Handling
Assign ownership to identified risks, and responsibility and accountability for developing risk handling strategies. Initiate implementation of risk handling strategies, where risks can be transferred, absorbed, or mitigated. Interact with incident management functions – see chapter 27, Service Provisioning (SRP).
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Handling at each level of maturity.
- 1 Initial
  - Practice: Rely on the best endeavours of available personnel.
    - Outcome: _
    - Metric: _
- 2 Basic
  - Practice: Establish a basic policy for developing risk handling strategies within the IT function.
    - Outcome: Approaches are in place for handling prioritized risks, although clear risk owners may not always be allocated.
    - Metric: Existence of a policy.
  - Practice: Handle prioritized risks within the IT function.
    - Outcome: There is some success in mitigating the potential consequences of these risks.
    - Metric: % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  - Practice: Employ basic or non-specific Risk Management tools (e.g. spreadsheets) within the IT function to support risk handling.
    - Outcome: Considerable effort is required to cover a wide range of possible risks or to support all avoidance, mitigation, transfer and absorption of risks.
    - Metric: # of RM tools employed.
  - Practice: Establish some basic interaction between Risk Management and incident management functions.
    - Outcome: There is growing visibility of risks and risk incidents between Risk Management and incident management functions.
    - Metric: # of formal meetings between Risk Management and incident management function stakeholders.
- 3 Intermediate
  - Practice: Assign responsibility for ownership of risks and risk handling strategies within the IT function and some other business units.
    - Outcome: Risks can be addressed by assigned risk owners in IT and some other business units.
    - Metric: # of identified risks that are assigned owners.
  - Practice: Handle prioritized risks within the IT function and some other business units.
    - Outcome: Prioritized risks are addressed and can be mitigated sufficiently.
    - Metric: % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  - Practice: Employ several Risk Management specific tools and techniques to support risk handling.
    - Outcome: The tools and techniques cover a large range of relevant topics (e.g. related to assets, processes and people) and support avoidance, mitigation, transfer and absorption of risk.
    - Metric: # of RM tools employed.
  - Practice: Standardize interaction processes between Risk Management and incident management functions.
    - Outcome: Incident management functions are updated on high priority risks and risk handling strategies.
    - Metric: # of formal meetings between Risk Management and incident management function stakeholders.
- 4 Advanced
  - Practice: Establish a multi-disciplinary organization-wide committee to assign ownership for risk handling.
    - Outcome: Expert risk owners are clearly identified organization-wide.
    - Metric: # of identified risks that are assigned owners.
  - Practice: Establish an organization-wide process for handling prioritized risks.
    - Outcome: Prioritized risks are reliably addressed across the organization.
    - Metric: % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  - Practice: Use established tools to support risk handling organization-wide.
    - Outcome: The tools cover all relevant topics and support avoidance, mitigation, transfer and absorption of risk.
    - Metric: # of RM tools employed.
  - Practice: Encourage close involvement and collaboration between Risk Management and incident management functions and provide regular updates on risks and risk handling strategies.
    - Outcome: The incident management function is closely involved in the Risk Management processes and is regularly updated on all identified risks and risk handling strategies.
    - Metric: # of formal meetings between Risk Management and incident management function stakeholders.
- 5 Optimized
  - Practice: Review and optimize the process for risk handling.
    - Outcome: The risk handling process is improved and kept relevant through feedback.
    - Metrics:
      - Ratio of potential cost of IT risk and annual sales.
      - Ratio of potential cost of IT risk and annual profit.
      - Ratio of potential cost of IT risk and provisions for IT risk.
  - Practice: Continually improve the process for handling prioritized risks.
    - Outcome: Prioritized risks are reliably addressed across the organization and in relation to the interface with the business ecosystem.
    - Metric: % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  - Practice: Fully deploy ERM tools and processes and conduct frequent searches for new techniques.
    - Outcome: Tools and processes that support Risk Management are kept up-to-date and relevant.
    - Metric: Frequency of searches for new techniques/tools.
  - Practice: Interact with external parties in the business ecosystem on managing incidents and continually improve interaction with incident management functions.
    - Outcome: Risk and incident management benefit from input from experts in the business ecosystem.
    - Metrics:
      - # of formal meetings between Risk Management and incident management function stakeholders.
      - # of business ecosystem partners providing input on incident management.