How to Run a Risk Maturity Assessment

Risk is part of everyday business, and regulators are consistently raising the bar. New rules, such as Europe’s NIS2 directive and the Digital Operational Resilience Act (DORA), require organisations to actively manage risk, especially concerning third parties. One practical way to understand how ready you are is to run a risk maturity assessment. This helps you see where your risk processes are strong and where they need some extra attention.

It helps with a lot more than compliance, too. A thorough risk maturity assessment can provide a clear picture of your current risk setup and help you focus your efforts in the right areas. It can also help you in conversations about priorities, budget, and audit preparation. According to a recent global breach report from IBM, many organisations still lack full visibility across their vendor ecosystem, and a significant percentage continue to rely on fragmented tools and manual processes, which shows how important this kind of assessment can be.

In this blog, we explain what a risk maturity assessment is, how to run one, what to watch out for, and how to use the results to build stronger practices over time.

What is a Risk Maturity Assessment?

A risk maturity assessment is a structured way to review how well your organisation identifies, assesses and manages risk. It looks at the quality of your processes, not the individual risks. Think of it as checking the health of your current risk framework.

Most teams use a risk maturity model to guide the assessment. This model usually includes five levels of maturity, from very basic to highly advanced. By comparing your current practices to this model, you can see how far along you are in each area and where to improve.

This kind of assessment is especially helpful if you are preparing for regulations like DORA or NIS2. It helps you see if your practices are aligned with expectations. By running a risk assessment, you can more easily spot which specific areas require improvement. Like tiering your vendors, this helps ensure you focus your limited time where it matters most for your specific company. For example, if your vendor due diligence is rated low, you know it is time to revisit your approach. Read our blog "What Is Due Diligence in Risk Management?" for a clear starting point.

How to Run a Risk Maturity Assessment

Running a maturity assessment does not have to be complicated. Here are the main steps:

Step 1: Defining the purpose and scope of the assessment

The first question you should ask yourself is: "Why are we running this risk maturity assessment?" Getting a clear idea of your goals will be the key to ensuring the next steps align with that. Be clear about your goals and gather any existing policies, such as DORA or NIS2, or data to use as a reference. It is also important to get an overview of who should be involved.

Step 2: Selecting or developing a framework

Choose a model that outlines five clear levels of maturity across your chosen areas. This will help you give consistent ratings. There are plenty of best practices out there, such as COSO ERM or ISO 31000, so there is no need to reinvent the wheel. Look for one that aligns with your business and goals.

Before we continue, let's discuss those five maturity levels further:

The five risk maturity levels

Level 1 - Initial (Ad hoc)

Processes are reactive, informal or missing. Risks are dealt with only after something goes wrong. There is little visibility or documentation. Reporting is pretty much non-existent, with leadership only hearing about risks when they’re in a crisis.

Level 2 – Emerging

Basic processes exist in some areas, but they are inconsistent. For example, some teams might do vendor checks, while others skip them. Improvements tend to be reactive, with teams working hard to bring things together based on customer or regulator requests.

Level 3 – Defined

There is a clear policy and process in place for each area. Risk roles are assigned, and controls are documented and followed. However, while things may be documented, they aren’t exactly optimised either.

Level 4 – Managed

Practices are standard across the business. Risk is discussed regularly by leadership. There is monitoring, reporting, and ongoing improvement. At this level, the organisation is proactively managing risk with clear accountability for risk mitigation.

Level 5 – Optimised

Risk management is part of daily decision-making. Data and feedback are used to refine practices. The organisation adapts quickly to new risks and requirements. Every incident or assessment is analysed to ensure the organisation learns from it and makes the necessary adjustments. At this stage, you’re not simply proactive, you’re also resilient and agile. Able to adapt to upcoming regulations and new threats.

Most organisations fall somewhere between levels 2 and 4 across different areas. That is perfectly normal. The goal is not perfection, but progress.

Step 3: Define assessment criteria

This is where you start looking at the angle of the assessment. While a goal for your assessment may be to look at your risk maturity to confirm DORA-readiness or to see whether you need to increase your budget, that step is the "why" of your assessment. The assessment criteria are part of the "how". More specifically, how are you approaching your assessment? Are you evaluating your existing processes? Assessing the extent to which risk management is embedded in your organisation's business strategy? Or are you focusing on how your people manage risk, from how up-to-date they are with legislation, to risk-awareness? 

Step 4: Designing or selecting a tool

Now that you know your outline, framework and criteria, how are you going to collect the necessary data? In this step, you have several options. Questionnaires will always be a good starting point. You can manually send these out, or you can use a tool like 3rdRisk, which can automate the process for you. This is especially helpful if you're looking to evaluate across multiple teams and perhaps even multiple offices. It also helps you collect the data in a way a spreadsheet simply can't.

Using interviews, either in a group or 1-on-1 setting, can also be useful if you require more qualitative data. We would also recommend integrating some external insight into your assessment. This can be sourced from audits that are already being conducted, or you could hire someone specifically for the purpose of analysing your organisation.

Step 5: Data collection

This step is fairly straightforward. You've outlined the purpose and scope, selected a framework, defined the criteria and even selected or designed a tool. Now you have to go and collect the data. If you choose to do things the "old-fashioned" way by manually sending out questionnaires and holding interviews, then having a checklist will be incredibly useful. We also recommend collecting all data in one central point, like a shared folder, so that it will be easier to evaluate afterwards, and everyone's contributions are easier to find.

