The Risk Maturity Gap: Examining the Disconnect Between Organizational Confidence and Effective Risk Mitigation
Abstract
This study investigated the structural, behavioural, and cultural mechanisms that sustain the gap between perceived risk management maturity and actual risk reduction outcomes in South African enterprise contexts, a phenomenon termed the maturity gap. Employing an exploratory sequential mixed-methods design grounded in critical realism, the study conducted 26 semi-structured in-depth interviews and administered a structured survey to 214 risk and governance professionals across financial services, insurance, mining, healthcare, retail, and public administration sectors. Quantitative analysis using multiple linear regression confirmed that self-assessed risk maturity was not a significant predictor of reduced incident frequency (β = .09, p = .21), while governance quality (β = −.34, p < .001) and technology integration (β = −.27, p = .003) emerged as the strongest protective factors. ERM framework adoption status similarly failed to predict incident reduction (β = −.11, p = .22). Thematic analysis identified four mechanisms sustaining the maturity gap.