Enterprise risk management: The maturity model for the ISO 31000 adopters

Proceedings of The 3rd International Conference on Applied Research in Business, Management and Economics

Year: 2021

DOI: https://www.doi.org/10.33422/3rd.bmeconf.2021.04.03

Franciskus Antonius Alijoyo, Ridwan Hendra, and Kevin Bastian Sirait



This paper aims to examine and shed light on the essential criteria for assessing an organization’s enterprise risk management (ERM) maturity and to test whether the existing ERM maturity models, both the non-ISO 31000-based and the ISO 31000-based versions, have fulfilled those criteria. A literature review is conducted to identify, analyze and validate the essential criteria that should be considered when an organization carries out its ERM maturity assessment. Those criteria are then mapped against the elements of existing risk management maturity models, which are grouped into non-ISO 31000-based and ISO 31000-based models. Using the mapping result, further analysis is made to understand the reasoning and argumentation where one or more of the essential criteria are absent, or where additional or alternative criteria are infused into the model. The literature review identifies seven criteria that are considered essential in measuring an organization’s ERM maturity. However, the mapping shows that those seven essential criteria are not fully reflected in, or practically used by, the existing non-ISO 31000-based and ISO 31000-based ERM maturity models. Whereas the non-ISO 31000-based model offers no explanation for the missing criteria, a well-noted argument is made in relation to the ISO 31000-based model. As such, the ISO 31000-based risk management maturity model puts forward an argument that is basically in line with the underlying reasoning of the ISO 31000 standard itself, which emphasizes its generic features as a standard (i.e., applicable regardless of the size of the organization).

Keywords: Enterprise risk management, risk management maturity, ISO 31000.