IVI Framework Viewer

Communication and Training

A4

Disseminate risk management approaches, policies, and results. Train stakeholders in risk management practices. Develop a risk management culture and risk management knowledge and skills.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Communication and Training at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of available personnel.
    Outcome
    _
    Metric
    _
2 Basic
  • Practice
    Communicate Risk Management concepts to stakeholders within the IT function, using basic communication processes.
    Outcome
    There is improved awareness of Risk Management considerations within the IT function, typically communicated via meetings.
    Metric
    # of scheduled meetings to communicate RM information p.a.
  • Practice
    Establish a basic process within IT to review major risks and exchange deliverables between IT and enterprise risk managers.
    Outcome
    Collaboration between IT and enterprise risk managers in relation to major risks supports improved visibility and management of these risks.
    Metrics
    • # of formal meetings of IT risk managers p.a.
    • # of formal meetings of IT risk managers with enterprise risk managers p.a.
    • # of formal meetings of IT risk managers with project or line managers p.a.
  • Practice
    Establish initial user training, typically focusing on the IT function.
    Outcome
    There is high-level user proficiency and awareness of Risk Management for operational and decision-making processes.
    Metrics
    • # of mandatory RM trainings offered p.a.
    • % of IT staff trained in RM.
3 Intermediate
  • Practice
    Communicate the Risk Management policies to IT and some other business stakeholders, via agreed communication channels.
    Outcomes
    • Communication ensures that a Risk Management culture emerges across some areas of the organization.
    • Risk of non-compliance with policies is reduced.
    Metrics
    • # of scheduled meetings to communicate RM information p.a.
    • # of emails/reports distributed to communicate RM information p.a.
  • Practice
    Encourage facilitators, subject matter experts, internal audit, finance and other service owners to collaborate to systematically determine, evaluate and prioritize risks (including key emerging risks) using a defined process.
    Outcome
    Collaboration between IT and enterprise risk managers to consistently evaluate and prioritize risks supports improved visibility and management of these risks.
    Metrics
    • # of formal meetings of IT risk managers p.a.
    • # of formal meetings of IT risk managers with enterprise risk managers p.a.
    • # of formal meetings of IT risk managers with project/line managers p.a.
  • Practices
    • Introduce Risk Management training as part of the organization-wide curriculum.
    • Provide on-demand training for selected employees.
    Outcomes
    • Awareness of Risk Management, as well as proficiency in Risk Management processes, is spread systematically.
    • Training programmes increase awareness of emerging IT risks.
    Metrics
    • # of mandatory RM trainings offered p.a.
    • # of executives for whom RM training is available.
    • # of general staff for whom RM training is available.
    • % of executives trained in RM.
    • % of general staff trained in RM.
    • % of IT staff trained in RM.
    • % of other business unit staff trained in RM.
4 Advanced
  • Practices
    • Regularly communicate the Risk Management policies in the language of the stakeholder via multiple channels of communication.
    • Survey stakeholders for their feedback.
    Outcomes
    • Communication ensures that the Risk Management culture is established organization-wide.
    • Feedback on quality, frequency and completeness of communication can be acted upon during improvement initiatives.
    Metrics
    • # of scheduled meetings to communicate RM information p.a.
    • # of emails/reports distributed to communicate RM information p.a.
    • # of surveys conducted p.a.
  • Practice
    Integrate IT Risk Management into the Enterprise Risk Management (ERM) framework and processes.
    Outcomes
    • IT Risk Management is fully integrated into the ERM framework and processes.
    • Organization-wide Risk Management is effective.
    Metrics
    • # of formal meetings of IT risk managers p.a.
    • # of formal meetings of IT risk managers with business risk managers p.a.
    • # of formal meetings of IT risk managers with project/line managers p.a.
  • Practice
    Train all employees and teams to be fully conversant with Risk Management processes.
    Outcomes
    • Employees and teams have more specific knowledge and tools to enhance the Risk Management processes.
    • The provision of role-specific Risk Management training enables Risk Management processes to become more embedded in the organization's culture.
    Metrics
    • # of mandatory RM trainings offered p.a.
    • # of executives for whom RM training is available.
    • # of general staff for whom RM training is available.
    • % of executives trained in RM.
    • % of general staff trained in RM.
    • % of IT staff trained in RM.
    • % of other business unit staff trained in RM.
  • Practice
    Incorporate Risk Management topics into leadership training.
    Outcome
    The Risk Management processes are embedded in the training of organizational leadership roles.
    Metric
    % of leadership training courses that incorporate RM topics.
5 Optimized
  • Practices
    • Communicate the Risk Management policies to the business ecosystem.
    • Regularly monitor the effectiveness of communication and collaboration processes and tools.
    Outcomes
    • Stakeholders in the business ecosystem can use and provide input on the Risk Management policies and associated Risk Management processes.
    • The effectiveness of communication and collaboration processes and tools can be regularly improved based on feedback.
    Metrics
    • # of scheduled meetings to communicate RM information p.a.
    • # of emails/reports distributed to communicate RM information p.a.
  • Practice
    Establish a collaborative network of risk managers across the business ecosystem.
    Outcome
    Collaboration of risk managers and external experts across the business ecosystem supports optimized visibility and management of risks.
    Metric
    # of collaborating risk managers identified in the business ecosystem.
  • Practice
    Continually evaluate and optimize Risk Management training programmes.
    Outcomes
    • Processes are optimized to include the most up-to-date training and tools.
    • Risk management knowledge and skills are continually updated in line with policies and techniques.
    Metrics
    • # of mandatory RM trainings offered p.a.
    • # of executives for whom RM training is available.
    • # of general staff for whom RM training is available.
    • % of executives trained in RM.
    • % of general staff trained in RM.
    • % of IT staff trained in RM.
    • % of other business unit staff trained in RM.
    • Frequency of update of training programmes.