The Illusion of Maturity: Why Risk Models Keep Failing the VET Sector

The Illusion of Maturity: Why Risk Models Keep Failing the VET Sector

The Illusion of Maturity: Why Risk Models Keep Failing the VET Sector

Table Of Contents

How process-driven scales create dangerous blind spots and prevent the conversations that truly matter

The Australian vocational education and training sector is experiencing a renewed focus on risk, governance, and assurance as new regulatory frameworks reshape expectations for RTOs, providers, and training organisations. Across the industry, leaders regularly embrace maturity models to measure their capability and readiness. These models promise certainty, confidence, and clarity. Yet few are asking the uncomfortable but essential question: Do these tools actually measure what matters? In sector after sector, including finance, healthcare, and education, risk maturity models have repeatedly failed to predict catastrophic issues. A major reason is that most models assess processes rather than outcomes. They describe steps, templates, and systems instead of the real measure of maturity: the quality of decisions, the strength of conversations, and the integration of risk thinking into everyday behaviour. This article unpacks why risk maturity assessments across the VET sector can become misleading comfort blankets, how language within these models influences organisational thinking, and why the industry must shift from describing risk processes to challenging whether strategic, learner-centred, and compliance-driven conversations are genuinely occurring. Drawing on cross-sector analysis, regulatory expectations, and lessons from recent national inquiries, the article argues that unless RTOs rethink their approach to maturity, they risk reproducing the same overconfidence that plagued Australia’s banks before the Banking Royal Commission.

A Sector Built on Assurance… But Whose Assurance?

The Australian VET sector relies heavily on systems of assurance. Whether it is ASQA’s regulatory model, internal audit programs, validation schedules, industry consultation frameworks, or student support systems, providers are expected to demonstrate a high degree of strategic and operational control. Over time, the language of assurance has become deeply embedded in quality systems. This includes the language of risk maturity models.

Many RTOs apply maturity scales to demonstrate compliance strength or organisational capacity. The terminology varies, but typical pathways include descriptors such as Fundamental, Developed, Systematic, Integrated and Advanced. Others use Ad Hoc, Fragmented, Defined, Integrated and Optimised. Each scale promises to reveal how mature the organisation’s approach to risk may be.

However, as appealing as these terms may sound, they often provide a sense of comfort rather than clarity. The VET sector needs to examine whether these scales illuminate organisational reality or simply reinforce its blind spots. Before judging their usefulness in education, it is instructive to consider how such models misled one of Australia’s most heavily regulated sectors: banking.

Remember the Banking Royal Commission? Risk Models Didn’t See That Coming

Before the Banking Royal Commission exposed systemic wrongdoing, major Australian banks widely believed they were highly mature in their risk frameworks. They had layers of reporting, robust documentation, and seemingly sophisticated assurance systems. Their maturity models said they were strong. Their audit processes said they were well-governed. Their internal reviews confirmed their confidence.

Yet the Commission revealed a very different story — one of cultural failure, ineffective oversight, perverse incentives, and widespread compliance breaches.

How could a sector that invests billions of dollars into risk management score itself so highly while significant failures were occurring under its nose? The answer lies in the design of the tools used to measure maturity. Most of the models assessed process steps, documentation, compliance activities, and system coverage. They did not assess whether risks were genuinely understood, challenged, escalated, or mitigated. They measured appearance, not impact. They assessed what was easy to quantify, not what was essential to question.

If a multi-billion-dollar industry, combed over by auditors, analysts, boards, and regulators, could profoundly misunderstand its own maturity, what does that mean for the VET sector, which operates under increasing pressure, leaner resources, and ever-changing standards?

Risk Maturity Models: The Language That Shapes Thinking

Risk maturity models use vocabulary that strongly influences how leaders interpret their role. Terms such as integrated, systematic, and optimised sound compelling. They imply precision, coordination, and sophistication. But the language is deeply process-oriented. Each descriptor tends to focus on whether risk processes are documented, embedded, repeatable, or data-driven.

