Risk Management Programme and Performance Management
Identify risk management leadership responsibilities and accountability. Define risk management roles, responsibilities, and accountabilities in support of the programme's principles and guidance. Measure and report on the effectiveness and efficiency of risk management activities.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Risk Management Programme and Performance Management at each level of maturity.
- 1 Initial
  - Practice
    - Rely on the best endeavours of available personnel.
  - Outcome
    - (none)
  - Metric
    - (none)
- 2 Basic
  - Practice
    - Develop and promote IT management support for the Risk Management programme.
  - Outcomes
    - There is evidence of growing commitment by IT senior management to improving Risk Management practices.
    - However, the Risk Management programme may be treated as a silo capability within IT.
  - Metric
    - % of IT management endorsing and communicating the RM programme.
  - Practices
    - Establish a Risk Management programme within the IT function.
    - Identify key stakeholders and allocate responsibility, accountability and ownership to IT roles.
  - Outcomes
    - The IT function has a structured base on which to establish and co-ordinate an efficient Risk Management programme.
    - Key decision makers are involved at the outset.
  - Metric
    - # of IT staff with allocated RM responsibility and accountability.
  - Practice
    - Define elementary access rights based on roles or job duties.
  - Outcome
    - The information and systems that can be accessed from each role are formally defined, together with the level of access.
  - Metric
    - % of roles for which access rights are defined.
  - Practice
    - Use selected metrics to measure the overall performance of Risk Management activities within the IT function.
  - Outcome
    - There is a high-level view of the overall performance of Risk Management activities, which can serve as the basis for improved Risk Management decision-making.
  - Metrics
    - Magnitude of provisions for IT risk.
    - Ratio of potential cost of IT risk to annual sales.
    - Ratio of potential cost of IT risk to annual profit.
    - Ratio of potential cost of IT risk to provisions for IT risk.
- 3 Intermediate
  - Practice
    - Develop and promote IT and business senior management support for Risk Management.
  - Outcomes
    - There is evidence of growing commitment by IT senior management and by senior management in some other business units to improving Risk Management practices.
    - Risk management philosophies are embedded into business objectives.
  - Metrics
    - % of IT management endorsing and communicating the RM programme.
    - % of business unit management endorsing and communicating the RM programme.
  - Practice
    - Allocate Risk Management ownership and accountability to IT and business roles.
  - Outcome
    - Points of contact exist for Risk Management, and the necessary time and skills are invested in the Risk Management programme.
  - Metrics
    - # of IT staff with allocated RM responsibility and accountability.
    - # of general staff with allocated RM responsibility and accountability.
  - Practice
    - Evaluate and report the effectiveness and efficiency of selected Risk Management activities.
  - Outcome
    - Performance reports on selected Risk Management activities are available, which can serve as the basis for improved Risk Management decision-making.
  - Metrics
    - Magnitude of provisions for IT risk.
    - Ratio of potential cost of IT risk to annual sales.
    - Ratio of potential cost of IT risk to annual profit.
    - Ratio of potential cost of IT risk to provisions for IT risk.
- 4 Advanced
  - Practice
    - Promote corporate senior management endorsement of the Risk Management policies and programme organization-wide.
  - Outcome
    - The Risk Management policies and programme are embedded into the organization's overall operations.
  - Metrics
    - % of IT management endorsing and communicating the RM programme.
    - % of business unit management endorsing and communicating the RM programme.
    - % of corporate senior management endorsing and communicating the RM programme.
  - Practice
    - Identify or set up a dedicated function within the organization that has ownership of and accountability for the Risk Management programme.
  - Outcomes
    - Dedicated points of contact for Risk Management exist organization-wide, and the necessary time and skills are invested in the Risk Management programme.
    - IT and other business stakeholders perform dedicated roles in the programme.
  - Metrics
    - # of IT staff with allocated RM responsibility and accountability.
    - # of general staff with allocated RM responsibility and accountability.
  - Practice
    - Evaluate the effectiveness of organization-wide Risk Management and the efficiency of major Risk Management activities, and report the results.
  - Outcomes
    - Organization-wide Risk Management effectiveness and the efficiency of major Risk Management activities are understood.
    - This helps identify areas for improvement in relation to Risk Management.
  - Metrics
    - Magnitude of provisions for IT risk.
    - Ratio of potential cost of IT risk to annual sales.
    - Ratio of potential cost of IT risk to annual profit.
    - Ratio of potential cost of IT risk to provisions for IT risk.
- 5 Optimized
  - Practice
    - Embed Risk Management philosophies into the mission and vision statements, and ensure strategic objectives are in place to support them.
  - Outcome
    - Risk management is an integral part of the organization's overall mission, vision and strategic objectives.
  - Metric
    - # of strategic objectives reflecting the importance of RM.
  - Practice
    - Dynamically assign ownership of and accountability for the Risk Management programme to the appropriate level within the organization.
  - Outcome
    - Risk management ownership and accountability are assigned to the most appropriate levels and roles within the organization.
  - Metric
    - Ratio of actual reviews of RM accountability and ownership assignment to the reviews required by policy.
  - Practice
    - Regularly evaluate the effectiveness and efficiency of the organization-wide Risk Management function.
  - Outcome
    - The effectiveness and efficiency of the Risk Management function are understood, and this helps identify areas for improvement and optimization.
  - Metrics
    - Magnitude of provisions for IT risk.
    - Ratio of potential cost of IT risk to annual sales.
    - Ratio of potential cost of IT risk to annual profit.
    - Ratio of potential cost of IT risk to provisions for IT risk.