Policies for Risk Management
Define, implement, review, and make accessible risk management policies. Incorporate compliance requirements into risk management approaches.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Policies for Risk Management at each level of maturity.
- 1 Initial
- Practice
- Rely on the best endeavours of available personnel.
- Outcome
- _
- Metric
- _
- 2 Basic
- Practice
- Identify regulatory/legal compliance policies and frameworks.
- Outcome
- Systematic implementation of regulatory and legal requirements is supported.
- Metrics
- Ratio of actual reviews of external regulations to required reviews (set out in the policy).
- Ratio of incorporated to identified external regulations.
- # of identified non-compliance occurrences with relevant external regulations.
- Practice
- Develop an initial Risk Management policy within the IT function.
- Outcome
- Existence of a policy document enables the organization to embark on the implementation of the Risk Management programme.
- Metric
- Existence of a RM policy.
- Practice
- Execute reviews of the initial Risk Management policy within the IT function as needed.
- Outcome
- Accuracy and relevance of the policy increase, as the policy is more likely to be informed by major risk events.
- Metric
- Ratio of actual RM policy reviews to required reviews (set out in the policy).
- Practice
- Implement the basic Risk Management policy in the IT function.
- Outcome
- The Risk Management policy can be used to support, for example, risk avoidance and legal requirements within IT.
- Metric
- % of IT staff who have signed the RM policy.
- Practice
- Make the Risk Management policy locally available to employees within the IT function.
- Outcome
- The Risk Management policy can be accessed on request by some employees to support operational needs.
- Metric
- % of IT staff who have signed the RM policy.
- 3 Intermediate
- Practices
- Formalize a process and schedule for the review of the Risk Management policy.
- Review and refine the policy and procedures, the business continuity plan and the alignment with corporate strategy.
- Outcome
- The Risk Management policy and approach are proactively kept in line with the business strategy.
- Metric
- Ratio of actual RM policy reviews to required reviews (set out in the policy).
- Practice
- Implement a detailed Risk Management policy within the IT function and some other business units.
- Outcome
- A consistent and holistic Risk Management policy is in place, covering, for example, assets, processes, people, key emerging risks, risk avoidance, and mitigation.
- Metrics
- % of IT staff who have signed the RM policy.
- % of middle management who have signed the RM policy.
- % of general staff who have signed the RM policy.
- Practice
- Make the Risk Management policy centrally available.
- Outcome
- The Risk Management policy can be accessed centrally by most employees, via, for example, a document management system or the intranet, in order to support operational needs.
- Metrics
- % of IT staff who have signed the RM policy.
- % of middle management who have signed the RM policy.
- % of general staff who have signed the RM policy.
- 4 Advanced
- Practice
- Develop the Risk Management policy via a process of organization-wide cooperation and review the policy regularly.
- Outcome
- Existence of the policy document with multiple stakeholder input supports consistent and effective organization-wide implementation of the Risk Management programme.
- Metric
- Ratio of actual RM policy reviews to required reviews (set out in the policy).
- Practice
- Benchmark the Risk Management policy against industry best known practice.
- Outcome
- Validity and completeness of the Risk Management policy are improved.
- Metric
- Ratio of actual RM policy benchmarks to planned benchmarks (set out in the policy).
- Practice
- Align the Risk Management policy with business objectives.
- Outcome
- The Risk Management policy is consistent with and supportive of business goals.
- Metric
- % of IT-dependent business activities incorporated in the scope of the IT RM policy.
- Practice
- Implement the Risk Management policy organization-wide.
- Outcome
- A consistent and holistic organization-wide policy supports all required operational needs with respect to Risk Management.
- Metrics
- % of IT staff who have signed the RM policy.
- % of middle management who have signed the RM policy.
- % of general staff who have signed the RM policy.
- Practice
- Make the Risk Management policy accessible to all stakeholders.
- Outcome
- All internal and external stakeholders can access the policy to support their operational needs.
- Metrics
- % of IT staff who have signed the RM policy.
- % of middle management who have signed the RM policy.
- % of general staff who have signed the RM policy.
- 5 Optimized
- Practice
- Develop the Risk Management policy with partners in the business ecosystem and ensure continual refinement and update of the policy using a well-defined and implemented process.
- Outcomes
- Existence of the policy document with multiple stakeholder input supports consistent and effective implementation of the Risk Management programme across the business ecosystem.
- Policy reviews include regular analysis and updates to ensure their ongoing relevance, and to support the improvement of organization-wide Risk Management effectiveness and efficiency.
- Metric
- Ratio of actual RM policy reviews to required reviews (set out in the policy).
- Practice
- Share the Risk Management policy across the business ecosystem.
- Outcome
- A consistent and holistic policy supports all required operational needs with respect to Risk Management, including those of customers, suppliers, and other partners.
- Metrics
- % of IT staff who have signed the RM policy.
- % of middle management who have signed the RM policy.
- % of general staff who have signed the RM policy.
- % of stakeholders in the business ecosystem whose interests inform aspects of the RM policy.
- # of mutual RM agreements in place with business ecosystem constituents.
- Practice
- Continually improve the process for making the Risk Management policy available and accessible.
- Outcome
- All internal and external stakeholders can easily access the policy to support their operational needs.
- Metrics
- % of IT staff who have signed the RM policy.
- % of middle management who have signed the RM policy.
- % of general staff who have signed the RM policy.
- % of stakeholders in the business ecosystem whose interests inform aspects of the RM policy.