This creates an unintended but powerful side effect. When leaders hear process-oriented language, they think in process-oriented terms. They start equating maturity with paperwork instead of outcomes. They focus on whether risk registers are updated rather than whether the risks identified are the right ones. They check whether systems are integrated rather than whether decisions are being challenged. They prioritise reporting over reflection.

In the VET sector, where compliance obligations are extensive and documentation is heavily scrutinised, process language becomes even more dominant. Providers may believe they are mature in risk practice simply because they have systems in place — not because the systems produce better decisions.

Maturity models were never intended to replace conversations. But in practice, they often do.

When Process Overshadows Purpose

The central problem with most maturity models is that they inadvertently misdirect organisational focus. Instead of asking “Are we achieving the right outcomes?”, they encourage organisations to ask “Are we doing the process correctly?”

For instance, an RTO may be classified as “Integrated” if it has:

  • a risk management framework,

  • coordinated reporting mechanisms,

  • a centralised risk register,

  • management dashboards,

  • and staff awareness activities.

These are all good things. But none of them prove that leaders understand the risks that matter most, such as:

  • the quality of learning and assessment,

  • student wellbeing and support,

  • staff capability,

  • regulatory breaches,

  • financial viability,

  • reputation risks,

  • and the alignment between business decisions and learner outcomes.

A maturity score may climb because processes are polished while the underlying culture remains unchanged. The bank sector learned this the hard way. The VET sector risks learning the same lesson if it does not shift its focus.

Why Risk Maturity in VET Is Often Assessed Through the Wrong Lens

In Australian VET, many RTOs define risk maturity according to their compliance posture rather than their governance posture. Compliance is important, but it is not the same as maturity. Maturity speaks to the strength of behaviour, culture, decision-making, and ownership. Compliance speaks to whether minimum standards are met.

When an RTO treats compliance as synonymous with maturity, three things occur:

  1. The organisation becomes reactive instead of proactive.

  2. The focus becomes passing audits rather than improving outcomes.

  3. Risk becomes a burden instead of an enabler of strategy.

A mature organisation proactively anticipates challenges, engages openly with regulators, and treats risk as an essential part of strategic planning, not as an administrative requirement.

The irony is that many RTOs score themselves highly on maturity scales precisely because they have strong administrative processes, even while the deeper layers of risk management remain underdeveloped.

Outcome-Driven Risk: The Conversation RTO Leaders Need to Have

The real measure of maturity is not the process — it is the outcome. A provider may have an impressive risk framework but still fail to foresee a critical incident, a compliance breach, or a learning quality issue. Conversely, an organisation with modest documentation but a strong culture of open discussion may demonstrate far higher maturity in practice.

Outcome-driven thinking asks:

  • Are learners safer?

  • Are trainers better supported?

  • Are assessments more valid and reliable?

  • Are complaints decreasing because issues are genuinely resolved?

  • Are decisions made with a clear understanding of consequences?

  • Are leaders having difficult conversations early rather than late?

These are harder to quantify, which is why maturity models often avoid them. But avoiding them undermines the very purpose of maturity assessment.

In risk management, the most important conversations are often the most uncomfortable. True maturity involves openly acknowledging weaknesses, ambiguities, contradictions, and failures. If a maturity model does not provoke these discussions, it is not doing its job.

The Structural Weakness of Process-Based Maturity Models

Across industries, several structural problems repeatedly emerge in process-driven maturity models.

1. They reinforce confirmation bias

Leaders who believe their systems are strong will interpret maturity scales through that lens, resulting in inflated self-ratings. The absence of external challenge allows overconfidence to flourish.

2. They assume processes equal performance

Process descriptions are treated as proxies for capability, even though processes can exist without being effective.

3. They ignore power, culture, and incentives

A risk framework may be “integrated” on paper but ignored in practice when commercial pressures overshadow educational or compliance risks.

