The Critical Relationship Between ERM Maturity and Value Creation: Buyer Beware, and a Call to Action (Part I)

The Maturity Model Approach to Benchmarking ERM Capabilities

Friday, July 2, 2021

By David Fisher


I recently had the opportunity to speak with a senior executive at a large financial institution who was wondering aloud why he wasn't getting more value out of his investment in enterprise risk management (ERM). He shared with me the all too common refrain about having put a staff and infrastructure in place to implement ERM, and that he was aware that the team had poured a lot of energy into the effort. In fact, some managers from across the organization had complained about all the work they and their teams were being asked to do to comply with the program.

Nevertheless, this executive wasn't seeing the value. I immediately remarked that his observation was nothing new, and that many leaders in both the public and private sectors share his frustration. Given that the highly regarded definition from the COSO ERM Framework (ERM: Integrating with Strategy and Performance) culminates with the imperative for “creating, preserving, and realizing value,” clearly something is awry.

We delved a little deeper in our conversation to recognize that while the organization had invested heavily in activities related to establishing its ERM capability, it was struggling to advance beyond the most basic components of a total ERM solution. They had established governance, but it wasn't probing deeply into organizational risks that truly mattered. They had executed an enterprise risk assessment to create a risk profile, but it wasn't integrated with the strategic objectives and performance activities driving the most important elements of the organizational mission.

As a result, the list wasn't terribly insightful, or useful.

They had established tools, but they weren't widely used outside of the core ERM team. They had defined a risk appetite statement, but it was not widely known or understood, and therefore not driving behavior or decision-making. They had a couple of key folks who had taken some ERM training, but the knowledge transfer across the organization was minimal.

The ERM team wasn't truly empowered. Importantly, the culture had yet to embrace the concepts or engage in the desired practices.

Beyond the Basics

After we finished this walk-through, the executive had a greater appreciation for the lack of value emanating from the organization's investment in ERM. They were going through the motions and had all the right intentions, but they were stuck - stuck at a low level of ERM maturity that was inhibiting value generation.

They are also not alone. Far too many organizations have stalled in their ERM journey about the same place as this organization, frustrated at the lack of return despite significant investment of time and energy. We talked through a number of the more robust capabilities available in the ERM toolkit, and how those additions, on top of the foundation they had already begun to establish, could lead them to a path toward value generation. This would come in the form of enhanced decision-making thanks to meaningful insights that are currently unavailable relative to the risks associated with the achievement of the most strategic objectives of their enterprise. We also talked about the different kind of skills and organizational focus needed to break through their stagnant position in ERM development. We talked about going beyond the basics with the kind of commitment which can, indeed, generate the value he is seeking.

The message really started to resonate when I began drawing a couple of pictures. I've used ERM maturity models for years as a valuable tool to assess as-is conditions, forecast target capabilities, and establish an evolutionary path to achieve desired states. These models provide the means to benchmark against industry standards at a point in time, and to re-assess against those standards as programs evolve. And while there are seemingly endless variations on these models, they tend to share common elements, providing relatively straightforward characteristics and visual cues for understanding the state of an ERM program.

Despite these advantages, I've often been reticent to interpret the results of an ERM maturity model-based assessment. The inherent limitation in this analysis is determining the underlying value proposition of moving from one level of maturity to the next. I've wondered, frankly, whether it was worth it to help lead an organization from Level 3 to Level 4, for example, or Level 4 to Level 5.

Most ERM maturity models are capabilities-based, identifying specific characteristics for each dimension at each level of maturity. But it occurred to me that the value of evolving from one maturity level to the next is not equivalent. And without the relative sense of value generation associated with this maturity progression, the users of these models may lack sufficient information to guide the path forward for their particular ERM program.


David Fisher, Partner and ERM Practice founder, Guidehouse

Defining Value

At this point, it's important to understand what I mean by “value.” In this context, it is defined as the net result of “benefits” minus “costs.”

A synonym for value in this circumstance would be “net benefit.” Costs and benefits are clearly both monetary and non-monetary, the latter being much more difficult to quantify. Opportunity costs may be as prevalent, if not more so, than out-of-pocket costs when it comes to ERM. Benefits may accrue in terms of achieving better outcomes or by avoiding worse outcomes, once again the latter being difficult to measure.

