MATURITY OF RISK MANAGEMENT CULTURE

: Risk management culture is an element of management philosophy in an organization. Private, public and non-profit organisations differ in the objectives pursued while doing their business, but the activity of each of them entails taking and mitigating risks. To maximise the likelihood of reaching the objectives of an organization is essentially the sense of management. Yet, risk can create a threat that the objectives will not be met; therefore, to manage an organisation is to manage risk in such a way as to maximise the likelihood of achieving objectives. In this way, organisations build risk management culture, and, within it, they build such a system where the risk management process will be effective in maximising objectives. The article addresses the problem of building and improving risk management culture. It is part of broader research into the culture of risk management in companies and public organisations in Poland. The research, a basis for analysis and assessment of the maturity of risk management culture, was carried out involving survey questionnaires, free interviews and participant observations. To analyse the results and to assess the maturity of risk management culture in the surveyed organisations a categorization method and the author's risk management culture maturity model were applied.


Introduction
Risk management is currently gaining in importance. An analysis of the potential impact of risk should result in actions and use of methods to properly manage it, taking preventive measures against risk materialisation at the level of causes. Risk management is a decision-making process with an implementation of actions aimed at increasing the likelihood of achieving the objectives pursued to ensure that the organization can continue to function. Risk management in the strictest sense is organizational work, involving job assignments, leadership, but also motivation, identification and estimation of employees, with monitoring, improvement and control of the activities undertaken. This all is a procedure designed to shape structures, functions and processes so that the organisation can respond effectively to emerging risks, accurately identifying threats, effectively eliminating them and noticing emerging opportunities. Generally, risk management of an organization comprises decision-making and implementation of measures leading to risk acceptable level (Jajuga 2009). It is a process implemented by both the management and the employees, included in the strategy of actions and taking place in the whole organization.
Effective risk management is based on building strong risk management culture in the organisation. Building this culture means creating the basis for conscious risk management based on three basic pillars: organisational culture, awareness and involvement of employees and a well-developed risk management system. It means constructing both behavioural patterns, risk management infrastructures and mechanisms to manage risk effectively.
The article aims to discuss risk management culture and the author's proposal to evaluate this culture in an organisation. In order to achieve this, the maturity of risk management culture was studied, based on a literature query and empirical research. This paper is not a simple compilation of views contained in the literature, but to a large extent presents the author's own reflections, modelling the issues of construction and improvement of an organization's risk management culture. The author's model of the construction and improvement of risk management culture is based on three main dimensions of its maturity: organizational culture, awareness and involvement of employees and a developed risk management system. These dimensions were analysed and evaluated in the research, the essence of which was to determine the maturity level of risk management culture in the organisations surveyed, i.e. offices of local government units in Poland. Risk management is not only the domain of commercial enterprises, but this concept is successfully applied in other sectors. Moreover, public finance institutions, including local government units, are obliged by law to manage risk. The reasons for this state of affairs should be sought in the increasing managerization of public sector entities; it is a departure from 'ideal bureaucracy' to the model of efficient management of public funds (Młodzik 2012). Not only does risk management support those processes, but it is also a precondition for the effectiveness of public sector management. There are therefore more and more models and guidelines to help entities from different industries implement a risk management system. The presented reflections and analyses are part of broader research into the culture of risk management, and they are an effect of the author's participation in the processes of building management systems in public organisations.

