Risk Coverage
Establish the breadth of IT risk categories and asset classes that are addressed by risk management activities.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Risk Coverage at each level of maturity.
- 1 Initial
  - Practice: Rely on the best endeavours of available personnel.
  - Outcome: _
  - Metric: _
- 2 Basic
  - Practice: Establish a process in the IT function for identifying the critical areas to be included in Risk Management activities.
  - Outcome: The most important risk areas are identified and managed.
  - Metric: # of risk areas managed.
- 3 Intermediate
  - Practice: Establish an agreed and documented process by which the IT function and some other business units can identify the critical risk areas to be managed.
  - Outcome: The critical risk areas are jointly and consistently agreed by IT and some other business units and can be prioritized for Risk Management activities.
  - Metric: # of risk areas managed.
- 4 Advanced
  - Practice: Involve IT and all other business units in selecting the risk areas to be addressed in Risk Management activities.
  - Outcome: The critical risk areas are jointly and consistently agreed organization-wide and can be prioritized for Risk Management activities.
  - Metric: # of risk areas managed.
- 5 Optimized
  - Practice: Continually revise the process for identifying the risk areas to be managed.
  - Outcome: Frequent reviews of the risk landscape ensure that the most relevant risk areas are identified for Risk Management activities.
  - Metric: # of risk areas managed.