In recent years, a number of ERM maturity models have, in fact, adopted value curves that sit on top of the boxes containing the maturity levels and their dimension-specific characteristics. This is a step in the right direction. Unfortunately, I do not believe those curves yet offer an accurate depiction of the true nature of value generation emanating from an ERM program as organizations evolve through these levels of capability maturity.

The first part of this two-part article explores the foundational benefits that maturity models can provide in assessing and benchmarking an organization's current ERM capabilities. Part II will link these models to an exploration of value generated at each stage of progression through the capability development depicted in the model. The result of this analysis is a word of warning for organizations (like the one described above) that may be unable, or unwilling, to embrace the transformational capabilities necessary to achieve at least a full Level 3 in their ERM journey. If not, they may want to revisit starting their program in the first place.

The Levels and Dimensions of an ERM Maturity Model Matrix

Any discussion of ERM maturity models and their relationship with value generation needs to start with the basics. Recognizing that there is no industry standard model, one element in common with most is that they include five levels. Consulting firms and academic institutions have spent countless hours seeking to come up with the perfect one-word labels to precisely describe each level. Without passing judgment on any of them, for the sake of this discussion, I'll be utilizing the five levels as advocated by RIMS, the Risk Management Society: (1) Ad Hoc, (2) Initial, (3) Repeatable, (4) Managed and (5) Leadership.

Five Levels


Other terms can be equally (or even more) effective, but these labels should suffice for the purposes of this article. (At the end of this article, I'll provide my personal choice for the five best labels for the levels of an ERM maturity model.)

With the level names spanning the horizontal axis in our model, we can then turn to the vertical axis where we find what we refer to as the “dimensions.” The dimension labels are even more variable in terms of both number and names than the levels of maturity. Some of the most common approaches utilize five dimensions along the lines of Strategy, Governance, People, Process, and Technology. As adherents to the COSO ERM Framework, at Guidehouse we have sought to incorporate COSO characteristics into our model. However, for this perspective we found the five core components to be a little too limiting, and the 20 principles to be a bit overwhelming. As a result, we struck a balance and developed our ERM maturity model around 10 dimensions that are based on these COSO principles. Thus we have a 5x10 maturity model matrix:



Characteristics of ERM Maturity Models by Levels

While many of us relish the endless wordsmithing that goes into picking the precise handful of words that fit into each of the boxes in an ERM Maturity Model, the detailed characteristics associated with each dimension for each level are not necessary for the purposes of this assessment of the relationship between ERM maturity models and the generation of organizational value. Nevertheless, it is useful to have a general understanding for these progressive levels of maturity.

Level 1: Ad Hoc - Generally recognizes the as-is condition before the implementation of formal ERM capabilities. All organizations perform some form of risk management even without an ERM program. The Ad Hoc level embodies these uncoordinated, often unsophisticated, and non-standard risk management capabilities that are in place.

Level 2: Initial - The investment in ERM begins with an introduction of a number of basic components of the program. Foundational documents are created that identify initial ERM roles and responsibilities, governance, processes and reports, although standards are limited in their adoption. Formal risk identification and assessment activities are initiated, although most risk management is still largely performed at the business unit level. Aggregation at the enterprise level begins, but is rudimentary in nature. A culture of risk awareness and transparency as well as the linkage between risk and strategy are in embryonic states, often still encountering resistance and thereby limiting adoption.

Level 3: Repeatable - Standardization of ERM concepts emerges across the enterprise, often aided by the adoption of a board-approved ERM policy. Governance becomes more active in risk-based oversight and decision-making. Training is expanded and begins to take root for enhanced risk management at the business unit level as well as in an aggregated fashion for the enterprise. Risk appetite is introduced, although it still has limited adoption in driving behavior across the enterprise. Cultural adoption of ERM tenets begins to take root, and the linkage between strategy, performance, and risk becomes a more regular occurrence. Adoption of standard tools, although perhaps rudimentary, begins to take hold.