Risk management culture: theoretical aspects and literature review
Risk culture is a problem that is not often undertaken in the literature. It particular it is absent in non-serial publications. Similarly, in risk management standards there are no behavioural elements or an emphasis on the role of culture in the risk management process. Writing about the success and effectiveness of risk management the authors, in addition to building the right risk management architecture, usually pay attention to the duties of managers and risk owners and the role of the managerial staff and their support for the idea of risk management (Jastrzębska, Janowicz-Lomott, Łyskawa 2014, Kumpiałowska 2011. Rather than describing employee participation in the risk management process (Malinowska 2011), the authors only mention this problem and do not normally deal with the topic of building risk culture in an organisation. Many authors discuss risks and errors in the risk management process by paying attention to the communication between the risk manager and the management and business environment, describing the way messages are formulated (Lorek 2011, Taleb 2013, or analysing an improper selection of tools for risk management. Those shortcomings and errors are simply brought about by a lack of proper risk management culture. The European Commission also points that out (European Commission 2010), listing the absence of risk culture in organisations as one of the main causes of the collapse of many financial institutions.
The issue of risk management culture is mainly present in short monographs, in some, not many, scientific papers, in reports of organisations active in the dissemination of risk management issues, or in specialised training materials. There is a stronger perception of risk management culture abroad than in Poland. More attention to risk management culture is devoted by financial institutions, who often identify it with risk culture (Committee of European Banking 2010) (in fact, there is a fine line between the notion of risk culture and the culture of risk management, and in the literature the term is used interchangeably). Generally it is done in the form of recommendations rather than obligatory regulations.
Risk culture is a concept that is difficult to define, interpret and investigate, if only because it consists of two highly-complex multidimensional categories, namely culture and risk. In addition, culture and risk are part of different scientific disciplines (economic sciences deal with risk, and culture finds an important place in sociology, psychology and anthropology) that are characterized by other methods of research. In examining the definitions of risk culture in the literature S. Kasiewicz and L. Kurkliński (2016) distinguished the following approaches: a) culture plus: relying on the definition of culture, 'risk' is emphasized as a term used as a detailed area of interest to refer to culture (Banks 2012). Thus, risk is essentially part of culture. An alternative suggestion can be immediately made to change these roles, i.e. to take the definition of risk as a basis and to treat culture as a supplement; b) attribute: emphasizing the characteristics of risk culture (strong, weak, clear, good, etc.) (Ludwig 2015), referring, among others, to the dimensions of culture, above all, to avoid uncertainty (Hofstede, Hofstede 2007); c) instrumental: resulting from the perception of risk culture by financial institutions and its operationalization in the form of implemented programs (Power, Ashby, Palermo 2012); d) narrow view: risk culture includes the perception of 'risk appetite' in the organization (Boizeman, Kingsley 1998).
Despite many common features, differences between the concept of risk culture and the concept of risk management culture can be pointed out. The notion of risk culture is a much broader term, although it does not have one generally accepted definition. Risk culture should be understood as an awareness of the need for risk management at each level of an organisation, and it should constitute a set of values, attitudes and risk behaviour patterns represented by a person or group of people (Committee of European Banking 2010, Hopkin 2010). An organisation's risk culture describes the degree to which its culture encourages or limits the taking of risks and the opportunities that arise from those risks (McGing, Brown 2014).
The culture of risk lies at the heart of human decisions and everyday activities of each organization. This is a key concept for building risk management culture and the basis for effective risk management in organizations. The culture of risk existing within an organization has a significant impact on the organization's ability to manage risk, and a lack of risk culture makes it difficult to achieve strategic, tactical and operational goals. The culture of risk management is connected with the architecture of the risk management system, organization of the risk management process and with clear specification of the tasks of individual participants of this process. It is based on risk culture and without risk culture it is difficult to achieve. It requires a full understanding of the risk to which the institution is exposed and the way it is managed. It is risk culture and especially the attitudes of organization members that determine the system architecture, organization of the risk management process and the way of managing particular types of risk, taking into account the level of risk tolerance and the adopted risk appetite (Domańska-Szaruga 2016).
Bearing in mind that correct and consistent culture of risk management is a key element of effective risk management, the organization should shape risk management culture through appropriate regulations and procedures specifying, among others, desirable attitudes in this regard, appropriate examples, motivational systems not only of financial nature as well as methods of communication and training of employees in the scope of their responsibilities related to risk. To summarise the above paragraphs, it is possible to point out the fundamental difference between risk culture and risk management culture (Table 1).

