In this paper, we present a method and a tool to assess the maturity of an enterprise's capability to manage its risks. Akin to the software capability maturity model, we rate a firm's risk management capability on a scale from one to five. Gaps between the bottom-up reported capabilities and the top-down perceived capabilities, as well as the gaps between organizations, are highlighted and provide a useful reality check for companies in their quest to improve their enterprise risk management (ERM) capabilities and processes. Through an explicit association of ERM capabilities with the organization's business strategy, we provide a more focused assessment and pinpointing of hotspots. The method presented in this paper is supported by a practitioner tool that is currently being piloted in a large IT consulting organization. © 2010 IEEE.