics, I have mapped a comprehensive and scientifically valid framework that can be merged with the Proença framework to produce useful, measurable benefits that can be documented via specific techniques, tactics, processes and projects.
Proenca’s Risk Maturity Model has five levels of maturity:

Level 1 – Initial21
Level 2 – Managed3
Level 3 – Defined4
Level 4 – Quantitatively Managed5
Level 5 – Optimization6

Modifying the five levels a bit and adding some detail that are necessary and sufficient for comprehensive, scientifically valid risk analysis and management results in the following:

Level 1 – Intuitive: Organization recognizes a need to identify risks and ways to reduce it
Level 2 – Ad-hoc measurement and categorization

  • Measure and categorize using spreadsheet-based processes
  • Measure risk by assessing the likelihood and impact of events using traditional ordinal rating (1-5) scales
  • Heat Maps with rectangular regions

Level 3 – Organization Wide Risk Management

  • An enterprise wide collaborative process for identifying, categorizing, assessing and communicating risk
  • Manage risks within and across organization silos

Level 4 – Comprehensive & Scientifically Valid Processes

  • Include risks to a comprehensive set of organizations objectives, both quantitative and qualitative
  • Combine data and judgment with measurement methods that are scientifically sound

Level 5 – Optimization

  • Optimally allocate resources so as to achieve the maximum risk reduction subject to resource, legal and organization constraints
  • Facilitate management in making informed decisions involving tradeoffs between long-term and short-term risk tolerance and resources devoted to risk management

I’d like to engage in discussions with interested AFERM members and discuss risk maturity models in general; to what extent they are being employed in AFERM member organizations; and possible modifications to the revised model I’ve suggested above. As an example, should Level 3 and Level 4 be reversed so that Comprehensive and Scientifically Valid Processes capability come before, or at least in parallel with Level 3 – Organization Wide capability? Are organizations currently endeavoring to institute organization wide processes that may not be comprehensive and scientifically valid? If so, what are the consequences?

I’m very interested in obtaining input and perspective from colleagues in AFERM and hope you’ll reach out to me at forman@gwu.edu. Thank you!


1 Proença, Diogo & Estevens, Joao & Vieira, Ricardo & Borbinha, José. (2017). Risk Management: A Maturity Model Based on ISO 31000. 99-108. 10.1109/CBI.2017.40.

2 Initial: Perception of need; Some risk management activities but mostly ad-hoc and chaotic.

3 Managed: Organization makes effort to plan and perform risk management in line with the risk management policy established by the organization with its stakeholder.

4 Defined: Risk management process characterized, understood, and described in standard procedures, tools and methods.

5 Quantitatively Managed: Organization applies quantitative and statistical methods to manage measure and evaluate the risk management process

6 Optimization: The risk management process is continuously improved based on the data gathered in the previous levels. Make scientific contributions to the development of risk management

Leave a Reply

Your email address will not be published. Required fields are marked *