IVI Framework Viewer

Monitoring

C4

Establish a risk register. Track and report risks and risk incidents, and validate the effectiveness of risk controls.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Monitoring at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of available personnel.
    Outcome
    _
    Metric
    _
2 Basic
  • Practice
    Establish and actively manage a basic risk register within the IT function.
    Outcome
    Monitoring of risks becomes possible.
    Metric
    % of identified risks recorded in a risk register.
  • Practice
    Monitor the top 10 risks periodically.
    Outcome
    There is high visibility on top priority risks although many risks are not visible.
    Metric
    Risk exposure for each identified risk and changes to risk scores.
  • Practice
    Report key risks within the IT function.
    Outcome
    There is basic transparency of risk development.
    Metric
    % of identified risks reported within the IT function.
  • Practice
    Report key risk incidents within the IT function.
    Outcome
    There is basic transparency of risk incidents that have occurred.
    Metric
    % of risk incidents reported within the IT function.
3 Intermediate
  • Practice
    Set up a central risk register with business case support.
    Outcome
    Recording of risks in the risk register allows for more efficient management and reporting.
    Metric
    % of identified risks recorded in a risk register.
  • Practices
    • Conduct regular and proactive monitoring of project risks, and include additional project stakeholders beyond the project managers.
    • Base monitoring time intervals on risk priority.
    Outcome
    An independent view of what could go wrong before completion of a project is available.
    Metrics
    • % of projects that meet the planned completion date, budget and outcome.
    • % of projects stopped due to non-compliance with RM requirements.
  • Practices
    • Include risk prioritization in management reports.
    • Publish comprehensive reports on risks within the IT function and share them with some other business units.
    Outcome
    There is strong transparency within IT and some other business units regarding risks.
    Metrics
    • % of identified risks reported within the IT function.
    • % of identified risks reported within other business units.
  • Practice
    Publish comprehensive reports on risk incidents within the IT function and share them with some other business units.
    Outcome
    There is strong transparency within IT and some other business units regarding risk incidents.
    Metrics
    • % of risk incidents reported within the IT function.
    • % of risk incidents reported within other business units.
4 Advanced
  • Practice
    Implement a monitoring process that includes pre-defined results/event-triggered activities.
    Outcome
    Monitoring is triggered based on certain results or events.
    Metric
    # of monitoring triggers.
  • Practice
    Base the monitoring period of risks on their priority.
    Outcomes
    • Risks of high importance to the organization are monitored more closely.
    • There is more efficient monitoring with limited resources and reporting cycles.
    Metric
    Frequency of monitoring of high priority risks.
  • Practice
    Use financial and benchmark data to validate the business/monetary value of evaluated risks.
    Outcome
    Inconsistent valuations are more readily detected, and relative context is provided for risk evaluations.
    Metrics
    • % of valuations validated.
    • Comparison of estimated versus actual risk mitigation effort and impact.
  • Practice
    Integrate risk reporting into organization-wide reporting.
    Outcome
    There is risk awareness across the organization.
    Metrics
    • % of identified risks reported within the IT function.
    • % of identified risks reported within other business units.
  • Practice
    Integrate risk incident reporting into organization-wide reporting.
    Outcome
    There is risk incident awareness across the organization.
    Metrics
    • % of risk incidents reported within the IT function.
    • % of risk incidents reported within other business units.
5 Optimized
  • Practice
    Review and optimize the risk monitoring process and continually improve the risk register.
    Outcomes
    • The monitoring process is improved based on feedback from past incidents.
    • The risk register is kept up to date and relevant.
    Metrics
    • Ratio of actual reviews of the risk monitoring process to required reviews (set out in the policy or handbook).
    • % of identified risks recorded in a risk register.
    • Frequency of updates to the risk register.
  • Practice
    Continually re-align communication with the types of risks identified and optimize the risk reporting mechanisms.
    Outcome
    Appropriate communication on risks is ensured.
    Metrics
    • % of identified risks reported within the IT function.
    • % of identified risks reported within other business units.
  • Practice
    Optimize the reporting of risk incidents.
    Outcome
    Appropriate communication on risk incidents is ensured.
    Metrics
    • % of risk incidents reported within the IT function.
    • % of risk incidents reported within other business units.