The Risk Management Maturity Model (RM3) provides a useful mechanism to understand the capability of the organisation to sustain (or improve) high levels of effective control ie to understand why an organisation is performing as it is. Information captured from the audits can be used to help inform the RM3 evaluation.
We have also produced guidance on how RM3 can be used to measure risk management of occupational health.
We would recommend the use of RM3 as this provides an evaluation of how important elements of an organisation are performing, and therefore which areas can be improved to ensure that risk is controlled, efficiently and effectively.
Figure 1 below provides an overview of a six stage approach to assurance. The last three stages form a management cycle once the first six steps are completed.