


Risk Maturity: Are You On The Right Journey?

Blog Author Costa Zakis 14 December 2017

Across risk management functions in organisations of all sizes, there has been a gradual but steady shift in the way risk is understood and managed. We are seeing organisations move away from the static risk register and the traditional process-driven approach, and focus instead on integrating risk management into business processes so that it serves as a decision-guiding tool at all levels of the business.


Most standards and textbooks have traditionally focused on process and reporting, often depicting risk management as another element of compliance or internal audit. 

The concept of risk maturity is therefore one that has largely developed outside of the academic realm. It has come to be understood as the measure adopted by organisations to help them better understand their overall risk position including the value created from risk management initiatives. Despite lacking a clear or universal definition, risk maturity is a concept that is becoming better understood (and ultimately finding favour) amongst senior management. 

Companies develop their risk maturity over time by building on the origins of their risk framework and experience to evolve to where they need to be. This journey typically embraces the 11 principles of risk management outlined in ISO 31000, the international standard for risk management. 

During a recent presentation at the 2017 RIMS Risk Forum in Sydney, Marsh offered a view on the four key pillars that we believe ultimately underpin an organisation’s risk maturity: 

  • Culture – Defined by organisational behaviours and actions, particularly behaviours that are rewarded versus those that are not tolerated.

  • People – Overall ability and competency of people and how risk management is integrated into the organisational structure.

  • Process – Textbook approach which has historically been over-represented in risk management standards; has its place and purpose but has also been the basis of some companies’ limited approach to risk management.

  • Application – Measuring how well risk management is applied and the value it creates. 


A global study showed that companies in the top 20% of risk maturity generated three times the level of EBITDA as those in the bottom 20%. 

Although it was traditionally lacking in risk maturity conversations, we are starting to see the “application” element of the four pillars become more prominent as companies begin to appreciate the value of investing in ERM. With evidence that financial performance is tightly correlated to the level of integration and coordination across risk, control and compliance functions, many organisations are now actively working to embed a risk culture throughout their business. While the ultimate aim is to fuel better performance and achieve a competitive advantage, along the road, many are developing ways to measure the value and benefit created from risk management initiatives.


Because risk maturity is relative, its measure is also variable. For some organisations, risk maturity is about increased simplicity and invisibility of risk management, and for others it’s an immersive integration of risk management into all core business processes. Ultimately, risk maturity needs to be measured against an organisation’s own operating environment. 

The measure of risk maturity becomes a function of ascertaining any return on investment (ROI) from current ERM initiatives, as well as assessing the potential impact of future initiatives. As risk advisors, Marsh typically approaches this task by addressing risk in three dimensions:

  1. Presenting a global view of risk via external risk perception studies to challenge an organisation’s own understanding of risk in a broader business/stakeholder/environmental context.

  2. Providing tools and advice that allow an organisation to assess its maturity based on its own context and goals. Internal risk initiatives, performance and ROI can be tracked and used to design how an organisation can incentivise and reward risk management performance.

  3. Utilising a global database to benchmark an organisation’s risk maturity against its peers.

How a company should approach enterprise risk management to create value and drive strategic benefit can take a variety of forms. It will depend on how advanced an organisation is within its own journey to risk maturity, and where it ultimately wants to be. 


Disclaimer: The information contained in this publication provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation, and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. LCPA No: 17/0124