Risk culture
Risk management culture • a set of values, attitudes, and patterns of behaviours towards risk which a given person or a group of people represent, • behavioural standards and traditions of individuals and groups in an organization, which determine the way in which they understand and take actions related to risk, • a term which denotes values, convictions, knowledge of and approaches to risk shared by a group of people with a common intended purpose, in particular the employees of an organization • based on risk culture, a complete understanding of risk and the way risk is managed, • one of the key elements of effective risk management, • related to the architecture of the system of risk management, developed at the organizational level and can and should be constructed with the use and application of guidelines and recommendations.
• development of risk management culture entails a construction of mechanisms thanks to which risk management will take effect via conscious engagement in the risk management proces of employees at various hierarchy levels Risk management culture combines all elements of risk management infrastructure and reflects common values, goals, practices and mechanisms that involve both risk in the organization's decision-making processes as well as risk management in operational processes. The culture is shaped at the organizational level and can and should be built using guidelines and recommendations. It can be defined as the culture of conscious risk management, which involves full awareness of risk management at all levels of the organization's management and its activity (Domańska-Szaruga 2016). The management of the organization openly communicates hazards, defines risk category, sets directions, engages employees in the risk management process and rewards appropriate behaviour.
Risk culture is a concept that reflects personal beliefs and values of organization members, their individual predispositions and attitudes towards risk and ethical values. The relationship between risk culture and organizational culture is clearly visible. Organizational culture is usually defined as social norms and systems stimulating employee values, the right organizational climate, management methods, shared meanings and symbols, cognitive schemas, behavioural requirements and the system of thinking patterns and activities embedded in the social environment of the organization (Sikorski 2012).
As already mentioned, the boundary between the concept of risk culture and risk management culture is very blurred. These terms are basically used interchangeably. What can be encountered under the term of 'risk culture' is a definition of risk management culture, and there is a joint treatment of these two concepts. However, according to some authors it is necessary to distinguish between these concepts and to use the concept of risk management culture to determine the construction of a risk management system based on mechanisms that determine the effectiveness of this system thanks to full awareness of risk management at all levels of the organization. In reality, however, the notion of risk culture dominates in the literature and is very often used to determine the construction and functioning of mechanisms that ensure effective implementation of the risk management process in an organization. Table 2 shows selected definitions of risk culture. These definitions are as ambiguous as the definitions of organisational culture. Hence, the attempt to define risk management culture more narrowly as opposed to risk culture in an organization.
Risk culture will be a mixture of formal and informal processes. The former are easy to observe. The latter are harder to observe since they involve a myriad of small behaviours and habits which in the aggregate constitute the state of risk culture at any one point in time.
Power, Ashby, Palermo (2012) Risk culture are the norms and traditions of individuals or groups within the organization that determine how they identify, understand, discuss and undertake activities related to the types of risk an organization faces and which it undertakes Risk culture is the awareness of the need to manage risk at every level of the organization, it is the basis for effective risk management

Committee of European Banking
Supervisors (2010) The extent to which the board (and its relevant committees), management, staff and relevant regulators understand and embrace the risk management systems and processes of the organisation.
The Institute of Risk Management (2012) Risk culture is a system of values and norms of conduct that shape employee decisions and actions. Determines the collective ability ... to: recognize, understand, openly discuss and undertake current and future threats to the organization; act consistently as part of the risk appetite; and ultimately achieve the strategic goals and goals of the organization.

