Risk Management Maturity Model for Logistic Processes

: Recently, the maturity models for risk management are attracting growing attention. The obtained maturity level deﬁnes an assessment of an organization’s management competence. Therefore, as a set of various tools and practices, the maturity model is critical for a company’s overall risk maintenance strategy development and implementation. Thus, the purpose of this article is to present a model for risk management maturity for logistic processes. We investigated the main deﬁned assessment areas for risk maturity model implementation in logistic systems. Based on research ﬁndings, we introduced a new risk maturity assessment area based on participation in the supply chain—cooperation at risk. The proposed model constitutes the base for a two-stage assessment method implementation, where the global maturity index is introduced. Finally, we implement the proposed two-stage assessment method to verify the proposed model’s diagnostic function and determine its labor intensity. The study conﬁrmed that the ﬁve deﬁned maturity areas (knowledge, risk assessment, process risk management, cooperation at risk, and risk monitoring) provide a complex diagnostic tool for risk maturity level identiﬁcation and, based on the obtained results, allows to deﬁne an appropriate development strategy for a given decision-making environment.


Introduction
Following M. Porter's classification [1], logistics processes are the necessary processes that have crucial importance for today's proper performance. In industrial systems, they determine the efficiency and cost of material flow along supply chains. It is also increasingly pointed out that this business activity area determines companies' competitiveness and even the entire supply chain's competitive advantage. Enterprises currently operate in conditions in which every business entity has access to the same technological solutions. That is why the technological advantage of enterprises is mentioned less and less often. Therefore, the product brand and its market position are primarily built through the reliability of delivery carried out in accordance with the level of logistics service required by the customer [2].
The requirement of deliveries meeting high logistics service parameters makes companies have little or no margin for making mistakes or reacting with a delay to situations disrupting the correct course of the performed processes. Additionally, dynamic market changes of both regional and global nature make logistic processes more and more vulnerable to various types of undesired events occurrence, to which the company has to adapt quickly. The delivery system's response time to the disruptions resulting from undesired events occurrence and, above all, the time of its return to the required service level are determined by the managers' skills responsible for managing the logistics processes in the company [3]. Following this, the changing business environment and logistical process management approach have forced introducing concepts, such as logistic risk, system resilience, and process vulnerability, into logistics terminology [4]. All three concepts need to be defined for the presented research results. 2 of 19 There is no comprehensive definition of the above concepts. The definitions adopted in this study are based on recent publications by Prof. Aven (see refs. [5][6][7][8]) and Prof. Bukowski (see refs. [9,10]). Following this, we may define logistic risk as a potential possibility of an undesired event occurrence that will enable the logistic system to achieve delivery parameters regarding time, place, quantity, and quality at an assumed level (declared logistical service level). In this respect, a logistic system's vulnerability means a decrease in the level of logistics service performance resulting from the logistics system's response to an adverse event occurrence. Finally, the resilience of a logistics system, as opposed to its vulnerability, is defined as the system's potential ability to achieve the assumed level of logistics service performance after the occurrence of an undesired event while maintaining cost limits.
At the same time, it should be noted that the increasing market expectations for shortening the reaction time of logistics systems to disruptions in supply chains cause an increased emphasis on the implementation of the risk management concept in logistics processes. This management, according to COSO (Committee of Sponsoring Organizations of the Treadway Commission) [11], aims for: (1) Identification of potential events that may affect the organization; (2) keeping risks within established limits; (3) reasonably ensuring the achievement of the organization's objectives. The better the company manages the risks associated with its operations, the better it is prepared for potential adverse events that may occur in its processes. Moreover, the better it is prepared for adverse events, the shorter the reaction time, and the faster the return to the standard of service offered before the event occurrence.
The development of the risk management concept caused the need to create tools that (a) will allow the company to assess the current level of implementation of specific solutions supporting the process of dealing with adverse events and (b) indicate the direction of further development/changes, which will allow the processes resilience to disruptions to be strengthened. The most popular tool supporting both of these areas is the Risk Management Maturity Model (RMMM). This tool will be described in detail in Section 2. However, at the outset, it should be made clear that according to [12], the risk maturity models are typically qualitative models, which aim to describe the current state of implementation of the Enterprise Risk Management (ERM), and typically consist of attributes which are intended to describe the essential characteristics for the ERM such as management's commitment to risk management (RM). Different maturity stages are assigned to the attributes to describe the level of progress. As can be seen from the above definition, risk management maturity models refer to Enterprise Risk Management concepts and therefore relate to general business assumptions implemented at the enterprise management level. This observation is also confirmed by other publications indicated in Section 2 of the article, which show that the described Risk Management Maturity (RMM) models are primarily used for the global assessment of enterprise maturity or project management.
In our research, the authors focus on the specificity of risk management in logistics processes. This risk management area in an enterprise is incredibly demanding, as logistic processes are carried out at the interface of links in the supply chains. That makes them more vulnerable to various types of disruptions, the source of which is internal and most of all external factors beyond the organization's control. For this reason, risk management in this area of the company's operations is particularly challenging and requires taking into account specific aspects of planning, organizing, and implementing logistics processes.
The inter-organizational nature of logistics operations and their importance in assessing the competitiveness of the delivered products and services should also be reflected in dedicated tools for assessing risk management's maturity. RMM models described in the literature focus primarily on the aspects related to intra-organizational solutions focused on risk management. In models dedicated to logistics processes, one should also focus on aspects related to the possibility of risk management within the entire supply chain. For this reason, this article aims to present the risk management maturity model in logistics processes and its verification against the classic approach, based on the example of implementation at a selected manufacturer from the automotive sector.
Following this, the main contribution of this study is that: • We have defined assessment areas for risk management maturity, which are essential for logistic processes performance.

