Monitoring
Establish a risk register. Track and report risks and risk incidents, and validate the effectiveness of risk controls.
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Monitoring at each level of maturity.
- 1 Initial
  - Practice
    - Rely on the best endeavours of available personnel.
  - Outcome
    - _
  - Metric
    - _
- 2 Basic
  - Practice
    - Establish and actively manage a basic risk register within the IT function.
  - Outcome
    - Monitoring of risks becomes possible.
  - Metric
    - % of identified risks recorded in a risk register.
  - Practice
    - Monitor the top 10 risks periodically.
  - Outcome
    - There is high visibility on top priority risks although many risks are not visible.
  - Metric
    - Risk exposure for each identified risk and changes to risk scores.
  - Practice
    - Report key risks within the IT function.
  - Outcome
    - There is basic transparency of risk development.
  - Metric
    - % of identified risks reported within the IT function.
  - Practice
    - Report key risk incidents within the IT function.
  - Outcome
    - There is basic transparency of risk incidents that have occurred.
  - Metric
    - % of risk incidents reported within the IT function.
- 3 Intermediate
  - Practice
    - Set up a central risk register with business case support.
  - Outcome
    - Recording of risks in the risk register allows for more efficient management and reporting.
  - Metric
    - % of identified risks recorded in a risk register.
  - Practices
    - Conduct regular and proactive monitoring of project risks, and include additional project stakeholders beyond the project managers.
    - Base monitoring time intervals on risk priority.
  - Outcome
    - An independent view of what could go wrong before completion of a project is available.
  - Metrics
    - % of projects that meet the planned completion date, budget and outcome.
    - % of projects stopped due to non-compliance with RM requirements.
  - Practices
    - Include risk prioritization in management reports.
    - Publish comprehensive reports on risks within the IT function and share them with some other business units.
  - Outcome
    - There is strong transparency within IT and some other business units regarding risks.
  - Metrics
    - % of identified risks reported within the IT function.
    - % of identified risks reported within other business units.
  - Practice
    - Publish comprehensive reports on risk incidents within the IT function and share them with some other business units.
  - Outcome
    - There is strong transparency within IT and some other business units regarding risk incidents.
  - Metrics
    - % of risk incidents reported within the IT function.
    - % of risk incidents reported within other business units.
- 4 Advanced
  - Practice
    - Implement a monitoring process that includes pre-defined results/event-triggered activities.
  - Outcome
    - Monitoring is triggered based on certain results or events.
  - Metric
    - # of monitoring triggers.
  - Practice
    - Base the monitoring period of risks on their priority.
  - Outcomes
    - Risks with a high importance to the organization are monitored more closely.
    - There is more efficient monitoring with limited resources and reporting cycles.
  - Metric
    - Frequency of monitoring of high priority risks.
  - Practice
    - Use financial and benchmark data to validate the business/monetary value of evaluated risks.
  - Outcome
    - Inconsistent valuations are more readily detected, and relative context is provided for risk evaluations.
  - Metrics
    - % of valuations validated.
    - Comparison of estimated versus actual risk mitigation effort and impact.
  - Practice
    - Integrate risk reporting into organization-wide reporting.
  - Outcome
    - There is risk awareness across the organization.
  - Metrics
    - % of identified risks reported within the IT function.
    - % of identified risks reported within other business units.
  - Practice
    - Integrate risk incident reporting into organization-wide reporting.
  - Outcome
    - There is risk incident awareness across the organization.
  - Metrics
    - % of risk incidents reported within the IT function.
    - % of risk incidents reported within other business units.
- 5 Optimized
  - Practice
    - Review and optimize the risk monitoring process and continually improve the risk register.
  - Outcomes
    - The monitoring process is improved based on feedback from past incidents.
    - The risk register is maintained up-to-date and relevant.
  - Metrics
    - Ratio of actual reviews of the risk monitoring process to required reviews (set out in the policy or handbook).
    - % of identified risks recorded in a risk register.
    - Frequency of updates to the risk register.
  - Practice
    - Continually re-align communication with the types of risks identified and optimize the risk reporting mechanisms.
  - Outcome
    - Appropriate communication on risks is ensured.
  - Metrics
    - % of identified risks reported within the IT function.
    - % of identified risks reported within other business units.
  - Practice
    - Optimize the reporting of risk incidents.
  - Outcome
    - Appropriate communication on risk incidents is ensured.
  - Metrics
    - % of risk incidents reported within the IT function.
    - % of risk incidents reported within other business units.