Integration
Integrate IT risk management with IT leadership and governance structures, and with overall ERM policies and approaches.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Integration at each level of maturity.
- 1 Initial
  - Practice
    - Rely on the best endeavours of available personnel.
  - Outcome
    - _
  - Metric
    - _
- 2 Basic
  - Practice
    - Consider some integration of IT Risk Management into IT governance structures, processes, and systems, and into overall Enterprise Risk Management (ERM).
  - Outcome
    - Some decisions can be taken with appropriate consideration of risk.
  - Metric
    - _
- 3 Intermediate
  - Practices
    - Integrate IT Risk Management into governance structures and overall Enterprise Risk Management (ERM) in IT and some other business units.
    - Include risk assessment scores in decision-making processes.
  - Outcome
    - Many decisions can be taken with appropriate consideration of risk.
  - Metric
    - % of decisions that have documented risk assessments.
- 4 Advanced
  - Practices
    - Reflect the IT Risk Management policy as a part of important organization-wide governance models.
    - Integrate Risk Management processes into overall decision-making processes and overall Enterprise Risk Management (ERM).
  - Outcomes
    - IT Risk Management is on the agenda of all stakeholders and is accepted as a key component of the management of business risk.
    - Consideration of risk is a key driver in making decisions.
  - Metric
    - % of decisions that have documented risk assessments.
  - Practice
    - Embed IT Risk Management processes into product and project life cycles.
  - Outcome
    - All product and project life cycles are risk-aware, with relevant risks logged in a risk register.
  - Metrics
    - % of IT-dependent project budgets that are covered by RM measures.
    - % of IT-dependent product budgets that are covered by RM measures.
  - Practice
    - Use the IT Risk Management policy in business case preparation for product and project life cycles.
  - Outcome
    - Consideration of risk becomes a formal part of investment appraisal.
  - Metric
    - % of business cases that include documented risk assessments.
  - Practice
    - Reflect IT Risk Management results in budgetary processes.
  - Outcome
    - Risks taken in budgetary decisions are transparent, which gives the sponsor of the funded item a more accurate overall view.
  - Metric
    - % of budgetary decisions that include documented risk assessments.
- 5 Optimized
  - Practice
    - Continually review and improve the integration of IT Risk Management into governance structures and overall Enterprise Risk Management (ERM).
  - Outcome
    - IT Risk Management's integration into governance structures and overall ERM is regularly improved based on past experience.
  - Metrics
    - % of decisions that have documented risk assessments.
    - % of IT-dependent project budgets that are covered by RM measures.
    - % of IT-dependent product budgets that are covered by RM measures.
    - % of business cases that include documented risk assessments.
    - % of budgetary decisions that include documented risk assessments.