Risk Management Principles and Policies
Define the principles that underpin the organization's approach to risk management. Define, review, make accessible, and comply with risk management policies.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Risk Management Principles and Policies at each level of maturity.
- 2 Basic
  - Practice
    - Identify applicable regulatory/legal compliance requirements.
  - Outcome
    - Compliance with regulatory/legal requirements is beginning to be supported.
  - Metrics
    - Ratio of actual reviews of external regulations to required reviews (set out in the risk management policies).
    - Ratio of incorporated to identified external regulations.
  - Practice
    - Develop risk management principles and basic policies (e.g. based on reviews of mandatory standards or regulations), and execute reviews of the policies as needed.
  - Outcomes
    - The emergence of principles and policies enables the organization to embark on the implementation of the risk management programme.
    - Through undertaking reviews of the policies, their accuracy and relevance increase as they are more likely to be informed by major risk events.
  - Metrics
    - # of risk management policies and standards in existence.
    - Ratio of actual risk management policy reviews to required reviews (set out in the policies).
  - Practice
    - Make the risk management policies accessible to some employees (e.g. on request).
  - Outcome
    - The risk management policies can be accessed on request by some employees to support key operational needs.
  - Metrics
    - % of IT employees who have signed the risk management policies.
    - % of business unit employees who have signed the risk management policies.
    - % of managers who have signed the risk management policies.
  - Practice
    - Begin to conduct compliance audits with the risk management policies.
  - Outcome
    - Some issues of non-compliance are beginning to be uncovered.
  - Metrics
    - # of audit findings related to non-adherence to the risk management policies.
    - # of identified occurrences of non-compliance with relevant external regulations.
    - % of employees adhering to the risk management policies.
- 3 Intermediate
  - Practice
    - Develop detailed risk management principles and standardized policies (e.g. covering most assets, processes, people, key emerging risks, and risk treatment strategies), and formalize a process and schedule for their review.
  - Outcome
    - There are clear and consistent principles and policies in place which relate to key business needs and support the implementation of the risk management programme.
  - Metrics
    - # of risk management policies mapped to business requirements.
    - Ratio of actual risk management policy reviews to required reviews (set out in the policies).
  - Practice
    - Implement the risk management policies and ensure they are centrally accessible to most employees.
  - Outcome
    - The risk management policies can be accessed centrally by most employees, via, for example, a document management system or an intranet, to support most operational needs.
  - Metrics
    - % of IT employees who have signed the risk management policies.
    - % of business unit employees who have signed the risk management policies.
    - % of managers who have signed the risk management policies.
  - Practice
    - Regularly audit and enforce compliance with the risk management policies in most areas.
  - Outcome
    - Key issues of non-compliance are evident, and steps can be taken to rectify them.
  - Metrics
    - # of audit findings related to non-adherence to the risk management policies.
    - # of identified occurrences of non-compliance with relevant external regulations.
    - % of employees adhering to the risk management policies.
- 4 Advanced
  - Practice
    - Develop the risk management principles and comprehensive policies via a process of organization-wide cooperation and collaboration, and systematically review them for alignment with business objectives.
  - Outcomes
    - The principles and policies are supportive of all business goals.
    - They enable consistent and effective implementation of the risk management programme across the organization.
  - Metrics
    - # of risk management policies mapped to business requirements.
    - Ratio of actual risk management policy reviews to required reviews (set out in the policies).
    - % of IT-dependent business activities incorporated in the scope of the risk management policies.
  - Practice
    - Benchmark the risk management policies against industry best known practice.
  - Outcome
    - The validity and completeness of the risk management policies are improved.
  - Metric
    - Ratio of actual risk management policy benchmarks to planned benchmarks (set out in the policies).
  - Practice
    - Implement the risk management policies and ensure they are readily accessible to all employees.
  - Outcome
    - The risk management policies can be accessed centrally by all employees to support all operational needs.
  - Metrics
    - % of IT employees who have signed the risk management policies.
    - % of business unit employees who have signed the risk management policies.
    - % of managers who have signed the risk management policies.
  - Practice
    - Regularly audit and systematically enforce compliance with the risk management policies across the organization.
  - Outcome
    - There is organization-wide confidence that policies are being adhered to, and that any issues of non-compliance are effectively rectified.
  - Metrics
    - # of audit findings related to non-adherence to the risk management policies.
    - # of identified occurrences of non-compliance with relevant external regulations.
    - % of employees adhering to the risk management policies.
- 5 Optimized
  - Practice
    - Reflect input from consultation with relevant business ecosystem partners and leading insights from the latest research and legislative changes in the risk management principles and policies.
  - Outcome
    - The principles and policies are industry exemplars and are kept relevant to the changing organization and business ecosystem context to ensure optimized protection of business assets.
  - Metric
    - Ratio of actual risk management policy reviews to required reviews (set out in the policies).
  - Practice
    - Share the risk management policies across the business ecosystem.
  - Outcome
    - The risk management policies can be accessed by all relevant stakeholders (internal and external) to support all operational needs, including those of customers, suppliers, and other partners.
  - Metrics
    - % of IT employees who have signed the risk management policies.
    - % of business unit employees who have signed the risk management policies.
    - % of managers who have signed the risk management policies.
    - % of stakeholders in the business ecosystem whose interests inform aspects of the risk management policies.
    - # of mutual risk management agreements in place with business ecosystem constituents.