•
We have introduced a new risk maturity assessment area based on participation in the supply chain-cooperation at risk.

•
We propose a 5-grade maturity assessment scale to define the risk assessment maturity achieved by an organization dedicated to logistic processes.

•
We introduce a two-stage assessment method to assess the risk based on the global maturity index's average level. • Finally, we implement the proposed two-stage assessment method to verify the proposed model's diagnostic function and determine its labor intensity.
Therefore, the article structure includes, apart from the Introduction, a detailed review of the literature in the area of risk management and assessment. Moreover, business maturity modeling issues are investigated. Next, a proposed model of assessing the maturity of risk management in logistic processes is presented. The developed maturity assessment model includes five main assessment areas, including knowledge, risk identification and analysis, risk response, risk monitoring, and cooperation at risk. The described model has been implemented in the selected production company from the automotive industry. Based on the analyzed case study, a diagnosis of the current maturity level was made based on the two selected approaches-the classical RMM approach and the proposed extended RMM approach. The whole work is summarized in the form of conclusions and the identification of further directions of the authors' research work.

Literature Review
The proposed research is closely related to two research areas: Risk management and organization maturity modeling. The authors briefly review the key literature in each of these areas related to supply chain performance in the following section.

Supply Chain Risk Management
Supply chain risk and resilience issues have become a field of research over the past 20 years. The growing interest in supply chain risk and resilience issues may be confirmed by the results of the Supply Chain Resilience Reports in which the challenges of developing resilient supply chains have been considered since 2008 (see, e.g., [13][14][15]). The reports highlight the level, range, and cost of disruptions those organizations face and demonstrate how a disruption in one organization can spread out over the entire supply chain [15].
Moreover, many definitions have been developed in known scientific works due to the plethora of studies on supply chain risk management. A summary and review of the existing definitions are presented, e.g., in [16]. In another work [17], the authors classify existing literature on risk sources' typology, including environmental factors, industry factors, organizational factors, problem-specific factors, and the decision-making process. Moreover, the analysis of designing supply chains in the aspect of the decision-making process affected by uncertainty and risk is presented in work [18]. The paper presents a review of the literature analyzing the possibilities of using selected quantitative methods in the aspect of analysis and assessment of various types of risk as well as measures assessing the resilience of chains. Additionally, recent literature reviews on supply chain risk management are provided, e.g., in works [19][20][21][22][23][24].
The problems of supply chain disruptions management are analyzed, e.g., in [25], where the relationship between detection of a disruption event, causes of an event, and recovery performance were reviewed. This problem was also analyzed in [26] from the decision-making process perspective. The author developed propositions for social, psychological, environmental, organizational, and individual factors that drive the idiosyncratic nature of supply disruption risk decision-making. A comprehensive review of supply chain risk sources is given in [27]. The authors also provided a short investigation of the link between those supply chain risk sources and supply chain performance.
The influence of different risk conditions on supply chain risk management strategies was analyzed in [28]. The authors focused on widely acknowledged risk management approaches as postponement and speculation and highlighted the dangers of functionally isolated decision making.
Risk mitigation strategies were under investigation, e.g., in works [29]. In [29], the authors review supply chain decision-making from a system perspective. They focused on green supply chain management, supply chain risk, and supply chain efficiency issues. In the second work [30], the authors proposed supply chain risk mitigation strategies in the presence of a variety of risk categories, risk sources, and supply chain configurations.
Another interesting problem was analyzed in [31]. The authors focused on the investigation of supply chain uncertainty for delayed supply chain project investments. They analyzed six main options-unlocking, stage, scale, switch use, deferral, and abandonment in the frame of decision-making theory.
In another work [32], the authors analyzed risks caused by supplier disruptions using the probabilistic risk assessment approach. Moreover, scientific work may be found focused on, e.g., HAZOP-based (Hazard and Operability Studies) approach implementation [33], or bow-tie diagrams use [34]. The problem of monitoring key risk indicators is investigated, e.g., in [35].
Supply chain risk management can be analyzed regarding maturity modeling issues.

Organizations' Maturity Modeling
The term "maturity" may be defined as a state of being complete, perfect, or ready; a fullness of development [36]. Simultaneously, a maturity model is usually defined as a structured set of elements that describes an evolutionary path of improvement from immature processes to mature, effective, and qualitatively better processes [36].
The main idea beyond any maturity model is to assess the level of achievement of identified goals or expected results. Maturity can also show the preparedness to set new business challenges and development [37]. Therefore, the maturity model is a set of various tools and practices that enable the assessment of an organization's management competence [38], as well as the improvement of key factors leading to the achievement of the assumed objectives [39]. The OMG (Object Management Group) defines maturity models as an evolutionary process of implementing key practices in one or more areas of company performance [40]. Thus, the model determines the current state of an organization, which results from:

