MYOBI uses a model to express levels of maturity, with the DNB maturity model as its reference model. This is a general model in the financial world that lets an organization set its own ambition level and determine how far it has been realized. It can also be used to gain clarity about the level of the other members of MYOBI.
DNB applies this model per control measure. MYOBI uses this model to determine the maturity level based on the level of the underlying controls. The maturity level makes a statement about the effective operation of the controls.
The model describes situations that may arise with users. The higher maturity levels in this model build on the lower ones. The maturity model consists of five levels:
Level 1: Initial
Controls are (partially) defined but are carried out in an inconsistent manner. There is a great dependence on individuals in implementing the control measures. Criteria:
- No or limited control measures implemented;
- Not carried out or ad hoc;
- Not / partly documented;
- Method of implementation depending on individual (not standardized).
Level 2: Repeatable but informal
Controls are in place and are carried out in a consistent and structured, but informal, manner. Criteria:
- The implementation of the control measures is based on an informal but standardized working method. This procedure is not fully documented.
Level 3: Defined
The design of the control measures has been documented, and the measures are carried out in a structured and formalized manner. The required effectiveness of the control measures is demonstrable and is tested. Criteria:
- The control measures are defined based on risk assessment;
- Documented and formalized;
- Responsibilities and tasks are unambiguously assigned;
- Design, existence and effective operation are demonstrable;
- Effective operation of controls is periodically tested;
- The assessment is based on risk and shows that the control is effective over a longer period (> 6 months).
Level 4: Controlled and measurable
The effectiveness of the control measures is periodically evaluated. Where necessary, the control measures are improved or replaced by other control measures. The evaluation is recorded. Level 3 criteria plus the following:
- Periodic (control) evaluation and follow-up takes place;
- Evaluation is documented;
- Tasks and responsibilities for evaluation have been formalized;
- Evaluation frequency is based on the institution’s risk profile and is at least annually;
- The evaluation includes (operational) incidents;
- The results of the evaluation are reported to management.
Level 5: Improve continuously
The control measures are anchored in an integrated risk management framework, in which continuous efforts are made to improve the effectiveness of the measures. External data and benchmarking are used for this. Employees are proactively involved in improving the control measures. Level 4 criteria plus the following:
- Continuously evaluating controls to continuously improve the effectiveness of controls;
- Using results from self-assessments, gap and root cause analyses;
- The control measures taken are benchmarked on the basis of external data and are “best practice” compared to other organizations.