Level 4: Managed - Risk insight is now available to senior leaders in the context of managing performance activities in pursuit of strategic objectives. The upside of risk is considered in decision-making, not just downside risk mitigation. Risk governance is fully engaged at the enterprise level, benefitting from standard processes that provide timely risk information. Top-down leadership embraces risk transparency, and the bottom-up portion of the enterprise responds with greater risk insights. Risk responses are evaluated through an enterprise-wide portfolio view to include an assessment of the potential impact on the organization's reputation. Risk appetite is now driving behavioral change, more sophisticated risk indicators are employed, and enhanced tools are introduced to further extend the breadth and depth of risk management capabilities across the organization.

Level 5: Leadership - Risk management is deeply entrenched in the culture of the organization, with near real-time sharing of risk insight with relevant decision-makers in pursuit of enterprise-level strategic objectives. Top-down and bottom-up processes are finely tuned, enabling proactive risk management capabilities that fully consider risk-based opportunities as well as mitigation. Risk appetite is incorporated into strategic decision-making and considered in determining risk responses, including identifying business opportunities where taking on additional risk may lead to enhanced outcomes. Sophisticated enablers are employed through technology for the automation of quantifiable risk indicators in the context of performance thresholds for capturing and sharing risk information, and for proactive risk identification through methods such as machine learning and artificial intelligence.

Case Study of an Organization at a Level 4-5 of ERM Maturity

One business owner of a multibillion-dollar portfolio used data and reports from the ERM program to have a frank conversation with his leadership team at the beginning of the second quarter of the fiscal year. This leader reiterated his confidence in the strategic objectives that the team had formulated, and was increasingly confident in the risk insight that had been achieved since the stand-up and evolution of the ERM program. What he now realized, however, based on risk-informed performance assessments across the portfolio of strategic objectives, coupled with quantifiable inputs from established risk indicators, was that the performance activities that they had established at the beginning of the fiscal year were unlikely to overcome the identified risks to achieve their strategic objectives. The primary exposures were related to cross-functional dependencies that were highlighted via the identified risks but inadequately accounted for in the performance plans.

After discussion, he tasked his leaders to adjust specific elements of the planned performance activities to improve the likelihood of achieving those desired outcomes. The capabilities and mindset established by the ERM program were foundational to making these risk-informed determinations.

This analysis would not have been possible without a disciplined approach to identifying enterprise risks, and the insertion of this insight into a senior governance forum with its relevant context. Importantly, these observations occurred in just the fourth month of the fiscal year, providing sufficient time to make adjustments and improve the opportunity to achieve the desired outcomes. The re-prioritization, resourcing, and trade-off decisions made over the next two months greatly improved the organization's ability to achieve its planned targets for the year. This result not only avoided a bad outcome, it delivered a better outcome than originally planned.


It must be noted that not all dimensions in an ERM Maturity Model are equally weighted in terms of value generation. Investments in governance and culture may provide greater benefits than investments in risk review or risk tools, and these conditions can vary by industry and individual organization. Nevertheless, an organization's progression through the broadly defined levels of ERM capability maturity does lend itself to a causal relationship between that maturity level and value generation.

As will be seen in Part II of this article, not all investments in ERM provide positive returns. In fact, many organizations are likely stuck in non-value-generating levels for the ERM capabilities. These details will be explored in Part II: Linking ERM Maturity to Value Generation.


I close with the answer to my earlier question - the ideal naming convention for the five levels of an ERM maturity model. Given the lack of precision with every label in use across the myriad maturity models in the market today (and the enormous time spent coming up with them), I think the real answer is much more straightforward. The labels matter far less than the concepts behind them, which is why I prefer the ever so simple labeling for the five levels as: One, Two, Three, Four, and Five. Those are just as imprecise as the others, and are a lot easier to remember.

David Fisher is a partner at Guidehouse and founder of the firm's ERM practice. As the former chief risk officer at the Internal Revenue Service (IRS), he implemented the organization's first ERM program. Fisher spent nearly 10 years as a senior executive in the federal government, leading transformation efforts at the U.S. Department of Defense (DoD) and Government Accountability Office (GAO) as well as the IRS. He is the author of Optimize Now (or else!): How to Leverage Processes and Information to Achieve Enterprise Optimization (and Avoid Enterprise Extinction).


© 2024 Global Association of Risk Professionals