PROACTIVERISK

MeasureRISK® Maturity Scoring Key

| Level | Score | Range | Description |
|---|---|---|---|
| INITIAL | 20 | (.5-10) | Ad Hoc, unpredictable, poorly controlled, reactive |
| REPEATABLE | 40 | (1.5 to 2.5) | Basic process management and repeatable tasks |
| DEFINED | 60 | (2.5 to 3.5) | Defined and documented processes, proactive |
| MANAGED | 80 | (3.5 to 4.5) | Integrated, measured and controlled processes |
| OPTIMIZED | 100 | (4.5 to 5) | Continued improvement and significant automation |

There are six levels of a risk management maturity model:
  1. Startup or no third-party risk management: new organizations beginning operations or organizations with no existing vendor risk management activities.
  2. Initial vision and ad hoc activity: third-party risk management activities performed on an ad hoc basis and considering how to best structure third-party risk activities.
  3. Approved road map and ad hoc activity: Management has approved a plan to structure activity as part of an effort to achieve full implementation.
  4. Defined and established: Organizations with fully defined, approved and established risk management activities, but where those activities are not fully operationalized and metrics and enforcement are lacking.
  5. Fully implemented and operational: Organizations where vendor risk management activities are fully operationalized with compliance measures, including reporting and independent oversight.
  6. Continuous improvement: Organizations striving for operational excellence with clear understanding of best-in-class performance levels and how to implement program changes to continuously improve the process.
Understanding where your organization's risk management maturity level stands is a key part of understanding how to best manage risk and where you can improve.
PROACTIVERISK
290 W Mt. Pleasant Ave, Suite 11309
Livingston, NJ 07039

☎️ 973-298-1160

​© COPYRIGHT 2025. ALL RIGHTS RESERVED.