
General FAQs concerning HVR’s Risk Maturity Models

What does a Risk Maturity Model do?
A Risk Maturity model can be used to assess the capability of a risk management process that is being used by a project or organization. The HVR models are designed to measure risk management capability and to identify priorities for improvement.

Why is it important to measure risk management capability?
Risk is an inevitable fact of business and project life. Without willingness to take risk, there would be little or no economic progress. However, accepting excessive risk, or failing to manage risk adequately, can both have highly undesirable consequences. Projects and organizations are therefore investing increasing resources in their risk management processes. Measuring risk management capability and acting upon the results provides assurance to managers, shareholders and stakeholders that risk is being managed effectively and efficiently.

Is there a sound theoretical basis for the Risk Maturity Models?
The framework used by the HVR models was established in a paper by Dr. David Hillson (1997) published in the International Journal of Business and Project Risk Management. Further development of the HVR model has been undertaken, as described in publications such as Kluwer’s Risk Management Briefing (Hopkinson 2000). In their revised form the models are now aligned with risk management standards, such as the Australia / New Zealand Std 4360 and guidance from recent publications, including the Turnbull guidance.

Can my organization make use of the Risk Maturity Models without buying them?
Yes. HVR provides a risk management assessment service using the Risk Maturity Models. This is the most cost-effective way for organizations to make a small number of project or business risk management capability assessments.

Is the Risk Maturity Model a software product that can be bought “off the shelf”?
No. Although both models are now encapsulated in software, HVR does not sell them as a software product. However, HVR does offer alternative commercial arrangements under which organizations can buy exploitation rights. These rights include the use of software copies of the model by the organization’s employees.

How can my organization buy exploitation rights for HVR Risk Maturity Models?
HVR offers a consultancy package that transfers unlimited rights to exploit HVR Risk Maturity Models for the assessment of risk management capability within the client’s organization. This package includes a trial period in which HVR conducts early risk management capability assessments and tailors the models for the client organization. As this period progresses, the associated audit skills are transferred to staff selected by the client. This ensures that the results produced by assessments using the models are realistic and provide reliable measurements for benchmarking. On payment of a one-off fee, the organization is then able to use its own employees to conduct future internal audits and assessments.

Why should defence companies take a particular interest in the Risk Maturity Model?
The UK MoD Defence Procurement Agency (DPA) has adopted the Project Risk Maturity Model for assessing the capability of its Integrated Project Teams (IPTs). DPA policy now requires all Category A, B and C equipment projects (projects with a value exceeding £20 million) to be at Risk Maturity Level 3 or above by Main Gate Approval. Since each IPT’s risk management maturity is affected by the capability of its contractors, risk management maturity is likely to be a selection factor for Assessment phase contracts and prior to Main Gate.

Should non-defence companies be interested in the Risk Maturity Model?
Yes. The Business Risk Maturity Model is equally relevant to non-defence companies and organizations. Similarly the Project Risk Maturity Model is relevant to all types of project. There is nothing in either model that is specific to the defence industry.

Why do the outputs of the Business and Project Risk Maturity Models look so similar?
Each of the six bars on the Risk Maturity Model output measures Business and project risk All risk management follows the same core process of risk identification, risk analysis and risk mitigation. Success is also dependent upon there being a good risk management culture. Business and project risk management share other characteristics in that they both have responsibilities to stakeholders and both require risk to be reviewed regularly and integrated with their other decision-making processes.

How similar is the content of the Project and Business Risk Maturity Models?
Approximately half of the questions in the two models are similar. This is because all risk management processes share a number of basic characteristics. However, there are also significant differences in the question sets to reflect the different implementation issues and techniques that apply to business and project risk management. There are also differences in the weightings used to calculate results.

Why are there four capability levels in the Risk Maturity Model?
The four levels of risk management capability were identified in David Hillson’s paper “Towards a Risk Maturity Model” (1997). Over the course of several years and many assessments, HVR has found that this structure is robust in that projects and organizations readily recognize the distinctions between levels.

