IVI Framework Viewer

Assessment

C1

Identify subject matter experts for risk assessments. Run risk assessments to identify, document, and quantify or score risks and their components. Assessments include the evaluation of exposure to risks and measurement of their potential impact.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Assessment at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of available personnel.
    Outcome
    _
    Metric
    _
2 Basic
  • Practice
    Identify subject matter experts within the IT function for risk assessments.
    Outcome
    Risk assessments are aligned with responsible persons, mainly on a technical level.
    Metric
    # of SMEs identified for risk assessment in IT.
  • Practice
    Assess risk exposure ad hoc, for isolated incidents within the IT function.
    Outcomes
    • A basic risk overview exists.
    • Assessments are based on risk as perceived by the identified SMEs, by media reports and by other external sources.
    • The risks identified include major pain-points and current trends, but may lack consistency.
    Metrics
    • Risk exposure (likelihood combined with impact) for each identified risk.
    • % of identified risks whose impact/likelihood exceeds the organization's risk tolerance.
  • Practice
    Use IT specific risk metrics during risk assessments.
    Outcome
    Risk assessments include IT metrics that are typically focused on technical assets, but no consistent metrics framework is in place.
    Metric
    _
3 Intermediate
  • Practice
    Identify subject matter experts in the IT function and some other business units for risk assessments.
    Outcome
    Risks are collected and evaluated with an overall business perspective in mind.
    Metrics
    • # of SMEs identified for risk assessment in IT.
    • # of SMEs identified for risk assessment in other business units.
  • Practices
    • Conduct risk assessments on a regular basis.
    • Use dimensions and information from risk profiles for assessments and ensure complete assessment of exposures.
    • Assess violations, missed opportunities and response time.
    Outcomes
    • Collection of comparable data is made easier and follow-through on risk handling is encouraged.
    • Consistent information is available for all risks.
    • Information is sufficient for risks to be taken into account in decision-making processes.
    Metrics
    • Risk exposure (likelihood combined with impact) for each identified risk.
    • % of identified risks whose impact/likelihood exceeds the organization's risk tolerance.
  • Practice
    Use IT and business metrics in risk assessments.
    Outcomes
    • Risk assessments include IT and business metrics that are typically focused on business assets and processes.
    • A consistent metrics framework is used.
    Metric
    _
4 Advanced
  • Practice
    Proactively identify subject matter experts across the organization for risk assessments.
    Outcome
    Risks are collected and evaluated organization-wide with an overall business perspective in mind.
    Metrics
    • # of SMEs identified for risk assessment in IT.
    • # of SMEs identified for risk assessment in other business units.
  • Practices
    • Perform standardized risk identification and assessment across the organization.
    • Build risk assessment into product and project life cycles and investment appraisals.
    Outcomes
    • Comparable and consistent data is available on risks.
    • Risks are identified and assessed in organization-wide decisions such as product and project life cycles and investment appraisals.
    Metrics
    • % of IT-dependent project budgets that are covered by risk management (RM) measures.
    • % of IT-dependent product budgets that are covered by risk management (RM) measures.
  • Practice
    Define and use assessment metrics that are linked to the impact on business processes.
    Outcomes
    • An organization-wide, holistic and stable metrics framework exists.
    • There is clear linkage between business process impact and risk.
    Metric
    _
5 Optimized
  • Practice
    Identify and consult subject matter experts in the business ecosystem for risk assessments.
    Outcome
    The risks collected and evaluated are kept relevant and up-to-date with input from experts in the business ecosystem.
    Metrics
    • # of SMEs identified for risk assessment in IT.
    • # of SMEs identified for risk assessment in other business units.
    • # of SMEs identified for risk assessment in the business ecosystem.
  • Practices
    • Build agility and adaptability into the risk identification process.
    • Consider long-term risks and continually review and update the process.
    Outcome
    The expanded scope of Risk Management allows for inclusion of long-term risks and adaptability to the complexity and scope of the business operating model.
    Metric
    Time horizon covered by the risk assessment.
  • Practice
    Evaluate and optimize the efficiency and effectiveness of risk metrics.
    Outcome
    Metrics are improved, often based on systematic internal and/or external benchmarks.
    Metric
    Ratio of actual risk metric benchmarks to required benchmarks (set out in the policy or handbook).