IVI Framework Viewer

Policies for Risk Management

A1

Define, implement, review, and make accessible risk management policies. Incorporate compliance requirements into risk management approaches.

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Policies for Risk Management at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of available personnel.
    Outcome
    _
    Metric
    _
2 Basic
  • Practice
    Identify regulatory/legal compliance policies and frameworks.
    Outcome
    Systematic implementation of regulatory and legal requirements is supported.
    Metrics
    • Ratio of actual reviews of external regulations to required reviews (set out in the policy).
    • Ratio of incorporated to identified external regulations.
    • # of identified non-compliance occurrences with relevant external regulations.
  • Practice
    Develop an initial Risk Management policy within the IT function.
    Outcome
    Existence of a policy document enables the organization to embark on the implementation of the Risk Management programme.
    Metric
    Existence of a RM policy.
  • Practice
    Execute reviews of the initial Risk Management policy within the IT function as needed.
    Outcome
    Accuracy and relevance of the policy increase, as the policy is more likely to be informed by major risk events.
    Metric
    Ratio of actual RM policy reviews to required reviews (set out in the policy).
  • Practice
    Implement the basic Risk Management policy in the IT function.
    Outcome
    The Risk Management policy can be used to support, for example, risk avoidance and legal requirements within IT.
    Metric
    % of IT staff who have signed the RM policy.
  • Practice
    Make the Risk Management policy locally available to employees within the IT function.
    Outcome
    The Risk Management policy can be accessed on request by some employees to support operational needs.
    Metric
    % of IT staff who have signed the RM policy.
3 Intermediate
  • Practices
    • Formalize a process and schedule for the review of the Risk Management policy.
    • Review and refine the policy and procedures, the business continuity plan and the alignment with corporate strategy.
    Outcome
    The Risk Management policy and approach are proactively kept in line with the business strategy.
    Metric
    Ratio of actual RM policy reviews to required reviews (set out in the policy).
  • Practice
    Implement a detailed Risk Management policy within the IT function and some other business units.
    Outcome
    A consistent and holistic Risk Management policy is in place, covering, for example, assets, processes, people, key emerging risks, risk avoidance, and mitigation.
    Metrics
    • % of IT staff who have signed the RM policy.
    • % of middle management who have signed the RM policy.
    • % of general staff who have signed the RM policy.
  • Practice
    Make the Risk Management policy centrally available.
    Outcome
    The Risk Management policy can be accessed centrally by most employees, via, for example, a document management system or the intranet, in order to support operational needs.
    Metrics
    • % of IT staff who have signed the RM policy.
    • % of middle management who have signed the RM policy.
    • % of general staff who have signed the RM policy.
4 Advanced
  • Practice
    Develop the Risk Management policy via a process of organization-wide cooperation and review the policy regularly.
    Outcome
    Existence of the policy document with multiple stakeholder input supports consistent and effective organization-wide implementation of the Risk Management programme.
    Metric
    Ratio of actual RM policy reviews to required reviews (set out in the policy).
  • Practice
    Benchmark the Risk Management policy against industry best known practice.
    Outcome
    Validity and completeness of the Risk Management policy are improved.
    Metric
    Ratio of actual RM policy benchmarks to planned benchmarks (set out in the policy).
  • Practice
    Align the Risk Management policy with business objectives.
    Outcome
    The Risk Management policy is consistent with and supportive of business goals.
    Metric
    % of IT-dependent business activities incorporated in the scope of the IT RM policy.
  • Practice
    Implement the Risk Management policy organization-wide.
    Outcome
    A consistent and holistic organization-wide policy supports all required operational needs with respect to Risk Management.
    Metrics
    • % of IT staff who have signed the RM policy.
    • % of middle management who have signed the RM policy.
    • % of general staff who have signed the RM policy.
  • Practice
    Make the Risk Management policy accessible to all stakeholders.
    Outcome
    All internal and external stakeholders can access the policy to support their operational needs.
    Metrics
    • % of IT staff who have signed the RM policy.
    • % of middle management who have signed the RM policy.
    • % of general staff who have signed the RM policy.
5 Optimized
  • Practice
    Develop the Risk Management policy with partners in the business ecosystem and ensure continual refinement and update of the policy using a well-defined and implemented process.
    Outcomes
    • Existence of the policy document with multiple stakeholder input supports consistent and effective implementation of the Risk Management programme across the business ecosystem.
    • Policy reviews include regular analysis and updates to ensure their ongoing relevance, and to support the improvement of organization-wide Risk Management effectiveness and efficiency.
    Metric
    Ratio of actual RM policy reviews to required reviews (set out in the policy).
  • Practice
    Share the Risk Management policy across the business ecosystem.
    Outcome
    A consistent and holistic policy supports all required operational needs with respect to Risk Management, including those of customers, suppliers, and other partners.
    Metrics
    • % of IT staff who have signed the RM policy.
    • % of middle management who have signed the RM policy.
    • % of general staff who have signed the RM policy.
    • % of stakeholders in the business ecosystem whose interests inform aspects of the RM policy.
    • # of mutual RM agreements in place with business ecosystem constituents.
  • Practice
    Continually improve the process for making the Risk Management policy available and accessible.
    Outcome
    All internal and external stakeholders can easily access the policy to support their operational needs.
    Metrics
    • % of IT staff who have signed the RM policy.
    • % of middle management who have signed the RM policy.
    • % of general staff who have signed the RM policy.
    • % of stakeholders in the business ecosystem whose interests inform aspects of the RM policy.