IVI Framework Viewer

Response/Treatment

C3

Assign ownership to prioritized risks, and assign responsibility and accountability for developing risk response/treatment strategies. Initiate implementation of risk response/treatment strategies, where risks can be avoided, accepted, mitigated, or transferred. Interact with incident management functions.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Response/Treatment at each level of maturity.

2 Basic
  • Practice
    Establish a basic process to treat prioritized risks.
    Outcome
    There is some success in mitigating the potential consequences of some high-priority risks.
    Metric
    % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  • Practice
    Define a basic risk ownership policy.
    Outcome
    Some accountability for risk treatment is evident.
    Metric
    % of identified risks that are assigned owners.
  • Practice
    Establish some basic interaction between risk management and incident management functions.
    Outcome
    There is growing visibility of risks and risk incidents between risk management and incident management functions.
    Metric
    # of formal meetings between risk management and incident management function stakeholders.
3 Intermediate
  • Practice
    Standardize the risk treatment process and match the risk treatment strategies to the magnitude of the risks posed vis-a-vis particular business unit needs and objectives.
    Outcome
    Most prioritized risks are addressed and can be mitigated sufficiently.
    Metric
    % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  • Practice
    Assign ownership of risks and risk treatment strategies to individuals from IT and other business units.
    Outcome
    Growing accountability for risk treatment is evident, which increases the likelihood of many risks being mitigated to within the organization's risk tolerance threshold.
    Metric
    % of identified risks that are assigned owners.
  • Practice
    Standardize interaction processes between risk management and incident management functions.
    Outcome
    Incident management functions are updated on high-priority risks and risk treatment strategies.
    Metric
    # of formal meetings between risk management and incident management function stakeholders.
4 Advanced
  • Practice
    Extend the risk treatment process to address all prioritized risks and match the risk treatment strategies to the magnitude of the risks posed vis-a-vis the organization's overall needs and objectives.
    Outcome
    All prioritized risks are reliably addressed and can be mitigated sufficiently.
    Metric
    % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  • Practice
    Establish a multi-disciplinary organization-wide committee to assign ownership of risks and risk treatment strategies.
    Outcome
    Expert risk owners are clearly identified across the organization and are held visibly accountable.
    Metric
    % of identified risks that are assigned owners.
  • Practice
    Encourage close involvement and collaboration between risk management and incident management functions and provide regular updates on risks and risk treatment strategies.
    Outcome
    The incident management function is closely involved in the risk management processes and is regularly updated on all identified risks and risk treatment strategies.
    Metric
    # of formal meetings between risk management and incident management function stakeholders.
5 Optimized
  • Practice
    Regularly review the risk treatment process for improvement opportunities.
    Outcomes
    • The risk treatment process is kept relevant through feedback from relevant experts and learning from past experiences.
    • Prioritized risks are reliably addressed across the organization and in relation to the interface with the business ecosystem.
    Metrics
    • % of prioritized risks mitigated to within the organization's risk tolerance threshold.
    • % of identified risks that are assigned owners.
  • Practice
    Interact with external parties in the business ecosystem on managing risk incidents, and continually improve interaction with incident management functions.
    Outcome
    Risk and incident management benefit from input from experts in the business ecosystem.
    Metrics
    • # of formal meetings between risk management and incident management function stakeholders.
    • # of business ecosystem partners providing input on incident management.