IVI Framework Viewer

Definition of Risk Profiles

B1

Define the risk profiles by their potential impact on business continuity and performance. Apply risk profiles in risk management activities.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Definition of Risk Profiles at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of available personnel.
    Outcome
    _
    Metric
    _
2 Basic
  • Practice
    Create basic risk profiles within the IT function.
    Outcome
    Basic risk profiles support the IT function's risk assessment and mitigation activities in a number of high-risk areas.
    Metric
    # of risk areas covered by the risk profile.
  • Practice
    Create risk buckets to cluster risks within the IT function.
    Outcome
    Risk buckets provide awareness of key topics and focus areas of Risk Management.
    Metric
    Risk categorization volatility.
  • Practice
    Use risk profiles within the IT function.
    Outcome
    Risk profiles are used in the IT function to identify risks and trends.
    Metric
    % of projects and operational systems in the various risk categories.
3 Intermediate
  • Practice
    Establish a standardized risk profile process in the IT function and some other business units.
    Outcomes
    • Risk profiles covering several risk areas (e.g. key emerging risks) are in place.
    • The risk profiles support risk assessment and mitigation processes within IT and some other business units.
    Metric
    # of risk areas covered by the risk profile.
  • Practice
    Use risk profiles across IT and some other business units.
    Outcome
    Risk profiles support risk assessment and mitigation processes across IT and some other business units.
    Metric
    % of projects and operational systems in the various risk categories.
  • Practice
    Create and maintain threat libraries.
    Outcome
    Creation of threat libraries results in awareness of key threats and threat agents, and ensures availability and consistency of information on them.
    Metrics
    • # of threat agents identified.
    • # of threat agent attributes.
4 Advanced
  • Practice
    Use the risk profiles consistently across the organization.
    Outcome
    The risk profiles support risk assessment and mitigation processes organization-wide.
    Metric
    % of projects and operational systems in the various risk categories.
  • Practice
    Incorporate benchmark data from industry sources into the risk profiles.
    Outcomes
    • Incorporation of benchmark data into risk profiles allows evaluation of risks in an industry context with meaningful, relative placement of risks along the risk profile's dimensions.
    • Validity and quality assurance are supported.
    Metric
    Ratio of actual risk profile benchmarking exercises to required benchmarks (set out in the policy or handbook).
  • Practice
    Establish a unified threat library and use it consistently in organization-wide risk assessments.
    Outcome
    Creation of threat libraries results in organization-wide awareness of key threats and threat agents, and ensures availability and consistency of information on them.
    Metrics
    • # of threat agents identified.
    • # of threat agent attributes.
    • % of risk assessments in which threat libraries are used.
  • Practice
    Integrate risk profile data into controls and tools for Risk Management.
    Outcomes
    • Risk assessment, prioritization, handling and monitoring work on a common structure and use risk-profile-based data that is easily exchanged between tools and process steps.
    • There is consistent use of up-to-date information across the organization for risk control creation.
    Metrics
    • % of RM tools using risk profile data.
    • % of RM controls using risk profile data.
5 Optimized
  • Practice
    Define risk profiles in collaboration with the business ecosystem, and review and update them.
    Outcome
    Risk profiles are kept up-to-date and relevant through collaborative input and review processes.
    Metric
    Frequency of risk profile updates.
  • Practice
    Evaluate the effectiveness and efficiency of risk profiles and threat libraries in risk assessment and mitigation.
    Outcome
    Evaluation results provide input to continually improving risk profiles and threat libraries.
    Metrics
    • Magnitude of provisions for IT risk.
    • Ratio of potential cost of IT risk to annual sales.
    • Ratio of potential cost of IT risk to annual profit.
    • Ratio of potential cost of IT risk to provisions for IT risk.