The International Association for Contract & Commercial Management (IACCM) is the professional body for contracting and commercial professionals, with over 50,000 members across 166 countries. Its mission is to enable both public- and private-sector organizations and professionals to achieve world-class standards in contracting and relationship management process and skills.

As part of fulfilling this mission, IACCM has developed a Capability Maturity Model, which can be used by organizations to benchmark their contracting processes against global best practices. The IACCM Capability Maturity Model uses nine factors to assess the performance of contracting processes (see here).

The model provides an objective assessment of maturity against five levels, allowing an organization to compare its results with the competition and against world-class standards.

The nine factors of the IACCM Capability Maturity Model are also all relevant to the ability of an organization to manage risk effectively. If we modify these nine factors to relate specifically to risk management capability, they look like this:

Leadership. Senior managers and executives need to understand key risk concepts. These include knowing what risk means, why it matters to the organization, how risk management contributes to value creation, the relationship between strategy and risk, and how to make risk-informed decisions. Leaders can then role model good risk behaviors and encourage their staff to do the same.

Customer Experience. Effective risk management requires a good understanding of key stakeholders who need to be identified and engaged appropriately throughout the risk process.

Execution and Delivery. Risk management needs to deliver measurable benefits, which can demonstrate how well the risk process is working (or not).

Solution/Requirements Management. It is important to have a clear understanding of each specific risk challenge, with a focus on delivering a risk management solution that meets the requirement, rather than applying a one-size-fits-all approach.

Financial. It should be possible to demonstrate a positive return on investment (ROI) for risk management by comparing the benefits of managing risk against the costs.

Knowledge Management. Risk data and information must be captured and used to ensure that lessons for future improvement are generated, learned and applied.

Risk Management. Risk management manages risk, so there must be a demonstrable impact on overall risk exposure as well as seeing individual threats avoided or minimized and individual opportunities captured or enhanced. (It seems obvious, but it is not always true!)

Strategy. Risk appetite must be fully understood and clearly expressed, enabling appropriate risk thresholds to be set against strategic and operational goals.

People Development. The organization must provide the necessary resources and skills to enable staff at all levels to understand and manage risk. Risk professionals should be regarded as trusted advisors, supporting all staff in managing risk effectively.

We can use this risk-based modification of the IACCM Capability Maturity Model to indicate how capable our organization is when it comes to risk management.

If (when) we discover areas requiring attention, we can design a specific improvement program that addresses our weaknesses and builds on our strengths. Why not see how your organization maps against these nine important factors and find out where you might develop your risk capability further?