Australian Prudential Regulation
Authority (2016) Source: own elaboration Risk culture can be understood as an effect of organizational culture on risk management. The often quoted definition of organizational culture is "a system of common values (which define what is important) and standards defining appropriate attitudes and behaviour of members of the organization (how they should feel and behave)" (O`Reilly, Chatman 1996). Risk culture is an application of this concept to the way the organisation acknowledges and manages risks. Risk culture is therefore not separated from organisational culture. Standards and traditions relating to risk culture arise as a result of common experience within the organisation over time.
Moreover, all organisations have the culture of risk regardless of whether they are aware of the risk and are aware how to manage it .
Risk management culture should be developed in the organisation by strong risk management leadership, by the involvement of authorities and all the staff in the risk management process, emphasis on training in this field, identification of employees responsible for specific risk management tasks and by developing openness and communication. The author's proposal for a pyramid of risk management culture ( Figure 1) can be used as an example and very general presentation of the components of risk management culture. The foundations of risk management culture presented this way are organisational culture, employee involvement and risk management system. Without creating and supporting involvement of the managerial staff, risk management culture does not have a greater chance of survival, becoming merely a blind record in risk management policy. The management should communicate with employees, providing them with guidance on the culture of risk management and imposing obligations. Instead using the phrase 'risk management culture' some authors use the concept of 'risk awareness', as the effectiveness of risk management activities depends primarily on those who pursue this process.

ENTREPRENEURSHIP AND SUSTAINABILITY ISSUES
The risk management system is another key variable that determines the success in risk management. Building a risk management system is an integral part of risk management culture because strong risk management culture is built into the process of creating a risk management system using frameworks and guidelines, which also entails responsibilities of individual participants in the risk management process and in the organisation of the process.
Another element of the foundations of risk management culture is organisational culture focused on risk awareness. This often involves changing organisational culture into the culture of security and risk management. An important component of risk management culture is risk tolerance/risk appetite. The setting down of risk appetite and risk thresholds is the basis for the effectiveness of risk management. Risk appetite holds a key place in the risk management architecture. A clear statement regarding risk appetite and the level of tolerated risk together with continuous monitoring of these parameters reveals the level of risk management maturity.
Management is based on maximising the likelihood of reaching the objectives, but the presence of risk means that they might not be met. Therefore, the management of the organisation manages risk in such a way as to maximise the likelihood of achieving the objectives. In this way, organisations build risk management culture, and, within it, a system and process of risk management that will be effective in meeting the objectives.

Building and improving risk management culture
Risk management culture fosters effective risk management and judicious risk-taking. Building risk management culture means building a risk management architecture based on the principles of ethics, accountability, communication and fairness. It is the appropriate organization and construction of mechanisms that will make risk management effective due to the involvement of employees at all levels.
The basis for creating these mechanisms is the built-in risk management architecture and implementation of the risk management system. However, at this stage it is necessary to consider the construction of such risk management culture that would make the system effective.
Effective risk management enables, among other things, more effective provision of services, better use of resources, more efficient implementation of organizational and financial innovations, and it also supports the creation of the organization's values. In addition, an organisation that has built risk management culture may decide to modify it. In this case, it is necessary to design changes to improve it. This model (and precisely those identified mechanisms that build risk management culture in public organisations) has been used to build a tool to diagnose the maturity of the public organisation's risk management culture, as presented later in the article.
The proposed actions, on which the construction of risk management culture was based, were included in three groups (dimensions).

ENTREPRENEURSHIP AND SUSTAINABILITY ISSUES
ISSN 2345-0282 (online) http://jssidoi.org/jesi/ 2020 Volume 7  The use of a model to build or improve risk management culture must be based on successive stages. In Figure 3, these stages are included in the form of the so-called 'circle of risk management culture' based on the assumption of continuous improvement and, therefore, the repeatability of the cycle.  The author's model presented above is one of the approaches to building and improving the culture of risk management.

ENTREPRENEURSHIP AND SUSTAINABILITY ISSUES
In the risk management literature it is difficult to find similar models and guidelines. Instead, it is important to reach out to the studies of companies providing consultancy and audit services, e.g. Institute of Risk Management. However, their solutions are dedicated to businesses, and their use in other types of organizations may be rather fragmented.

The author's concept of the maturity model of risk management culture
Striving to improve the culture of risk management, the management of an organization needs a certain point of reference in order to be able to determine the level of advancement of this process. Therefore, it needs a model that will allow comparing the results of risk management culture assessment with the point of reference, which will allow determining the level of maturity of this culture.
The determination of the level of maturity is the basis for the development of a program of changes -detailed actions allowing the achievement of the desired level of maturity of risk management culture. One of the existing models of process maturity can be adapted for this purpose, for example the following maturity model of the risk management process (Figure 4).

