Communication and Training
Disseminate risk management approaches, policies, and results. Train stakeholders in risk management practices. Develop a risk management culture and risk management knowledge and skills.
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Communication and Training at each level of maturity.
- 1 Initial
  - Practice
    - Rely on the best endeavours of available personnel.
  - Outcome
    - _
  - Metric
    - _
- 2 Basic
  - Practice
    - Communicate Risk Management concepts to stakeholders within the IT function, using basic communication processes.
  - Outcome
    - There is improved awareness of Risk Management considerations within the IT function, typically communicated via meetings.
  - Metric
    - # of scheduled meetings to communicate RM information p.a.
  - Practice
    - Establish a basic process within IT to review major risks and exchange deliverables between IT and enterprise risk managers.
  - Outcome
    - Collaboration between IT and enterprise risk managers in relation to major risks supports improved visibility and management of these risks.
  - Metrics
    - # of formal meetings of IT risk managers p.a.
    - # of formal meetings of IT risk managers with enterprise risk managers p.a.
    - # of formal meetings of IT risk managers with project or line managers p.a.
  - Practice
    - Establish initial user training, typically focusing on the IT function.
  - Outcome
    - There is high-level user proficiency and awareness of Risk Management for operational and decision-making processes.
  - Metrics
    - # of mandatory RM trainings offered p.a.
    - % of IT staff trained in RM.
- 3 Intermediate
  - Practice
    - Communicate the Risk Management policies to IT and some other business stakeholders, via agreed communication channels.
  - Outcomes
    - Communication ensures that a Risk Management culture emerges across some areas of the organization.
    - Risk of non-compliance with policies is reduced.
  - Metrics
    - # of scheduled meetings to communicate RM information p.a.
    - # of emails/reports distributed to communicate RM information p.a.
  - Practice
    - Encourage facilitators, subject matter experts, internal audit, finance and other service owners to collaborate to systematically determine, evaluate and prioritize risks (including key emerging risks) using a defined process.
  - Outcome
    - Collaboration between IT and enterprise risk managers to consistently evaluate and prioritize risks supports improved visibility and management of these risks.
  - Metrics
    - # of formal meetings of IT risk managers p.a.
    - # of formal meetings of IT risk managers with enterprise risk managers p.a.
    - # of formal meetings of IT risk managers with project/line managers p.a.
  - Practices
    - Introduce Risk Management training as part of the organization-wide curriculum.
    - Provide on-demand training for selected employees.
  - Outcomes
    - Awareness of Risk Management, as well as proficiency in Risk Management processes, is spread systematically.
    - Training programmes increase awareness of emerging IT risks.
  - Metrics
    - # of mandatory RM trainings offered p.a.
    - # of executives for whom RM training is available.
    - # of general staff for whom RM training is available.
    - % of executives trained in RM.
    - % of general staff trained in RM.
    - % of IT staff trained in RM.
    - % of other business unit staff trained in RM.
- 4 Advanced
  - Practices
    - Regularly communicate the Risk Management policies in the language of the stakeholder via multiple channels of communication.
    - Survey stakeholders for their feedback.
  - Outcomes
    - Communication ensures that the Risk Management culture is established organization-wide.
    - Feedback on quality, frequency and completeness of communication can be acted upon during improvement initiatives.
  - Metrics
    - # of scheduled meetings to communicate RM information p.a.
    - # of emails/reports distributed to communicate RM information p.a.
    - # of surveys conducted p.a.
  - Practice
    - Integrate IT Risk Management into the Enterprise Risk Management (ERM) framework and processes.
  - Outcomes
    - IT Risk Management is fully integrated into the ERM framework and processes.
    - Organization-wide Risk Management is effective.
  - Metrics
    - # of formal meetings of IT risk managers p.a.
    - # of formal meetings of IT risk managers with business risk managers p.a.
    - # of formal meetings of IT risk managers with project/line managers p.a.
  - Practice
    - Train all employees and teams to be fully conversant with Risk Management processes.
  - Outcomes
    - Employees and teams have more specific knowledge and tools to enhance the Risk Management processes.
    - The provision of Risk Management role-specific training enables Risk Management processes to become more embedded in the organization's culture.
  - Metrics
    - # of mandatory RM trainings offered p.a.
    - # of executives for whom RM training is available.
    - # of general staff for whom RM training is available.
    - % of executives trained in RM.
    - % of general staff trained in RM.
    - % of IT staff trained in RM.
    - % of other business unit staff trained in RM.
  - Practice
    - Incorporate Risk Management topics into leadership training.
  - Outcome
    - The Risk Management processes are embedded in the training of organizational leadership roles.
  - Metric
    - % of leadership training courses that incorporate RM topics.
- 5 Optimized
  - Practices
    - Communicate the Risk Management policies to the business ecosystem.
    - Regularly monitor the effectiveness of communication and collaboration processes and tools.
  - Outcomes
    - Stakeholders in the business ecosystem can use and provide input on the Risk Management policies and associated Risk Management processes.
    - The effectiveness of communication and collaboration processes and tools can be regularly improved based on feedback.
  - Metrics
    - # of scheduled meetings to communicate RM information p.a.
    - # of emails/reports distributed to communicate RM information p.a.
  - Practice
    - Establish a collaborative network of risk managers across the business ecosystem.
  - Outcome
    - Collaboration of risk managers and external experts across the business ecosystem supports optimized visibility and management of risks.
  - Metric
    - # of collaborating risk managers identified in the business ecosystem.
  - Practice
    - Continually evaluate and optimize Risk Management training programmes.
  - Outcomes
    - Processes are optimized to include the most up-to-date training and tools.
    - Risk management knowledge and skills are continually updated in line with policies and techniques.
  - Metrics
    - # of mandatory RM trainings offered p.a.
    - # of executives for whom RM training is available.
    - # of general staff for whom RM training is available.
    - % of executives trained in RM.
    - % of general staff trained in RM.
    - % of IT staff trained in RM.
    - % of other business unit staff trained in RM.
    - Frequency of update of training programmes.