Utilizing a maturity model can aid management in identifying risk issues. Procedurally, a maturity model provides a standard means to document and evaluate the state of controls. Collectively, the entity’s not-for-profit managers can contribute to identifying risk issues as well as rating controls, such as policies, procedures, standards, and rules. As for managing risks, it is usually prohibitively expensive to reduce risks to a tolerable level for all potential control weaknesses or deficiencies simultaneously. Therefore, a risk grading system should exist to assist in evaluating and prioritizing control deployments consistent with the entity’s risk tolerance levels.