Maturity vs risk in investments

by Edward Robertson

The maturity model
The Capability Maturity Model (CMM) developed at Carnegie Mellon University back in 1993 [1] is a fairly famous assessment tool for organizations. The need at the time was to have some uniform way of assessing potential software development service firms, as their internal capabilities to meet deliverables were highly variable. 

The CMM consists of a matrix of cells. The processes internal to the business that one wishes to assess (categories of analysis -- e.g., Financial Strength; Management Experience) are listed across the across the top horizontal (x) axis. The vertical (y) axis shows the degree of accomplishment or relative maturity, in 5 levels. The cells, then, under a given category, contain the descriptions of the maturity attributes at each of the 5 levels. 

Here are my own descriptions of the 5 maturity levels from my book (Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation, p.78):

5. Optimizing. Reviews of processes take place to introduce innovations and continuously improve. Employee thinking is aligned with company goals and values.

4. Managed. Standard practices are consistently implemented and followed. Quantitative measures are in place to track performance.

3. Defined. Standard practices are created, guided by overall methodology. In principle, management techniques are consistent.

2. Repeatable. A minimum discipline is in place to repeat some processes, but they are not reviewed. It is mixed with random practice elsewhere in the firm.

1. Initial. A state of ad hoc, unstructured activity, whose success depends largely upon the strength of personalities involved. It is reactive (management by crisis).

So Enterprise Risk Management, and many other fields in the business world, have borrowed the model -- specifically the 5-point vertical scale -- because the levels described in it are intuitively correct and applicable to just about any organizational process or feature one would care to measure.

I believe the model is also applicable (with modifications) to the evaluation of private assets. It would permit an assessment of the issuer and product offering against consistent benchmarks.

Risk assessment
The maturity model indicates how the organization can improve according to an established standard, but the risk assessment accomplishes something quite different. Risk has to do with the uncertainty associated with planned goals and objectives. The risk assessment for a given private market investment, or for any major financial decision, for that matter, is a multi-disciplinary exercise to examine both the operational business plan, and the investment project in its wider strategic context.

Benefits of risk identification
The actual risk profile, developed in a rigorous process, is usually other than what the project team had imagined. The benefits of the exercise include: 1. to see the character and magnitude of the risks that may hinder the execution of management plans; 2. to identify mitigation actions; and 3. to build a shared understanding among the team members. The management team now has improved confidence that they will be successful. They have captured and managed all the issues that had escaped proper analysis, and understand their goals and risks more profoundly.



[1] Capability Maturity Model for Software

For information on Enterprise Risk Management, see the following resources:

Online course:
High Quality Risk Assessment (online course)

Books (in both print and electronic formats for all devices):
Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
Enterprise Risk Management Tools and Templates

Blog posts

Consulting and Facilitation