Risk Management
The Risk Management (RM) capability is the ability to assess, prioritize, handle, and monitor the exposure to and the potential impact of IT-related risks that can directly impact the business in a financial or reputational manner. Risks include those associated with (among others) IT security, data protection and information privacy, operations, continuity of business and recovery from declared disasters, IT investment and project delivery, and IT service contracts and suppliers. The Risk Management (RM) capability covers:
- Establishing an IT risk management programme and policies.
- Establishing risk management roles and responsibilities.
- Communicating and training in the area of risk management.
- Understanding the organization's tolerance for IT-related risks.
- Defining risk profiles.
- Assessing and prioritizing different types of risks.
- Defining risk handling strategies for identified IT risks (accept, avoid, mitigate, or transfer).
- Monitoring IT risk exposures.
- Integrating IT risk management with wider ERM practices such as business continuity planning, disaster recovery, information security, audit and assurance.
Structure
RM is made up of the following Categories and CBBs. Maturity and Planning are described at both the CC and the CBB level.
- A Governance
  Establishes how IT risk management should be executed.
  - A1 Policies for Risk Management
    Define, implement, review, and make accessible risk management policies. Incorporate compliance requirements into risk management approaches.
  - A2 Integration
    Integrate IT risk management with IT leadership and governance structures, and with overall ERM policies and approaches.
  - A3 Risk Management Programme and Performance Management
    Identify risk management leadership responsibilities and accountability. Define risk management roles, responsibilities, and accountabilities in support of the programme's principles and guidance. Measure and report on the effectiveness and efficiency of risk management activities.
  - A4 Communication and Training
    Disseminate risk management approaches, policies, and results. Train stakeholders in risk management practices. Develop a risk management culture and risk management knowledge and skills.
- B Profiling and Coverage
  Ensures that IT-related risks are assessed effectively.
  - B1 Definition of Risk Profiles
    Define the risk profiles by their potential impact on business continuity and performance. Apply risk profiles in risk management activities.
  - B2 Risk Coverage
    Establish the breadth of IT risk categories and asset classes that are addressed by risk management activities.
- C Process
  Addresses the day-to-day activities of identifying and protecting the organization from IT-related risks.
  - C1 Assessment
    Identify subject matter experts for risk assessments. Run risk assessments to identify, document, and quantify or score risks and their components. Assessments include the evaluation of exposure to risks and measurement of their potential impact.
  - C2 Prioritization
    Prioritize inherent and residual risks and risk handling strategies, based on the organization's risk tolerance – that is, what risk levels are acceptable.
  - C3 Handling
    Assign ownership to identified risks, and responsibility and accountability for developing risk handling strategies. Initiate implementation of risk handling strategies, where risks can be transferred, absorbed, or mitigated. Interact with incident management functions – see chapter 27, Service Provisioning (SRP).
  - C4 Monitoring
    Establish a risk register. Track and report risks and risk incidents, and validate the effectiveness of risk controls.
Overview
Goal
The Risk Management (RM) capability aims to protect the organization from risk exposures associated with Information Technology (IT).
Objectives
- Identify and assess the IT-related risks that present vulnerabilities to the business, determine appropriate risk handling strategies, and monitor their effectiveness.
- Manage the exposure to IT-related risks such as those related to IT security, IT sabotage, data protection, information privacy, product and project life cycles, and IT investment; and protect the business from the impact of risk incidents.
  Note: For detailed technical analysis and technical mitigation actions pertaining to information security-related risks, see chapter 21, Information Security Management (ISM).
- Increase compliance with external regulations and ethics policies relating to the deployment and use of technology.
- Increase transparency around how IT-related risks could affect business objectives and decisions.
- Contribute to improving the organization's reputation as a trusted supply chain business partner.
Value
The Risk Management (RM) capability can reduce the frequency and the severity of risks associated with IT negatively impacting the organization's business operations.
Relevance
While the replacement of traditional business models by technology-enabled models (as in, for example, the replacement of ‘bricks and mortar’ stores by e-commerce stores) supports improved operational efficiency, it can also increase the exposure of the organization to IT-related risk if not managed appropriately. Risks pertaining to cloud computing, analytics, mobile, and social technologies continue to evolve, and these could potentially impact business-critical operations [1]. Hence, an effective approach to managing these and other IT-related risks is required to enable organizations to reduce their exposure and the potential negative consequences [2].
By establishing an effective Risk Management (RM) capability, an organization can identify and understand current and emerging IT-related risks, including the likelihood of their occurrence and the magnitude of their impact. Stakeholders can then take steps to protect IT assets proportionate to their organizational value through prioritizing, handling, and monitoring those risks. Integrating the management of risks associated with IT with wider Enterprise Risk Management (ERM) practices promotes a greater understanding by the IT function of business priorities and critical business services, thereby enabling more effective risk treatment, avoidance of risk oversights, and better return on IT investments [3][4].
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for RM at each level of maturity.
- 2 Basic
  - Practice
    - Identify regulatory compliance policies and frameworks.
  - Outcome
    - Confidence grows regarding the consistent implementation of measures to satisfy regulatory requirements.
  - Metrics
    - Number of instances of non-compliance with external regulations.
    - Number of compliance issues identified as business-critical.
  - Practice
    - Set up initial employee training in risk management principles, tools, and techniques, initially focusing on the IT function.
  - Outcome
    - There is high-level user awareness of, and proficiency in, risk management for operational and decision-making processes.
  - Metrics
    - Number of mandatory risk management training sessions per annum.
    - Percentage of IT employees trained in risk management.
    - Number of IT employees with industry certifications in risk management.