Some Maturity Models have five levels; why does the Risk Maturity Model only have four?
Perhaps the best known maturity model is that developed by the Software Engineering Institute (SEI) to assess the capability of engineering processes. This has five levels. However, there is no reason why this number of levels should apply to a model designed to measure a different type of capability. In the case of risk management we have to recognize that there are natural limitations on what can be done with information that is inherently uncertain. The Risk Maturity Model Level 4 is defined in a way that reflects current understanding as to how best practice can be deployed to manage risk efficiently and effectively.

How is the overall capability level measured from the output?
The Risk Maturity Model measures risk management capability from six perspectives. The level of performance measured for each perspective is shown by a bar in the output. The overall level of performance is equal to whichever of these six bars is the lowest. The rationale for this approach is that all six perspectives are critical to effective risk management and that weakness in any one of them will fundamentally affect the overall capability.


FAQs concerning the Project Risk Maturity Model

How well-proven is the Project Risk Maturity Model?
The Project Risk Maturity Model has been used for assessments on more than 70 projects. A number of projects have been assessed on more than one occasion. The total number of assessments to date is about 150. To date, feedback has shown that almost every assessment has been accepted by the project concerned as being fair and indicative of their relative strengths and weaknesses.

What will using the Risk Maturity Model tell me about my project?
The Risk Maturity Model will tell you how capable your project risk management process is, and how this level of capability compares to similar projects. More importantly, it will help to identify prioritized areas for improvement. Subsequent audits using the Risk Maturity Model will allow the effectiveness of these improvements to be measured.

What will using the Project Risk Maturity Model tell me about my organization?
If the Risk Maturity Model is used to assess a number of different projects, the owning organization starts to build up a picture that is very useful for its governance of project management. For example, it may identify common areas of weakness in its project processes that can be acted upon across the organization. Equally, it may find pockets of best practice from which other projects can learn. Maturity assessments will also help the organization to evaluate the reliability of risk-based data presented at major project approval points. All of these benefits are described in the Business Assurance Case Study.

What Levels of capability have been found from project assessments to date?
A small number of projects have been found to be at risk maturity Level 1. The majority of projects have been found to be at Levels 2 or 3. However, most projects assessed to date are based in organizations that would expect to have relatively mature risk management processes. On the basis of evidence collected from other sources, it is likely that a more representative population of projects would show that a larger proportion would be found to be at Risk Maturity Level 1.

Have any projects been assessed as being at Risk Maturity Model Level 4?
Yes. To date, four project teams have been assessed as having a Level 4 capability. All these projects have been able to show that they maintain a coherent qualitative/quantitative risk management process that is actively supported by the project sponsors and stakeholders and provides the project manager with data that they regularly act on.

Are projects with high Risk Maturity Model scores more successful than projects with low scores?
HVR’s experience to date shows that projects with low risk maturity scores are frequently in serious difficulties over which they are struggling to maintain control. Conversely, Level 4 projects have been able to maintain progress against their plans in a much more predictable manner.

From what point in the project lifecycle should risk maturity assessments be made?
Assessments to date have uncovered many instances in which a project has been approved on the basis of unrealistically optimistic targets. These targets have often been supported by naive risk assessments and have proved to be impossible to achieve, even if, subsequently, the risk management process itself has been improved. The lesson learned is that projects need to have a capable risk management process before they are approved.

What is the smallest project assessed to date?
The smallest project assessed to date had a budget of £100,000. However, this project was sufficiently complex to merit the maintenance and regular review of a project risk register. The Risk Maturity Model is designed to be sufficiently flexible to accommodate projects of all sizes, provided that it is reasonable to expect that a formal risk management process will add value. Since a risk management process should be scaled to the needs of the project, some Risk Maturity Model questions may not be applicable to smaller or less complex projects. The assessment process recognizes this by allowing such questions to be “not applicable”, so that the questions concerned are not included in the calculation of results.