•
The way it operates; • The possibility of using its resources or previous experience; • The objectives that can be achieved in the future by setting priorities for actions and identifying the means and ways of their implementation.
The adopted levels of maturity allow the organization to improve its practices, starting from undefined and inconsistent practices and processes, through practices that are repetitive at the level of organizational units, to comprehensively defined business processes (predictable and statistically managed), to the continuous process of innovation implementation and optimization [40]. The maturity model, therefore, has two functions-diagnostic and planning. First, it is used to assess the organization's competencies by determining the level of implementation of individual solutions and practices and, consequently, assessing the organization's strengths and weaknesses. Next, the same tool allows the decision-makers to show the way of development by determining the scope of activities and changes, which is necessary to increase the maturity level [41].
Two approaches are distinguished in assessing maturity: Fixed and continuous representation [42]. In the fixed representation, each level of maturity is assigned a specific number of process areas, whose implementation in a given organization allows a specific level of maturity to be achieved. In this approach, the principle of aggregation applies. Achieving a given level of maturity means a positive assessment of all process areas from a given level. The improvement of the organization is, therefore, of an incremental nature. The improvement process is carried out based on a schedule of activities, which defines the designated practices necessary to be implemented to achieve the target level of maturity in the future. Continuous representation makes it possible to improve selected process areas that are critical to the organization. In the process of improvement, each process area is assessed individually according to the adopted maturity scale; therefore, the organization gains excellent flexibility in selecting activities. The selection of implemented practices from a selected area depends on the resources available and the adopted development goals. The main differences in fixed and continuous representation are presented in Figure 1.
Recently, there are many maturity models used for the assessment of performance levels of business organizations. The discussion about maturity models concerning the application section was provided, e.g., in [43], where the authors identified 200 maturity models and later analyzed them, taking into account validity tests. Moreover, the literature review on the evaluation of maturity models was developed in [44]. The authors classified the existing models into six categories: the maturity model evaluation, type of evaluation, a relation of the evaluators/authors to the maturity model, level of objectivity, the primary purpose of the paper, and the study's size. A short comparison of the chosen models was provided, e.g., in [45], where the authors established differences and similarities between the maturity levels (and their processes) described in the analyzed models. In turn, enterprise maturity models are reviewed in [46], where maturity alignment was widely investigated. quently, assessing the organization's strengths and weaknesses. Next, the same tool allows the decision-makers to show the way of development by determining the scope of activities and changes, which is necessary to increase the maturity level [41]. Two approaches are distinguished in assessing maturity: Fixed and continuous representation [42]. In the fixed representation, each level of maturity is assigned a specific number of process areas, whose implementation in a given organization allows a specific level of maturity to be achieved. In this approach, the principle of aggregation applies. Achieving a given level of maturity means a positive assessment of all process areas from a given level. The improvement of the organization is, therefore, of an incremental nature. The improvement process is carried out based on a schedule of activities, which defines the designated practices necessary to be implemented to achieve the target level of maturity in the future. Continuous representation makes it possible to improve selected process areas that are critical to the organization. In the process of improvement, each process area is assessed individually according to the adopted maturity scale; therefore, the organization gains excellent flexibility in selecting activities. The selection of implemented practices from a selected area depends on the resources available and the adopted development goals. The main differences in fixed and continuous representation are presented in Figure 1.
Recently, there are many maturity models used for the assessment of performance levels of business organizations. The discussion about maturity models concerning the application section was provided, e.g., in [43], where the authors identified 200 maturity models and later analyzed them, taking into account validity tests. Moreover, the literature review on the evaluation of maturity models was developed in [44]. The authors classified the existing models into six categories: the maturity model evaluation, type of evaluation, a relation of the evaluators/authors to the maturity model, level of objectivity, the primary purpose of the paper, and the study's size. A short comparison of the chosen models was provided, e.g., in [45], where the authors established differences and similarities between the maturity levels (and their processes) described in the analyzed models. In turn, enterprise maturity models are reviewed in [46], where maturity alignment was widely investigated. According to [37], the idea of a mature organization in a supply chain may be understood as engagement in extensive collaboration across a wide arc of supply chain partners in order to implement appropriate integrative practices. One of the recent literature reviews on supply chain management maturity models was developed in [48]. A summary of supply chain management maturity models was given in [49]. Furthermore, maturity According to [37], the idea of a mature organization in a supply chain may be understood as engagement in extensive collaboration across a wide arc of supply chain partners in order to implement appropriate integrative practices. One of the recent literature reviews on supply chain management maturity models was developed in [48]. A summary of supply chain management maturity models was given in [49]. Furthermore, maturity models in supply chain sustainability were reviewed in [50] and analyzed in [37]. The study on the assessment of the company's maturity level of Logistics 4.0 implementation was presented, e.g., in [51], and the innovation maturity model in logistics was introduced in [52].
Moreover, the problems of maturity differences in supply chains between customers and suppliers were of interest to the paper's authors [53]. A maturity test for supply chain operations was investigated in [54].
Risk management maturity models were reviewed, e.g., in [55]. The authors analyzed the main attributes of the existing maturity models and provided a comparison of maturity measurement levels of different models that may be implemented in construction organizations.