Stages of risk management maturity -attributes
•Ad-hoc approach.
•The chaotic reaction to risk depends mainly on individual skills and oral knowledge.
•Risk is defined differently at different levels and in different parts of the organization.
•Risk groups consist of managers.
•Limited emphasis is put on the links between risks.
•No reference to risk in the strategy.
• Separate functions of risk monitoring and reporting functions.
•Identified risk context. •Common risk assessment -an approach developed and adopted throughout the whole organization.
•Risk assessment carried out.
•Developed action plans in response to highpriority threats.
•Communication of the biggest threats to the top management.
•Coordinated activities related to risk management in various business areas.
•Risk analysis tools developed and delivered.
•General measurement and reporting systems.
•Specified chances of risk happening. •Progressive risk assessment process.
•Inclusion of risk in the process of strategic planning, capital allocation, product development, etc.
•The system of early warning and notifying the Management Board about the risk above the set thresholds.
•Linking risk with performance measures •Risk modeling.

Integrated risk management
Systemic risk management However, adaptation of the process maturity model is not an optimal method for measuring and assessing the maturity of risk management culture.
A better solution is to develop a model that would be based on the maturity model of risk management, at the same time taking into account not only the maturity of the process, but also evaluating all the components of risk management culture.
Inspired by process maturity models and taking into account the components of management culture, the concept of a maturity model of risk management culture consisting of four levels can be proposed. The assumption of the model is the suitability for assessing the maturity of risk management culture in the offices of local government units ( Figure 5). •Organizational culture with the predominance of target culture features creates the basis of the strong culture of risk management.

ENTREPRENEURSHIP AND SUSTAINABILITY ISSUES
•The organization has implemented a wellfunctioning risk management system.
•Employees are aware of risk management and their role in the risk management process and the impact of risk management on a success in achieving the organization's goals.
•The culture of power is not conducive to build ing risk management culture.
•Managers do not perceive the importance of risk management culture, lower level employees are not aware of risk management or do not perform their tasks despite the existence of an organization's risk management policy.
•The organization does not have an effectively implemented risk management system.
•Existing target culture optimally supports risk management culture.
•There is an effective risk communication and all employees are aware of risk factors and their role in the risk management process. • The risk management system is an integral part of the organization.
•Risk management is an element of strategic management and covers all areas of the organization's functioning.
•The risk is optimized in order to build a lasting competitive advantage.

Figure 5. An original maturity model of risk management culture
The model presented above is universal and can be successfully used to assess the maturity level of risk management culture in various types of organisations, including commercial enterprises.

