Governance

Establishes how IT risk management should be executed.

A1Policies for Risk Management: Define, implement, review, and make accessible risk management policies. Incorporate compliance requirements into risk management approaches.
A2Integration: Integrate IT risk management with IT leadership and governance structures, and with overall ERM policies and approaches.
A3Risk Management Programme and Performance Management: Identify risk management leadership responsibilities and accountability. Define risk management roles, responsibilities, and accountabilities in support of the programme's principles and guidance. Measure and report on the effectiveness and efficiency of risk management activities.
A4Communication and Training: Disseminate risk management approaches, policies, and results. Train stakeholders in risk management practices. Develop a risk management culture and risk management knowledge and skills.