  - Practice
    - Create basic risk profiles for prioritized areas across the IT function.
  - Outcome
    - Basic risk profiles support the IT function's risk assessment and treatment in a number of high-risk areas.
  - Metrics
    - Number of risk areas covered by the risk profiles.
    - Percentage of projects and operational systems in the various risk categories and asset classes.
  - Practice
    - Assess risk exposure to high-profile incidents within the IT function.
  - Outcome
    - A basic risk overview is provided, with particular emphasis on major pain-points/sensitivities and current trends.
  - Metrics
    - Risk exposure for each identified risk.
    - Percentage of identified risks whose potential impact or likelihood of being realized exceeds the organization's risk tolerance.
- 3 Intermediate
  - Practice
    - Implement a consistent set of risk management principles and guidelines across the IT function and some other business units.
  - Outcome
    - A consistent and holistic risk management policy is in place covering assets, approaches, people, risk identification, and risk treatment, and it is increasingly relevant to more and more business unit needs.
  - Metric
    - Percentage of functional groups within the IT function and other business units that have participated in the risk management programme.
  - Practice
    - Communicate the risk management policy and approaches across the IT function and to some other business unit stakeholders.
  - Outcomes
    - There is a growing awareness of risk management principles and guidelines.
    - Communication ensures that a risk management culture emerges across key areas of the organization.
  - Metric
    - Percentage of functional groups that align to the overall ERM policies.
  - Practice
    - Allocate risk management ownership and accountability across roles in the IT function and some other business units.
  - Outcome
    - Points of contact exist for risk management, and the necessary time and skills are invested in the risk management programme.
  - Metric
    - Distribution of employees with allocated risk management responsibility and accountability.
  - Practice
    - Establish a central risk register.
  - Outcome
    - The recording of risks in a central register provides consistent information on risks, and supports efficient management and reporting.
  - Metric
    - Number of risks actively managed in a central risk register.
  - Practices
    - Conduct regular risk assessments, using dimensions and information provided by the risk profiles.
    - Assess violations, missed opportunities, and response times.
  - Outcome
    - Data on risks can be consistently gathered, and used to support risk prioritization and handling.
  - Metrics
    - Risk exposure for each identified risk.
    - Percentage of identified risks whose potential impact or likelihood of being realized exceeds the organization's risk tolerance.
- 4 Advanced
  - Practice
    - Benchmark risk management practices against industry best-known practice on a regular basis.
  - Outcomes
    - The risk management policy reflects the latest industry practice insights.
    - Risk management principles and guidelines are more robust and complete.
  - Metric
    - Percentage of identified risks within the tolerance levels of broader ERM guidance.
  - Practice
    - Broaden training on risk management approaches to include all stakeholders and teams.
  - Outcomes
    - Teams have the knowledge and tools needed for risk management activities.
    - Risk management becomes more embedded in the organization's culture.
  - Metrics
    - Number of mandatory risk management training sessions per annum.
    - Percentage of executives, IT employees, and business unit employees trained in risk management.
    - Number of executives, IT employees, and business unit employees with industry certifications in risk management.
  - Practice
    - Incorporate benchmark data from industry sources into the risk profiles.
  - Outcome
    - Incorporating benchmark data enables risks to be evaluated in an industry context, with meaningful placement of risks along the risk profile's dimensions, and supports validity and quality assurance.
  - Metric
    - Percentage of projects and operational systems in the various risk categories and asset classes.
  - Practice
    - Integrate the risk management of IT into overall ERM approaches and decision-making.
  - Outcome
    - The risk management of IT is on the agenda of all stakeholders, and is accepted as a key component in the management of business risks.
  - Metric
    - Percentage of IT risk management principles that align with ERM approaches.
  - Practice
    - Extend risk identification and assessment approaches organization-wide, and embed risk assessment into IT service life cycles and investment appraisals.
  - Outcomes
    - There is a consistent organization-wide approach to risk management assessment.
    - Risks in relation to IT service life cycles and proposed investments are consistently understood, enabling more informed investment decisions to be made.
  - Metric
    - Percentage of IT risk categories and asset classes covered by risk management measures.
- 5 Optimized
  - Practice
    - Establish a collaborative network of risk managers across the business ecosystem.
  - Outcome
    - Collaboration of risk managers and external experts across the business ecosystem supports optimized visibility and management of risks.
  - Metric
    - Percentage of business units that have a dedicated risk management role.
  - Practice
    - Review risk profiles in regular collaboration with relevant business ecosystem partners, and update them as required.
  - Outcome
    - Risk profiles are kept up to date and relevant through collaborative input and review.
  - Metric
    - Frequency of risk profile reviews and updates (as appropriate).
  - Practice
    - Ensure that ERM tools share data across the organization and that decision criteria relating to risk are uniform across the IT function and the rest of the business.
  - Outcome
    - Tools and data that support risk management are consistent.
  - Metric
    - Number of occurrences of non-compliance with risk management policies.
  - Practice
    - Optimize training programmes for specific stakeholder groups/risk management roles.
  - Outcomes
    - The most up-to-date training and tools are available, in line with policies and techniques.
    - Risk management knowledge and skills can be specialized.
  - Metrics
    - Number of employees completing mandatory risk management training courses per annum.
    - Percentage of executives, IT employees, and business unit employees trained in risk management.
    - Number of executives, IT employees, and business unit employees with industry certifications in risk management.
    - Frequency of updates to training programmes.
Reference
History
This capability was introduced in Revision 16 as a new critical capability.
It was deprecated in Revision 18.04 and superseded by Risk Management (18.04).