IVI Framework Viewer

Communication and Performance Reporting

A8

Inform stakeholders of key developments (e.g. objectives, policies, approaches, activities, risks, and outcomes) to build a shared understanding of how they can contribute to the realization of risk management objectives. Report on the effectiveness/efficiency of the risk principles, policies, controls, strategy, and activities.


Practices-Outcomes-Metrics (POM)

Representative POMs are described for Communication and Performance Reporting at each level of maturity.

2. Basic
  • Practice
    Establish a basic approach for communicating the most significant risk management topics to stakeholders.
    Outcome
    Employees begin to understand key issues pertaining to risk management and can discuss their potential impacts.
    Metrics
    • Frequency of risk management communications.
    • # of scheduled meetings to communicate risk management information per annum.
  • Practice
    Start to measure and report on the performance of key risk management activities, using selected basic metrics.
    Outcomes
    • There is a high-level view of the overall performance of risk management activities and a growing understanding of the effectiveness of risk measures.
    • The focus is typically on basic compliance- and audit-oriented oversight.
    Metrics
    • # of IT-related risk issues identified.
    • # of risk reports including basic information on costs, measures, and risk incidents.
    • Magnitude of provisions for IT risk.
    • Ratio of potential cost of IT risk and annual sales.
3. Intermediate
  • Practice
    Standardize the approach used for regularly and consistently communicating key risk management topics to stakeholders in most areas, and tailor the communications to their needs and interests.
    Outcome
    Visibility and awareness of risk management issues and their impacts are improved.
    Metrics
    • Frequency of risk management communications.
    • # of scheduled meetings to communicate risk management information per annum.
    • # of emails/reports distributed to communicate risk management information per annum.
    • % of employees receiving risk management communications.
  • Practice
    Standardize risk performance measurement and reporting across most areas, and compare results against targets to identify areas for improvement.
    Outcomes
    • The consistency of risk performance measurement and reporting with overall ERM is improving.
    • Stakeholders receive an 'at a glance' view of the status of risk management activities.
    • Stakeholders understand the effectiveness of risk measures and can help to align them more closely with business needs, priorities, and budgets.
    Metrics
    • # of IT-related risk issues identified.
    • # of risk reports including trend information, and the business impact of risk activities and risk incidents.
    • Magnitude of provisions for IT risk.
    • Ratio of potential cost of IT risk and annual sales.
    • % of risk management objectives met against targets.
4. Advanced
  • Practice
    Proactively communicate risk management topics in a tailored manner to all relevant stakeholders across the organization.
    Outcomes
    • Communication is in the context and language of the stakeholder.
    • Broader visibility, awareness, and credibility of risk management issues are fostered, generating higher levels of interest for engaging in future activities.
    Metrics
    • Frequency of risk management communications.
    • # of scheduled meetings to communicate risk management information per annum.
    • # of emails/reports distributed to communicate risk management information per annum.
    • % of employees receiving risk management communications.
  • Practice
    Comprehensively measure and report on the performance of risk management activities across the entire organization, and regularly compare results against targets and internal and external benchmarks to identify areas for improvement.
    Outcome
    Reporting covers the entire organization, enabling transparent comparisons and adjustments, and reducing the risk of weak links.
    Metrics
    • # of IT-related risk issues identified.
    • # of risk reports, including trend information, and the business impact of risk activities and risk incidents.
    • Magnitude of provisions for IT risk.
    • Ratio of potential cost of IT risk and annual sales.
    • % of risk management objectives met against targets.
5. Optimized
  • Practice
    Extend communication of risk management topics to the wider business ecosystem where relevant, and review the communication approach for improvement opportunities.
    Outcome
    The communications can be framed with discrete audiences in mind, down to the level of key individuals where appropriate.
    Metrics
    • Frequency of risk management communications.
    • # of scheduled meetings to communicate risk management information per annum.
    • # of emails/reports distributed to communicate risk management information per annum.
    • % of employees receiving risk management communications.
    • % of business ecosystem partners receiving risk management communications.
  • Practice
    Consolidate risk performance measures into a single dashboard and use them to support continual improvement.
    Outcome
    The organization and its key business ecosystem partners are confident that the risk measures adopted are effective in securing business assets.
    Metrics
    • # of IT-related risk issues identified.
    • # of risk reports including trend information, and the business impact of risk activities and risk incidents.
    • Magnitude of provisions for IT risk.
    • Ratio of potential cost of IT risk and annual sales.
    • % of risk management objectives met against targets.