Methodology
During the performance of risk management maturity assessment analyses in logistics processes, we formulated the following research questions: What areas of risk management should be the subject of maturity studies in relation to logistics processes based on classic RMM ERM models? • RQ2. How to additionally take the inter-organizational nature of logistics processes into account in the risk management maturity study? • RQ3. How do we identify risk area characteristics at maturity levels? • RQ4: How should the risk management maturity assessment process be conducted in logistics processes? • RQ5. Will the developed RMM model's application affect the risk management maturity assessment performed in the selected organization?
Based on the review of RMM models presented in [56], areas for assessing the maturity of risk management have been identified, which so far have been included in the models presented by various authors. These areas, together with the number of occurrences, are presented in Figure 2.
Based on the mind map analysis, eight areas of maturity assessment were identified, which most often appear in the models described in the literature, i.e., culture, process, experience, application, risk identification, risk analysis, risk response, management capabilities in relations to risk. The risk management maturity assessment areas identified based on literature studies were verified with logistics specialists' information needs. The research was carried out as part of training courses on "risk management in logistics processes," which logistics managers attended from enterprises representing various economic sectors. The training participants were asked to indicate which areas assessed in classic RMM models should be the subject of maturity studies to assess logistics processes. A total of 46 managers took part in the survey. The most frequently indicated areas are presented in Figure 3. The surveys of managers' opinions have not been of a purely statistical nature. The obtained results have been aimed at a preliminary verification of the assumptions made in the adopted methodology.    Based on both conducted research studies, four leading assessment areas have been defined for the risk management maturity model, which takes into account the specificity of logistics processes:

1.
Experience/knowledge: It should be taken into account that in an interview with logistics managers, the participants stressed the importance of the experience and registered/formalized knowledge of established events.

2.
Risk identification and analysis: Taking primarily the methods and scope of conducted risk analyses for logistics processes into account.

3.
Risk process management/Risk response: Determining the degree of use of the results of conducted risk analyses in the process of planning material and information flows, as well as the process management itself, taking into account their limitations and unwanted events.

4.
Risk monitoring: Understood as monitoring the correctness and effectiveness of logistic processes and achieving the assumed logistic standards.
The indicated areas of maturity assessment are in line with the patterns described in the literature on RMM models. However, as noted in the Introduction, logistic systems have specificity in operating at several organizations' interaction. Therefore, when developing a maturity assessment tool for risk management in logistic processes, their cooperative nature should be considered. Therefore, the proposed model, LRMM (Logistic Risk Management Maturity), includes the concept of Collaborative Risk Management. This concept is primarily concerned with "the capacity of organizations, societies, and countries to coordinate and join efforts, prior to, during, and after major incidents, in an attempt to prevent or, at least mitigate adverse consequences through effective utilization of technology, unique leadership, teamwork, and communications" [57]. Based on this, the fifth area of assessing risk management's maturity, namely cooperation at risk, has been established.
In determining the number of maturity levels for the model developed, the literature review prepared by [56] was used again. The described maturity models were mostly based on a 4-or 5-grade assessment scale. They analyze the implementation path for reaching full maturity for risk management in logistics processes. Therefore the authors also decided to use a 5-stage assessment scale. For each of the five identified maturity areas, the risk management system's characteristics were therefore determined, as shown in Table 1. Table 1. Characteristics of global maturity levels of risk management system in logistics processes.

Knowledge
Lack of systematic knowledge about the operation of logistic processes and occurring disturbances. The employees rely solely on their own experience. Lack of knowledge of the organization about risks in logistics systems.
Logistics process managers have the knowledge gained from their team about critical logistics operations and the associated risks. However, this knowledge is not formally recorded in the system.
Based on collected reports about logistic operations, managers report the most significant adverse events to the system.
A knowledge base of adverse events is established, taking into account the causes, effects, dates of occurrence, associated factors, and critical logistic operations (in particular their time and space relationships and resources).
The knowledge base is regularly updated based on current observations and events. The company also registers in the system sectoral, process, and technical knowledge derived from benchmarking analyses. The knowledge is acquired based on developed reporting tools. The knowledge comes not only from the company's own experience but also from other external entities. Defined knowledge management principles.

Risk identification and analysis
Lack of identification of undesirable event to the successful operation of logistics processes. No risk assessment, even for the critical delivery processes.
In the case of undesirable events in critical logistic operations, the risk of their occurrence shall be determined using qualitative tools. The results are communicated to the management board only.
Risk identification and analysis of logistic processes carried out at the request of the management board.
Only a small team of logistics specialists is involved in the performed analyses. Quality tools are mainly used. The results are communicated to the management board and logistics managers.
Risk analysis is carried out for all logistics processes regularly but at considerable intervals. An evaluation carried out using quantitative and qualitative tools. The results are communicated to the management board and selected managers (not only from the logistics area).
A risk assessment carried out on a systematic basis (periodic update of the results obtained). The assessment uses the knowledge of managers from different areas-a team composed of specialists from different areas of the company. The use of advanced quantitative and qualitative risk assessment tools. Assessment results are distributed to all units of the organization.

Risk response
Lack of identification of the critical logistics processes. Lack of consideration of occurring limitations or undesired events in the planning processes performance.

Risk monitoring
Lack of a system of logistic indicators to monitor the efficiency and effectiveness of performed processes.
Fundamental logistic indicators that monitor the performance of processes and the results obtained. Lack of use of logistic indicators in the assessment of hazards to the execution of delivery processes.
Fundamental logistic indicators to monitor the efficiency and effectiveness of performed processes, calculated regularly for reporting purposes, and at the management board's request. Set standards for indicators to inform about deviations from planned effects achievement level.
A formalized (integrated with the IT system) system of indicators monitoring the correctness and effectiveness of the implementation of logistic processes and their compliance with the set standards (logistic service standards). Risk analysis in the case of long-term or significant deviations occurrence.
A comprehensive system of indicators monitoring the correctness and effectiveness of logistic processes, determined regularly based on data reported to the system. Regular analysis and interpretation of deviations from the assumed logistic standards. Exchange of information between departments on significant deviations affecting supply processes and other company processes. Indicators play the role of guards of process correctness.

