Designing a Risk Management Maturity Assessment Model in Iran's Insurance Industry with an Emphasis on the Role of Internal Audit

Document Type: Research Paper


1 Assistant Prof., Department of Accounting and Finance, Faculty of Financial Management and Accounting, College of Farabi, Tehran University, Qom, Iran.

2 Assistant Prof., Department of Accounting, Faculty of Management and Finance, Khatam University, Tehran, Iran.

3 PhD. Candidate, Department of Accounting, Faculty of Financial Management and Accounting, College of Farabi, Tehran University, Qom, Iran.


Objective: The main purpose of this research is to design a model to measure the maturity of risk management in Iran's insurance industry, emphasizing the role of internal audit.
Methods: First, the existing theoretical and empirical literature was examined using qualitative content analysis, and the key propositions indicating risk management maturity and the role of internal audit in risk management were identified. These propositions were then classified by similarity and semantic connection, and with reference to risk management frameworks and standards, into the dimensions, components, and main indicators of risk management maturity. Finally, to validate the resulting model, the Delphi method was used to collect and incorporate the opinions of risk management and internal audit experts in the insurance industry. Data at this stage were collected with a questionnaire whose reliability was confirmed using Cronbach's alpha.
Results: Qualitative content analysis, by identifying and categorizing significant and recurring propositions, yielded 68 indicators of risk management maturity. These were organized into nine components forming three primary dimensions of risk management maturity in Iran's insurance sector, with specific emphasis on the role of internal audit. The resulting model was then presented, through a questionnaire, to practitioners and academics with substantial experience in risk management and internal audit, who indicated their agreement, disagreement, or proposed amendments for each dimension, component, and indicator. After their feedback was incorporated, 50 indicators were retained by expert consensus and the rest were removed from the final model. The proposed model comprises three primary dimensions: corporate governance, policy and strategy, and the risk management process together with the roles and responsibilities of internal audit. This result is consistent with the "Three Lines of Defense" model of the Institute of Internal Auditors (IIA): all operational units of the organization, operating under sound corporate governance and strategy, form the first line of defense against risk; risk management forms the second line by implementing the processes of risk identification, assessment, response, and reporting; and internal audit, by monitoring and evaluating the risk management process, forms the third line of defense.
Conclusion: The model developed in this study comprises 50 indicators drawn from risk management standards, prior research, and the insights of experts in the Iranian insurance industry. These indicators describe the ideal state of risk management, organized into three primary dimensions and nine key components. Iranian insurance firms can assess the maturity of their risk management practices by measuring their alignment with these indicators, which helps them recognize both their strengths and the areas that require improvement. Unlike previous risk management maturity models, this model also explicitly addresses the roles and duties of internal audit, so internal auditors in the insurance industry can draw on its indicators when planning and performing assurance and consulting engagements on the organization's risk management process.


