Risk Management
The Risk Management (RM) capability is the ability to identify, assess, prioritize, treat, and monitor the exposure to and the potential impact of IT-related risks that can directly affect the business. Risks include traditional IT risks and those more specific to the transformational changes brought about by new and emerging technologies; they include those mainly associated with IT security, data protection and information privacy, business operations, continuity of business and recovery from declared disasters, IT investment and project/service delivery, and IT service contracts and suppliers.
Structure
RM is made up of the following Categories and Capability Building Blocks (CBBs). Maturity and Planning are described at both the Critical Capability (CC) and the CBB level.
- A Governance
  - A1 Risk Management Principles and Policies
    Define the principles that underpin the organization's approach to risk management. Define, review, make accessible, and comply with risk management policies.
  - A2 Risk Management Programme
    Provide leadership direction in relation to the risk management programme and the organization's risk appetite and risk tolerance. Establish and maintain a plan/strategy that outlines the scope and overall approach of the risk management effort.
  - A3 Governance Structures
    Establish risk management governance structures. Outline the composition and scope of risk management governance bodies, decision rights, and authorization. Identify and establish reporting arrangements, issue escalation protocols, roles in complying with obligations and overseeing governance activities, and rules to govern and control the application of risk management authority within the organization.
  - A4 Integration
    Integrate IT risk management with digital leadership and governance structures, and with overall Enterprise Risk Management (ERM) policies and approaches.
  - A5 Roles, Responsibilities, and Accountabilities
    Complete job and business process designs to identify the required roles for risk management tasks, and assign employees with the requisite knowledge and experience to the identified roles. Define and allocate the associated responsibilities and assign accountabilities to those who will be answerable for the achievement of risk management objectives.
  - A6 Skills and Competence Development
    Establish and make available a risk management training curriculum and other employee development mechanisms to enhance skills and competences. Record employee participation in risk management training and development initiatives, and recognise and acknowledge their achievements (e.g. courses completed, certifications, skills and competence levels acquired).
  - A7 Culture and Stakeholder Management
    Establish a risk-aware culture. Motivate and secure stakeholder support, buy-in, and ownership of key risk management initiatives.
  - A8 Communication and Performance Reporting
    Inform stakeholders of key developments (e.g. objectives, policies, approaches, activities, risks, and outcomes) to build a shared understanding of how they can contribute to the realization of risk management objectives. Report on the effectiveness/efficiency of the risk principles, policies, controls, strategy, and activities.
- B Profiling and Coverage
  - B1 Risk Profile Definition
    Define the IT-related risk profiles by their potential impact on business continuity and performance, and apply them in risk management activities. The risk profile is the description of the overall (identified) IT risks and risk attributes that an organization may be exposed to.
  - B2 Risk Coverage
    Establish the breadth of risk categories and asset classes that are addressed by risk management activities.
- C Process
  - C1 Assessment
    Identify subject matter experts (SMEs) for risk assessments. Run risk assessments to identify, document, evaluate exposure to, and quantify/score risks and their components. Record the results in a risk register.
  - C2 Prioritization
    Prioritize inherent and residual risks and risk response/treatment strategies, based on the organization's risk tolerance, that is, the risk levels that are acceptable to the organization.
  - C3 Response/Treatment
    Assign ownership to prioritized risks, and assign responsibility and accountability for developing risk response/treatment strategies. Initiate implementation of risk response/treatment strategies, where risks can be avoided, accepted, mitigated, or transferred. Interact with incident management functions.
  - C4 Monitoring
    Track identified risks, and validate the effectiveness of the risk treatment strategies.
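The Process category (C1 scoring and recording risks in a register, C2 prioritizing inherent and residual risk against the organization's tolerance, C3 choosing to avoid, accept, mitigate or transfer) and the Intermediate-level metrics "risk exposure for each identified risk" and "percentage of identified risks whose potential impact or likelihood exceeds the organization's risk tolerance" can be made concrete with a small scoring model. The following is an added example written for this page; it is not part of IT-CMF and not code from the original text. The 1..5 likelihood and impact scales, the `Tolerance` thresholds, the treatment decision rule in `recommend_treatment`, and every entry in `SAMPLE_REGISTER` are constructed assumptions, not values the framework prescribes.

```python
"""Worked risk-register example: score (C1), prioritize (C2), treat (C3), report metrics."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Treatment(Enum):
    """The four response options named in CBB C3."""
    AVOID = "avoid"
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"


@dataclass(frozen=True)
class Tolerance:
    """Constructed tolerance settings on a 1..5 likelihood x 1..5 impact scale (assumption)."""
    max_exposure: int = 9      # residual likelihood x impact above this is outside tolerance
    max_likelihood: int = 4    # a single dimension scored 5 is outside tolerance regardless
    max_impact: int = 4


@dataclass
class Risk:
    """One register entry: inherent scores, and residual scores after existing controls."""
    risk_id: str
    description: str
    category: str
    owner: str
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int
    residual_impact: int

    def inherent_exposure(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    def residual_exposure(self) -> int:
        return self.residual_likelihood * self.residual_impact


def exceeds_tolerance(risk: Risk, tol: Tolerance) -> bool:
    """C2: outside tolerance if residual exposure, likelihood, or impact is above its limit."""
    return (risk.residual_exposure() > tol.max_exposure
            or risk.residual_likelihood > tol.max_likelihood
            or risk.residual_impact > tol.max_impact)


def recommend_treatment(risk: Risk, tol: Tolerance) -> Treatment:
    """C3: constructed decision rule mapping residual scores to one of the four responses."""
    if not exceeds_tolerance(risk, tol):
        return Treatment.ACCEPT
    if risk.residual_likelihood == 5 and risk.residual_impact == 5:
        return Treatment.AVOID      # controls have not moved it at all; stop the activity
    if risk.residual_impact > tol.max_impact and risk.residual_likelihood <= tol.max_likelihood:
        return Treatment.TRANSFER   # rare but severe: insurance or contractual transfer
    return Treatment.MITIGATE       # add or strengthen controls, then re-score


def prioritize(register: List[Risk], tol: Tolerance) -> List[Risk]:
    """C2: out-of-tolerance risks first, then by residual exposure, then inherent exposure."""
    return sorted(register, key=lambda r: (not exceeds_tolerance(r, tol),
                                           -r.residual_exposure(),
                                           -r.inherent_exposure()))


def register_metrics(register: List[Risk], tol: Tolerance) -> Dict[str, object]:
    """POM metrics: exposure per risk, percentage outside tolerance, coverage by category (B2)."""
    outside = [r for r in register if exceeds_tolerance(r, tol)]
    by_category: Dict[str, int] = {}
    for r in register:
        by_category[r.category] = by_category.get(r.category, 0) + 1
    return {
        "risks_in_register": len(register),
        "exposure": {r.risk_id: r.residual_exposure() for r in register},
        "pct_outside_tolerance": round(100.0 * len(outside) / len(register), 1) if register else 0.0,
        "categories_covered": by_category,
    }


# Constructed sample register: ids, descriptions, owners and scores are invented for this example.
SAMPLE_REGISTER = [
    Risk("R-001", "Unpatched internet-facing web server", "IT security", "CISO", 5, 5, 4, 4),
    Risk("R-002", "Backup restore never tested", "Business continuity", "IT Ops", 3, 5, 3, 3),
    Risk("R-003", "Single supplier for payment gateway", "Suppliers", "Procurement", 2, 5, 2, 5),
    Risk("R-004", "Shadow SaaS holding customer PII", "Data protection", "DPO", 5, 5, 5, 5),
    Risk("R-005", "Delivery slip on ERP upgrade project", "Project delivery", "PMO", 3, 2, 2, 2),
]
TOLERANCE = Tolerance()

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER, TOLERANCE):
        status = "OUT" if exceeds_tolerance(r, TOLERANCE) else "in "
        print(f"{r.risk_id} residual={r.residual_exposure():2d} {status} "
              f"-> {recommend_treatment(r, TOLERANCE).value} (owner: {r.owner})")
    print(register_metrics(SAMPLE_REGISTER, TOLERANCE))
```

The register keeps inherent and residual scores side by side because C2 asks for both to be prioritized: inherent exposure shows what the business is relying on its controls for, residual exposure is what is compared against tolerance. R-002 sits exactly on the exposure threshold and is therefore accepted, which is the kind of boundary case the tolerance definition needs to state explicitly; the single-dimension limits catch R-003, whose low likelihood would otherwise hide a severe impact behind a modest product.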
Overview
Goal & Objectives
An effective Risk Management (RM) capability aims to:
- Understand the organization's risk appetite, and establish senior management direction and governance structures for risk management.
- Establish proactive risk management approaches. Identify, profile, and assess the IT-related risks that present vulnerabilities, determine appropriate responses to risk disruptions, and monitor risk response effectiveness.
- Monitor changes in the risk landscape and in technological advances.
- Proactively sense and respond to unexpected/unforeseen IT-related risks, and increase transparency around how they could affect business objectives and decisions.
- Increase compliance with relevant legal and regulatory requirements.
- Assign ownership and share accountability for risk avoidance across business and IT leaders, and build employee competences to facilitate risk decisions.
- Contribute to improving the organization's reputation as a trusted supply chain business partner.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for RM at each level of maturity.
- 2 Basic
  - Practice
    - Identify applicable regulatory/legal compliance requirements.
  - Outcome
    - Confidence grows regarding the implementation of measures to satisfy legal requirements.
  - Metric
    - Number of instances of non-compliance with external regulations.
  - Practice
    - Set up initial employee training in risk management principles, tools, and techniques.
  - Outcome
    - There is high-level user awareness of, and proficiency in, risk management processes.
  - Metric
    - Percentage of executives, IT employees, and business unit employees trained in risk management (or with industry certifications).
  - Practice
    - Create basic risk profiles for prioritized areas.
  - Outcome
    - Risk profiles support risk assessment and treatment in high-risk areas.
  - Metric
    - Number of risk areas covered by the risk profiles.
- 3 Intermediate
  - Practice
    - Implement a consistent set of risk management principles and guidelines across most areas.
  - Outcome
    - A holistic approach to risk management exists, and it is relevant to more business unit needs.
  - Metric
    - Percentage of functional groups that have participated in the risk management programme.
  - Practice
    - Allocate risk management ownership and accountability.
  - Outcome
    - Points of contact exist for risk management, and the necessary time and skills are invested in the risk management programme.
  - Metric
    - Distribution of employees with allocated risk management responsibility and accountability.
  - Practice
    - Establish a central risk register.
  - Outcome
    - The register provides consistent information on risks, and supports risk management.
  - Metric
    - Number of risks managed in a risk register.
  - Practices
    - Conduct regular risk assessments, using risk profile dimensions.
    - Assess violations, missed opportunities, and response times.
  - Outcome
    - Data on risks can be consistently gathered, and used to support risk prioritization and treatment.
  - Metric
    - Risk exposure for each identified risk. Percentage of identified risks whose potential impact or likelihood exceeds the organization's risk tolerance.
- 4 Advanced
  - Practice
    - Benchmark risk management practices against industry best-known practice on a regular basis.
  - Outcome
    - The risk management policy, principles, and guidelines reflect latest industry practice insights.
  - Metric
    - Percentage of identified risks within the tolerance levels of broader ERM guidance.
  - Practice
    - Broaden training on risk management approaches to include all stakeholders.
  - Outcome
    - Risk management is more embedded in the organization's culture.
  - Metric
    - Percentage of executives, IT employees, and business unit employees trained in risk management (or with industry certifications).
  - Practice
    - Incorporate benchmark data from industry sources into the risk profiles.
  - Outcome
    - Risks can be evaluated in an industry context, with meaningful placement of risks along the profile's dimensions.
  - Metric
    - Percentage of projects and operational systems in the various risk categories and asset classes.
  - Practice
    - Integrate the risk management of IT into overall ERM approaches and decision-making.
  - Outcome
    - The risk management of IT is accepted as a key component in the management of business risks.
  - Metric
    - Percentage of IT risk management principles that align with ERM approaches.
- 5 Optimized
  - Practice
    - Establish a collaborative network of risk managers across the business ecosystem.
  - Outcome
    - Collaboration of risk managers and external experts across the business ecosystem supports optimized visibility and management of risks.
  - Metric
    - Percentage of business units that have a dedicated risk manager.
  - Practice
    - Review and update risk profiles in collaboration with business ecosystem partners.
  - Outcome
    - Risk profiles are kept up to date and relevant through collaborative input and review.
  - Metric
    - Frequency of risk profile reviews and updates (as appropriate).
  - Practice
    - Ensure that ERM tools share data across the organization and that decision criteria relating to risk are uniform across the organization.
  - Outcome
    - Tools and data that support risk management are consistent.
  - Metric
    - Number of occurrences of non-compliance with risk management policies.
Reference
History
This capability was introduced in Revision 18.04 as an update to Risk Management (16).