Maturity of risk management culture in the offices of local government units in Poland -empirical research methodology
Currently, the literature increasingly deals with maturity of management systems, including maturity of risk management. However, it is lacking in comprehensive and reliable research on this subject. In addition, limited as they are, research attempts are usually flawed by methodological errors. They are based on a self-assessment conducted by organisations which in results are classified into maturity levels on the basis of subjective evaluation. Additionally, although there is a growing recognition of risk culture, in principle not much literatrue on risk management culture is available, which clearly results in a lack of adequate research.
The study of risk management culture maturity at the offices of local government units in Poland was conducted between 2016 and 2019. That was a multi-faceted study of organisational culture, maturity of the risk management process and the maturity of the organisation's risk management culture.
A key issue in the assessment of the maturity level of risk management culture is the choice of a research procedure to carry it out. A simple survey with questions used to classify an organization into a maturity level is inadequate. Classification on the basis of an assessment of each of the actions needed to build and improve risk management culture listed in the model presented in Figure 2, with equal treatment of their weights, is also not a good methodology. An additional problem is the divergence of assessments of individual criteria used to classify an organisation into a particular level ENTREPRENEURSHIP AND SUSTAINABILITY ISSUES ISSN 2345-0282 (online) http://jssidoi.org/jesi/ 2020 Volume 7 Number 3 (March) http://doi.org/10. 9770/jesi.2020.7.3(41) 2071 In view of the above doubts about reliability of research for the purposes of assessing the maturity of risk management culture, a categorization method was applied to the offices of local government units. Categorization is a research procedure, the essence of which is to assess the condition or functioning of the object for its qualitative classification (Cabała P, Messiah C, Piekarz H, Stabryła A, Wozniak, 2009). A category is a qualitative class of an object, determined on the basis of a value scale. Categorisation may be aimed at the comprehensive or partial classification of the organisation's activities. It can be successfully used to assess the organisation in terms of risk management culture maturity.
The studies were conducted in 74 selected municipalities. In the first phase of the research, the selection of evaluation criteria was carried out. A comprehensive assessment of risk management culture maturity requires that the structure of the evaluation criteria should be diverse, but it should also be complementary. These are very important issues in terms of the completness and accuracy of the diagnostic analysis. In the investigation, the structure with 20 evaluation criteria proposed in the author's model of building and improving risk management culture was adopted.
It should be stressed that the selection of criteria used in the author's model of building and improving risk management culture was made by an expert method based on a qualitative assessment of facts, intuition and, above all, on individual association pattern, as a type of algorithm to understand the existing state and to make predictions. Overall 20 experts were selected, including six professors in the field of management and in other disciplines of social sciences, 10 municipality employees in managerial positions and four business consultants. E-mail was used as a means of communication with them. For each of the selected criteria, its characteristics and evaluation model optimal for building and improving risk management culture were specified (Table 3). The achievement of the ideal conditions was marked by ascribing the maximum number of points according to the conversion of evaluation criteria shown in Table 4. Table 3. Characteristics and evaluation models of 'Identification of the existing organizational culture' criterion

K1 Identification of the existing organizational culture Criterion characteristics
The criterion is used to evaluate organisational culture in municipalities. Organizational culture is a style of the organization, views and values shared by its members, common behavioural patterns and ways of communicating. The culture of the organization is a cornerstone of risk management culture, as it directly affects the organization-specific risk management architecture and risk management principles. Appropriate organisational culture facilitates organisation of the risk management process, particularly in the area of responsibility of the organisation's members for risk management.

Evaluation models
The model status, i.e. organisational culture that is optimal for the construction and improvement of risk management culture, is achieved when: -mission and vision are constantly communicated and known to employees, -there is a code of ethics in the organization, and ethical behaviour is rewarded, -leadership style in the organization is identified with innovation, efficient organization and coordination, -decentralization of decisions in the organization is introduced wherever possible, employees have a sense of equal rights, -autonomy, initiative, innovation, freedom and originality are preferred in the organization; -written communication takes place where it is necessary; whereas oral communication is of great importance, particularly when there is a need for swift action, -the degree of formalization is appropriate to the public institution; the initiative undertaken by employees is appreciated, -there is an opportunity for discussion, argumentation and exchange of views in the organisation; there is openness, freedom and immediate communication between the members of the organisation; differences in status and hierarchy do not inhibit access to information, -among employees there is an acceptance to expose irregularities, and the appropriate behaviour in the field of information about events is noticed and rewarded, -employees have a sense of being appreciated and show a high degree of loyalty to the workplace.
Source: own elaboration ENTREPRENEURSHIP AND SUSTAINABILITY ISSUES ISSN 2345-0282 (online) http://jssidoi.org/jesi/ 2020 Volume 7 Number 3 (March) http://doi.org/10. 9770/jesi.2020.7.3(41) 2072 The table presents a description of one of the 20 criteria used in the research. In fact, similar descriptions had been drawn up for all criteria. They were the basis for constructing a questionnaire for a research survey addressed to municipal offices. The questionnaire included 82 research questions divided into 20 groups, i.e. 20 research criteria. The CATI method was used to carry out the survey. CATI (computer-assisted telephone interviewing) is a computer-aided phone interview. When obtaining information, an appropriate computer script is used to automate the work. The data collected were analysed by means of categorization. In view of the fact theat there were many questions in the research survey, the results were presented synthetically.
The results of the studies were compared with the designed optimal evaluation model, containing so-called preferential aspects, awarding points on a scale from 0 to 6 according to the previously constructed table of conversion (Fig 4). Taking into account the impact of different criteria on the maturity level of the risk management system (the impact was determined with the expert method), the weights from 1 to 3 were awarded to each criterion (Table 5).

