4. CMMM (Culture Maturity Model Misappropriation)

Culture Maturity Models have been adopted by various organisations to evaluate and communicate risk culture against a target state, often published alongside risk management maturity model reporting.

Perceived Benefits:

  • Governance forums are familiar with Capability Maturity Model concepts
  • Builds on Safety Culture Maturity techniques (safety is a risk class)
  • Easy to illustrate gaps between current and target cultures
  • Suggested by some regulators as a suitable technique

Observed Shortfalls:

  • Subject to multiple aggregation errors which undermine reliability
  • Culture maturity modelling techniques lack empirical validation, including how maturity levels translate to organisational outcomes
  • Difficult to determine required actions and level of investment in response
  • Conveys a level of analytical rigour well beyond technique sophistication

Provocation: Evaluation of risk culture maturity is a misappropriation of business modelling technique, generating misleading conclusions.

Explainer: One of the most cited original thinkers in business modelling is Walter Shewhart. In 1925, while working for Bell Telephone Laboratories, he developed the Statistical Process Control (SPC) methodology for analysing controlled and uncontrolled variations in process performance. His work continues to be extensively applied in learning development and healthcare settings.

The Quality Management Maturity Grid, developed in 1979, built further on SPC. In the 1970s and 1980s, under the guise of Total Quality Management (TQM), it gained further prominence through the measurement and communication of process or service quality. Around the same time, the US Defence industry developed the Capability Maturity Model (CMM) to map the relative sophistication of organisational capabilities.

The term "maturity" relates to the degree of formality and optimisation of processes.

Variants of CMM are widely used in IT, software development, project management, safety management, and risk management amongst other domains.

Safety Management Systems and Risk Management Frameworks/Strategies, as formal systems, are linear and predictable, making evaluation of capability sophistication relatively straightforward. However, reliable evaluation is complicated by the overlay of organisational culture.

Research published in 2007 by Prof. Patrick Hudson discussed the implementation of an advanced safety culture program in the oil and gas industry following a major incident. This led to the emergence and adoption of the first Safety Culture Maturity Models which extended beyond the prevailing concept of ‘safety climate’.

The emergence of Risk Culture Maturity from the research and application of Safety Culture Maturity appears, at face value, a logical extension.

However, it’s important to recognise that different industry sectors face unique risks and risk-related challenges.

Oil & Gas: In sectors like oil and gas, construction, mining, and civil infrastructure, the value creation focus is in managing physical assets and operations. These assets are designed with safety margins which are monitored to prevent serious incidents. Similarly, employee actions are regulated and influenced to minimise injury risks. The proximity of work to potential hazards means that safety risk management is embedded in both the design and execution of tasks. Among the various risk classes in these sectors, safety and the preservation of life are tangible and given the highest prominence.

Financial Services: In contrast, value creation in the financial services sector deals with abstract and intangible factors and risks. The separation between individual tasks performed and the occurrence of risk-related events across large organisations makes it harder for employees to detect issues in the context of individual roles. Consequently, the financial sector relies heavily on structured frameworks to manage all key risk classes across three-lines models of control, oversight, and assurance. Each risk class also has differing levels of prominence determined by organisational strategy, risk appetite, and culture.

Although a generalisation, the main distinction in these examples is that safety is a concrete risk class that every employee is directly responsible for managing. It’s straightforward and actionable by everyone. On the other hand, in financial sectors, ‘risk’ is often described in a more abstract way to encompass all key risk classes. This doesn’t have the same immediate, tangible impact as safety risk, making it less accessible and more challenging for every employee to comprehend and respond to. Categorising something as multifaceted as culture in relation to a concept that is itself described ambiguously can lead to misunderstandings and oversimplifications, which is problematic.

While there are many tools purporting to support risk culture maturity evaluation, independent empirical validation is lacking. Similarly, criticism of the validity of safety culture maturity models and recent research suggest a narrowing of the elements considered for ‘safety culture’ to focus only on perceptions of mindset and behaviour (i.e., climate) relating to organisational systems of safety management:

  • Communication
  • Training
  • Organisational learning
  • Management commitment
  • Employee commitment and involvement

Attempts to categorise culture maturity end up focusing on attitudes towards risk management practices that support all key risk classes; these practices typically sit adjacent to the core work performed.

Maturity models imply a steady state of progression, and while this may be true of formal risk management practices, it is unlikely to uniformly apply to each of the risk classes managed through those practices.

The trade-off hinges on whether an organisation prioritises mere conformance with established risk-related practices (i.e., maturity = 'the degree of formality and optimisation of processes'); or seeks to understand the influence of its culture on strategic, risk, and compliance outcomes.

The Flip: Ditch the 'culture maturity model', as it's likely misleading key stakeholders. Instead, use survey insights on risk-related practices to inform risk management capability maturity models. Culture evaluation is still required, but it should use techniques that consider more than just mindset and behaviour.