IVI Framework Viewer

Risk Management Programme

A2

Provide leadership direction in relation to the risk management programme and the organization's risk appetite and risk tolerance. Establish and maintain a plan/strategy that outlines the scope and overall approach of the risk management effort.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Risk Management Programme at each level of maturity.

2 Basic
  • Practice
    Ensure a few key senior management figures provide initial direction for the risk management programme.
    Outcome
    A basis upon which to establish and coordinate a risk management programme is emerging.
    Metrics
    • % of IT management who are involved in setting direction for the risk management programme.
    • % of senior business unit management who are involved in setting direction for the risk management programme.
  • Practice
    Establish an initial position regarding the organization's risk appetite and risk tolerance.
    Outcome
    A basis exists for understanding the level of risk that is acceptable for the organization.
    Metric
    Existence of a position on risk appetite and risk tolerance.
  • Practice
    Develop a basic risk management strategy/plan, covering, for example, key roles, methods, and high-level actions.
    Outcome
    There is a foundation and initial goals and objectives for risk management activities.
    Metric
    Existence of a risk management strategy.
3 Intermediate
  • Practice
    Ensure most key senior management figures provide clear direction for the risk management programme.
    Outcome
    Risk management philosophies can be embedded into the business objectives.
    Metrics
    • % of IT management who are involved in setting direction for the risk management programme.
    • % of senior business unit management who are involved in setting direction for the risk management programme.
  • Practice
    Periodically refine the organization's risk appetite and risk tolerance in light of key changes in the risk landscape and in technological advances.
    Outcome
    The level of risk that is acceptable for the organization is periodically refined to take account of the most significant changes in the risk landscape and in technological advances.
    Metric
    Frequency of risk appetite and risk tolerance review cycle.
  • Practice
    Develop a standardized risk management strategy/plan, covering, for example, roles, responsibilities, accountabilities, ownership, methods, tools, and detailed actions.
    Outcome
    Detailed goals and objectives for risk management activities are in place.
    Metrics
    • Existence of a risk management strategy.
    • % of employees aware of and using the risk management strategy.
4 Advanced
  • Practice
    Ensure corporate senior management and a dedicated organization-wide risk management function regularly provide direction for the risk management programme.
    Outcome
    Risk management philosophies can be embedded into the overall organization's operations.
    Metrics
    • % of IT management who are involved in setting direction for the risk management programme.
    • % of senior business unit management who are involved in setting direction for the risk management programme.
    • Existence of a dedicated risk management function.
  • Practice
    Regularly review and refine the organization's risk appetite and risk tolerance in light of all relevant changes in the risk landscape and in technological advances.
    Outcome
    The level of risk that is acceptable for the organization is regularly refined to account for all relevant changes in the risk landscape and in technological advances.
    Metric
    Frequency of risk appetite and risk tolerance review cycle.
  • Practice
    Develop a comprehensive risk management strategy/plan that is aligned with the overall business objectives.
    Outcomes
    • The risk management strategy/plan reflects the organization's overall business objectives.
    • There is confidence that risk management approaches are responsive to changing risks and threats, meet business requirements, and are neither excessive nor inadequate.
    Metrics
    • Existence of a risk management strategy which reflects overall business objectives.
    • % of employees aware of and using the risk management strategy.
5 Optimized
  • Practice
    Embed risk management philosophies into the mission and vision statements, and ensure that strategic objectives are in place to support them.
    Outcome
    Risk management is an integral part of the organization's overall mission, vision, and strategic objectives.
    Metric
    # of strategic objectives reflecting risk management importance.
  • Practice
    Dynamically review and refine the organization's risk appetite and risk tolerance in light of changes in the risk landscape and in technological advances.
    Outcome
    The level of risk that is acceptable for the organization is always reflective of the ongoing changes in the risk landscape and technological advances.
    Metric
    Frequency of risk appetite and risk tolerance review cycle.
  • Practice
    Continually review the risk management strategy/plan for business ecosystem-wide proficiency, and refine it to reflect the latest legislative changes, standards, tools, and emerging research concepts.
    Outcome
    The risk management strategy/plan is an industry exemplar, and reflects key business ecosystem requirements and all relevant emerging insights and changes in the risk landscape.
    Metrics
    • Existence of a risk management strategy which reflects overall business objectives.
    • Frequency of review of the risk management strategy.
    • % of employees aware of and using the risk management strategy.