Cooperation at risk
Lack of exchange of information on adverse events within the company and with business partners.
For critical events, cooperation between functional areas following the guidelines of the management board.
Sharing information on adverse events with other functional areas of the company. Internal cooperation in planning high-risk processes. Information on disruptions to business partners.
Sharing information on adverse events within the company and with strategic partners. Developed emergency scenarios for high-risk adverse events, prepared together with strategic partners.
Information integration of risks within the company and with business partners. Cooperation with partners in the supply chain in the area of risk reduction. Joint development of preventive measures. Jointly developed emergency response scenarios taking into account the potential and accepted ranges of deviations by partners in the supply chain and distribution channels. Coordinated responses to the occurrence of adverse events.
The conducted maturity assessment is in accordance with the model of continuous representation, which not only allows the current level of maturity of the organization to be diagnosed, but also the weak and robust management areas to be identified. Thanks to this, the tool used plays a diagnostic role and enables the determination of further directions for the improvement and development of the assessed system. However, the organizations' managers also assess management areas in order to determine their position among competitive companies. Therefore, there is a need for a global index defining the level of an organization's maturity, which will determine its position among enterprises from the sector. Therefore, the analysis of risk management's maturity based on a 5area assessment matrix is complemented by determining the logistic risk management maturity indicator. This indicator is calculated based on the organization's results in each of the analyzed logistic risk assessment areas. The points obtained for particular areas are summed up, and then the average maturity level is calculated. In order to estimate the average level of maturity, the arithmetic mean can be used if all assessed areas have comparable value for managers. However, it is worth considering using a weighted average, which will allow an organization to assign importance to particular areas of risk management in a company and reflect priorities resulting from the adopted operational strategy. Thus, an assessment of the maturity of a risk management system in logistic processes will be estimated according to Formula (1): where: ML-the average level of global maturity, the ML need not be an integer, A i -assessment of the maturity of processes in the ith area, ω i -the weight assigned to the ith area, where ∑ ω i = 1, n-number of areas evaluated. Due to the use of a weighted average, the result of the global maturity of logistics processes achieved by an organization does not have to be an integer. Therefore, when designing a matrix for assessing the resilience of logistics processes based on risk management maturity, it is reasonable to use a range scale to consider the partial/weighted results obtained. This scale can be modified accordingly, depending on the managers' preferences responsible for the assessment procedures. Thus, the assessment scale in the second phase of the procedure will take the form presented in Figure 4. The conducted maturity assessment is in accordance with the model of continuous representation, which not only allows the current level of maturity of the organization to be diagnosed, but also the weak and robust management areas to be identified. Thanks to this, the tool used plays a diagnostic role and enables the determination of further directions for the improvement and development of the assessed system. However, the organizations' managers also assess management areas in order to determine their position among competitive companies. Therefore, there is a need for a global index defining the level of an organization's maturity, which will determine its position among enterprises from the sector. Therefore, the analysis of risk management's maturity based on a 5-area assessment matrix is complemented by determining the logistic risk management maturity indicator. This indicator is calculated based on the organization's results in each of the analyzed logistic risk assessment areas. The points obtained for particular areas are summed up, and then the average maturity level is calculated. In order to estimate the average level of maturity, the arithmetic mean can be used if all assessed areas have comparable value for managers. However, it is worth considering using a weighted average, which will allow an organization to assign importance to particular areas of risk management in a company and reflect priorities resulting from the adopted operational strategy. Thus, an assessment of the maturity of a risk management system in logistic processes will be estimated according to Formula (1): where: ML-the average level of global maturity, the ML need not be an integer, -assessment of the maturity of processes in the ith area, -the weight assigned to the ith area, where ∑ = 1, n-number of areas evaluated.
Due to the use of a weighted average, the result of the global maturity of logistics processes achieved by an organization does not have to be an integer. Therefore, when designing a matrix for assessing the resilience of logistics processes based on risk management maturity, it is reasonable to use a range scale to consider the partial/weighted results obtained. This scale can be modified accordingly, depending on the managers' preferences responsible for the assessment procedures. Thus, the assessment scale in the second phase of the procedure will take the form presented in Figure 4   As noted previously, the ML indicator is calculated on a weighted average, so its value does not have to be an integer. For this reason, when constructing each level's global characteristics, it is necessary to consider the partial achievement of the requirements assigned to each level in the assessment areas under consideration. This means that an organization can reach a certain level of maturity determined by the ML indicator without obtaining the maximum rating for that level in all areas of the analyzed logistic risk management (e.g., an organization reaches level 3 according to the ML indicator, although in the detailed assessment process, level 3 was obtained in 4 out of 5 assessed areas).
For each ML value, a global characteristic of the organization's maturity level of logistical risk management has been developed. These characteristics are presented in Table 2. Table 2. Characteristics of global maturity levels of risk management system in logistics processes.