What audit techniques are used to collect data for Project Risk Maturity Model Assessments?
HVR has employed two different approaches for the collection of audit data. If accuracy of measurement is a priority, the most reliable approach is to review the current project and risk management data and then to conduct one-to-one interviews with a vertical and horizontal cross-section of the project team. This can be augmented with interviews with the project stakeholders. The other approach replaces one-to-one interviews with a workshop, during which team members provide evidence to answer the maturity model questions. The second approach has two advantages. The first advantage is that the process is quicker and cheaper. The second advantage is that it may result in a stronger buy-in to the results and recommendations from the team members involved in the workshop.


FAQs concerning the Business Risk Maturity Model

What types of organization is the Business Risk Maturity Model suitable for?
The Business Risk Maturity Model is designed for any organization whose business is sufficiently large or complex to justify the use of a formal high-level risk management process. This includes all listed companies, many government organizations and larger private companies and charities.

Is the Business Risk Maturity Model aimed primarily at project-based organizations?
No. Although there is also a Project Risk Maturity Model that shares similar features, the business model is designed to address the management of all sources of business risk, including risks arising from operations and other risks to the organization’s balance sheet. Dependent upon the nature of the organization, project risk may or may not be an important source of risk.

What will using the Risk Maturity Model tell me about my organization?
The Risk Maturity Model will tell you how capable your organization’s top-level risk management process is, and how this level of capability compares to similar organizations. More importantly, it will help to identify prioritized areas for improvement. Subsequent audits using the Risk Maturity Model will allow the effectiveness of these improvements to be measured. In addition, many organizations are required by their owners to provide assurance as to whether or not they meet the requirements of the Turnbull Guidance. The Business Risk Maturity Model helps to develop and confirm such assurance.

What is the Turnbull Guidance?
The “Turnbull Report” (October 1999) provides guidance on internal control for companies listed on the London Stock Exchange. It recommends a risk-based approach to internal control, and much of its content is effectively a high-level guide to business risk management. Listed companies are required to confirm to their shareholders in the annual report that they have reviewed their processes for internal control and to state whether or not they have complied with the Turnbull Guidance during the relevant reporting period. HVR’s view of the Turnbull Guidance is that, by avoiding prescriptive solutions, it treads a well-judged line between rigor and pragmatism. The document can be downloaded free of charge from the Institute of Chartered Accountants.

To what extent is the Risk Maturity Model based on the Turnbull Guidance?
The Turnbull Guidance has had at least some influence on the content and structure of 80% of the Business Risk Maturity Model questions. However, the true antecedent for the model remains David Hillson’s paper (1997) “Towards a Risk Maturity Model” published in the International Journal of Business and Project Risk Management.

Does the Risk Maturity Model test compliance with the Turnbull Guidance?
Yes. Criteria are built into the Business Risk Maturity Model so that the results can be used to test for Turnbull compliance. The model also includes a database of references to paragraphs in the Turnbull guidance that traces the relationship of each relevant question to Turnbull requirements. In this way each point of compliance or non-compliance can be justified rigorously.

Does my organization have to be at Risk Maturity Level 4 to be compliant with the Turnbull Guidance?
No. It is possible that an organization can be at Risk Maturity Model Level 3 and still be “Turnbull compliant”. The figure below shows the maturity model result that would be obtained for an organization that was (just) compliant with all relevant Turnbull requirements. The fact that Level 4 maturity is not required is a reflection of the pragmatic nature of the Turnbull Guidance.

If my organization is not a company listed on the London Stock Exchange, does the Turnbull Guidance have any relevance to me?
It may do. A number of UK government organizations have adopted the Turnbull Guidance as best practice and aim to achieve compliance. Examples include a number of MoD organizations (e.g. the Defence Procurement Agency) and the NHS, which has used the Turnbull Guidance to develop its processes for internal control. In addition, some larger private companies and charity organizations are choosing to adopt certain aspects of corporate governance, of which the Turnbull Guidance is a part.

HVR Consulting Services Limited, Selborne House, Mill Lane, Alton, Hampshire, GU34 2QJ. United Kingdom
©2005 All Rights Reserved