IVI Framework Viewer

Risk Profile Definition

B1

Define the IT-related risk profiles by their potential impact on business continuity and performance, and apply them in risk management activities. The risk profile is the description of the overall (identified) IT risks and risk attributes that an organization may be exposed to.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Risk Profile Definition at each level of maturity.

2 Basic
  • Practice
    Create basic risk profiles, and use them to identify and categorize risks.
    Outcome
    Basic risk profiles support risk assessment and treatment activities in a number of high-risk areas.
    Metrics
    • # of IT-related risk areas covered by the risk profile.
    • % of projects and operational systems in the various risk categories.
3 Intermediate
  • Practice
    Establish a standardized approach for defining risk profiles and use them in most risk assessment and treatment activities.
    Outcome
    The risk profiles support most risk assessment and treatment activities.
    Metrics
    • # of IT-related risk areas covered by the risk profile.
    • % of projects and operational systems in the various risk categories.
  • Practice
    Regularly update the risk profiles.
    Outcome
    The risk profiles are relevant and up to date, and reflect changes in the risk landscape and technological advances.
    Metric
    Frequency of risk profile review cycle.
  • Practice
    Establish and maintain threat libraries.
    Outcome
    Creation of threat libraries results in awareness of key threats and threat agents, and ensures availability and consistency of information on them.
    Metrics
    • # of threat agents identified.
    • # of threat agent attributes.
4 Advanced
  • Practice
    Define risk profiles in collaboration with the entire organization, and systematically use them in the organization's risk assessment and treatment activities.
    Outcome
    The risk profiles support risk assessment and treatment activities organization-wide.
    Metrics
    • # of IT-related risk areas covered by the risk profile.
    • % of projects and operational systems in the various risk categories.
  • Practice
    Incorporate benchmark data from industry sources into the risk profiles.
    Outcomes
    • Incorporation of external benchmark data into risk profiles allows evaluation of risks in an industry context with meaningful, relative placement of risks along the risk profile's dimensions.
    • Validation and quality assurance are supported.
    Metric
    Ratio of actual risk profile benchmarking exercises to required benchmarks (set out in the risk management policy or handbook).
  • Practice
    Establish a unified threat library and systematically use it in organization-wide risk assessments.
    Outcome
    Awareness of key threats and threat agents is enhanced, and the availability and consistency of information on them is more transparent.
    Metrics
    • # of threat agents identified.
    • # of threat agent attributes.
    • % of risk assessments in which threat libraries are used.
5 Optimized
  • Practice
    Define risk profiles in collaboration with the business ecosystem, and review and update them as required.
    Outcome
    Risk profiles are kept up to date and relevant through collaborative input and review processes.
    Metric
    Frequency of risk profile review cycle.
  • Practice
    Regularly evaluate the effectiveness of the risk profiles in risk assessment and treatment activities.
    Outcome
    Evaluation results provide input to continually improve the risk profiles.
    Metric
    Frequency of risk profile review cycle.