4. They reward documentation over dialogue

When scores depend on documented processes, RTOs naturally prioritise paperwork, even though genuine risk maturity relies on mindset.

5. They create false confidence

High scores suggest high capability, which can deter leaders from engaging in necessary self-critique.

This is the same pattern that enabled misconduct in the finance sector. The maturity models gave banks a false sense of security. The VET sector cannot afford to repeat it.


Why the VET Sector Is Particularly Vulnerable to Misleading Maturity Models


The VET landscape is highly dynamic. Government funding rules change, qualifications are revised, regulatory reforms are ongoing, and community expectations continue to evolve. Because of this complexity, many RTOs rely on maturity frameworks as anchors — tools that seem to provide stability in a shifting environment.

However, this reliance creates vulnerabilities:

Regulatory pressure encourages process-driven thinking

Because providers are audited heavily on documentation, internal cultures can shift towards doing things “for ASQA” rather than for genuine improvement.

Quality systems overshadow quality conversations.

Large volumes of templates and documented processes can mask the absence of strategic engagement.

Executives may assume governance is strong because compliance is strong

But compliance alone does not protect against poor decision-making or systemic risk.

Rapid industry changes mean yesterday’s maturity no longer reflects today’s reality

A model that was adequate before the Standards for RTOs 2025 may be obsolete today.

Maturity tools often struggle to capture human behaviour

In VET, risk is shaped by the actions of trainers, assessors, managers, agents, and support teams — not just the systems they use.

Unless maturity tools are redesigned to capture behavioural and cultural dimensions, the sector will continue to overestimate its true readiness.

A Closer Look at Language: Why It Pushes Organisations in the Wrong Direction

Language shapes mental models. When maturity scales use language centred around integration, systemisation, or optimisation, they implicitly instruct organisations to concentrate on building bigger, more complex systems. Yet some of the most mature risk cultures are elegantly simple. They rely on conversation, clarity, transparency, and accountability.

Imagine an RTO described as “Fundamental” because it has limited formal processes. That label sounds negative. But what if the organisation’s leaders regularly challenge assumptions, analyse learner outcomes, and escalate concerns rapidly and transparently? What if risks are discussed openly every week rather than buried in reports? What if decisions are made with rigorous attention to consequences?

Under most maturity scales, such an organisation may still be ranked “low maturity” because it lacks the heavy documentation implied by higher tiers. That exposes a flaw in the model, not in the organisation.

As the banking sector discovered, a highly systemised process can mask a low-maturity culture — and a low-system process can support a high-maturity culture. The VET sector must break free from language that equates documentation with maturity.

The VET Sector’s Most Common Risk Maturity Misconceptions

Through extensive observation of the sector, several misconceptions emerge that repeatedly undermine risk understanding:

Misconception 1: “If our risk register is comprehensive, our maturity is strong.”

Registers are only as good as the conversations behind them. A long list of risks does not equal understanding.

Misconception 2: “Our audit results reflect our maturity.”

Audits assess compliance, not organisational resilience. They do not measure whether staff know how to respond when an unexpected risk arises.

Misconception 3: “If we have policies, we have maturity.”

Policies describe intent, not behaviour. Maturity is what people do when no one is watching.

Misconception 4: “If a consultant designed our framework, it must be advanced.”

External design cannot substitute for internal ownership.

Misconception 5: “If we didn’t have a non-compliance, our systems are working.”

Absence of detection does not prove absence of risk.

The danger is clear: when leaders believe the myths of maturity, they stop asking the questions that expose underlying issues.

The Heart of True Maturity: Conversations, Culture, and Consequences

A truly mature risk environment is one in which:

  • conversations about risk occur early, openly, and honestly,

  • decision-makers understand the real-world implications of their actions,

  • staff can challenge decisions regardless of hierarchy,

  • culture encourages transparency and discourages cover-ups,

  • learner outcomes, not paperwork, drive behaviour.

