IVI Framework Viewer

Integration

A2

Integrate IT risk management with IT leadership and governance structures, and with overall ERM policies and approaches.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Integration at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of available personnel.
    Outcome
    _
    Metric
    _
2 Basic
  • Practice
    Consider some integration of IT Risk Management into IT governance structures, processes, and systems and overall Enterprise Risk Management (ERM).
    Outcome
    Some decisions can be taken with appropriate consideration of risk.
    Metric
    _
3 Intermediate
  • Practices
    • Integrate IT Risk Management into governance structures and overall Enterprise Risk Management (ERM) in IT and some other business units.
    • Include risk assessment scores in decision-making processes.
    Outcome
    Many decisions can be taken with appropriate consideration of risk.
    Metric
    % of decisions that have documented risk assessments.
4 Advanced
  • Practices
    • Reflect the IT Risk Management policy as a part of important organization-wide governance models.
    • Integrate Risk Management processes into overall decision-making processes and overall Enterprise Risk Management (ERM).
    Outcomes
    • IT Risk Management is on the agenda of all stakeholders and is accepted as a key component of the management of business risk.
    • Consideration of risk is a key driver in making decisions.
    Metric
    % of decisions that have documented risk assessments.
  • Practice
    Embed IT Risk Management processes into product and project life cycles.
    Outcome
    All product and project life cycles are risk-aware, with relevant risks logged in a risk register.
    Metrics
    • % of IT-dependent project budgets that are covered by RM measures.
    • % of IT-dependent product budgets that are covered by RM measures.
  • Practice
    Use the IT Risk Management policy in business case preparation for product and project life cycles.
    Outcome
    Consideration of risk becomes a formal part of investment appraisal.
    Metric
    % of business cases that include documented risk assessments.
  • Practice
    Reflect IT Risk Management results in budgetary processes.
    Outcome
    Risks taken in budgetary decisions are transparent, which gives the sponsor of the funded item a more accurate overall view.
    Metric
    % of budgetary decisions that include documented risk assessments.
5 Optimized
  • Practice
    Continually review and improve the integration of IT Risk Management into governance structures and overall Enterprise Risk Management (ERM).
    Outcome
    IT Risk Management's integration into governance structures and overall ERM is regularly improved based on past experience.
    Metrics
    • % of decisions that have documented risk assessments.
    • % of IT-dependent project budgets that are covered by RM measures.
    • % of IT-dependent product budgets that are covered by RM measures.
    • % of business cases that include documented risk assessments.
    • % of budgetary decisions that include documented risk assessments.