ERM Maturity Survey Results

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


While I am keeping the survey open (please participate if you have not already and I will update my report if there are sufficient additional responses), I want to share the results and discuss what they mean.

80 people answered the survey:

  • 45% were in financial services (15% in insurance and 9% in banking).
  • 30% were with organizations based in the U.S., 21% in Europe (6% in the U.K.), 11% from Canada, and 6% from Australia/New Zealand.
  • 45% of the respondents were internal auditors, 31% risk officers, and 10% were consultants or external auditors.

The survey asked people to assess their enterprise risk management program on this maturity scale:

  • Ad hoc: Risk management processes and frameworks are undocumented; there is a state of dynamic change; reliance is placed on individual heroics.
  • Preliminary: Risk defined in different ways, in silos.
  • Defined: The organization has a common risk framework with an organization-wide view of risk. Action plans are implemented in response to high priority risks.
  • Integrated: ERM activities are coordinated. Common tools and processes are used, with enterprise-wide risk monitoring, measurement and reporting. Scenario planning and process metrics are in place.
  • Optimized: Risk discussion is embedded in strategic planning, capital allocation, etc. and in daily decision-making. The organization has an early warning system in place to notify board and management to risks above established thresholds.

The chart below reflects the overall results.


The results are fairly consistent with those COSO found in its 2010 Report on ERM (PDF), although COSO’s survey only had four maturity levels, omitting Optimized.

Given that I would expect the majority of participants to be with organizations that have a risk management program (most people would have heard about the survey from my postings in LinkedIn risk management, governance, and audit groups), I am not surprised to see just under 14% self-assess as in the Ad Hoc risk management stage. In a more representative sample, I would expect more people to be at this or the Preliminary level and fewer in Optimized.

I am also not surprised to see that only a small number (even of this select group) have moved beyond the Defined stage to implement the risk monitoring and other features of the Integrated stage, let alone embedded risk management into business processes as envisaged by the Optimized stage.

My concern is that companies will get to the Defined stage and stop — not realizing the value and promise of the higher maturity levels.

Questions that I think need to be answered (please let me know if there are more) are:

  1. Is the maturity different for financial services companies?
  2. Is there a difference by geography?
  3. Is there a difference when the response is by a risk officer?

The survey says: financial services companies are, in general, at higher maturity levels.


  Overall All Financial
Banking Insurance Other Financial
Not Financial
Ad hoc 13.8% 2.8% 0.0% 0.0% 5.9% 22.7%
Preliminary 28.8% 25.0% 42.9% 33.3% 11.8% 31.8%
Defined 43.8% 50.0% 42.9% 41.7% 58.8% 38.6%
Integrated 3.8% 2.8% 14.3% 0.0% 0.0% 4.5%
Optimized 10.0% 19.4% 0.0% 25.0% 23.5% 2.3%


The results by geography indicate that, in general, the U.S. lags Australia and New Zealand but is somewhat ahead of Europe.


  Overall U.S. Canada Europe Australia/
New Zealand
Ad hoc 13.8% 8.3% 11.1% 29.4% 0.0% 12.0%
Preliminary 28.8% 37.5% 11.1% 29.4% 40.0% 24.0%
Defined 43.8% 45.8% 66.7% 23.5% 40.0% 48.0%
Integrated 3.8% 4.2% 0.0% 0.0% 20.0% 4.0%
Optimized 10.0% 4.2% 11.1% 17.6% 0.0% 12.0%


When you look at who is responding, the maturity level is higher than average when the respondent is a risk officer.


  Overall Risk
Ad hoc 13.8% 4.0% 22.2% 10.5%
Preliminary 28.8% 24.0% 30.6% 31.6%
Defined 43.8% 56.0% 41.7% 31.6%
Integrated 3.8% 8.0% 0.0% 5.3%
Optimized 10.0% 8.0% 5.6% 21.1%


So what does this all mean?

  1. Although questions remain as to whether they consider all risks (including strategic and operational), respondents in financial services self-assess as having higher maturity levels.
  2. Even so, there is room for improvement in the level of maturity for all industries.
  3. The U.S. and Europe continue to lag behind Australia/New Zealand.
  4. Organizations should understand where they are (in risk management maturity), contrast that with where they want to be (if different), and take actions as needed.

I welcome your views and comments.

Posted on Jul 17, 2012 by Norman Marks

Share This Article:    

  1. Thanks for sharing the information regarding the survey results.  It's interesting how 63% of the results sit between Preliminary and Defined.  Organizations can get to these levels and say they have an effective ERM program but still not have to actually implement accountability throughout their company.  I call it the cosmetic fix so it looks good, the Board, examiners and regulators have something to look at and it doesn't take Management out of their comfort zone.  But to get to the Integrated stage and have to measure and evaluate results, implement efficiency and effectiveness throughout the organization, break down silos, and hold Management accountable for its performance, that's an entirely different stage that requires a buy-in from all levels of the organization.  A lot of CEO's would feel threatened and scared by how they would look as a result of this.  This is where great leadership at the top separates itself from others.  They can visualize what they want the end-result to look like and that they have to reach the Integrated and Optimized stages to accomplish their goals.  It's sad that businesses don't have more leaders like this and it's reflected in your results.

Leave a Reply