Level 1: Ad hoc risk management
There are no activities aimed at identifying risks in the area of logistic systems performance; no preventive actions, and no reduction of the effects of supply disruptions. Lack of risk management rules and procedures in logistic systems operation, due to the occurrence of undesired events, deliveries are executed in a chaotic manner ("ad hoc" management).

Level 2: Critical events in logistic system management
Developed and implemented procedures for managing critical events in logistic systems.
Other possible disruptions are identified, but there are no systematically applied solutions for risk assessment and logistic process performance management. Lack of use of available IT (information technology) tools to gather knowledge and monitor the current implementation of delivery processes. Possible risk reduction is limited to a given logistic process and results from particular logistic managers' initiative. The competence and commitment of employees determine the success of an organization.

Level 3: Selective organizational risk management
Risk management procedures and rules have been developed but are not implemented in a systemically sound manner. They are known only to a small group of logistic specialists. Risk assessment is supported by information from the IT system (ERP (Enterprise Resource System), WMS (Warehouse Management System)). No continuous monitoring of risks. Delivery risk assessment results support management processes, but only in selected cases. The principles of cross-departmental cooperation (of particular functional areas in the company) are defined in case of undesired events (with a high level of risk) in particular processes occurrence. Qualitative methods are used to identify and assess logistic risk.

Level 4: Cross-functional supply risk management
Risk assessment and management procedures in the logistic system have been developed and implemented systematically. The risk assessment involves representatives of the logistics department and the departments cooperating in handling material and information flows in the company. The company collects information on undesirable events systemically occurring in the delivery process and uses it in the planning processes. Selected business partners are involved in risk management processes. In addition to qualitative methods, basic quantitative methods are included in risk identification and assessment. Risk monitoring is based on a defined system of logistic indicators.

Level 5: Integrated supply risk management
Full implementation of all assumed supply risk management tools in a fully integrated system. A system for gathering and using the information following the concept of a learning organization. Continuous improvement of logistics processes based on risk assessment. Full use of the knowledge and experience of logistics staff and external information from supply chain partners. Risk management system based on integration with business partners. Integration of the risk management system with the so-called core business objectives and company management strategy.
For such a defined model of assessing the maturity of logistic processes risk management, an assessment procedure has been formulated, which includes a 2-stage analysis process: (1) A detailed assessment based on a 5-area assessment matrix and (2) an overall assessment based on the global maturity indicator for operational risk management ML. The assessment process is the first phase of the diagnostic procedure and is an input to phase 2, consisting of identifying potential areas of improvement for logistic risk management. Both phases of the proposed LRMM model are shown in Figure 5. For such a defined model of assessing the maturity of logistic processes risk management, an assessment procedure has been formulated, which includes a 2-stage analysis process: (1) A detailed assessment based on a 5-area assessment matrix and (2) an overall assessment based on the global maturity indicator for operational risk management ML. The assessment process is the first phase of the diagnostic procedure and is an input to phase 2, consisting of identifying potential areas of improvement for logistic risk management. Both phases of the proposed LRMM model are shown in Figure 5.

Results and Discussion
The proposed method was used to assess a risk management system's maturity for the selected production company. The company under investigation is a supplier for manufacturers from the automotive sector, located mainly in Poland. The company started as a local family business, supplying several customers located in the region. However, thanks to the commitment and high quality of the service provided, the company has, in recent years, registered a few times increase in its turnover thanks to the acquisition of

Results and Discussion
The proposed method was used to assess a risk management system's maturity for the selected production company. The company under investigation is a supplier for manufacturers from the automotive sector, located mainly in Poland. The company started as a local family business, supplying several customers located in the region. However, thanks to the commitment and high quality of the service provided, the company has, in recent years, registered a few times increase in its turnover thanks to the acquisition of successive several-year contracts. At present, the company employs about 200 people, with the management staff (upper and middle level) representing about 20% of all employees. The company provides products with an uncomplicated technological structure to not compete with the manufactured products' innovativeness. Therefore, it builds its competitive advantage based on a high level of logistic service and operational flexibility. To meet the customer service policy's declared objectives, the management of the company puts great emphasis on the improvement of logistic processes, including the process of material supply and logistic service of the customer order.
For several years the company has been implementing the concept of risk management in its key business processes. One such area is logistic processes, which determine the competitiveness of the manufacturer's offer on the serviced market. The risk analysis methods are currently limited to quality tools implementation, which is selected and prepared for implementation by a small group of the CEO's (chief executive officer) closest associates. The company is a participant in global supply chains. The supply of raw materials is provided by local (national) suppliers, but also global companies from China or European countries (Italy, Spain, Germany). Direct customers of the manufactured products are Polish clients, but also from Asian and European countries, as well as companies located in South America. The company's management has established partnership relations primarily with domestic suppliers and customers, but also with selected contractors in Germany. The cooperation with other business partners is based on several years' contracts, but without information integration in terms of crucial material flows performance. The customers send their demand forecasts for the following months of the year to the surveyed company, following the contract signed, but the final orders may differ up to 50% from the reported monthly demand forecasts.
The evaluation procedure has been prepared based on the following: • Face-to-face interviews with senior and middle management and with the management board, based on a structured interview aimed at identifying procedures and tools for risk management areas according to the proposed approach; • Accompanying direct observation carried out between October 2019 and January 2020; • Document workflow analysis; • Analysis of the scope of prepared reports and indicators.
The assessment procedure has been carried out according to Steps 1 and 2 of the scheme given in Figure 5. The analytical procedure was carried out for two models of logistic risk management assessment: • Option 1-traditional core areas of RMM models described in the literature were assessed; • Option 2-traditional assessment areas have been extended to include the area of cooperation in risk management.
Due to the fact that in option 1-4 areas are assessed, while in option 2-5 areas, each assessment procedure required separate weights for the analyzed areas. The weights in both options were determined by the management board and the logistics department managers. Therefore, one should consider that the weight values may be modified according to the managerial decisions taken in the company. Moreover, they are company-specific, and one will need to be aware that they can take different values from one company to another.
According to the assessed areas, the company's logistical risk management characteristics are presented in Table 3. The weights assigned to each of the areas in both analytical variants, as well as the estimated level of maturity, are presented in Table 4.
The carried out analytical process indicates that by assessing according to the classic RMM areas, the company achieves a global logistic process management maturity indicator at level 3. This means that the company already has qualitative tools for assessing risks in its delivery systems. Thus, the effects of potentially occurring adverse events can be effectively minimized by managers. The weaker area in the evaluated company is process risk management. Emergency management modes are developed only for critical adverse events occurring in delivery processes. The company also lacks focus on implementing preventive actions or actions to limit the consequences of undesirable events occurrence. Table 3. Characteristics of areas subject to an assessment of the risk management maturity in the company's logistic processes.

