IVI Framework Viewer

Risk Management

RM

The Risk Management (RM) capability is the ability to identify, assess, prioritize, treat, and monitor the exposure to and the potential impact of IT-related risks that can directly affect the business. Risks include traditional IT risks and those more specific to the transformational changes brought about by new and emerging technologies; they include those mainly associated with IT security, data protection and information privacy, business operations, continuity of business and recovery from declared disasters, IT investment and project/service delivery, and IT service contracts and suppliers.

Structure

RM is made up of the following Categories and Capability Building Blocks (CBBs). Maturity and Planning are described at both the Critical Capability (CC) and the CBB level.

A Governance

A1 Risk Management Principles and Policies

Define the principles that underpin the organization's approach to risk management. Define, review, make accessible, and comply with risk management policies.

A2 Risk Management Programme

Provide leadership direction in relation to the risk management programme and the organization's risk appetite and risk tolerance. Establish and maintain a plan/strategy that outlines the scope and overall approach of the risk management effort.

A3 Governance Structures

Establish risk management governance structures. Outline the composition and scope of risk management governance bodies, decision rights, and authorization. Identify and establish reporting arrangements, issue escalation protocols, roles in complying with obligations and overseeing governance activities, and rules to govern and control the application of risk management authority within the organization.

A4 Integration

Integrate IT risk management with digital leadership and governance structures, and with overall Enterprise Risk Management (ERM) policies and approaches.

A5 Roles, Responsibilities, and Accountabilities

Complete job and business process designs to identify the required roles for risk management tasks, and assign employees with the requisite knowledge and experience to the identified roles. Define and allocate the associated responsibilities and assign accountabilities to those who will be answerable for the achievement of risk management objectives.

A6 Skills and Competence Development

Establish and make available a risk management training curriculum and other employee development mechanisms to enhance skills and competences. Record employee participation in risk management training and development initiatives, and recognise and acknowledge their achievements (e.g. courses completed, certifications, skills and competence levels acquired).

A7 Culture and Stakeholder Management

Establish a risk aware culture. Motivate and secure stakeholder support, buy-in, and ownership of key risk management initiatives.

A8 Communication and Performance Reporting

Inform stakeholders of key developments (e.g. objectives, policies, approaches, activities, risks, and outcomes) to build a shared understanding of how they can contribute to the realization of risk management objectives. Report on the effectiveness/efficiency of the risk principles, policies, controls, strategy, and activities.

B Profiling and Coverage

B1 Risk Profile Definition

Define the IT-related risk profiles by their potential impact on business continuity and performance, and apply them in risk management activities. The risk profile is the description of the overall (identified) IT risks and risk attributes that an organization may be exposed to.

B2 Risk Coverage

Establish the breadth of risk categories and asset classes that are addressed by risk management activities.

C Process

C1 Assessment

Identify subject matter experts (SMEs) for risk assessments. Run risk assessments to identify, document, evaluate exposure to, and quantify/score risks and their components. Record the results in a risk register.

C2 Prioritization

Prioritize inherent and residual risks and risk response/treatment strategies, based on the organization's risk tolerance — that is, the risk levels that are acceptable to the organization.

C3 Response/Treatment

Assign ownership to prioritized risks, and assign responsibility and accountability for developing risk response/treatment strategies. Initiate implementation of risk response/treatment strategies, where risks can be avoided, accepted, mitigated, or transferred. Interact with incident management functions.

C4 Monitoring

Track identified risks, and validate the effectiveness of the risk treatment strategies.

Overview

Goal & Objectives

An effective Risk Management (RM) capability aims to:

  • Understand the organization's risk appetite, and establish senior management direction and governance structures for risk management.
  • Establish proactive risk management approaches. Identify, profile, and assess the IT-related risks that present vulnerabilities, determine appropriate responses to risk disruptions, and monitor risk response effectiveness.
  • Monitor changes in the risk landscape and in technological advances.
  • Proactively sense and respond to unexpected/unforeseen IT-related risks, and increase transparency around how they could affect business objectives and decisions.
  • Increase compliance with relevant legal and regulatory requirements.
  • Assign ownership and share accountability for risk avoidance across business and IT leaders, and build employee competences to facilitate risk decisions.
  • Contribute to improving the organization's reputation as a trusted supply chain business partner.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for RM at each level of maturity.

2 Basic
  • Practice
    Identify applicable regulatory/legal compliance requirements.
    Outcome
    Confidence grows regarding the implementation of measures to satisfy legal requirements.
    Metric
    Number of instances of non-compliance with external regulations.
  • Practice
    Set up initial employee training in risk management principles, tools, and techniques.
    Outcome
    There is high-level user awareness of, and proficiency in, risk management processes.
    Metric
    Percentage of executives, IT employees, and business unit employees trained in risk management (or with industry certifications).
  • Practice
    Create basic risk profiles for prioritized areas.
    Outcome
    Risk profiles support risk assessment and treatment in high-risk areas.
    Metric
    Number of risk areas covered by the risk profiles.
3 Intermediate
  • Practice
    Implement a consistent set of risk management principles and guidelines across most areas.
    Outcome
    A holistic approach to risk management exists, and it is relevant to more business unit needs.
    Metric
    Percentage of functional groups that have participated in the risk management programme.
  • Practice
    Allocate risk management ownership and accountability.
    Outcome
    Points of contact exist for risk management, and the necessary time and skills are invested in the risk management programme.
    Metric
    Distribution of employees with allocated risk management responsibility and accountability.
  • Practice
    Establish a central risk register.
    Outcome
    The register provides consistent information on risks, and supports risk management.
    Metric
    Number of risks managed in a risk register.
  • Practices
    • Conduct regular risk assessments, using risk profile dimensions.
    • Assess violations, missed opportunities, and response times.
    Outcome
    Data on risks can be consistently gathered, and used to support risk prioritization and treatment.
    Metric
    Risk exposure for each identified risk. Percentage of identified risks whose potential impact or likelihood exceeds the organization's risk tolerance.
4 Advanced
  • Practice
    Benchmark risk management practices against industry best-known practice on a regular basis.
    Outcome
    The risk management policy, principles, and guidelines reflect latest industry practice insights.
    Metric
    Percentage of identified risks within the tolerance levels of broader ERM guidance.
  • Practice
    Broaden training on risk management approaches to include all stakeholders.
    Outcome
    Risk management is more embedded in the organization's culture.
    Metric
    Percentage of executives, IT employees, and business unit employees trained in risk management (or with industry certifications).
  • Practice
    Incorporate benchmark data from industry sources into the risk profiles.
    Outcome
    Risks can be evaluated in an industry context, with meaningful placement of risks along the profile's dimensions.
    Metric
    Percentage of projects and operational systems in the various risk categories and asset classes.
  • Practice
    Integrate the risk management of IT into overall ERM approaches and decision-making.
    Outcome
    The risk management of IT is accepted as a key component in the management of business risks.
    Metric
    Percentage of IT risk management principles that align with ERM approaches.
5 Optimized
  • Practice
    Establish a collaborative network of risk managers across the business ecosystem.
    Outcome
    Collaboration of risk managers and external experts across the business ecosystem supports optimized visibility and management of risks.
    Metric
    Percentage of business units that have a dedicated risk manager.
  • Practice
    Review and update risk profiles in collaboration with business ecosystem partners.
    Outcome
    Risk profiles are kept up to date and relevant through collaborative input and review.
    Metric
    Frequency of risk profile reviews and updates (as appropriate).
  • Practice
    Ensure that ERM tools share data across the organization and that decision criteria relating to risk are uniform across the organization.
    Outcome
    Tools and data that support risk management are consistent.
    Metric
    Number of occurrences of non-compliance with risk management policies.
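The Process category (C1 Assessment through C4 Monitoring) and the Intermediate-level metric "risk exposure for each identified risk / percentage of identified risks whose potential impact or likelihood exceeds the organization's risk tolerance" describe a small but concrete procedure: score each risk, record it in a register, prioritize against a stated tolerance, record a treatment (avoid, accept, mitigate, or transfer), and check that the treatment actually lowered the exposure. The following Python is an added illustration written for this page; it is not IVI or IT-CMF code. The 1 to 5 ordinal scales, the likelihood-times-impact exposure formula, the `Tolerance` shape, and every entry in `REGISTER` are constructed assumptions chosen to make the mechanics visible.

```python
"""Illustrative risk register: inherent/residual scoring, prioritization
against a tolerance, and the 'exceeds tolerance' metric from the page.
Added example, not IT-CMF code; scales and sample risks are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

SCALE = range(1, 6)  # assumed 1 (lowest) .. 5 (highest) ordinal scale


class Treatment(Enum):
    """The four response strategies named under C3."""
    AVOID = "avoid"
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str            # one of the risk categories from the RM definition
    owner: str               # C3: every prioritized risk gets an owner
    likelihood: int          # inherent scores, i.e. before any treatment
    impact: int
    treatment: Optional[Treatment] = None
    residual_likelihood: Optional[int] = None   # after treatment; None = unchanged
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact,
                      self.residual_likelihood, self.residual_impact):
            if value is not None and value not in SCALE:
                raise ValueError(f"{self.risk_id}: score {value} outside {list(SCALE)}")

    def scores(self, residual: bool = True) -> Tuple[int, int]:
        """(likelihood, impact), residual by default, falling back to inherent."""
        if not residual:
            return self.likelihood, self.impact
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik, imp

    def exposure(self, residual: bool = True) -> int:
        """Assumed exposure formula: likelihood x impact."""
        lik, imp = self.scores(residual)
        return lik * imp


@dataclass(frozen=True)
class Tolerance:
    """Risk tolerance expressed per dimension, matching the page's metric wording."""
    max_likelihood: int
    max_impact: int


def exceeds_tolerance(risk: Risk, tol: Tolerance, residual: bool = True) -> bool:
    """True when impact OR likelihood is above tolerance (the page's metric)."""
    lik, imp = risk.scores(residual)
    return lik > tol.max_likelihood or imp > tol.max_impact


def prioritize(register: List[Risk], tol: Tolerance) -> List[Risk]:
    """C2: out-of-tolerance risks first, then by residual exposure, then inherent."""
    return sorted(register, key=lambda r: (not exceeds_tolerance(r, tol),
                                           -r.exposure(True), -r.exposure(False), r.risk_id))


def percent_exceeding_tolerance(register: List[Risk], tol: Tolerance,
                                residual: bool = True) -> float:
    """Intermediate-level metric, as a percentage rounded to one decimal."""
    if not register:
        return 0.0
    hits = sum(exceeds_tolerance(r, tol, residual) for r in register)
    return round(100.0 * hits / len(register), 1)


def ineffective_treatments(register: List[Risk]) -> List[str]:
    """C4 check: an active treatment that did not reduce exposure is not working."""
    active = (Treatment.AVOID, Treatment.MITIGATE, Treatment.TRANSFER)
    return [r.risk_id for r in register
            if r.treatment in active and r.exposure(True) >= r.exposure(False)]


def needs_escalation(register: List[Risk], tol: Tolerance) -> List[str]:
    """Risks still beyond tolerance with no treatment, or merely accepted."""
    return [r.risk_id for r in register
            if exceeds_tolerance(r, tol) and r.treatment in (None, Treatment.ACCEPT)]


# Constructed sample register; names and scores are illustrative only.
REGISTER = [
    Risk("R-001", "Internet-facing VPN appliance behind on vendor patches", "IT security",
         "Head of Infrastructure", 4, 5, Treatment.MITIGATE, residual_likelihood=2),
    Risk("R-002", "Single payroll SaaS supplier, no exit plan", "IT service contracts and suppliers",
         "CIO", 2, 4, Treatment.ACCEPT),
    Risk("R-003", "Backups never restore-tested", "continuity and recovery",
         "IT Operations Manager", 3, 5),
    Risk("R-004", "Credential theft via phishing", "IT security",
         "CISO", 5, 3, Treatment.MITIGATE, residual_likelihood=3),
    Risk("R-005", "Ransomware business-interruption cost", "business operations",
         "CFO", 3, 4, Treatment.TRANSFER, residual_impact=2),
    Risk("R-006", "Legacy application on unsupported OS", "IT security",
         "Application Owner", 3, 3, Treatment.MITIGATE, residual_likelihood=3, residual_impact=3),
]
TOLERANCE = Tolerance(max_likelihood=3, max_impact=4)

if __name__ == "__main__":
    for r in prioritize(REGISTER, TOLERANCE):
        flag = "OUT" if exceeds_tolerance(r, TOLERANCE) else "ok "
        print(f"{flag} {r.risk_id} inherent={r.exposure(False):2d} residual={r.exposure():2d} {r.description}")
    print("exceeding tolerance (residual):", percent_exceeding_tolerance(REGISTER, TOLERANCE), "%")
    print("ineffective treatments:", ineffective_treatments(REGISTER))
    print("needs escalation:", needs_escalation(REGISTER, TOLERANCE))
```

Two design points carry over to a real register regardless of tooling: the metric is computed on residual scores by default but the inherent scores are kept, so the "before" picture is never lost when a control is later withdrawn; and an accepted risk that still sits outside tolerance is surfaced for escalation rather than silently treated as closed, which is what the governance structures under A3 are there to decide.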

Reference

History

This capability was introduced in Revision 18.04 as an update to Risk Management (16).