Risk Maturity Assessment for Small and Medium Businesses: A Practical Guide

How to Use ISO 31000 to Assess and Improve Your Risk Maturity (Without Over-Engineering It)

Mark Scales


Download the StartRisk ISO 31000 Risk Maturity Assessment Guide (Free Template)

A practical 5-level maturity rubric aligned to ISO 31000 principles, framework and process elements, designed specifically for small and medium businesses and not-for-profits.

✔ Structured scoring model
✔ Evidence-based assessment prompts
✔ Built for practical use, not theory



Many organisations don’t know where they really stand

In small and medium businesses and not-for-profits, risk management can look very different from one organisation to the next.

For some organisations:

  • Risk is primarily associated with workplace health and safety
  • Executives know risk management matters, but aren’t sure what “good” looks like in practice
  • A framework or spreadsheet risk register exists, but it isn’t consistently maintained or integrated into decision-making

For others:

  • Risk is viewed more broadly — covering strategy, finance, operations, compliance and people
  • Leaders use risk conversations to inform planning and major decisions
  • Risk registers, appetite statements and reporting are actively maintained and embedded in governance processes

Risk management isn’t binary. It exists on a spectrum of maturity.

Most organisations are somewhere in between, with strengths in some areas and gaps in others.

Understanding where you sit on that spectrum is the first step toward improving it in a practical, proportionate and sustainable way.


What is a risk maturity assessment?

A risk maturity assessment is a structured review of how well risk management is designed, implemented, embedded and improved over time.

It is:

  • Not an audit
  • Not a compliance tick-box
  • Not about chasing perfection

It is about progression.

The goal is not to reach the highest possible level everywhere — it is to reach the right level for your size, complexity and risk profile.


The 5 levels of risk maturity explained

At StartRisk, we use a simple five-level model to assess maturity across principles, framework and process.

  • Level 1: Ad-hoc
    Risk is reactive, undocumented and inconsistent. Individuals manage issues as they arise. No structured framework.
  • Level 2: Emerging
    Some framework elements exist. A risk register may be present but inconsistently used. Limited integration into decision-making.
  • Level 3: Defined
    Framework aligned to recognised good practice (e.g. ISO 31000). Roles are defined. Risk appetite articulated. Reporting structured.
  • Level 4: Embedded
    Risk is integrated into governance, planning and operations. Consistent language used. Board reporting aligned to appetite.
  • Level 5: Optimised
    Continuous improvement evident. Controls monitored systematically. Data-informed insights. Risk proactively informs strategy.

Most small and medium businesses do not need Level 5 across every dimension. Fit-for-purpose maturity is the goal, and understanding your target maturity is an important aspect of an effective maturity assessment.


How to assess risk maturity

StartRisk assesses maturity against ISO 31000 Risk Management, the global benchmark for effective risk governance. ISO 31000 provides a strong structural foundation while allowing flexibility to ensure a fit-for-purpose approach tailored to each organisation.

We distil ISO 31000 into three practical lenses to assess and strengthen risk maturity:

  1. Principles — Is risk management creating and protecting value?
  2. Framework — Is leadership genuinely embedding risk into governance?
  3. Process — Are risk practices systematic, repeatable and effective?

Together, these lenses ensure balance between culture, structure and execution.

Lens 1: Principles (Value Creation & Protection)

The Principles lens evaluates whether risk management is genuinely enabling value creation and protection, rather than operating as a compliance exercise.

[Image: a circular diagram showing the 8 principles of risk management in a ring around Value Creation and Protection at the centre of the circle. The 8 principles are Integrated, Structured and Comprehensive, Customised, Inclusive, Dynamic, Best Available Information, Human and Cultural Factors, and Continual Improvement.]

Figure 1 - ISO 31000 Principles Diagram


Lens 2: Framework (Leadership and Commitment)

The Framework lens evaluates how risk management is designed, governed and embedded across the organisation.

[Image: a circular diagram showing the 5 framework elements of risk management in a ring around Leadership and Commitment at the centre of the circle. The 5 framework elements are Integration, Design, Implementation, Evaluation and Improvement.]

Figure 2 - ISO 31000 Framework Diagram


Lens 3: Process (Practice & Execution)

The Process lens examines the day-to-day operation of risk management.

[Image: a circular diagram showing the core risk process elements: Scope, Context, Criteria; Risk Assessment; Risk Treatment; Recording and Reporting; Communication and Consultation; Monitoring and Review.]

Figure 3 - ISO 31000 Process Diagram


What is included in a risk maturity assessment?

A meaningful maturity assessment goes far beyond reviewing policies and procedures. It tests whether risk management is understood, embedded and influencing decisions in practice.

A robust assessment typically includes three complementary components.