This type of maturity has nothing to do with whether a process is Integrated or Optimised. It depends entirely on organisational behaviour.

A risk maturity model that does not evaluate the depth and quality of conversation is incomplete. A model that does not examine culture is misleading. A model that does not probe whether decisions improve learner outcomes is inadequate.

True maturity requires courage. It involves admitting uncertainty, confronting difficult truths, and rethinking longstanding assumptions. The VET sector must move towards this deeper, more behavioural definition of maturity.

Examples of How Confusion Is Spreading in the VET Sector

Example 1: The “high maturity” provider hit with unexpected regulatory action

A medium-sized RTO rated itself as “Integrated” on a commonly used maturity scale. It had policies, risk registers, and quarterly board reports. However, a regulatory audit revealed systemic assessment issues. When the regulator asked how quality risks were identified, the organisation pointed to its register. The document existed, but the discussion never occurred. Staff assumed leadership was handling risk, while leadership assumed assessors were reporting concerns. The maturity rating had given everyone false assurance.

Example 2: The provider with no formal maturity scale but exceptional outcomes

A small community-based RTO had minimal documentation but demonstrated excellent learner outcomes, strong stakeholder engagement, and proactive risk escalation. Inspectors praised its willingness to identify weaknesses before they became failures. According to standard maturity models, this RTO might score “low”, yet its behaviour demonstrated higher maturity than many larger providers.

Example 3: The provider that confuses data volume with data insight

Another RTO collected extensive data — student attendance, student portal activity, upload frequency, assessment turnaround times, and feedback surveys. Leaders believed this represented high maturity. But they never analysed which data truly linked to risk. This created noise instead of insight. Maturity is not the quantity of data but the quality of decisions made from it.

These examples illustrate the spread of confusion. The VET sector often interprets maturity through an administrative lens rather than a behavioural one.

Do Maturity Models Help Leaders Have the Right Conversations?

This is the most important question. If a maturity model does not elevate discussion, deepen insight, or uncover blind spots, its value is limited. Leaders must ask:

  • Does this model challenge my assumptions?

  • Does it provoke discomfort, reflection, or re-examination?

  • Does it expose weaknesses we have avoided discussing?

  • Does it encourage my team to think critically about consequences?

  • Does it link risk thinking to strategic decisions?

Most importantly:

Does this model give me confidence that my team is actually having the conversations that protect learners, staff, and our organisation?

If the answer is no, then the model is not measuring maturity — it is measuring process adherence.

Shifting the VET Sector Towards a More Honest Definition of Maturity

The VET sector must rethink how it conceptualises maturity. The following principles can guide a more meaningful approach.

1. Replace process-driven indicators with behaviour-driven indicators

Instead of measuring whether a risk register exists, measure whether:

  • staff escalate concerns early,

  • leaders actively challenge assumptions,

  • decisions reflect risk insight,

  • and risk ownership is shared, not delegated.

2. Focus on outcomes, not appearances

A high-maturity organisation should be judged by improved learner outcomes, fewer incidents, stronger assessment validity, and more resilient operations — not the number of documents in its system.

3. Consider incentives and culture

Culture determines whether risk frameworks are used effectively. Incentives determine whether staff prioritise long-term outcomes or short-term wins.

4. Test maturity through scenarios, not checklists

Scenario-based assessments reveal whether leaders understand their risks and know how to respond.

5. Encourage transparent governance

Boards and executives should openly discuss failures, near misses, ethical dilemmas, and conflicting priorities.

6. Align risk with purpose

In VET, the purpose is learner safety, quality education, and public trust. Maturity models must reflect this, not abstract process criteria.

When maturity is defined through behaviour and outcomes, providers gain a more accurate, honest, and actionable understanding of their capabilities.

