IVI Framework Viewer

Risk Management Principles and Policies

A1

Define the principles that underpin the organization's approach to risk management. Define, review, make accessible, and comply with risk management policies.

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Risk Management Principles and Policies at each level of maturity.

2 Basic
  • Practice
    Identify applicable regulatory/legal compliance requirements.
    Outcome
    Compliance with regulatory/legal requirements is beginning to be supported.
    Metrics
    • Ratio of actual reviews of external regulations to required reviews (set out in the risk management policies).
    • Ratio of incorporated to identified external regulations.
  • Practice
    Develop risk management principles and basic policies (e.g. based on reviews of mandatory standards or regulations), and execute reviews of the policies as needed.
    Outcomes
    • The emergence of principles and policies enables the organization to embark on the implementation of the risk management programme.
    • Through undertaking reviews of the policies, their accuracy and relevance increase as they are more likely to be informed by major risk events.
    Metrics
    • # of risk management policies and standards in existence.
    • Ratio of actual risk management policy reviews to required reviews (set out in the policies).
  • Practice
    Make the risk management policies accessible to some employees (e.g. on request).
    Outcome
    The risk management policies can be accessed on request by some employees to support key operational needs.
    Metrics
    • % of IT employees who have signed the risk management policies.
    • % of business unit employees who have signed the risk management policies.
    • % of managers who have signed the risk management policies.
  • Practice
    Begin to conduct compliance audits with the risk management policies.
    Outcome
    Some issues of non-compliance are beginning to be uncovered.
    Metrics
    • # of audit findings related to non-adherence to the risk management policies.
    • # of identified occurrences of non-compliance with relevant external regulations.
    • % of employees adhering to the risk management policies.
3 Intermediate
  • Practice
    Develop detailed risk management principles and standardized policies (e.g. covering most assets, processes, people, key emerging risks, and risk treatment strategies), and formalize a process and schedule for their review.
    Outcome
    There are clear and consistent principles and policies in place which relate to key business needs and support the implementation of the risk management programme.
    Metrics
    • # of risk management policies mapped to business requirements.
    • Ratio of actual risk management policy reviews to required reviews (set out in the policies).
  • Practice
    Implement the risk management policies and ensure they are centrally accessible to most employees.
    Outcome
    The risk management policies can be accessed centrally by most employees, via for example a document management system or an Intranet, to support most operational needs.
    Metrics
    • % of IT employees who have signed the risk management policies.
    • % of business unit employees who have signed the risk management policies.
    • % of managers who have signed the risk management policies.
  • Practice
    Regularly audit and enforce compliance with the risk management policies in most areas.
    Outcome
    Key issues of non-compliance are evident, and steps can be taken to rectify them.
    Metrics
    • # of audit findings related to non-adherence to the risk management policies.
    • # of identified occurrences of non-compliance with relevant external regulations.
    • % of employees adhering to the risk management policies.
4 Advanced
  • Practice
    Develop the risk management principles and comprehensive policies via a process of organization-wide cooperation and collaboration, and systematically review them for alignment with business objectives.
    Outcomes
    • The principles and policies are supportive of all business goals.
    • They enable consistent and effective implementation of the risk management programme across the organization.
    Metrics
    • # of risk management policies mapped to business requirements.
    • Ratio of actual risk management policy reviews to required reviews (set out in the policies).
    • % of IT-dependent business activities incorporated in the scope of the risk management policies.
  • Practice
    Benchmark the risk management policies against industry best known practice.
    Outcome
    The validity and completeness of the risk management policies are improved.
    Metric
    Ratio of actual risk management policy benchmarks to planned benchmarks (set out in the policies).
  • Practice
    Implement the risk management policies and ensure they are readily accessible to all employees.
    Outcome
    The risk management policies can be accessed centrally by all employees to support all operational needs.
    Metrics
    • % of IT employees who have signed the risk management policies.
    • % of business unit employees who have signed the risk management policies.
    • % of managers who have signed the risk management policies.
  • Practice
    Regularly audit and systematically enforce compliance with the risk management policies across the organization.
    Outcome
    There is organization-wide confidence that policies are being adhered to, and that any issues of non-compliance are effectively rectified.
    Metrics
    • # of audit findings related to non-adherence to the risk management policies.
    • # of identified occurrences of non-compliance with relevant external regulations.
    • % of employees adhering to the risk management policies.
5 Optimized
  • Practice
    Reflect input from consultation with relevant business ecosystem partners and leading insights from the latest research and legislative changes in the risk management principles and policies.
    Outcome
    The principles and policies are industry exemplars and kept relevant to the changing organization and business ecosystem context to ensure optimized protection of business assets.
    Metric
    Ratio of actual risk management policy reviews to required reviews (set out in the policies).
  • Practice
    Share the risk management policies across the business ecosystem.
    Outcome
    The risk management policies can be accessed by all relevant stakeholders (internal and external) to support all operational needs, including those of customers, suppliers, and other partners.
    Metrics
    • % of IT employees who have signed the risk management policies.
    • % of business unit employees who have signed the risk management policies.
    • % of managers who have signed the risk management policies.
    • % of stakeholders in the business ecosystem whose interests inform aspects of the risk management policies.
    • # of mutual risk management agreements in place with business ecosystem constituents.