Risk Management (RM)

The Risk Management (RM) capability is the ability to assess, prioritize, handle, and monitor the exposure to and the potential impact of IT-related risks that can directly impact the business in a financial or reputational manner. Risks include those associated with (among others) IT security, data protection and information privacy, operations, continuity of business and recovery from declared disasters, IT investment and project delivery, and IT service contracts and suppliers. The Risk Management (RM) capability covers:

  • Establishing an IT risk management programme and policies.
  • Establishing risk management roles and responsibilities.
  • Communicating and training in the area of risk management.
  • Understanding the organization's tolerance for IT-related risks.
  • Defining risk profiles.
  • Assessing and prioritizing different types of risks.
  • Defining risk handling strategies for identified IT risks (accept, avoid, mitigate, or transfer).
  • Monitoring IT risk exposures.
  • Integrating IT risk management with wider ERM practices such as business continuity planning, disaster recovery, information security, audit and assurance.

Structure

RM is made up of the following Categories and CBBs. Maturity and Planning are described at both the CC and the CBB level.

A Governance

Establishes how IT risk management should be executed.

A1 Policies for Risk Management

Define, implement, review, and make accessible risk management policies. Incorporate compliance requirements into risk management approaches.

A2 Integration

Integrate IT risk management with IT leadership and governance structures, and with overall ERM policies and approaches.

A3 Risk Management Programme and Performance Management

Identify risk management leadership responsibilities and accountability. Define risk management roles, responsibilities, and accountabilities in support of the programme's principles and guidance. Measure and report on the effectiveness and efficiency of risk management activities.

A4 Communication and Training

Disseminate risk management approaches, policies, and results. Train stakeholders in risk management practices. Develop a risk management culture and risk management knowledge and skills.

B Profiling and Coverage

Ensures that IT-related risks are assessed effectively.

B1 Definition of Risk Profiles

Define the risk profiles by their potential impact on business continuity and performance. Apply risk profiles in risk management activities.

B2 Risk Coverage

Establish the breadth of IT risk categories and asset classes that are addressed by risk management activities.

C Process

Addresses the day-to-day activities of identifying and protecting the organization from IT-related risks.

C1 Assessment

Identify subject matter experts for risk assessments. Run risk assessments to identify, document, and quantify or score risks and their components. Assessments include the evaluation of exposure to risks and measurement of their potential impact.

C2 Prioritization

Prioritize inherent and residual risks and risk handling strategies, based on the organization's risk tolerance – that is, what risk levels are acceptable.

C3 Handling

Assign ownership to identified risks, and responsibility and accountability for developing risk handling strategies. Initiate implementation of risk handling strategies, where risks can be transferred, absorbed, or mitigated. Interact with incident management functions – see chapter 27, Service Provisioning (SRP).

C4 Monitoring

Establish a risk register. Track and report risks and risk incidents, and validate the effectiveness of risk controls.
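The four process steps above (assess and score, prioritize against tolerance, assign ownership and a handling strategy, monitor the register and validate controls), together with the Improvement Planning metric "Percentage of identified risks whose potential impact or likelihood of being realized exceeds the organization's risk tolerance", worked through as a small risk register. This is an added Python example, not code from the IT-CMF framework or from this page; the 1 to 5 scales, the likelihood x impact scoring rule, the tolerance values and the register entries are constructed assumptions.

```python
"""Minimal IT risk register for the RM process steps C1 to C4.
Added example, not part of the IT-CMF framework. Scales, scoring rule,
tolerance values and register entries are constructed assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Handling(Enum):
    """Risk handling strategies named by the RM capability (accept, avoid, mitigate, transfer)."""
    ACCEPT = "accept"
    AVOID = "avoid"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"


@dataclass
class Risk:
    """One register entry. Likelihood and impact use an assumed 1..5 scale."""
    risk_id: str
    description: str
    owner: str                      # C3: every identified risk has an owner
    likelihood: int                 # inherent likelihood, 1 (rare) .. 5 (almost certain)
    impact: int                     # inherent impact, 1 (negligible) .. 5 (severe)
    handling: Handling = Handling.ACCEPT
    residual_likelihood: Optional[int] = None   # after controls; None = unchanged
    residual_impact: Optional[int] = None

    def inherent_exposure(self) -> int:
        """C1: exposure scored as likelihood x impact (assumed scoring rule)."""
        return self.likelihood * self.impact

    def residual(self) -> Tuple[int, int]:
        """Likelihood and impact that remain once the handling strategy is applied."""
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik, imp

    def residual_exposure(self) -> int:
        lik, imp = self.residual()
        return lik * imp


# Organizational tolerance: highest acceptable likelihood and impact (assumed values).
TOLERANCE = (3, 3)


def exceeds_tolerance(risk: Risk, tolerance: Tuple[int, int] = TOLERANCE) -> bool:
    """C2: a risk is unacceptable if its residual likelihood OR impact is above tolerance."""
    lik, imp = risk.residual()
    return lik > tolerance[0] or imp > tolerance[1]


def prioritize(register: List[Risk]) -> List[str]:
    """C2: rank by residual exposure, highest first; inherent exposure breaks ties."""
    ranked = sorted(register,
                    key=lambda r: (r.residual_exposure(), r.inherent_exposure()),
                    reverse=True)
    return [r.risk_id for r in ranked]


def percent_exceeding_tolerance(register: List[Risk],
                                tolerance: Tuple[int, int] = TOLERANCE) -> float:
    """POM metric: percentage of identified risks outside the organization's tolerance."""
    if not register:
        return 0.0
    over = sum(1 for r in register if exceeds_tolerance(r, tolerance))
    return round(100.0 * over / len(register), 1)


def ineffective_controls(register: List[Risk]) -> List[str]:
    """C4: validate controls; flag handled risks whose residual exposure has not dropped."""
    return [r.risk_id for r in register
            if r.handling is not Handling.ACCEPT
            and r.residual_exposure() >= r.inherent_exposure()]


def build_sample_register() -> List[Risk]:
    """Constructed sample entries; not taken from any real organization."""
    return [
        Risk("R1", "Internet-facing server missing vendor patches", "Infra lead",
             4, 5, Handling.MITIGATE, residual_likelihood=2),
        Risk("R2", "Cloud provider regional outage", "Service owner",
             3, 4, Handling.TRANSFER, residual_impact=2),
        Risk("R3", "Loss of laptop holding customer data", "IT security",
             3, 3, Handling.MITIGATE, residual_impact=1),
        Risk("R4", "End-of-life internal reporting tool", "App owner",
             2, 2, Handling.ACCEPT),
        Risk("R5", "Key supplier has no continuity plan", "Procurement",
             2, 4, Handling.MITIGATE),   # control planned but not yet in effect
    ]


if __name__ == "__main__":
    register = build_sample_register()
    print("Priority order:", prioritize(register))
    print("Risks outside tolerance: %.1f%%" % percent_exceeding_tolerance(register))
    print("Controls needing review:", ineffective_controls(register))
```

The tolerance is expressed per dimension rather than as a single score because the metric on this page is defined in terms of impact or likelihood exceeding tolerance; a risk with low likelihood but severe impact (R1 after mitigation) therefore still counts as outside tolerance, which a combined score alone would hide. The control validation step is what turns a static register into the monitoring activity C4 describes: R5 carries a mitigation strategy on paper but no change in residual exposure, so it is surfaced for review.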

Overview

Goal

The Risk Management (RM) capability aims to protect the organization from risk exposures associated with Information Technology (IT).

Objectives

  • Identify and assess the IT-related risks that present vulnerabilities to the business, determine appropriate risk handling strategies, and monitor their effectiveness.
  • Manage the exposure to IT-related risks such as those related to IT security, IT sabotage, data protection, information privacy, product and project life cycles, and IT investment; and protect the business from the impact of risk incidents.
  • NOTE: For detailed technical analysis and technical mitigation actions pertaining to information security-related risks, see chapter 21, Information Security Management (ISM).
  • Increase compliance with external regulations and ethics policies relating to the deployment and use of technology.
  • Increase transparency around how IT-related risks could affect business objectives and decisions.
  • Contribute to improving the organization's reputation as a trusted supply chain business partner.

Value

The Risk Management (RM) capability can reduce the frequency and the severity of risks associated with IT negatively impacting the organization's business operations.

Relevance

While the replacement of traditional business models by technology-enabled models (as in, for example, the replacement of ‘bricks and mortar’ stores by e-commerce stores) supports improved operational efficiency, it can also increase the exposure of the organization to IT-related risk if not managed appropriately. Risks pertaining to cloud computing, analytics, mobile, and social technologies continue to evolve, and these could potentially impact business-critical operations [1]. Hence, an effective approach to managing these and other IT-related risks is required to enable organizations to reduce their exposure and the potential negative consequences [2].

By establishing an effective Risk Management (RM) capability, an organization can identify and understand current and emerging IT-related risks, including the likelihood of their occurrence and the magnitude of their impact. Stakeholders can then take steps to protect IT assets proportionate to their organizational value through prioritizing, handling, and monitoring those risks. Integrating the management of risks associated with IT with wider Enterprise Risk Management (ERM) practices promotes a greater understanding by the IT function of business priorities and critical business services, thereby enabling more effective risk treatment, avoidance of risk oversights, and better return on IT investments [3][4].

Scope

Definition

The definition of the Risk Management (RM) capability, and the list of activities it covers, is given in the introduction at the top of this page.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for RM at each level of maturity.

2 Basic
  • Practice
    Identify regulatory compliance policies and frameworks.
    Outcome
    Confidence grows regarding the consistent implementation of measures to satisfy regulatory requirements.
    Metrics
    • Number of instances of non-compliance with external regulations.
    • Number of compliance issues identified as business-critical.
  • Practice
    Set up initial employee training in risk management principles, tools, and techniques, initially focusing on the IT function.
    Outcome
    There is high-level user awareness of, and proficiency in, risk management for operational and decision-making processes.
    Metrics
    • Number of mandatory risk management training sessions per annum.
    • Percentage of IT employees trained in risk management.
    • Number of IT employees with industry certifications in risk management.
  • Practice
    Create basic risk profiles for prioritized areas across the IT function.
    Outcome
    Basic risk profiles support the IT function's risk assessment and treatment in a number of high-risk areas.
    Metrics
    • Number of risk areas covered by the risk profiles.
    • Percentage of projects and operational systems in the various risk categories and asset classes.
  • Practice
    Assess risk exposure to high-profile incidents within the IT function.
    Outcome
    A basic risk overview is provided, with particular emphasis on major pain-points/sensitivities and current trends.
    Metrics
    • Risk exposure for each identified risk.
    • Percentage of identified risks whose potential impact or likelihood of being realized exceeds the organization's risk tolerance.
3 Intermediate
  • Practice
    Implement a consistent set of risk management principles and guidelines across the IT function and some other business units.
    Outcome
    A consistent and holistic risk management policy is in place covering assets, approaches, people, risk identification, and risk treatment, and it is increasingly relevant to more and more business unit needs.
    Metric
    Percentage of functional groups within the IT function and other business units that have participated in the risk management programme.
  • Practice
    Communicate the risk management policy and approaches across the IT function and to some other business unit stakeholders.
    Outcomes
    • There is a growing awareness of risk management principles and guidelines.
    • Communication ensures that a risk management culture emerges across key areas of the organization.
    Metric
    Percentage of functional groups that align to the overall ERM policies.
  • Practice
    Allocate risk management ownership and accountability across roles in the IT function and some other business units.
    Outcome
    Points of contact exist for risk management, and the necessary time and skills are invested in the risk management programme.
    Metric
    Distribution of employees with allocated risk management responsibility and accountability.
  • Practice
    Establish a central risk register.
    Outcome
    The recording of risks in a central register provides consistent information on risks, and supports efficient management and reporting.
    Metric
    Number of risks actively managed in a central risk register.
  • Practices
    • Conduct regular risk assessments, using dimensions and information provided by the risk profiles.
    • Assess violations, missed opportunities, and response times.
    Outcome
    Data on risks can be consistently gathered, and used to support risk prioritization and handling.
    Metrics
    • Risk exposure for each identified risk.
    • Percentage of identified risks whose potential impact or likelihood of being realized exceeds the organization's risk tolerance.
4 Advanced
  • Practice
    Benchmark risk management practices against industry best-known practice on a regular basis.
    Outcomes
    • The risk management policy reflects latest industry practice insights.
    • Risk management principles and guidelines are more robust and complete.
    Metric
    Percentage of identified risks within the tolerance levels of broader ERM guidance.
  • Practice
    Broaden training on risk management approaches to include all stakeholders and teams.
    Outcomes
    • Teams have the knowledge and tools needed for risk management activities.
    • Risk management becomes more embedded in the organization's culture.
    Metrics
    • Number of mandatory risk management training sessions per annum.
    • Percentage of executives, IT employees, and business unit employees trained in risk management.
    • Number of executives, IT employees, and business unit employees with industry certifications in risk management.
  • Practice
    Incorporate benchmark data from industry sources into the risk profiles.
    Outcome
    Incorporating benchmark data enables risks to be evaluated in an industry context, with meaningful placement of risks along the risk profile's dimensions, and supports validity and quality assurance.
    Metric
    Percentage of projects and operational systems in the various risk categories and asset classes.
  • Practice
    Integrate the risk management of IT into overall ERM approaches and decision-making.
    Outcome
    The risk management of IT is on the agenda of all stakeholders, and is accepted as a key component in the management of business risks.
    Metric
    Percentage of IT risk management principles that align with ERM approaches.
  • Practice
    Extend risk identification and assessment approaches organization-wide, and embed risk assessment into IT service life cycles and investment appraisals.
    Outcomes
    • There is a consistent organization-wide approach to risk management assessment.
    • Risks in relation to IT service life cycles and proposed investments are consistently understood, enabling more informed investment decisions to be made.
    Metric
    Percentage of IT risk categories and asset classes covered by risk management measures.
5 Optimized
  • Practice
    Establish a collaborative network of risk managers across the business ecosystem.
    Outcome
    Collaboration of risk managers and external experts across the business ecosystem supports optimized visibility and management of risks.
    Metric
    Percentage of business units that have a dedicated risk management role.
  • Practice
    Review risk profiles in regular collaboration with relevant business ecosystem partners, and update them as required.
    Outcome
    Risk profiles are kept up to date and relevant through collaborative input and review.
    Metric
    Frequency of risk profile reviews and updates (as appropriate).
  • Practice
    Ensure that ERM tools share data across the organization and that decision criteria relating to risk are uniform across the IT function and the rest of the business.
    Outcome
    Tools and data that support risk management are consistent.
    Metric
    Number of occurrences of non-compliance with risk management policies.
  • Practice
    Optimize training programmes for specific stakeholder groups/risk management roles.
    Outcomes
    • The most up-to-date training and tools are available, in line with policies and techniques.
    • Risk management knowledge and skills can be specialized.
    Metrics
    • Number of employees completing mandatory risk management training courses per annum.
    • Percentage of executives, IT employees, and business unit employees trained in risk management.
    • Number of executives, IT employees, and business unit employees with industry certifications in risk management.
    • Frequency of updates to training programmes.

Reference

History

This capability was introduced in Revision 16 as a new critical capability.

It was deprecated in Revision 18.04 and superseded by Risk Management (18.04).