In the introduction, I highlighted the importance of feedback assessment as part of a risk management framework.

The international standard for risk management (ISO 31000) highlights the necessary feedback loop in the framework, starting with mandate and commitment of the risk function and closing with monitoring and review of the framework, followed by continuous improvement. In 2017, COSO published a new enterprise risk management (ERM) framework, positioning ERM as the enabler of corporate performance. This chapter reviews some useful criteria to assess the maturity of an operational risk management framework, discusses risk‐based priorities in the implementation of a framework, and proposes ways to quantify and demonstrate the value of risk management.

HOW DO YOU KNOW IT WORKS?¹ CRITERIA FOR A MATURE FRAMEWORK

Some organizations use maturity models, either developed in‐house or sourced externally, to assess the performance of their risk management frameworks. These models use scaling tables that rate the design and implementation of each part of the framework on a 4‐ or 5‐point scale, ranging from “beginner” to “expert.” Firms self‐assess their current maturity level against their own objectives. They do not necessarily need to be at “expert” level for all elements of the framework. The box presents a simpler, yet effective alternative to a maturity model, in the form of a list of quality criteria for each part of a risk management framework.