Area
Characteristics of the Area in the Analyzed Company

Knowledge
In the case of an adverse event that occurred in supply processes, managers collect information from team members on the causes of the event and determine the consequences of its occurrence. Undesirable events, which are the most important in their assessment, are recorded in a shared spreadsheet with the date of occurrence.

Risk assessment
Risk identification and analysis is prepared for every request of the company management. However, the analysis is prepared by a small team of the CEO's closest associates. Based on the information entered by logistics specialists into the spreadsheet, the logistics director determines critical events. These are registered cases with many repetitions or effects that significantly affect the company's market position. For critical events, managers must periodically prepare a risk analysis based on their observations and knowledge. Information on the identified risks is communicated to the management board and selected managers.

Process risk management
For critical events, particularly for which the consequences determine an enterprise's competitive position, logistic managers are required to develop emergency procedures. These actions are primarily aimed at maintaining the continuity of the company's operations and a quick return to the declared level of logistical service.

Cooperation at risk
Prepared scenarios for emergency procedures assume integration of activities of selected functional areas. For this reason, information on critical events is placed in spreadsheets to which managers of all functional areas have access. However, the cooperation procedure applies only to events critical to the company's operations.

Risk monitoring
Information on critical events is communicated only to selected managers and only for the management board's explicit indication. No exchange of information on adverse events with contractors, even those with whom the company cooperates in partnership relations. However, it should be noted that the analysis carried out according to the proposed extended logistic risk management maturity model (LRMM) takes the company back to level 2. This is due to the fact that managers do not benefit in any way from their position in the logistics chain or the developed relationships with their business partners. In the case of the overall risk management model, which is primarily oriented towards the company's performed inside processes, this fact would not be decisive. However, in the case of logistic processes that are carried out at the interaction of all partners in the supply chain, such a low level of maturity in this area is crucial for the entire logistic risk management system. Therefore, the proposed maturity assessment model has also been used to improve the current logistic risk management system. Based on the assumptions required for the next level of maturity in both areas of the proposed LRMM model, scenarios of changes (improvements) required by the company have been developed. These scenarios are presented in Table 5. Table 5. Scenarios for improving the risk management system for the analyzed company.

Risk Assessment
Risk Process Management AS-IS ANALYSIS No exchange of information on adverse events occurring in the supply chain Process emergency procedures designed for critical events only TO-BE SCENARIO Step 1: Cooperation between departments within the company to reduce the impact and likelihood of adverse events occurrence Step 1: Use of risk analysis results for planning vulnerable processes Step 2: Transmission of the information on potential disruptions in supply/orders to business partners Step 2: Development of preventive procedures and management scenarios for identified adverse events The company's activities should primarily focus on the possibility of mitigating potential logistical disruption by exchanging information along the supply chain. This cooperation should primarily involve suppliers and customers with whom the company has partnership relations. Information on undesirable events provided insufficient advance will allow better management of the material flow along the supply chain, for example, by creating back-up buffers at specific points in the logistics network. Carrying out the proposed to-be scenario will allow the organization to reach the next level of maturity in the area of cooperation at risk and go straight to the third maturity level. The simultaneous observations made by the research team during the indicated period show that the implementation of the proposed scenario is now possible in the company's logistic risk management system.

