Definition of Risk Profiles
Define the risk profiles by their potential impact on business continuity and performance. Apply risk profiles in risk management activities.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Definition of Risk Profiles at each level of maturity.
- 1 Initial
- Practice
- Rely on the best endeavours of available personnel.
- Outcome
- _
- Metric
- _
- 2 Basic
- Practice
- Create basic risk profiles within the IT function.
- Outcome
- Basic risk profiles support the IT function's risk assessment and mitigation activities in a number of high-risk areas.
- Metric
- # of risk areas covered by the risk profile.
- Practice
- Create risk buckets to cluster risks within the IT function.
- Outcome
- Risk buckets provide awareness of key topics and focus areas of Risk Management.
- Metric
- Risk categorization volatility (rate at which risks are moved between buckets).
- Practice
- Use risk profiles within the IT function.
- Outcome
- Risk profiles are used in the IT function to identify risks and trends.
- Metric
- % of projects and operational systems in the various risk categories.
- 3 Intermediate
- Practice
- Establish a standardized risk profile process in the IT function and some other business units.
- Outcomes
- Risk profiles covering several risk areas (e.g. key emerging risks) are in place.
- The risk profiles support risk assessment and mitigation processes within IT and some other business units.
- Metric
- # of risk areas covered by the risk profile.
- Practice
- Use risk profiles across IT and some other business units.
- Outcome
- Risk profiles support risk assessment and mitigation processes across IT and some other business units.
- Metric
- % of projects and operational systems in the various risk categories.
- Practice
- Create and maintain threat libraries.
- Outcome
- Creation of threat libraries results in awareness of key threats and threat agents, and ensures availability and consistency of information on them.
- Metrics
- # of threat agents identified.
- # of threat agent attributes.
- 4 Advanced
- Practice
- Use the risk profiles consistently across the organization.
- Outcome
- The risk profiles support risk assessment and mitigation processes organization-wide.
- Metric
- % of projects and operational systems in the various risk categories.
- Practice
- Incorporate benchmark data from industry sources into the risk profiles.
- Outcomes
- Incorporation of benchmark data into risk profiles allows evaluation of risks in an industry context with meaningful, relative placement of risks along the risk profile's dimensions.
- Validity and quality assurance are supported.
- Metric
- Ratio of actual risk profile benchmarking exercises to required benchmarks (set out in the policy or handbook).
- Practice
- Establish a unified threat library and use it consistently in organization-wide risk assessments.
- Outcome
- Creation of threat libraries results in organization-wide awareness of key threats and threat agents, and ensures availability and consistency of information on them.
- Metrics
- # of threat agents identified.
- # of threat agent attributes.
- % of risk assessments in which threat libraries are used.
- Practice
- Integrate risk profile data into controls and tools for Risk Management.
- Outcomes
- Risk assessment, prioritization, handling and monitoring work on a common structure and use data based on the risk profiles that are easily exchanged between tools and process steps.
- There is consistent use of up-to-date information across the organization for risk control creation.
- Metrics
- % of RM tools using risk profile data.
- % of RM controls using risk profile data.
- 5 Optimized
- Practice
- Define risk profiles in collaboration with the business ecosystem, and review and update them.
- Outcome
- Risk profiles are kept up-to-date and relevant through collaborative input and review processes.
- Metric
- Frequency of risk profile updates.
- Practice
- Evaluate the effectiveness and efficiency of risk profiles and threat libraries in risk assessment and mitigation.
- Outcome
- Evaluation results provide input to continually improving risk profiles and threat libraries.
- Metrics
- Magnitude of provisions for IT risk.
- Ratio of potential cost of IT risk to annual sales.
- Ratio of potential cost of IT risk to annual profit.
- Ratio of potential cost of IT risk to provisions for IT risk.