Prioritization
Prioritize inherent and residual risks and risk handling strategies, based on the organization's risk tolerance – that is, what risk levels are acceptable.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Prioritization at each level of maturity.
- 1 Initial
  - Practice: Rely on the best endeavours of available personnel.
  - Outcome: _
  - Metric: _
- 2 Basic
  - Practice: Establish a managed prioritization process within the IT function and conduct risk prioritization as needed.
  - Outcome: Risk prioritization can be based on the organization's risk appetite and on the estimated risk impact, probability of occurrence, and time horizon.
  - Metric: % of identified risks that are prioritized.
- 3 Intermediate
  - Practice: Base prioritization decisions in the IT function and some other business units on an evaluation of risk impact, probability of occurrence, time horizon, etc.
  - Outcome: Risk prioritization in the IT function and in some other business units becomes more proactive and no longer treats only major perceived pain-points.
  - Metric: % of identified risks that are prioritized.
- 4 Advanced
  - Practice: Integrate the risk prioritization process across the organization and assess risk impact and probability of occurrence based on the business operating model.
  - Outcome: A consistent organization-wide approach to risk prioritization exists.
  - Metric: % of identified risks that are prioritized.
- 5 Optimized
  - Practice: Continually review and optimize the prioritization process.
  - Outcomes:
    - The prioritization process meets the current and future needs of the organization.
    - Its effectiveness, efficiency, and accuracy of estimates are regularly assessed.
  - Metrics:
    - % of identified risks that are prioritized.
    - Ratio of actual risk prioritization process reviews to required reviews (as set out in the policy).