Conclusions and Directions for Further Research
In the classic maturity assessment models, the focus is primarily on internal processes related to risk management. The analysis of the risk maturity assessment models described in [56] and presented in the form of a mind map in Figure 2 shows that in the classical approach to risk management, the focus of decision makers is primarily on the development of internal tools and systems for risk analysis and management. This approach is consistent with the concept of Enterprise Risk Management. The strategy defines risk management as a process, which is conducted by directors, board of directors and other staff, included in the organization's strategy and implemented throughout the enterprise in order to: (1) Identify potential events that could adversely affect the business unit, (2) manage the magnitude of their risk, and (3) ensure the achievement of the organization's objectives [11]. As a result, the potential for risk management is limited solely to the organization's internal resources. However, many publications indicate that today's supply chains are competing with each other, not individual companies [58]. As organizations build their competitive position on the basis of their participation in the supply chain, it also seems appropriate to manage risks in cooperation with supply chain participants, particularly in the area of logistical flows performance. This is confirmed by the concept of supply chain risk management, which is described, among others, in [3,28,31]. If this approach is appreciated by managers, the cooperation element must also be included in methods/models aimed at assessing the level of maturity in risk management, in particular for logistics systems at the interface between the links in the supply chain.
Therefore by combining both investigated approaches-supply chain risk management and organizational maturity modelling, a company can not only improve its internal risk management procedures but, above all, take advantage of information integration in the supply chain. This reduces the likelihood of adverse events occurrence, or may reduce their negative consequences by a fast reaction of the supply chain. Thus, the classic model does not allow the potential for improvement of supply chain risk management resulting from partnership cooperation in the supply chain to be identified. Moreover, it does not give the possibility to define directions to improve the company's risk management system by using information integration with partners cooperating in the supply chain. Therefore, in the article, the authors have developed a model for assessing risk management maturity in logistics processes, which can be a diagnostic and planning tool. The novelty of the proposed approach is based on introducing a new area of risk maturity assessment based on participation in the supply chain-cooperation at risk-which has made it possible to take account of the dependencies in the supply chain. A 5-grade maturity assessment scale is also proposed in order to define the risk assessment maturity achieved by an organization dedicated to logistic processes.
The proposed model has been implemented in the process of logistic audits in the selected production company. The assessment procedure for the selected case allowed us to verify the complexity of the adopted procedure, the substantive scope of the developed assessment tool and allowed us to determine the intensity of implementation work. In addition, the proposed solution has been compared with traditional models of risk analysis, which use the four traditional core assessment areas. The results obtained for the case under consideration has demonstrated the superiority of the proposed 5-level assessment approach over the classic risk management of logistics processes. The presented example of the method application allowed its usefulness and adequacy to the needs of the area of logistics risk management in the surveyed company to be determined. The assessment procedure also showed an average workload of measurements. This results from a precisely developed evaluation system, described in the form of precisely defined characteristics for particular levels of maturity and understandable rules for assigning scores at both stages of the proposed procedure. The managers of the surveyed company evaluated the described assessment model positively and found it useful both in the diagnostic phase as well as in the process of changes aimed at increasing the resilience of logistics processes.
We recommend the application of the proposed model in production, distribution and even service-providing companies of different sizes and scope of operation. However, in order to be able to formulate general conclusions about the application of the adopted method in different types of companies, qualitative research will be carried out to assess the usefulness of the proposed LRMM model. Positive verification of the proposed model's diagnostic function is necessary to predispose it to implementation in the logistic audit procedure, taking into account risk management aspects in the company. The studies should also assess the usefulness of the LRMM as a tool to support planning processes. Then this method can be used in consulting projects to improve the risk management system and build the resilience of logistic processes to the occurring disturbances. Moreover, one of the authors' future research directions is focused on the performance of interviews among a representative research sample (interviews of managers from different sectors and company's sizes), what gives the possibility to generalize the obtained results. Conducting such a research step with implementation of the developed model in different companies, will enable the setting of new standards in the area of risk maturity management in logistics processes.
At this stage of carried out research analyses, the authors may point out two main possible limitations of the proposed model. First, the model limitation may be connected with the managers' correctness of the assessment carried out. The managers may give incorrect answers during the internal audit performance to obtain higher ratings than the actual level of achieved maturity of supply chain risk management. The second possible limitation is the possibility of omission of specific steps during the proposed assessment procedure performance. Following this, to obtain reliable results, it is necessary to follow the procedure and appropriately evaluate the actual level of the areas being assessed in the model.
As a result, this research makes significant contributions to the theory and practice of supply chain risk assessment. First, a new approach for risk management maturity assessment was proposed. Second, the presented approach can be a valuable tool to support real-life systems' decision-making processes, as confirmed by the sample company investigated.
The presented implementation of the LRMM model for the investigated company has obtained positive results. However, as it has been stated, they are insufficient to make a generalized conclusion. Therefore, as part of the authors future research, further validation of the assumptions made in the developed model is justified. For this purpose, it is necessary to conduct interviews among a representative research sample and their statistical analysis allowing the results obtained to be generalized according to generally applicable rules. Therefore, the authors plan to conduct structured interviews among logistics managers, aimed at obtaining their opinions on the usefulness, completeness, ease of conducting and practical application of the developed assessment tool. At the same time, implementations will be carried out in other sectors and among other participants of supply chains. Such analyses will allow to assess the universality of the adopted approach and indicate possible directions of specialization required due to the requirements resulting from the specificity of a given organization's activity. Implementation in companies will also allow for the development of a set of good practices that may support the practical application of the proposed tool. On the basis of good practices, it will also be possible to develop the so-called road maps for the application of the proposed LRMM model, which, apart from the basic assumptions, will also include guidelines for its implementation.
Additionally, the authors' future research can focus on uncertainty in the decisionmaking process by implementing fuzzy theory into the risk maturity levels assessment. This provides a more adjusted assessment procedure as managers may have difficulty assigning a specific level of maturity to their organization. Moreover, following the risk-based asset management approach, the proposed risk management maturity model may be extended to provide a comprehensive measurement method in this area. Following this, a new hybrid maturity index ratio will be developed, including both risk and resilience parameters.