GRC Professional - February 2015 Edition | Page 33
Principle Eight: Risk Management takes human and cultural factors into account
Principle Eleven: Risk Management facilitates continual improvement of the organisation
How would you assess your competency and maturity level for this principle?
Level 1 – Absent: There is no risk management framework in place, or what is in place anticipates only predictable or basic risks.
Level 2 – Reactive: Isolated efforts are made to encourage behaviours that meet the risk appetite. Risk management may become a focus when an incident occurs. Policies are not enforced and there are no controls in place that anticipate human or cultural behaviours.
Level 3 – Foundation: Risk Management professionals and other key staff encourage the behaviours that create and support the risk framework. Behaviours that compromise the risk management framework are discouraged by management. Some controls are in place anticipating some of these behaviours. Policies exist to promote desired risk-taking behaviours (and deter those not desired) but are only intermittently applied.
Level 4 – Proactive: All leaders and managers encourage the behaviours that create and support risk management, and a general culture of risk-taking within the risk appetite appears to exist. Active effort is made by all not to tolerate the behaviours that compromise the risk appetite. Hiring procedures include pre-employment screening for desirable behavioural attributes around risk management for senior management. Consistent punishment and rewards occur for behaviour that falls within or outside the agreed risk