1. Interviews across the organisation

We speak with a cross-section of the organisation, including:

  • Directors
  • Executives
  • Managers
  • Operational staff

Why? Because comparing the perspectives held at each level gives us insight into maturity.

What to look for — indicators of lower maturity

When conducting interviews, pay attention to:

  • Inconsistent understanding of risk appetite
    Leaders may reference it confidently, while managers and staff are unclear on what it means in practice.
  • Risk discussed reactively rather than proactively
    Conversations focus on incidents after they occur, rather than emerging risks or strategic uncertainty.
  • Limited confidence in escalation
    Staff hesitate to raise concerns, or rely on informal channels rather than structured reporting pathways.
  • Inconsistent risk language and scoring
    The same issue may be rated “high” in one area and “medium” in another with no clear rationale.
  • Over-reliance on individuals
    Risk management depends on a few capable people rather than embedded systems and shared understanding.
  • Leadership optimism not reflected operationally
    Directors express confidence in risk oversight, but frontline staff describe unclear processes or inconsistent follow-through.

If a significant disconnect exists between levels, it is a clear indicator that maturity can be improved.

Higher maturity organisations show consistent language, shared understanding and evidence that risk considerations influence decisions at all levels — not just in board papers.


2. Documentation review

We examine core governance artefacts such as:

  • Risk framework documents
  • Risk registers
  • Risk appetite statements
  • Board papers
  • Meeting minutes
  • Relevant policies

Documents reveal the organisation’s intended design. But maturity is not measured by volume — it is measured by clarity, alignment and evidence of use.

What to look for — indicators of lower maturity

When reviewing documentation, pay attention to:

  • Frameworks that exist but are not referenced
    Policies are formally approved but rarely cited in decision-making or operational discussions.
  • Risk registers that are static or compliance-driven
    Registers that are updated only annually, lack clear ownership, list outdated controls, or contain generic risk descriptions.
  • Risk appetite statements that are vague or aspirational
    Broad statements (“low tolerance for non-compliance”) without measurable thresholds or decision guidance.
  • Board papers that list risks but do not analyse them
    Reporting that describes issues without articulating impact, trend, treatment effectiveness or alignment to appetite.
  • Inconsistent terminology across documents
    Different definitions of likelihood, consequence or risk ratings across business units.
  • Policies disconnected from operational reality
    Procedures that appear comprehensive but are not reflected in actual practice.
  • No clear linkage between strategy and risk
    Strategic objectives discussed separately from risk exposure.

Strong documentation is clear, aligned and actively used. Lower maturity documentation often looks polished — but lacks evidence of integration.

The test is simple: can you see clarity and consistency in risk management documentation that influences real decisions, or do documents sit unused?


3. Operational evidence

Finally, we review where risk is actually surfacing in practice, including:

  • Incident reports
  • Complaints data
  • Non-compliance events
  • Audit findings
  • Whistleblower reports
  • Near-miss tracking
  • Staff turnover patterns

Operational data reveals whether risk management is embedded — or whether governance exists mainly on paper.

What to look for — indicators of lower maturity

When reviewing operational evidence, pay attention to:

  • Repeated incidents with similar root causes
    The same themes reappear over time, suggesting lessons are not being embedded.
  • Corrective actions that are tactical, not systemic
    Issues are “fixed” locally without addressing underlying process or control weaknesses.
  • Limited trend analysis
    Data is collected but not analysed for patterns, emerging risks or systemic exposure.
  • Weak ownership of actions
    Findings are documented but lack clear accountability, deadlines or follow-through.
  • Audit findings that remain open or recur
    Recommendations are agreed to but not fully implemented or sustained.
  • Reluctance to escalate bad news
    Whistleblower channels exist formally but are rarely used, or staff express low confidence in reporting pathways.
  • Near misses not captured or discussed
    The organisation waits for incidents rather than learning from warning signs.
  • High staff turnover in key risk roles
    Indicates instability, unclear expectations or cultural resistance to governance.

In lower maturity environments, risk data is reactive and fragmented. In higher maturity organisations, it is predictive and integrated into leadership conversations.

Higher maturity organisations demonstrate a clear feedback loop: incidents are analysed, themes are identified, lessons are documented and systemic improvements are implemented.


What is the right level of risk maturity for a small organisation?

This is one of the most important questions.

Too low a maturity level can result in:

  • Governance exposure
  • Regulatory vulnerability
  • Board blind spots
  • Reputational damage

Too high a maturity level can create:

  • Administrative burden
  • Staff disengagement
  • Cost without proportional value

Target maturity should consider:

  • Risk appetite
  • Regulatory complexity
  • Industry risk profile
  • Growth stage
  • Funding dependency (particularly for not-for-profits)
  • Board expectations
  • Internal capability
  • Resource availability

Importantly, target maturity can vary by element. An organisation may require strong maturity in governance and reporting, while maintaining lighter structure in lower-risk operational areas.