2073
Taking into account the evaluation criteria presented above, the maturity index of risk management culture (MIRMC) can be determined as follows: where: wjweight of the j-th criterion of assessment, qija point-based verifying evaluation related to the i-municipal office, i = 1, …, mmunicipal offices, j = 1, …, nevaluation criteria.

Results and discussion
The MIRMC index proposed above was established for each of the municipalities surveyed. Its maximum value was 210. After the determination of the maturity index value of risk management culture for each municipality office, a qualification procedure was developed. It was a formalised way to include the rules and conditions for determining the category of the municipality by virtue of its maturity level of risk management culture. The qualification procedure specified the value scale and the hierarchical intervals of the MIRMC index (the last interval had the smallest span).The hierarchical intervals were matched with the levels of risk management culture maturity (Table 6, Figure 6).  The presented research results indicate the dominance of institutional culture of risk management in municipal offices in Poland. This level is characterized by the management's attitude to meeting formal requirements in the scope of risk management, which are imposed by law. In Poland, the Act of 27 August 2009 on public finances imposes on managers of units of the public finance sector, including local self-government, the obligation to provide management control in managed units and within its framework to provide control of risk management. Unfortunately, many of these units today treat risk management as a formal requirement but not an element of effective management. It is true that employees perform their duties in the risk management process, but they are motivated by regular controls.
The analysis of the maturity dimensions of risk management culture allows for the study of individual assessment criteria and the selection of the criteria that have been assessed the lowest based on the results of surveys and structured interviews. On this basis, it is possible to formulate recommendations for the management of municipalities to improve risk management culture. The worst results in municipalities were reported for criteria: K2-Identification and definition of attributes of organizational culture conducive to building risk management culture, K4-Determining desired risk management culture in the organization, K11-Communicating risk tolerance and risk appetite, K20-Integration of the risk management process with other processes in the organization. The results of these criteria are shown in Figure   In Poland the Ministry of Finance annually receives reports from public organizationa, based on self-assessment of management control, including risk management control. The methodology adopted is fairly straightforward and involves completing a questionnaire, but it is very likely to be to a large extent subjective, with some assessment errors.
The research presented in the present paper is the only comprehensive study of risk management maturity in the offices of local government units in Poland. It may be regareded as certain that despite the increasing number of publications devoted to process maturity, the authors rarely take an effort to investigate the level of maturity. Such studies, apart from advancing the researcher's interests, are important in the practice of managing organisations. So far there have been no patterns and guidelines indicating how organisations can assess the level of process maturity. The present research, carried out primarily for methodological reasons, could be a benchmark for the organisation's self-assessment and is therefore of great importance for the practice of managing organisations.

Conclusions
Legal regulations and dynamic changes in the approach to risk management enforce the inclusion of risk management in the strategy of local government units and the involvement of not only the management and risk managers, but even all organizational units and employees. It is mainly about achieving a specific state of process maturity defined as the ability of the organization and its processes to systematically provide a better quality of services. The author's own scientific work supported by the presentation of views contained in the subject literature allow an identification of a research gap in this area to draw conclusions about the use of process maturity models to assess the maturity of risk management culture.
The research has indicated an unsatisfactory state of risk management culture in municipal offices in Poland. It is to be hoped that the growing number of research and studies on this subject as well as the proposed solutions will be a factor inspiring changes and improvements that will allow for achieving higher levels of risk management culture maturity in public organizations.