Two years ago a research project by Peter Kulik investigated how organisations perceive the value of risk management. The survey addressed a number of different aspects, but two questions were particularly interesting. The first question asked "How important is risk management to project success?", with possible answers chosen from extremely important, very important, important, somewhat important, not important. The second question asked "How effective is risk management on your projects?", with answers ranging from extremely effective, very effective, effective, somewhat effective, or ineffective. Of course the raw data was interesting in itself, but the correlation between answers to these two questions was fascinating. If the answers to each question are simplified into two options (positive or negative), then there are four possible combinations :
兩年前有一個由Peter Kulik 進行的研究計畫，探討組織對風險管理價值的認知，該調查指出了數個不同的面向，其中有兩個問題特別有趣；第一個問題是「風險管理對專案的成功有多重要？」，可選擇的答案為非常重要、很重要、重要、有些重要、或不重要。第二個問題是「風險管理在你的專案中效果如何？」，答案的範圍包括非常有效、很有效、有效、稍微有效、或無效。當然，原始資料本身十分有趣，但是這兩個問題的答案間之相關性卻更耐人尋味；如果將每個問題的答案簡化為兩個選項（正面或負面），那麼就會出現四種組合 :

1. Risk management is important and effective
2. Risk management is important but not effective
3. Risk management is not important and not effective
4. Risk management is not important but it is (somehow) effective
1. 風險管理是重要且有效的
2. 風險管理是重要的但沒有效
3. 風險管理是不重要的且沒有效
4. 風險管理是不重要的但卻有（某種）效果

Perhaps the fourth combination is not really feasible, since it would be unusual for risk management to be effective if the organisation does not consider it to be important. Indeed if it is viewed as unimportant it might not be done at all. But the other three combinations represent different levels of risk management maturity, and organisations in each of these three groups might be expected to act in very different ways.
也許第四種組合並不合適，因為如果組織並不認為風險管理是重要的，但它卻能夠有效是 不合乎常理的，若被視為不重要的話則甚至可能根本不會去執行。但其他三種組合正代表了不同 水準的風險管理成熟度，且三群內的組織會以非常不一樣的方式採取行動。

Where risk management is seen as important and it is also effectively delivering the promised benefits (Combination 1), those organisations could become champions for risk management, demonstrating how it can work, and persuading others to follow their lead. These risk-mature organisations might be prepared to supply case studies and descriptions of best-practice, allowing others to learn from their good experience.
在風險管理被視為重要且能有效地帶來所承諾的效益時（組合1），那些組織可以成為風險管理的標竿，展示風險管理是如何的有效、並引領其他組織追隨其腳步，這些風險成熟的組織可以提供個案研究及最佳實務的案例，讓其他組織學習其良好的經驗。