Setting target maturity should be a deliberate leadership discussion — ideally facilitated between Board and Management. The conversation should explore:

  • What level of risk visibility does the Board require to discharge its duties confidently?
  • Where does regulatory scrutiny sit today — and where might it increase?
  • What level of structure supports performance without slowing the organisation down?

When leadership alignment is achieved, maturity targets become strategic guardrails — guiding investment and uplift decisions rather than creating unnecessary bureaucracy.


What happens after a risk maturity assessment?

An assessment without action is theatre.

The outcome should be:

  • A prioritised action plan
  • Categorised by effort vs impact
  • Aligned to budget cycles
  • Structured as a 12–24 month roadmap

We often use a simple Impact vs Investment lens:

  • What delivers the greatest risk reduction for the least effort?
  • What strengthens governance confidence quickly?
  • What foundational gaps need addressing first?

Risk maturity reassessment is typically appropriate every 2–3 years. This allows time for processes to embed and learning to accumulate before reviewing again.


BONUS - What is risk culture and how do you assess it?

Risk culture is the behaviours, attitudes and conversations about risk inside your organisation.

It is not what your policy says.

It is how people behave when something goes wrong — and how they behave before something goes wrong.

Indicators of low maturity culture:

  • Risk seen purely as compliance
  • Staff reluctant to escalate issues
  • Incidents hidden or minimised
  • “That’s not my job” mindset
  • Boards surprised by adverse events

Indicators of healthy risk culture:

  • Open escalation of concerns
  • Early identification of emerging issues
  • Leaders ask proactive risk questions
  • Incidents used as learning opportunities
  • Staff can describe risks clearly and consistently

How to assess risk culture in practice

Culture cannot be measured by policy review alone. It must be observed and tested.

Practical approaches include:

  • Cross-level interviews to explore how different levels perceive the behaviour and openness of others. Cultural friction often appears where:
    • Frontline staff believe escalation is discouraged
    • Managers filter issues before they reach executives
    • Executives “manage the message” before reporting to the Board
    • The Board believes it has full visibility while operational staff feel unheard
  • Reviewing escalation patterns — how quickly and transparently issues have moved upward.
  • Examining the response to past incidents — were root causes addressed systemically, or was blame assigned?
  • Observing meeting dynamics — do leaders invite challenge and risk discussion, or is dissent subtly discouraged?

One simple diagnostic question can be revealing:

“If you identified a serious risk tomorrow, how confident would you feel raising it?”

Hesitation in answering often signals cultural friction.

Assessing culture can be confronting. It may reveal overconfidence at leadership level or silence at operational level. But without understanding culture, maturity scores are incomplete. A well-documented framework cannot compensate for a culture that avoids difficult conversations.

This is why interviews, observation and honest dialogue are essential in any serious risk maturity assessment.


Ready to Strengthen Your Risk Maturity?

Download the ISO 31000 Risk Maturity Assessment Guide and conduct a quick self-assessment.

If the results highlight gaps, that’s not a failure — it’s clarity. With the right structure and support, organisations can move from Level 1 to Level 3 in a matter of weeks, not months.

The opportunity now is to translate your insight into structured uplift.


How StartRisk Accelerates Risk Maturity

There are two practical pathways.

1. Structured Maturity Assessment Engagement

For organisations seeking independent insight and board-level clarity, StartRisk delivers:

  • Facilitated executive and stakeholder interviews
  • Evidence-based scoring using our five-level maturity rubric
  • A clear current-state maturity profile
  • Defined target maturity by element
  • A prioritised uplift roadmap aligned to strategy

This provides boards and executives with immediate clarity on strengths, gaps and next steps.


2. The StartRisk Platform as a Maturity Accelerator

For organisations ready to embed risk management into day-to-day operations, the StartRisk platform accelerates uplift by:

  • Standardising risk language across the organisation
  • Embedding ISO 31000-aligned structure
  • Clarifying alignment to risk appetite
  • Improving rating consistency
  • Strengthening board and executive reporting
  • Creating a single source of truth
  • Integrating risk management into operational workflows

AI tooling enhances this uplift through:

  • Guided onboarding experience
  • Risk generation and writing assistance
  • Control recommendation support
  • Reporting narrative drafting

For organisations focused on building strong risk governance, AI becomes a genuine force multiplier. With the right structure in place, it accelerates analysis, improves reporting quality and supports better decisions — turning good governance into scalable governance.

Whether you require an independent maturity review or a platform to embed risk at scale, StartRisk provides a practical, structured pathway to measurable uplift.

Want clarity on where your organisation really stands?
Book a 30-minute Risk Maturity Discussion to review your assessment results and identify the fastest pathway to structured uplift.