Step 6: Analysis and benchmarking

Use the model to assign a level to each category. Involve multiple team members to get a balanced view and discuss any differences in rating. Are there noticeable differences in how teams rate things? Assigning an internal auditor can help you get a more objective view of how you score based on the evidence. Remember, the goal isn’t to get 5’s across the board, but to get an accurate idea of the current level for each category so you know where things must improve.

Step 7: Reporting

Create a short report showing your scores, key observations and a few clear improvement suggestions. Weave a clear story for your stakeholders, highlight where you’re doing well, the areas for improvement, and the potential quick wins. It also helps to provide extra context based on regulations. If DORA requires a level 4 for governance, but you’re only scoring a 2, then there’s a clear gap that requires immediate attention.

Bonus: Discuss the findings

Meet to review the results and agree on what to do next. Let this be an open conversation where you celebrate your strong points and discuss what’s causing the lower scores. Then, as a next step, you should choose a few areas to focus on first, assign responsibilities, and set realistic deadlines.

Common Pitfalls and How to Avoid Them

Internal and third-party risks are not aligned.

Many teams have better processes for internal risks than for third parties. This creates blind spots. You might have strong internal controls, but if you don’t hold your suppliers to similar standards, that puts your organisation at risk.

This is especially important now. Regulations like DORA expect you to manage vendor risks as part of your wider framework. And IBM’s 2024 Cost of a Data Breach Report found that over half of data breaches were caused by third-party involvement, highlighting how widespread and urgent this challenge is how widespread and urgent this challenge is.

How to fix it:

Apply the same logic to third parties as you do internally. Use a shared policy or checklist for both. Make sure vendor assessments ask the same questions you would ask of internal teams. Also, check if your risk platform has a vendor module. If so, use it. Many don’t, even though 85%of organisations have risk tools, only a quarter use the vendor features.

No follow-up on results

One of the most common issues is doing the assessment and then forgetting about it. The report gets filed away, and nothing changes. Business ends up continuing as usual. Don’t get us wrong, the intention is there to follow up, but day-to-day tasks get in the way, and before they know it, they’re busy tackling different projects. But in the meantime, nothing changes, and risks may even grow.

How to fix it:

Treat the assessment as the starting point for action. Assign owners for each improvement. Set deadlines. Track progress. Even small wins, like updating one policy or introducing a risk review meeting, can build momentum. Schedule a follow-up review in six or twelve months to see what has improved.

Using the Findings to Drive Action

Once the assessment is complete, turn the findings into a clear plan. Focus on a few high-priority gaps and build a shortlist of practical actions. For each one, assign an owner and a deadline.

Examples:

• If vendor risk is low, launch a basic due diligence process and log results.

• If reporting is inconsistent, create a quarterly risk dashboard for leadership.

• If internal controls are informal, start using self-assessments to track them.

Keep it simple and measurable. Over time, you can expand your improvements. Remember, Rome wasn’t built in a day, and it’s better to take small, clear steps than to get lost striving for perfection.

You can also use the results to support budget or tooling requests. If the assessment shows that manual processes are a barrier, this is a strong case for investing in software. Just make sure you choose a tool that actually fits your needs.

For example, Schoeller Allibert used their findings to streamline third-party risk checks with 3rdRisk. They now screen more than 50 suppliers with just a few hours of work per week.

Building Long-Term Maturity

The best assessments lead to long-term habits. Here are a few ways to keep the momentum going:

Repeat the assessment regularly

Aim for once a year. This helps track progress and keep risk on the agenda. Treat it like a health check or performance review. Over time, people will grow to expect it, which helps keep maturity front and centre.

Tie maturity to business goals

Show how better risk processes support smoother audits, better vendor decisions or stronger operations. Teams are more likely to see the value when they realise that risk management is tied to business success.

Share knowledge and stay up to date

Encourage a learning culture around risk. This can include anything from periodic training sessions or workshops to simply sharing articles. When regulations like DORA or NIS2 receive updated requirements, holding a brief meeting to discuss what this means for your organisation can help your team stay proactive.

Share wins and learn from mistakes

When a new process catches an issue early or helps you avoid a delay, share that story. Positive reinforcement goes a long way. And if things do go wrong, use it as a learning opportunity rather than playing the blame game.

Keep risk visible

Add risk updates to regular meetings. Encourage teams to raise concerns early. This normalises the conversation and helps you improve faster. By involving everyone, it ensures that people stay engaged and aware of the benefits of  

Conclusion

A risk maturity assessment helps you step back and see where your risk management stands today and where it needs to go. It highlights gaps, aligns teams, and shows regulators and stakeholders that you're taking a structured, proactive approach.

This is where 3rdRisk can make a real difference. Our platform brings clarity and control to risk and third-party management, without adding layers of complexity. You can track maturity across key areas, prioritise improvements, and stay prepared for audits or regulatory reviews.

What sets us apart is our focus on being practical. We’ve designed 3rdRisk to be flexible and easy to adopt, whether you’re building the basics or refining a mature program. It helps you turn insights from your assessment into action, without getting lost in the process or paperwork.

To help you get started, we’ve created a best practices page with templates, checklists and step-by-step guidance. These tools are free to use and built from real-world experience with teams facing the same challenges as you.

If you're ready to move from reactive to resilient risk management, 3rdRisk and our best practices can help you get there faster, smarter and with fewer surprises. To learn more about how we can tackle your risk management challenges, sign up for a demo today.

‍