IVI Framework Viewer

Risk Management Programme and Performance Management

A3

Identify risk management leadership responsibilities and accountability. Define risk management roles, responsibilities, and accountabilities in support of the programme's principles and guidance. Measure and report on the effectiveness and efficiency of risk management activities.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Risk Management Programme and Performance Management at each level of maturity.

1Initial
  • Practice
    Rely on the best endeavours of available personnel.
    Outcome
    _
    Metric
    _
2Basic
  • Practice
    Develop and promote IT management support for the Risk Management programme.
    Outcomes
    • There is evidence of growing commitment by IT senior management to improving Risk Management practices.
    • However, the Risk Management programme may be treated as a silo capability within IT.
    Metric
    % of IT management endorsing and communicating the RM programme.
  • Practices
    • Establish a Risk Management programme within the IT function.
    • Identify key stakeholders and allocate responsibility, accountability and ownership to IT roles.
    Outcomes
    • The IT function has a structured base on which to establish and co-ordinate an efficient Risk Management programme.
    • Key decision makers are involved at the outset.
    Metric
    # of IT staff with allocated RM responsibility and accountability.
  • Practice
    Define elementary access rights based on roles or job duties.
    Outcome
    Information and systems that can be accessed from each role are formally defined, together with the level of access.
    Metric
    % of roles for which access rights are defined.
  • Practice
    Use selected metrics to measure the overall performance of Risk Management activities within the IT function.
    Outcome
    There is a high-level view of the overall performance of Risk Management activities, which can serve as the basis for improved Risk Management decision-making.
    Metrics
    • Magnitude of provisions for IT risk.
    • Ratio of potential cost of IT risk and annual sales.
    • Ratio of potential cost of IT risk and annual profit.
    • Ratio of potential cost of IT risk and provisions for IT risk.
3Intermediate
  • Practice
    Develop and promote IT and business senior management support for Risk Management.
    Outcomes
    • There is evidence of growing commitment by IT and some other business unit senior management to improving Risk Management practices.
    • Risk management philosophies are embedded into business objectives.
    Metrics
    • % of IT management endorsing and communicating the RM programme.
    • % of business unit management endorsing and communicating the RM programme.
  • Practice
    Allocate Risk Management ownership and accountability to IT and business roles.
    Outcome
    Points of contact exist for Risk Management, and the necessary time and skills are invested in the Risk Management programme.
    Metrics
    • # of IT staff with allocated RM responsibility and accountability.
    • # of general staff with allocated RM responsibility and accountability.
  • Practice
    Evaluate and report the effectiveness and efficiency of selected Risk Management activities.
    Outcome
    Performance reports of selected Risk Management activities are available, which can serve as the basis for improved Risk Management decision-making.
    Metrics
    • Magnitude of provisions for IT risk.
    • Ratio of potential cost of IT risk and annual sales.
    • Ratio of potential cost of IT risk and annual profit.
    • Ratio of potential cost of IT risk and provisions for IT risk.
4Advanced
  • Practice
    Promote corporate senior management endorsement of the Risk Management policies and programme organization-wide.
    Outcome
    The Risk Management policies and programme are embedded into the overall organization's operations.
    Metrics
    • % of IT management endorsing and communicating the RM programme.
    • % of business unit management endorsing and communicating the RM programme.
    • % of corporate senior management endorsing and communicating the RM programme.
  • Practice
    Identify or set up a dedicated function within the organization that has ownership and accountability for the Risk Management programme.
    Outcomes
    • Dedicated points of contact for Risk Management exist organization-wide, and the necessary time and skills are invested in the Risk Management programme.
    • IT and other business stakeholders perform dedicated roles in the programme.
    Metrics
    • # of IT staff with allocated RM responsibility and accountability.
    • # of general staff with allocated RM responsibility and accountability.
  • Practice
    Evaluate the effectiveness of organization-wide Risk Management and the efficiency of major Risk Management activities, and report the results.
    Outcomes
    • Organization-wide Risk Management effectiveness, and efficiency of major Risk Management activities are understood.
    • This helps identify areas for improvement in relation to Risk Management.
    Metrics
    • Magnitude of provisions for IT risk.
    • Ratio of potential cost of IT risk and annual sales.
    • Ratio of potential cost of IT risk and annual profit.
    • Ratio of potential cost of IT risk and provisions for IT risk.
5Optimized
  • Practice
    Embed Risk Management philosophies into the mission and vision statements and ensure strategic objectives are in place to support them.
    Outcome
    Risk management is an integral part of the organization's overall mission, vision and strategic objectives.
    Metric
    # of strategic objectives reflecting RM importance.
  • Practice
    Dynamically assign ownership and accountability for the Risk Management programme to the appropriate level within the organization.
    Outcome
    Risk management ownership and accountability is assigned to the most appropriate levels and roles within the organization.
    Metric
    Ratio of actual reviews of RM accountability and ownership assignment to required reviews (set out in the policy).
  • Practice
    Regularly evaluate the effectiveness and efficiency of the organization-wide Risk Management function.
    Outcome
    The effectiveness and efficiency of the Risk Management function is understood, and this helps identify areas for improvement and optimization.
    Metrics
    • Magnitude of provisions for IT risk.
    • Ratio of potential cost of IT risk and annual sales.
    • Ratio of potential cost of IT risk and annual profit.
    • Ratio of potential cost of IT risk and provisions for IT risk.