IVI Framework Viewer

Prioritization

C2

Prioritize inherent and residual risks and risk handling strategies, based on the organization's risk tolerance – that is, what risk levels are acceptable.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Prioritization at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of available personnel.
    Outcome
    _
    Metric
    _
2 Basic
  • Practice
    Establish a managed prioritization process within the IT function and conduct risk prioritization as needed.
    Outcome
    Risk prioritization can be based on the organization's risk appetite, and the estimated risk impact/probability of occurrence/time horizon.
    Metric
    % of identified risks that are prioritized.
3 Intermediate
  • Practice
    Base prioritization decisions in the IT function and some other business units on an evaluation of risk impact, probability of occurrence, time horizon, etc.
    Outcome
    Risk prioritization in the IT function and in some other business units becomes more proactive and no longer treats only major perceived pain-points.
    Metric
    % of identified risks that are prioritized.
4 Advanced
  • Practice
    Integrate the risk prioritization process across the organization and assess risk impact and probability of occurrence based on the business operating model.
    Outcome
    A consistent organization-wide approach to risk prioritization exists.
    Metric
    % of identified risks that are prioritized.
5 Optimized
  • Practice
    Continually review and optimize the prioritization process.
    Outcomes
    • The prioritization process meets the current and future needs of the organization.
    • Its effectiveness, efficiency, and accuracy of estimates are regularly assessed.
    Metrics
    • % of identified risks that are prioritized.
    • Ratio of actual risk prioritization process reviews to required reviews (set out in the policy).