EVALUATION OF RISK MANAGEMENT MATURITY IN THE CZECH AUTOMOTIVE INDUSTRY: MODEL AND METHODOLOGY

This article provides a review of currently used risk maturity models to provide an overview of the assessment and diagnostics of risk management maturity in companies. The main research goal is to develop an entry-level easy-to-use diagnostic tool for enterprise-wide risk management maturity assessment tailored to Tier I suppliers of the automotive industry. In the first step, the questionnaire for self-evaluation was prepared with the help of a panel of experts using a synthesis of existing models suitable for use in the automotive industry. The risk maturity assessment model is then prepared using the Delphi method and the Likert scale for multi-criteria evaluation since the experts insisted on setting different weights for each criterion. Based on the results presented in the paper, a risk maturity self-evaluation tool in the form of a questionnaire was created for companies. Findings: The initial purpose of the research was to provide a review of the currently used risk maturity models, which led us to find more than 77 maturity models. The origin of risk maturity models can be credited to Hillson (1997) who built the first risk maturity model based on the capability maturity model from the IT sector. A significant research effort was put into the observation of hard and soft benefits of risk management. Based on the analysis of carefully chosen models, the new model was synthesized. The proposed model uses a self-evaluating easy-to-use questionnaire. The questionnaire consists of 24 attributes divided into 5 modules that were evaluated based on the 25 questions. All attributes were assessed on a 10-point Likert scale using the Delphi method conducted with the panel of experts. The outcome and purpose of the model is an entry-level diagnostics questionnaire of company risk management maturity tailored for Tier I suppliers of the automotive industry.
Originality/value: As risk management is complex, maturity models provide companies with the ability to assess their situation and set strategic goals in the field of risk management. Tailoring a risk maturity model for the needs of the specific organization or industry sector has been recommended by researchers and industry practitioners in risk management (Antonucci, 2016; Kaplan and Mikes, 2016; Marks, 2015; MARSH, 2018; McKay, 2017).


Introduction
In today's highly competitive and complex business environment that is now turning towards sustainable development and growth, companies need to be aware of and consciously manage their potential vulnerabilities. If one finds the term "complex business environment" vague, one only needs to look at the company reports of the world's leading companies to find other equally vague terminology: "technological advancements", "disruptive innovations threatening core business models", "recurring natural disasters with catastrophic impact", "soaring equity markets", "turnover of leadership in key political positions", "potential changes in interest rates", "cyber breaches on a massive scale", "terrorism", "elections", "threats of nuclear engagement", "the strength of US dollar", and many more (Protivi and State University North Carolina, 2017). This is backed up by AFP (2018), advocating cybersecurity, technological development issues, and artificial intelligence both as risk drivers and as a competitive advantage. It is interesting to look at this from a global perspective (World Economic Forum, 2018), where natural disasters, water, and food crises together with cyberattacks are mentioned as high-impact risks. In our context, they would be called risk drivers or influencers of a business. Risk management practices are still in the process of maturing: since the first model was developed in 1997, the field has grown to more than 77 models, and some of the most widely-known risk management standards are ISO 31000:2009 (ISO, 2009), COSO ERM (COSO, 2017), Six Sigma, EFQM, or M_o_R (PWC, 2017).
The author is well aware that an SME (Small Medium Enterprise) seated in a safe country like the Czech Republic (ranked #7 on Global Peace Index) could be biased in thinking that this view of risk is far-fetched, but as a practicing risk officer or risk researcher, the regional and country geopolitical and economic situation should be kept in mind and considered on every level of risk management (Institute for Economics and Peace, 2018).
It needs to be mentioned that company maturity goes hand-in-hand with sustainable development. Multiple consulting firms have proved that company maturity, or risk management, in this case, has a positive impact on the financial performance of a company (PR Newswire, 2011). The soft and hard benefits of risk management are elaborated in the following sections. The goal of risk management, among other things, is to protect and ideally enhance core business assets (Duckert, 2011).
The key takeaway from this is that all developed countries and all complex, dynamic projects prone to uncertainty and risks must take risk management maturity into consideration. These projects could be large-scale or time-intensive projects: construction projects, IT projects, or rather specific R&D projects. In such projects, risk management needs to be systematically evaluated and managed (Caiado et al., 2016).
Based on this observation, the risk management maturity model must be evaluated with care to capture the different requirements of differently-sized companies and industries and their overall management maturity. In addition, the selection of risk management approach to fit the appropriate stage in the life-cycle of the company is a strategic decision. Further, as Duckert (2011) proposed in his book, a company should not settle for the first option offered by a consulting firm, as there are as many as 77 possible maturity models to choose from, as observed by Antonucci (2016).

Research limitations
The goal of this paper is to prepare an easy-to-use tool for evaluating risk management maturity in the automotive industry. Tailoring the risk maturity model to the needs of a specific organization or industry sector has been recommended by multiple researchers and practitioners since general tools are not an ideal solution (Antonucci, 2016; Kaplan and Mikes, 2016; Marks, 2015; Marsh, 2018; McKay, 2017).
The automotive industry, specifically the Tier 1 suppliers in the automotive industry in the Czech Republic, was selected because in the Czech Republic 24% of the economy is directly connected to the automotive industry. The automotive industry accounts for 22% of total Czech exports and the yearly automotive production has grown (2017 compared to 2016) by 5.1% (Sdružení automobilového průmyslu, 2018).
Understanding state-of-the-art risk management maturity models will guide the future research efforts in this field. Based on our search options, some models might have been unintentionally omitted in the first part of this paper.
The experts chosen for cooperation in our study are from the Czech Republic. The results should not be distorted and should be valid for the whole EU territory since the panel of experts believes that most automotive companies operate in multiple countries that have the same laws.

Risk management
Risk management is a set of coordinated activities that control and direct an organization towards its objectives. It deals with both positive and negative deviations from the planned indicators and objectives. The deviations are a consequence of uncertainty which is ever-present in the modern business environment (ISO, 2009).
Risk management consists of processes, principles, and frameworks. In a company, these processes, principles, and frameworks must be aligned with the strategic business goals to provide benefits (ISO, 2009). The step-by-step process for implementation, execution, and evaluation of risk management activities is based on the approach or framework selected. It generally includes risk identification, risk analyses, response to risk, risk communication, and regular reporting. The overall learning and progress of the organization is an integral part of risk management (Zou, Chen, and Chan, 2010). It is obvious that risk management influences every activity in the company and can prevent bad results and ensure that objectives are achieved or even exceeded. While selecting a framework, one can use a conceptual framework such as ISO 31000 as a guide or take advantage of other certified practices, as we will explore later. The key factor here is that the selected approach should be the best fit for the organization. While searching for an integrated risk management system, strategic risk management or enterprise risk management (ERM) can be adopted. It is worth noting that big consulting firms usually offer their proprietary risk management frameworks (Antonucci, 2016; Kerzner, 2001; Marks, 2015).
For the purpose of maturity discussion, risk management should be considered a system (set of activities that functions as a single mechanism with inputs and outputs) where its capabilities in different areas are explored and diagnosed in the search for the effectiveness of such a system (Marks, 2015). We will explain this in the next section.

Risk management maturity
Maturity models are considered assistance tools that help companies in their long-term progress. Maturity models are widely used for benchmarking within an industry and for an overview of further steps for a company's strategic growth. The first capability maturity model was developed in the 1980s and was later published in a report as Capability Maturity Model (CMM). CMM was developed by the Software Engineering Institute (SEI) at Carnegie-Mellon University. Version 1.1 of CMM methodology was introduced in 1993 by researchers from SEI (Paulk et al., 1993). In the 1990s in Europe, the Business Excellence Model from European Foundation for Quality and Management (known as EFQM) was introduced and is also mentioned by Hillson (1997). As Hillson, working as a risk management consultant at that time, pointed out, there was a need to provide a formal approach towards risk management. The CMM originated in the field of software development and was later adopted by different industries. Hillson probably built the first maturity framework designed for the needs of risk management in different industries (Risk Maturity Model, RMM).
The Australian standard AS/NZS 4360:2004 is considered the predecessor of the now well-known risk management standard ISO 31000:2009. Like it or not, standards help the risk management community to agree on the basic capabilities that should be considered to explore the global potential of enterprise risk management. In simple words, this translates to an entire organization being able to make informed, intelligent decisions every day that secure the achievement of their business goals (Antonucci, 2016).
Risk management maturity models, or as some authors call them, risk management system capability maturity models (Antonucci, 2016), help with setting up formal structures and processes in the company, for diagnosing the current capability in the field of risk management, setting realistic expectations, frameworks, and a budget. The goal of these maturity models is to deal with risks and uncertainties, provide a clear view of the company's approach to risk, and protect the company's assets. Planning, monitoring, and control is also an invaluable part of such models. A lot of emphasis is also placed on the capability of benchmarking for competition and defining further steps for development (Hillson, 2000). These benefits of risk management are even more relevant in the modern business environment.
To summarize, maturity models have, over the time of their existence, acquired various names that are sometimes used as synonyms. It is worth defining the point of view of the authors, based on the following definitions:
• project capability: may not reflect the full process capability of the organization, i.e. the capability of the project is constrained by its environment (Paulk et al., 1993, p. 3)
• process capability: is the range of expected results that can be achieved by following a process (Paulk et al., 1993, p. 2)
• organization capability: "Capabilities are abilities, faculties or powers of an organization, enabling it to collectively deliver organization objectives in the face of threats and to leverage opportunities". (Antonucci, 2016, p. 8)
• maturity: "extent to which a specific process is explicitly defined, managed, measured, controlled and effective" (Paulk et al., 1993, p. 3); to explain further, the following definition might be added: "In other words, maturity is a path or direction ascending from low to more highly developed capability state or states." (Antonucci, 2016, p. 9)
It follows from these definitions that when the authors talk about capability, they always talk about the maximal possible outcome of the analysed system (project, process or organization). When talking about maturity, the meaning is the extent to which the capability is fulfilled by such a system. In the model presented later, we take various perspectives into consideration, namely project, company (e.g. process) and industry (outside the company), to provide an overall diagnostic of the system, which in this sense is the assessed organization.

Evaluation of Risk Management Maturity in the Czech Automotive Industry: Model and Methodology
 maturity -"extent to which a specific process is explicitly defined, managed, measured, controlled and effective" (Paulk et al., 1993, p. 3) to explain further the following definition might be added "In other words, maturity is a path or direction ascending from low to more highly developed capability state or states." (Antonucci, 2016, p. 9) Concluding from the definition when the authors talk about the capability the always talk about the maximal possible outcome of analysed system (project, process or organization). When talking about maturity the meaning is to what extent the capability is fulfilled by such a system. In the later presented model we take various perspectives into consideration project, company (eg. process) and industry (outside the company) to provide an overall diagnostic of the system in this meaning the assessed organization.
Since the time that maturity models have originated, they have consisted of multiple levels describing company development. The number of levels observed among the models is generally 4 or 5. The researchers who propose 4 levels argue that a four-level model prevents the company from choosing the mid-point on a self-evaluation questionnaire (Kulas, Stachowski, and Haynes, 2008; Moors, 2008). This approach is contrasted by the argument that Zou et al. (2010) later in risk maturity research discovered the need to include an additional level to incorporate companies that had non-existent risk management practice and experience. Adding more levels would also increase ambiguity and the proposed methodology would reflect these limitations (Hillson, 1997). The maturity level is described by the desired state of specific attributes or dimensions (processes, human resource allocation, planning, experience, management participation, technical approach, transparency, tools, reporting etc.). Usually, 4 or 5 of these attributes are observed across different models. Later, these attributes are qualitatively or quantitatively evaluated based on the questionnaire, employee interviews, panel of experts' discussions, or a combination of all of these. Self-evaluating questionnaires (also available online for some models) are not the exception. The methodology of evaluation differs across the maturity models (Oliva, 2016). Based on such evaluation, first the maturity of each attribute is stated and later the overall company maturity is calculated. There are different approaches: some models choose the lowest level while some calculate the arithmetic average (Caiado et al., 2016; Zou et al., 2010). The company maturity level is later used by the consultant (or the top management, without the assistance of a consultant) to propose further steps for progressing to the next maturity level within a reasonable time-frame with realistic goals.
To summarize, maturity models are implemented in the following way:
• Choosing the model
• Evaluating company maturity based on model attributes and levels
• Benchmarking towards the ideal state/in industry
• Progressing between levels
• Maintaining the highest level
A company can choose to go through these steps either on its own or with the assistance of a certified risk consultant. Although the steps seem simple, they are spread over the lifetime of a company and influence its strategic development.

Vol. 22 • No. 55 • August 2020
Maturity models are, in general, designed to be used on the entire enterprise, but models that focus only on projects or single departments are an exception. Some might say that risk management and project management are inseparable, as stated in the first model by Hillson (1997). He stated that by the time a company reaches the second-last level, the "organization has built management of risk into routine business processes and implements risk management on most of all projects" (Hillson, 1997). It is, therefore, difficult to draw a line between what comprises overall enterprise risk management and what comprises "only" project risk management. Both should be considered inseparable as most companies, to some extent, use project management practices too. All in all, implementing risk management is considered a valuable step for a company's sustainability and profits. Risk management in projects, which are generally prone to uncertainty due to their basic characteristics (uniqueness, limited time, limited resources, etc.), can stabilize the project in the realization phase and ensure that goals are achieved (Chapman and Ward, 2004). As mentioned earlier, many researchers have attempted to study risk management maturity in the construction industry (Caiado et al., 2016; Jia et al., 2013; Zhao, Hwang, and Low, 2014; Zou et al., 2010). Similar efforts have also been made in the field of software development and IT risks, where risk management practices are usually grouped under the umbrella term "IT governance" (Carcary, 2013; Farah, 2011; Vincent, Higgs, and Pinsker, 2017).
We will explore the existing risk maturity models that provide the possibility of choice for a company which is considering formalization of its risk management efforts for the whole enterprise and its projects.
It is worth mentioning here that risk management maturity should never be used with a check box approach without developing the organization's risk management system capabilities further. Antonucci (2016) pointed out that some of the world's leading companies misuse risk maturity models for just benchmarking purposes. The possibility of benchmarking a company against its competitors and the market is just one of the many benefits of such models but not its sole purpose.

Benefits of risk management
When talking about risk management models, or risk management, or even ERM (enterprise risk management), smart managers must ask about the costs and benefits of risk management practices. Managers must not be swayed by the marketing claims of the different proprietary or academic risk management models or methodologies and should look at published surveys and reports.
It needs to be mentioned that in risk management, there is no one-size-fits-all approach (Antonucci, 2016; COSO, 2017). One of the widespread risk management guides (ISO, 2009) is not a step-by-step manual, but just guidance for creating a tailored risk management framework for your organization: "Risk management is aligned with the organization's external and internal context and risk profile." (ISO, 2009, p. 8) If a consultant claims otherwise, then it points to a biased opinion.
As implementation of a risk management framework and processes is a time- and cost-demanding effort, managers always keep in mind the observable benefits of risk management practice. In Risk Maturity Models: How to Assess Risk Management Effectiveness (2016)
• Easier adjustment of capabilities towards new development and requirements (Deloitte, 2017);
• A consolidated approach towards stress testing by regulators (in banking) (Deloitte, 2015);
• Risk management helps develop a competitive advantage (Ernst & Young, 2014);
• Optimization of capital and liquidity, reduction of sunk costs of nonaligned programs and projects (Ernst & Young, 2014);
• Reduction in potential losses as a result of effective risk mitigation and increased management responsiveness (Ernst & Young, 2014);
• Building a strong risk management culture and making risks everyone's business is a strong shift in mindset and lays the foundation to prevent the next crisis like the 2008 financial crisis which impacts risk management (Ernst & Young, 2012a);
• Identifying realistic targets and developing action plans for enhancing risk capability (Hillson, 1997);
• Increased awareness of the complexity of risks and their global impacts;
• Finding a balance between level of information detail and effective analyzing and reporting in routine business activities (Ernst & Young, 2017);
• Superior stock performance, lower stock price volatility, and superior financial performance;
• Reduction in total cost of risk (Aon, 2013).

This extensive list of benefits from some of the world's top consulting firms or world's best-known risk management methodologies provides a good foundation for further observation of risk management benefits in companies.
Managers should rather look at the hard benefits of risk management. For years, this particular area has been elaborated on both in the real-world and academic fields and they can be listed as follows:
• The EBITDA and EBITDA/EV difference between the top 20% and the bottom 20% risk maturity comparable firms has almost tripled (20.3% vs 7.4%) (Ernst & Young, 2012b; Herrington, 2012);
• The companies with advanced risk management practices generate 28% EBITDA growth against the 16% EBITDA growth in companies with emerging risk management practices (FERMA, 2012);
• Highest revenue growth of 16.8% in the top 20% and 10.6% in the bottom 20% risk maturity comparable firms (Ernst & Young, 2012b);
• FERMA (2012) observed revenue growth of 29% in companies with advanced risk management practices and 18% revenue growth in companies with emerging risk management practices;
• Above 0% stock price gains for the most risk mature companies, while the rest show negative stock price gains (Aon and Wharton, 2017);
• 20% lower stock price volatility among risk mature firms than among the emerging risk firms based on Aon Risk Maturity Index (Aon and Wharton, 2017);
• Close to 10% higher market valuation based on P/E ratio between significantly low-risk maturity companies and high-risk maturity companies (Aon and Wharton, 2017);
• Aon and Wharton (2017) also reported higher resilience to market shocks that they simulated (e.g., 10% GDP decline because of Brexit);
• Aon and Wharton (2014) also reported higher ROE (return on equity) among advanced risk mature companies, which are able to reach 10% - 40% ROE, whereas among companies that are in the initial stages of risk management negative ROE was observed;
• Around 11% ROA (return on assets) was observed among advanced risk maturity companies compared to an ROA of minus 10% to 0% among companies in initial stages of risk maturity (Aon and Wharton, 2014);
• Higher credit rating, better credit profile and 25% higher firm value is observed among risk mature companies (RIMS, 2015);
• Aberdeen Group (2014) presented operational improvement where best in class companies (risk mature) rated plus 27% operating margin against corporate plan, 13% decrease in compliance costs, 90% overall equipment effectiveness and only 3% unscheduled asset downtime; the study elaborated more deeply on the operational impacts of risk management.
It is worth going back to risk management in the domain of projects. This management practice is widely spreading among SMEs where ERM might be quite impracticable.


Risk management models and frameworks
As explained previously, a wide range of capability models has emerged since the creation of the first one. Many of them focus on risk management practices. The list of the models and frameworks that focus on project risk management can be narrowed down to the following models that constitute around 10% of the existing models identified by Antonucci (2016)
The evolving practice of risk management not only focuses on the implementation of one approach but also tailors the risk model. The above-mentioned models can be used for project risk management, and conceptual and basic frameworks such as ISO 31000 or COSO ERM can be extended to provide additional ideas to tailor the model to an organization/projects to capture its uniqueness. The most important work in this regard was the Hopkinson project risk management model that was first published in 2010 and updated recently in 2016. Those looking for an organization of pedigree can pick the PMI model or OGC model. The Hillson risk management model, the father of all risk management models, is still a good choice. Kerzner (2002) provided an interesting view from the perspective of people and behavior competencies, the soft side of projects. This can be combined with the approach of Jereb (2013) who opined that the actual sources of risks are the various stakeholders and without them, there would be no risks. These approaches could be combined with another branch of risk maturity models that focus more on the people and their competencies but that discussion would exceed the scope of the current research.
In table no. 1 we present a comparative analysis of the above-mentioned maturity models. First, we analyse the maturity levels that each model uses. There are models with 4 or 5 levels of maturity defined. INCOSE is an exception in starting the numbering of the levels from 0.
Another way to analyse the models is by looking at the attributes they evaluate. These are shown in table no. 2 where multiple variations and different approaches are shown. We start with Hillson and INCOSE because they share the same attributes and INCOSE is highly influenced by the Hillson model, then continue with Axelos P3M3 that focuses not only on risk management but also on other managerial roles separately. The Murphy 4e model uses a specific matrix for evaluation. To put models in perspective, we will look at the maturity levels they define. From table no. 2, it becomes obvious that even the approach to the assessment of attribute maturity and overall maturity of projects/organization vary among the models.

From this, we can make observations about the complexity of the models. In this mixture, there are complex models with more iterations (OPM3, P3M3, M_o_R) as opposed to simple models, such as Hillson or INCOSE. The complex models are characterized by a steep learning curve for reactions and might be challenging for the entry-level benchmarking in risk management. The others, with a shallow learning curve, can provide practitioners with insights into the risk management of the observed subject along with a progress roadmap (moving between levels).
This research explores maturity models with a shallow learning curve that can serve as an entry-level assessment of risk management maturity. Once this is set as the baseline, we will elaborate more on the attributes and methods of assessment/self-assessment in the presented models to tailor a maturity model for the automotive industry.

Research methodology
The proposed article combines several scientific methods and practices. First, a systematic literature review of the main risk management maturity models was conducted.
Second, the panel of experts representing Tier I automotive suppliers in the Czech Republic was created. Suitable models for the automotive industry were then analysed and synthesized into one model in collaboration with the panel of experts using the Delphi method. The first round of the Delphi method consisted of synthesizing the questionnaire. The final proposed self-evaluating questionnaire is provided online as described in chapter 4.5. During the discussion, the panel of experts concluded that all the questions in the questionnaire cannot be assigned the same weight. Some areas that are being evaluated in the questionnaire survey are significantly more important than other areas in terms of evaluating the maturity of the risk management system in a company. Third, weights were assigned to individual questions so that the questionnaire could be adequately evaluated. With regard to accuracy, given the complexity of the questionnaire, Saaty's method proved to be unusable. The questionnaire contains 25 questions and Saaty's method would have required 300 pair comparisons. At the same time, due to the marked scattering of extreme values on some questions and the overall difficulty in evaluation, Saaty's method was rejected for this paper. We decided to use a combination of the Delphi method and a 0-10 point Likert scale (Brožová, Houška and Šubrt, 2003). The Likert scale gives cardinal information about the preferences for individual criteria.
The Delphi method can be broadly considered a structured group communication, or a group discussion, or a collection of expert opinions through multiple rounds of queries with controlled feedback between individual rounds. The first round was used for synthesizing the questionnaire and the following two rounds were used for evaluating the questions (Linstone and Turoff, 2002).
The key factor affecting the success of the Delphi method is the appropriate selection of experts. The number of experts is not pre-determined and usually ranges between 15-30. We chose the Delphi method to avoid the problematic use of statistical analysis or other standard methods.
The entire Delphi technique followed is given as follows:

First, the research problem is defined. In our case it was the creation of a suitable model, namely, a questionnaire to evaluate the maturity risk model for Tier I automotive suppliers. Later, a panel was created consisting of 16 experts who hold senior and middle management positions either in automotive companies or in Tier I supplier companies and had access to risk management information (medium and large companies). The next step was preparing and distributing the questions. In the first round, the questions were selected and the questionnaire was synthesized based on suitable models for the automotive industry. In the following two rounds, experts evaluated the questions on a Likert scale of 0-10, with 0 signifying the question is not relevant at all to the maturity risk model. The first round contained an explanation of the Delphi method and the promise of anonymity along with the purpose and description of the study, including a timetable. After evaluating the second round, the experts were asked about questions that showed a large discrepancy between the answers, to discuss why they gave a specific number of points to certain disputed questions and the areas where they saw the contribution to or the lack of relevance to the maturity model. In the third round, the experts were asked to assess the views and suggestions of other experts and, if necessary, to re-evaluate or substantiate their proposals. The obtained answers were statistically analysed further in section 4.4. Because of the differences in opinions, we eventually dropped the idea of calculating the exact weight for individual questions and instead presented the group view as the mode.
The self-evaluation tool has to stay simple and easy-to-use, therefore, weights were determined in the following fashion:
• For most answers in the 0-1 range: the question was removed;
• For most answers in the 2-5 range: insignificant for evaluation (50% weight);
• For most answers in the 6-8 range: significant (100% weight);
• For most answers in the 9-10 range: crucial (150% weight).
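The weighting rule above, worked through as an added example (not the authors' tool). The panel ratings, question ids Q1-Q5 and company answers are constructed, and two points are assumptions the page does not state: "most answers" is read as the band holding the largest number of ratings (a tie is reported as disputed), and answers are combined with a weighted mean.

```python
from collections import Counter

# Weight bands from the text: (low, high, label, weight).
# A weight of None means the question is removed from the questionnaire.
BANDS = [
    (0, 1, "removed", None),
    (2, 5, "insignificant", 0.5),
    (6, 8, "significant", 1.0),
    (9, 10, "crucial", 1.5),
]


def band_of(rating):
    """Return (label, weight) for a single 0-10 Likert rating."""
    if not isinstance(rating, int) or not 0 <= rating <= 10:
        raise ValueError(f"rating outside the 0-10 Likert scale: {rating!r}")
    for low, high, label, weight in BANDS:
        if low <= rating <= high:
            return (label, weight)


def question_weight(ratings):
    """Map one question's panel ratings to (label, weight).

    Assumption: the winning band is the one with the most ratings. If two
    bands tie for first place the question is returned as ("disputed", None)
    so it can go back to the panel, as in the third Delphi round.
    """
    if not ratings:
        raise ValueError("no ratings supplied for this question")
    ranked = Counter(band_of(r) for r in ratings).most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return ("disputed", None)
    return ranked[0][0]


def build_weights(panel):
    """Split a {question: ratings} panel into kept weights, removed, disputed."""
    weights, removed, disputed = {}, [], []
    for qid, ratings in panel.items():
        label, weight = question_weight(ratings)
        if label == "removed":
            removed.append(qid)
        elif label == "disputed":
            disputed.append(qid)
        else:
            weights[qid] = weight
    return weights, removed, disputed


def weighted_score(answers, weights):
    """Weighted mean of a company's answers (assumed aggregation formula)."""
    missing = sorted(set(weights) - set(answers))
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    total = sum(weights.values())
    return sum(answers[q] * w for q, w in weights.items()) / total


def pair_comparisons(n):
    """Pairwise comparisons Saaty's method needs for n criteria: n(n-1)/2."""
    return n * (n - 1) // 2


# Constructed ratings from a 16-expert panel (hypothetical question ids).
PANEL = {
    "Q1": [9, 10, 9, 9, 10, 8, 9, 10, 9, 7, 9, 10, 9, 8, 10, 9],
    "Q2": [7, 6, 8, 7, 7, 5, 6, 8, 7, 9, 7, 6, 8, 7, 4, 7],
    "Q3": [3, 4, 2, 5, 3, 6, 4, 3, 2, 5, 4, 3, 1, 4, 3, 5],
    "Q4": [0, 1, 0, 0, 1, 2, 0, 1, 0, 0, 3, 1, 0, 1, 0, 0],
    "Q5": [5, 5, 4, 5, 3, 5, 4, 5, 6, 6, 7, 6, 8, 6, 7, 6],  # 8 vs 8 tie
}

# Constructed self-assessment: maturity level 1-4 per kept question
# (the 1-4 answer scale is an assumption for this example).
ANSWERS = {"Q1": 2, "Q2": 3, "Q3": 4}

if __name__ == "__main__":
    weights, removed, disputed = build_weights(PANEL)
    print("weights:", weights)
    print("removed:", removed, "disputed:", disputed)
    print("weighted score:", round(weighted_score(ANSWERS, weights), 2))
    print("plain mean:", sum(ANSWERS.values()) / len(ANSWERS))
    print("Saaty pairs for 25 questions:", pair_comparisons(25))
```

With these constructed inputs the weak answer on the crucial question pulls the weighted score below the plain mean, which is the effect the panel wanted from unequal weights.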

Maturity model proposal
The following section provides a list of various assessment techniques that are used in risk maturity models as diagnostic tools. Techniques range from scales, binary answers, and audit-style questions to textbook format and text-in-the-box.
The models use online self-evaluation questionnaires, spreadsheet-type questionnaires, printed questionnaires, or proprietary software. They are always chosen with the purpose of the model in mind (Antonucci, 2016). Based on research findings, we propose the following model. Our model reflects the approach used by a majority of the models, where levels and attributes are stated and maturity is evaluated based on assessment. Such a model should consist of 4 components (Antonucci, 2016). First, we define the domain of the model based on its purpose. The domain of our model is enterprise-wide risk management (ERM) maturity assessment. Second, we define capabilities or attributes that will be evaluated on scales and will help create the levels of the maturity model. Further, this model is tailored for the automotive industry via the Delphi method. The model is evaluated by experts and industry practitioners and specific weights for each criterion are set.

Proposed attributes
The selected capabilities (or attributes, per the ISO terminology) create the core of the model. These capabilities will define the meaning and purpose of the model. The number of attributes in models ranges from 12 to hundreds. Since our research purpose is to create an entry-level diagnostic tool, we chose a smaller number of attributes. The attributes described in table no. 3 were selected based on discussion with a panel of experts specifically for the automotive industry.
The overall approach of the company towards risk management is a key element in the long-term success of risk management practices (ISO, 2009). The "culture" attribute of our model evaluates the attitudes, beliefs, awareness of and communication in risk management. Both theory and recent reports have pointed out that the commitment of top-level managers towards RM has an enormous bearing on the success of RM (Ernst & Young, 2014; Aon and Wharton, 2017). It is necessary to be able to evaluate the long-term formalization of risk management practices. "Integration" evaluates whether risk management is included in other business tasks. The scope of RM evaluates whether risks are taken into consideration only on the project level or beyond the company borders.
The resources allocated to risk management (the money, people, and their skills) are evaluated on a company level.
"Process" evaluates the degree to which risk management processes are formalized, documented, and embedded into the company's day-to-day activities. The evaluated attributes follow the risk management process steps proposed by ISO 31000 (ISO, 2009).
The "Improvement" attribute focuses on the part of risk management that looks for opportunities and long-term learning. The learning elements are evaluated on the basis of utilization of historical data, previous experience, quality documentation, and past project risk evaluation.

Proposed maturity levels
The analysis and examination of the models mentioned earlier also revealed the respective advantages and disadvantages of the models. Hillson and INCOSE were found to be more basic and lacked the self-assessing component; an additional model, Supply Chain Risk Management Maturity (SCRLC, 2013), was added to the mix in the last iteration of Hillson and INCOSE in 2017. Using the tailoring approach of Antonucci (2016), the additional maturity model was taken into consideration, especially to capitalize on its questionnaire evaluation abilities.
All 7 models mentioned earlier were used to develop our new risk maturity model specifically designed for risk management maturity assessment in the automotive industry, rather than using only one model. The models that were used to synthesize the easy and self-evaluating questionnaire encompass three main areas: project level, company level, and industry level.

Proposed assessment technique
The self-evaluation questionnaire is used as an assessment technique to fulfil our purpose of creating an easy-to-use maturity model as a diagnostics tool. It capitalizes on the techniques used in the analysis and provides the synthesis with the automotive industry.
The questions are divided into 5 modules and the answers represent the five levels of maturity.
The number of levels was chosen based on a thorough analysis of the models used to tailor our maturity model and is based on two presumptions:
• Choosing only 4 levels limits the ability of the model to properly evaluate the companies with no experience in RM, and at the same time, it prevents choosing a "middle way".
• Choosing 5 levels provides the possibility to differentiate the company maturity with greater precision. To be able to advise on how to move between levels, adding more levels is not recommended as the added benefit is minimal (Hillson, 1997), and the tendency to choose the "middle way" might arise.
Starting from number/level 0 provides for the possibility to properly categorize the companies with zero or basic risk management awareness. The side benefit of that is there is no obvious middle way, which should help to fight some cognitive biases (Kahneman and Tversky, 1979).
The proposed form of the questionnaire is available online (see chapter 4.5.). The questionnaire was created by synthesizing the different questionnaires of existing risk maturity models based on a discussion with a panel of experts (SCRLC, 2017; Antonucci, 2016; Öngel, 2009).
One possible application of the questionnaire (along with the Delphi method) in the industry is to refine the proposed concept and eliminate factual mistakes (Saunders, Lewis and Thornhill, 2016). The panel of experts consisted of academics and practitioners from the automotive industry. In the second and third rounds of the Delphi method, weights were assigned based on the Likert scale to the questions to calculate the overall company maturity in a specific attribute. Lastly, the questionnaire will be validated by the companies in the field. Additionally, other techniques will be used to enhance the objectivity of a tailored maturity model (e.g., assessment of additional models and referencing to evolving trends in risk management) to improve scales and capabilities (Antonucci, 2016). More research efforts need to be put into the critique of risk management that will be beneficial for increasing the objectivity and rationality of the proposed model (Ehrenfeld, 1996; Adler, 2005; Dionne, 2013; Bromiley et al., 2015). All these steps are being pursued for further research by the authors.

Evaluation of the model
As described at the beginning, the proposed model was evaluated in the second and third rounds of the Delphi technique. Experts evaluated the questions on a 0-10 point Likert scale, where 0 signifies the question is not relevant for the evaluation of company risk maturity at all and 10 signifies it is crucial. We decided to divide the questions into four groups according to the median of the results because, even after the third round, the experts did not exactly agree on the importance of the given questions. The first group contains the irrelevant questions (0-1) that should be removed from the proposed questionnaire. However, in the first round the experts had agreed that none of the questions should be removed from the questionnaire. The second group contains the insignificant questions that, according to the experts, are not relevant for the overall picture but are still important enough to be included. This group of questions was mostly evaluated between 2-5 points on the scale (marked N in table no. 4.). In this group, there is just one question: "Does your organization have a dedicated budget for risk management (budget for training, tools, standards, experts etc.)?" Apparently, the experts do not consider this important. Therefore, this group of questions is weighted at just 50% in the final evaluation stage.
The third group, consisting of significant questions, ranks between 5-8. Most of the questions are in this group (marked S in table no. 4.). This group of questions is weighted at 1.
The fourth group, consisting of crucial factors (marked C in table no. 4.), ranks 9-10 and is, therefore, evaluated with 150% weight in the final model. The questionnaire with assigned weights is an outcome of the Delphi method and serves as the stepping stone in creating the model self-assessment tool. Proper evaluation is the key requirement for successful model implementation.
After going through the steps mentioned above, the entry-level diagnostic is ready to be used as input for strategic risk management maturity planning, development, and maintenance.
The dashboard of the model consists of a candlestick chart on the left in figure no. 1, which displays the maturity of each module based on equation (1). The result is displayed as a horizontal line. At the bottom of each vertical line is the minimum evaluation of the attribute in the module. At the top of each vertical line is the maximum evaluation of the attribute in the module. If the results show a large difference between the minimum and maximum, the company should further analyze that module, look for the root causes and take appropriate steps (e.g., the Culture module).
The gauge chart in the dashboard on the right in figure no. 1 displays the overall company maturity calculated by equation (2).
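The weighting rule from the Delphi rounds and the per-module dashboard values can be traced in code. The following Python sketch is an added example, not part of the original study or its tool: it assigns each question the weight of the band holding most panel ratings, then computes one module's result with the minimum and maximum that the candlestick shows. The weighted mean standing in for equation (1), the 0-4 coding of the five levels, the handling of ties, and all sample ratings are assumptions.

```python
from collections import Counter

# Rating bands from the text: (low, high, mark, weight); weight None = question removed.
BANDS = [(0, 1, "removed", None), (2, 5, "N", 0.5), (6, 8, "S", 1.0), (9, 10, "C", 1.5)]

def classify(ratings):
    """Return (mark, weight) of the band that holds the most panel ratings."""
    counts = Counter()
    for r in ratings:
        band = next(((m, w) for lo, hi, m, w in BANDS if lo <= r <= hi), None)
        if band is None:
            raise ValueError(f"rating {r!r} is not an integer on the 0-10 scale")
        counts[band] += 1
    ranked = counts.most_common(2)
    if not ranked:
        raise ValueError("no ratings supplied")
    # Assumption: a tie between bands is unresolved and goes back to the panel.
    if len(ranked) == 2 and ranked[0][1] == ranked[1][1]:
        raise ValueError("no band holds most answers; another Delphi round is needed")
    return ranked[0][0]

def module_maturity(items):
    """items: (panel_ratings, company_level) pairs, level coded 0-4 (assumed).
    Returns (weighted mean, lowest level, highest level) over retained questions."""
    kept = []
    for ratings, level in items:
        if level not in range(5):
            raise ValueError(f"maturity level {level!r} is not in 0-4")
        _, weight = classify(ratings)
        if weight is not None:  # removed questions do not count
            kept.append((weight, level))
    if not kept:
        raise ValueError("every question in the module was removed")
    # Assumed aggregation: weighted mean of the answered levels.
    mean = sum(w * lv for w, lv in kept) / sum(w for w, _ in kept)
    levels = [lv for _, lv in kept]
    return mean, min(levels), max(levels)

# Constructed sample: four questions rated by a 16-expert panel, plus one
# company's self-assessed level per question (not data from the study).
SAMPLE = [
    ([9, 10, 9, 9, 10, 8, 9, 10, 9, 7, 9, 10, 9, 9, 8, 10], 1),
    ([7, 6, 8, 7, 7, 5, 6, 8, 9, 7, 6, 7, 8, 7, 6, 7], 3),
    ([3, 4, 2, 5, 6, 3, 4, 5, 2, 3, 7, 4, 3, 5, 4, 3], 4),
    ([0, 1, 0, 1, 1, 0, 2, 1, 0, 1, 0, 1, 3, 0, 1, 0], 0),
]

if __name__ == "__main__":
    mean, low, high = module_maturity(SAMPLE)
    print(f"module maturity {mean:.2f}, attribute range {low}-{high}")
```

In the constructed sample the crucial question is answered at level 1 and the insignificant one at level 4, so the 1-4 spread is the kind of gap between minimum and maximum that the text says calls for root-cause analysis of the module.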

Figure no. 1: Example results of the maturity model
The company should use these results for planning future evaluation milestones and the desired maturity level for each module. This provides the roadmap for achieving long-term mature risk management as shown in figure no. 2. We are working on further development of the model.