Why Confusion Will Continue Unless the Sector Changes Its Mindset

Every time new standards, new funding rules, or new compliance expectations arise, the sector sees a wave of interpretive confusion. Providers scramble to update policies, rewrite procedures, attend training, and realign documentation. Maturity models often get updated, too. But unless the underlying mindset changes, the confusion returns again during the next regulatory cycle.

The problem is not the standards or the rules. It is the industry’s continued reliance on process-based thinking. When risk and quality are approached as administrative tasks instead of strategic behaviours, confusion is inevitable.

True clarity emerges when organisations focus on conversations, consequences, and culture — not checklists.

Where to From Here? A Call to the VET Sector

The VET sector stands at an important crossroads. With greater public scrutiny, increased accountability, and evolving regulatory expectations, the sector must advance beyond the superficial comfort of maturity labels and focus on what truly matters. Leaders must ask deeper questions, engage in more transparent discussions, and challenge the cultural assumptions that underpin their organisations.

Risk maturity is not a score. It is not a rating. It is not a tier.

Risk maturity is the quality of the decisions made when challenges arise. It is the honesty with which weaknesses are acknowledged. It is the integrity of behaviour when no one is watching. It is the courage to view risk and strategy as inseparable, complementary forces.

If the VET sector can shift towards this deeper, behavioural understanding of maturity, it will be far better equipped to meet the demands of tomorrow — and far less likely to repeat the failures seen in other industries.

Maturity Is Measured in Truth, Not Templates

Risk maturity models are not inherently flawed, but the way they are interpreted often is. When these models focus on process descriptions, they mislead leaders into believing that documentation equals protection. As the Banking Royal Commission demonstrated, high maturity scores can hide low maturity behaviour.

The VET sector must learn from these lessons. If the goal is genuinely mature risk management, then the conversation must change. Maturity must be measured through outcomes, behaviours, and culture — not through the sophistication of paperwork.

The future of quality and compliance in the VET sector depends on leaders who prioritise difficult conversations over comfort, consequence over convenience, and truth over templates.

Back to blog

Search

RECENT POSTS

When Checklists Aren’t Enough

When Checklists Aren’t Enough

Stop Telling Learners To “Just Believe”

Stop Telling Learners To “Just Believe”

When the Robots Write, Who Thinks?

When the Robots Write, Who Thinks?

Tags


Sukh Sandhu

Executive Director

Sukh has been working in the VET and Higher Education Industry for over 25 years. In this time, he has held several roles with RTO's and Higher Education Providers (HEP) including CEO roles for International Colleges and National Compliance and Quality Assurance Manager roles for several RTO's, TAFE's and Universities. Sukh has also worked for the Australian Skills Quality Authority (ASQA) as a Business Systems Project Official. Sukh is a Canadian permanent resident and Australian citizen.

Sukh has had extensive project management experience in risk management, compliance, administration and as a training consultant. He has extensive knowledge in government compliance standards and has participated in nearly one hundred audits across Australia and provided consultancy advice regarding ASQA/VRQA, TEQSA, ACPET, DET-HESG, VQF/Higher Education, ELICOS, NEAS, ANMAC, AHPRA, CRICOS, ESOS and ISO.

Sukh is a member of several independent professional organisations and government bodies including, ACPET, VELG, ACS, AITD, MARA, MIA, ISANA, APEX, IEEE, The Internet Society (Global Member), AISIP, IAMOT, ACM, OISV, APACALL, IWA, Eta Kappa Nu, EDSIG and several others.

Sukh's qualifications include two MBAs, three masters in IT and systems, a Graduate diploma of management learning, Diploma in training design and development, Diploma in vocational education training, Diploma of work, health and safety, Diploma of Quality Auditing, Advanced diploma of management, Advanced diploma in marketing, human resources, information technology, and a number of other courses and qualifications. He has been working as a lecturer and as a trainer and assessor since 1998, Sukh has been a vocal advocate of audit reforms and system centred auditing practices rather than auditor centred auditing practices for many years.