Risk Maturity Model Recognition Program Evaluation Criteria

RMM Recognition Program

The RMM Recognition Program seeks to recognize organizations that have achieved the minimum threshold of acceptable ERM, as outlined by regulatory and agency standards for risk management. As defined by the RMM assessment, this includes all programs which have received a Maturity Level of 3 or above, indicating they have a scalable, repeatable, and sustainable ERM process in place. The RMM Recognition Program aims to highlight leaders and establish industry standards, with the ultimate goal of enhancing the discipline of enterprise risk management.

RMM Assessment Structure

The Risk Maturity Model outlines seven attributes, or components of a successful enterprise risk management program, which break down into 25 competency drivers. During the RMM assessment, organizations score how well they embody each of the drivers using three dimensions:

(1) Effectiveness – Measures the frequency and effectiveness of key risk management activities (i.e. Are assessments ad-hoc or completed annually? Are high risks reviewed at least quarterly?)

(2) Proactivity – Measures forward-looking risk management versus reactive after events occur (i.e. Is risk management part of employee training? Are emerging risks regularly considered?)

(3) Coverage – Measures the breadth and depth of risk management within the organization (i.e. Does responsibility span across all departments and all vertical levels of the organization?)

Once all drivers are assessed, the RMM scores an organization's ERM program, ranking its maturity and alignment with best practices. On a 5-level scale, receiving a score of (1) ad hoc or (2) initial indicates a very basic or non-existent ERM program, whereas achieving the upper levels, (3) repeatable, (4) managed, and (5) leadership, indicates an ERM program that is established and increasingly aligned with industry standards.

Program Qualifications, Evaluation & Considerations

Organizations that achieve an RMM Maturity Level of 3 or above are nominated to receive the RMM Recognition. From the nomination stage, organizations that opt to continue are affirmed through a brief review with an RMM Coordinator. This review process aims to affirm that organizations have completed the RMM assessment accurately and have implemented a scalable, repeatable and sustainable ERM process as defined by the RMM. The review process for nominees is as follows:

  1. Minimum Qualification Requirements:
    1. The nominee received an RMM maturity level of 3, 4, or 5
    2. The nominee's most recent RMM assessment was completed within the 12 months prior to the RIMS ERM conference
    3. The nominee successfully completes the review process (explained below)
  2. Review Process: A brief conversation about the nominee's ERM program and process, affirming that the three requirements above are in place. Questions during this review process may include the following:
    1. How many risk assessments are completed annually? How many individuals across the organization participate in these risk assessments?
    2. Is there a corporate risk management policy or program overview? Is it shared with employees across departments?
    3. Do business areas and departments consider risk when engaging in new initiatives (e.g. vendor on-boarding, projects, product development, operational changes, etc.)?
    4. Does the ERM program report to the board or executive leadership at least annually?
    5. Are responsibilities within the risk management program clearly defined and communicated?
  3. The following individuals, entities or organizations are disqualified from the program:
    1. Risk management and GRC software provider organizations
    2. Other disqualified parties include: risk consulting and professional service firms, students, professors, retirees, and former employees of a qualified organization
    3. RMM results completed by non-professional or unverified email addresses (i.e. addresses not associated with a qualified organization, or emails ending with gmail.com, yahoo.com, etc.)
    4. RMM results with unlikely repetitive answer sets (e.g. 1,1,1,1 or 10,10,10,10, etc.) are excluded
    5. RMM results with unlikely pattern sets (e.g. 1,2,3,4 or 2,1,2,1 or 2,4,6,8, etc.) are excluded

Value of Maturity

In 2014, Queens University in Europe conducted an independent research study on the RIMS Risk Maturity Model (RMM). Published as a comprehensive report, the Queens University study found that as organizations achieve higher levels of maturity, as defined by the RMM, they can experience up to a cumulative growth of 25% to their bottom line value.

Benefits of Recognition

With expectations for enterprise risk management spanning from the financial services industry through energy, retail, and other sectors, organizations are increasingly concerned with adhering to evolving best practices. Organizations that receive the RMM Recognition will have access to a network of other successful peers, and to best-practice knowledge driven by risk management standards such as the RMM.

Benefits for recipients include, but are not limited to, the following:

  • RMM community involvement
  • Advanced RMM reporting
  • Network with other distinguished risk management professionals
  • Access to the RMM knowledge base, community & expert portal

Organizations that accept and receive the RMM Recognition will be acknowledged at the annual RIMS ERM Conference. Attendance at the conference is not required or expected in order to receive this recognition; those who do not attend will still be acknowledged and will be sent their certificate of recognition by mail.
