Risk Maturity Test

1. 1. What is the status of your risk management framework? (check all that apply)
   • We have Enterprise Risk Management where e.g., operational risk framework is integrated into the overall ERM framework, including risk processes and risk functions
   • We have a formal governance structure used to manage risk oversight
   • We use risk identification and assessment tools (e.g., top down and/or bottom up assessment tools or a mix thereof)
   • None of the above
2. 2. Do you use an Enterprise Risk Management software application?
   • Yes, we are all on the same system
   • Some of us are on a system
   • No
3. 3. Do you have a board approved risk appetite and tolerance framework? (check all that apply)
   • Yes, our board has approved our risk appetite and tolerance levels
   • Yes, and our 2ND line and board monitors adherence to the framework
   • No
4. 4. What is the state of your governance structure, ERM set-up and defense?
   • Senior management has an effective governance oversight structure with well defined, transparent and consistent lines of responsibilities and escalation protocols (e.g., policy, committee(s))
   • There is a lack of an effective governance structure in general across the organization
   • We work with a true Enterprise Risk Management set-up, with one method and platform
   • We work with Risk Management in silos
5. 5. Which kind of defense (3 Lines of Defense / 5 Lines of Assurance) is applied in your organization?
   • 3LOD
   • 5LOA
   • None of the above
6. 6. What is the status of your risk culture? (check all that apply)
   • Our culture is Open and Aware (People are trained on risk management and are transparent on risk issues immediately without fear of consequences)
   • Less open and aware (the culture is open but could be improved)
   • Closed (People are not aware of risk management and/or are reluctant to share information)
   • We have a code of conduct or ethical policy
   • We have aligned out compensation policies with our risk appetite and tolerance
7. 7. Do you feel comfortable with your mitigation efforts around cyber security?
   • Yes
   • No
8. 8. Is your board actively involved in risk management?
   • Yes, our board approves the policies of the framework and provides independent review and best practices
   • No
9. 9. Do you trust the output from your risk framework in your decision making?
   • Yes, our risk framework is advanced enough that risk appetite is set at decision taking time , based on framework MI and data
   • No
10. 10. Do you consider risks when developing new products, activities, processes, and/or systems? (check all that apply)
    • Yes, risk and performance indicators are used to provide insight into risk exposure
    • Yes, we have clearly defined key risk indicators and/or key performance indicators which trigger actions
    • Yes, we thoroughly assess all aspects consistent with taxonomy and measurement categories
    • Yes, we have clearly defined roles and responsibilities to asses and challenge decisions
    • No, we do not consider risk this formalized
11. 11. Do you have a reporting structure to ensure the risk profiles are monitored and actions are taken? (check all that apply)
    • Yes, reports are comprehensive, accurate, consistent and actionable across business lines and products
    • Yes, our reporting is timely and we are able to produce reports in both normal and stressed market conditions
    • Nope
12. 12. Do you have a clear business continuity framework?
    • Yes, we have established business continuity plans that are equivalent to the size and complexity of our operation
    • No, hopefully nothing happens
13. 13. Does your organization currently have organized operational risk training throughout the organization?
    • Yes
    • No
14. 14. Does Internal Audit follow a risk-based approach with is aligned with 1st and 2nd line risk management approach?
    • Yes, we are one happy family
    • No, Internal Auditors fly solo
15. 15. Is risk management tied to and involved in strategy work?
    • Yes, we perform risk assessments on strategy and objectives
    • Not in a formalized way
    • Not at all

Your submission is anonymous and the data is only used for your reference. No information is shared externally. For more information please read the Privacy Policy

• Sign up to stay up to date with latest news and events.