The material in this document should not be construed as audit guidance.
b. Agency ERM Maturity Model (Example)

OCC Enterprise Risk Management (ERM) Maturity Model Vers. 1.0 (Adapted from Federal ERM Model). For illustration purposes only.

The model is a table with five maturity-level columns and a final "Maturity Level" column that records the level assigned to the agency for each row. The columns are:

Level 1: Initial/Ad-hoc
Level 2: Fragmented/Early Stages
Level 3: Defined/Coordinated
Level 4: Institutionalized/Instilled
Level 5: Optimized/Predictive

The rows are reconstructed below. The row labels are taken from the wording of each row's own cells (the source table carries no separate row headings), and the assigned "Maturity Level" is shown for each row where the source records one.

ERM governance (Maturity Level: 5)
  Level 1: No formal ERM governance exists
  Level 2: Informal ERM governance exists
  Level 3: Formal ERM governance exists
  Level 4: Embedded ERM governance exists
  Level 5: Effective ERM governance exists

ERM roles and responsibilities
  Level 1: No centralized risk management roles/responsibilities
  Level 2: Some centralization of ERM responsibilities, built into existing roles or siloed in various lines of business (LOBs)
  Level 3: Generally centralized ERM roles and responsibilities
  Level 4: Centralized and institutionalized ERM roles and responsibilities
  Level 5: Fully centralized ERM roles and responsibilities, with the CRO reporting directly to the top executive

Knowledge sharing and informed risk taking
  Level 1: ERM program does not facilitate knowledge sharing or leverage opportunities for informed risk taking
  Level 2: ERM program facilitates some knowledge sharing and opportunities for informed risk taking
  Level 3: ERM program generally facilitates knowledge sharing and opportunities for informed risk taking
  Level 4: Advanced ERM program that facilitates knowledge sharing and opportunities for informed risk taking
  Level 5: ERM program fully facilitates knowledge sharing and leverages opportunities for informed risk taking

ERM framework and processes
  Level 1: Ineffective ERM framework and processes exist
  Level 2: Developing ERM framework and processes
  Level 3: Standardized ERM framework and processes exist, with periodic monitoring for framework improvements
  Level 4: Managed ERM framework and processes exist and are regularly monitored and reviewed for improvements
  Level 5: Optimal ERM framework and processes exist and are proactively monitored and reviewed to prepare for the future

ERM program and practices
  Level 1: Ad hoc enterprise risk management; initial activities defined
  Level 2: Early stages of enterprise risk management; emerging enterprise risk management discipline
  Level 3: Coordinated ERM program and practices; defined ERM processes, yet not fully integrated
  Level 4: Instilled ERM program and practices, integrated with internal tools and data
  Level 5: Predictive ERM program that leverages external data sources to enhance insight, with internal/external horizon scanning to identify emerging risks; optimal ERM discipline, recognized as best in class

Monitoring and reporting
  Level 1: Reactive monitoring and reporting exists
  Level 2: Informal monitoring and reporting exists
  Level 3: Formal monitoring and reporting exist to support risk prioritization
  Level 4: Embedded monitoring and reporting exist and consider forward-looking/emerging risk areas to support risk prioritization and decision-making
  Level 5: Effective and efficient monitoring and reporting exist to support forward-looking risk taking, aligned with risk appetite, strategy and budget

Risk measurement and management
  Level 1: No enterprise risks are measured or managed
  Level 2: Some enterprise risks are measured and managed
  Level 3: Enterprise risks are routinely measured/managed, primarily qualitatively
  Level 4: Majority of enterprise risks are measured quantitatively and qualitatively, with interdependencies identified and effectively managed
  Level 5: Enterprise risks are fully measured and managed (e.g., through risk modeling/scenarios)

Risk appetite and tolerances
  Level 1: No risk appetite in place
  Level 2: Fragmented risk appetite in place
  Level 3: Defined risk appetite in place
  Level 4: Institutionalized risk appetite and tolerances in place
  Level 5: Optimal risk appetite and tolerances established and clearly understood, with alerts in place when thresholds are exceeded

Risk response (Maturity Level: 3)
  Level 1: Risk responses are reactive
  Level 2: Risk responses are developing
  Level 3: Risk responses are tactical, supported by action plans implemented in response to high-priority risks, and focused on prevention
  Level 4: Risk response is strategic
  Level 5: Risk response is proactive

Workforce understanding of ERM and risk (Maturity Level: 3)
  Level 1: Workforce has no understanding of ERM and risk concepts
  Level 2: Workforce has some understanding of ERM and risk concepts
  Level 3: Workforce generally understands ERM and risk concepts
  Level 4: Workforce understands ERM and risk concepts and is encouraged to discuss risk in an open and inclusive environment
  Level 5: Workforce fully understands and embraces ERM and risk concepts and believes that risk management is everyone's job; there is an open environment that fosters objective discussions about risk across the enterprise

Value to mission (Maturity Level: 4)
  Level 1: Unaware of ERM value to mission
  Level 2: Low perceived value to mission; some benefit, compliance driven
  Level 3: Moderate perceived value to the mission; generally beneficial, informs priorities for risk-based decision-making
  Level 4: High perceived value to mission, such as preventing issues and creating value; consistently informed risk taking aligned with enterprise strategy (e.g., by identifying and documenting enterprise risk/reward trade-offs)
  Level 5: Transformational value to mission; fully beneficial, proactively informs risk taking and provides a platform for enterprise agility and innovation

Adaptability to change (Maturity Level: 3)
  Level 1: Backward-looking and does not respond to opportunity and change
  Level 2: Slow to adapt to change
  Level 3: Readily adapts to change
  Level 4: Agile and resilient; adaptable to change
  Level 5: Anticipates change; forward-looking

Executive engagement (Maturity Level: 5)
  Level 1: Negligible executive engagement
  Level 2: Fragmented executive engagement
  Level 3: Formal executive engagement
  Level 4: High executive engagement
  Level 5: Optimal executive engagement

Executive-level risk discussions/dialogue
  Level 1: Ad-hoc risk discussions/dialogue at the executive level
  Level 2: Some routine risk discussions/dialogue at the executive level
  Level 3: Routine risk discussions/dialogue at the executive level
  Level 4: Managed and active risk discussions/dialogue at the executive level that consider strategic planning, resource allocation, and decision-making based on risk/reward and trade-off issues
  Level 5: Integrated risk discussions/dialogue that embed risk sensing into strategic planning, resource allocation, and decision-making based on risk/reward and trade-off issues

Executive understanding and awareness of ERM and risk
  Level 1: No understanding of ERM and minimal risk awareness
  Level 2: Emerging understanding of ERM and risk awareness
  Level 3: General understanding and awareness of ERM and risks; initial training in ERM
  Level 4: Advanced understanding and awareness of ERM and risk; executive ownership at the enterprise level
  Level 5: Optimal understanding and awareness of ERM and risk

Overall Score and Level of Maturity: Institutionalized/Instilled (Level 4)