IVI Framework Viewer

Handling

C3

Assign ownership to identified risks, and responsibility and accountability for developing risk handling strategies. Initiate implementation of risk handling strategies, where risks can be transferred, absorbed, or mitigated. Interact with incident management functions – see chapter 27, Service Provisioning (SRP).

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Handling at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of available personnel.
    Outcome
    _
    Metric
    _
2 Basic
  • Practice
    Establish a basic policy for developing risk handling strategies within the IT function.
    Outcome
    Approaches are in place for handling prioritized risks, although clear risk owners may not always be allocated.
    Metric
    Existence of a policy.
  • Practice
    Handle prioritized risks within the IT function.
    Outcome
    There is some success in mitigating the potential consequences of these risks.
    Metric
    % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  • Practice
    Employ basic or non-specific Risk Management tools (e.g. spreadsheets) within the IT function to support risk handling.
    Outcome
    Considerable effort is required to cover a wide range of possible risks or to support all avoidance, mitigation, transfer and absorption of risks.
    Metric
    # of RM tools employed.
  • Practice
    Establish some basic interaction between Risk Management and incident management functions.
    Outcome
    There is growing visibility of risks and risk incidents between Risk Management and incident management functions.
    Metric
    # of formal meetings between Risk Management and incident management function stakeholders.
3 Intermediate
  • Practice
    Assign responsibility for ownership of risks and risk handling strategies within the IT function and some other business units.
    Outcome
    Risks can be addressed by assigned risk owners in IT and some other business units.
    Metric
    # of identified risks that are assigned owners.
  • Practice
    Handle prioritized risks within the IT function and some other business units.
    Outcome
    Prioritized risks are addressed and can be mitigated sufficiently.
    Metric
    % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  • Practice
    Employ several Risk Management specific tools and techniques to support risk handling.
    Outcome
    The tools and techniques cover a large range of relevant topics (e.g. related to assets, processes and people) and support avoidance, mitigation, transfer and absorption of risk.
    Metric
    # of RM tools employed.
  • Practice
    Standardize interaction processes between Risk Management and incident management functions.
    Outcome
    Incident management functions are updated on high priority risks and risk handling strategies.
    Metric
    # of formal meetings between Risk Management and incident management function stakeholders.
4 Advanced
  • Practice
    Establish a multi-disciplinary organization-wide committee to assign ownership for risk handling.
    Outcome
    Expert risk owners are clearly identified organization-wide.
    Metric
    # of identified risks that are assigned owners.
  • Practice
    Establish an organization-wide process for handling prioritized risks.
    Outcome
    Prioritized risks are reliably addressed across the organization.
    Metric
    % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  • Practice
    Use established tools to support risk handling organization-wide.
    Outcome
    The tools cover all relevant topics and support avoidance, mitigation, transfer and absorption of risk.
    Metric
    # of RM tools employed.
  • Practice
    Encourage close involvement and collaboration between Risk Management and incident management functions and provide regular updates on risks and risk handling strategies.
    Outcome
    The incident management function is closely involved in the Risk Management processes and is regularly updated on all identified risks and risk handling strategies.
    Metric
    # of formal meetings between Risk Management and incident management function stakeholders.
5 Optimized
  • Practice
    Review and optimize the process for risk handling.
    Outcome
    The risk handling process is improved and kept relevant through feedback.
    Metrics
    • Ratio of potential cost of IT risk and annual sales.
    • Ratio of potential cost of IT risk and annual profit.
    • Ratio of potential cost of IT risk and provisions for IT risk.
  • Practice
    Continually improve the process for handling prioritized risks.
    Outcome
    Prioritized risks are reliably addressed across the organization and in relation to the interface with the business ecosystem.
    Metric
    % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  • Practice
    Fully deploy ERM tools and processes and conduct frequent searches for new techniques.
    Outcome
    Tools and processes that support Risk Management are kept up-to-date and relevant.
    Metric
    Frequency of searches for new techniques/tools.
  • Practice
    Interact with external parties in the business ecosystem on managing incidents and continually improve interaction with incident management functions.
    Outcome
    Risk and incident management benefit from input from experts in the business ecosystem.
    Metrics
    • # of formal meetings between Risk Management and incident management function stakeholders.
    • # of business ecosystem partners providing input on incident management.