Aon (2017). Risk Maturity Index Insight Report.
Babajani, J. & Khodarahmi, B. (2013). A Performance Budgeting Implementation Model for the Islamic Republic of Iran's Government. Financial Accounting Empirical Studies, 11(41), 1-36. (in Persian)
Beygpanah, B., Asnaashari, H., Hoshi, A. & Assadi, GH. (2022). Accountability of audit firms: Content analysis method. Accounting and Auditing Review, 29(2), 213-241. (in Persian)
Chapman, R. J. (2006). Simple Tools and Techniques for Enterprise Risk Management. New Jersey: John Wiley & Sons.
COSO. (2017). Enterprise Risk Management Integrated Framework: Executive Summary. Committee of Sponsoring Organizations of the Treadway Commission.
Davari, A. & Rezazadeh, A. (2017). Structural Equation Modeling with PLS Software (2nd ed.). Tehran: Academic Jihad Publications. (in Persian)
Deloitte. (2018). Internal Audit 3.0: The future of Internal Audit is now.
European Foundation for Quality Management. (2013). An overview of the EFQM excellence model.
European Parliament and Council (2016). Solvency II.
Federation of European Risk Management Associations. (2003). A risk management standard.
Golmohammadi, M. & Rahmani, A. (2018). Technical Challenges of Implementing Fair Values in Financial Reporting of Iran: Emphasizing on IFRS 13 Requirements. Accounting and Auditing Review, 25(3), 387-414. (in Persian)
Guidelines for corporate governance of issuers listed on the Tehran Stock Exchange and Iran OTC (2017). Approved by the Board of Directors of the Securities and Exchange Organization. (in Persian)
Hillson, D. A. (1997). Towards a risk maturity model. International Journal of Project and Business Risk Management, 1(1), 35-45.
Hopkinson, M. M. (2012). The Project Risk Maturity Model: Measuring and Improving Risk Management Capability. Farnham, UK: Gower Publishing, 23-25.
Hoseini, E., Hertogh, M. & Bosch-Rekveldt, M. (2021). Developing a generic risk maturity model (GRMM) for evaluating risk management in construction projects. Journal of Risk Research, 24(7), 889-908.
IIA Position Paper (2009). The Three Lines of Defense in Effective Risk Management and Control.
Institute of Internal Auditors. (2013). The three lines of defense in effective risk management and control.
International Association for Contract and Commercial Management. (2003). Organisational maturity in business risk management.
International Association of Insurance Supervisors. (2022). Insurance core principles.
International Organization for Standardization. (2009). ISO 31000: Risk management, Principles and guidelines.
Jia, G. S., Ni, X. C., Chen, Z., Hong, B. N., Chen, Y. T., Yang, F. J. & Lin, C. (2013). Measuring the Maturity of Risk Management in Large-Scale Construction Projects. Automation in Construction, 34, 56-66.
KPMG. (2018). Shaping ERM Maturity: Insurance ERM maturity assessment thought leadership report.
Kwak, Y. H., Sadatsafavi, H., Walewski, J. & Williams, N. L. (2015). Evolution of Project Based Organization: A Case Study. International Journal of Project Management, 33(8), 1652-1664.
Lloyd's (2016). Risk Management Toolkit.
Loosemore, M., Raftery, J., Reilly, C. & Higgon, D. (2006). Risk management in projects (2nd ed.). New York: Taylor and Francis.
Mashayekhi, B. & Yazdanian, A. (2018). A Survey on Key Components of Internal Audit. Accounting and Auditing Review, 25(1), 135-158.
Monda, B. & Giorgino, M. (2013). An ERM Maturity Model. ERM Symposium 2013 Monograph, 35-45.
National Association of Insurance Commissioners (NAIC). (2012). Risk Management and Own Risk and Solvency Assessment Model Act.
Ngwenya, M. & Ngwenya, S. (2021). Enterprise Risk Management Maturity Levels of the Insurance Industry in Botswana. East African Journal of Education and Social Sciences (EAJESS), 2(1), 23-32.
OECD. (2021). Enterprise Risk Management Maturity Model. OECD Tax Administration Maturity Model Series. Paris: OECD.
Oliva, F. L. (2016). A Maturity Model for Enterprise Risk Management. International Journal of Production Economics, 173(3), 66-79.
Öngel, B. (2009). Assessing risk management maturity: a framework for the construction companies (Master's thesis, Middle East Technical University).
Proenca, D., Estevens, J., Vieira, R. & Borbinha, J. (2017, July). Risk management: a maturity model based on ISO 31000. In 2017 IEEE 19th Conference on Business Informatics (CBI), 25(1), 99-108.
Rahmani, A., Molanazari, M., Qayyumi, A., Mahmoudkhani, M. & Behbahaninia, P. (2022). Designing the maturity model of financial and accounting management of reporting units of the public sector. Accounting and Auditing Review, 29(2), 287-310. (in Persian)
Regulation No. 88 of Central Insurance. (2013). Reporting and information disclosure of insurance companies. (in Persian)
Regulation No. 90 of Central Insurance. (2014). Qualifying managers and key assistants of insurance companies. (in Persian)
Regulation No. 93 of Central Insurance. (2016). Principles of corporate governance of insurance companies and guidelines for the formation of committees subject to this regulation. (in Persian)
Ren, Y. T. & Yeo, K. T. (2004). Risk management capability maturity model for complex product system (CoPS) projects. Proceedings of the International Engineering Conference 2004, 807-811.
Research Project No. 63 of the Insurance Research Institute commissioned by the Central Insurance of Iran. (2015). Principles of corporate governance in insurance companies. Retrieved from: https://civilica.comdoc/1047677/ (in Persian)
Research Project No. 80 of the Insurance Research Institute commissioned by the Central Insurance of Iran. (2016). Examining the necessity and requirements of internal audit in insurance companies. (in Persian)
Research Project No. 87 of the Insurance Research Institute commissioned by the Central Insurance of Iran. (2016). Suggested model of risk management for insurance companies. (in Persian)
RIMS (Risk and Insurance Management Society). (2011). An overview of widely used risk management standards and guidelines.
Schiller, F. & Prpich, G. (2014). Learning to Organise Risk Management in Organisations: What Future for Enterprise Risk Management? Journal of Risk Research, 17(8), 999-1017.
Schreier, M. (2014). Qualitative content analysis. In The SAGE Handbook of Qualitative Data Analysis, 170-183. Thousand Oaks, CA: Sage Publications.
Strutt, J. E., Sharp, J. V., Terry, E. & Miles, R. (2006). Capability Maturity Models for Offshore Organisational Management. Environment International, 32(8), 1094-1105.
Tarhan, A., Turetken, O. & Reijers, H. A. (2016). Business Process Maturity Models: A Systematic Literature Review. Information and Software Technology, 75(2), 122-134.
Wendler, R. (2012). The Maturity of Maturity Model Research: A Systematic Mapping Study. Information and Software Technology, 54(12), 1317-1339.
Westerveld, E. (2003). The Project Excellence Model: Linking Success Criteria and Critical Success Factors. International Journal of Project Management, 21(6), 411-418.
Wieczorek-Kosmala, M. (2014). Risk management practices from risk maturity models perspective. The Journal of East European Management Studies, 19(2), 133-159.
Yeo, K. T. & Ren, Y. (2009). Risk management capability maturity model for complex product systems (CoPS) projects. Systems Engineering, 12(4), 275-294.
Zou, P. X. W., Chen, Y. & Chan, T.-Y. (2010). Understanding and Improving Your Risk Management Capability: Assessment Model for Construction Organizations. Journal of Construction Engineering and Management, 136(8), 854-863.