Risk Management Programme
Provide leadership direction in relation to the risk management programme and the organization's risk appetite and risk tolerance. Establish and maintain a plan/strategy that outlines the scope and overall approach of the risk management effort.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Risk Management Programme at each level of maturity.
- 2 Basic
  - Practice
    - Ensure a few key senior management figures provide initial direction for the risk management programme.
  - Outcome
    - A basis upon which to establish and coordinate a risk management programme is emerging.
  - Metrics
    - % of IT management who are involved in setting direction for the risk management programme.
    - % of senior business unit management who are involved in setting direction for the risk management programme.
  - Practice
    - Establish an initial position regarding the organization's risk appetite and risk tolerance.
  - Outcome
    - A basis exists for understanding the level of risk that is acceptable for the organization.
  - Metric
    - Existence of a position on risk appetite and risk tolerance.
  - Practice
    - Develop a basic risk management strategy/plan, covering, for example, key roles, methods, and high-level actions.
  - Outcome
    - There is a foundation and initial goals and objectives for risk management activities.
  - Metric
    - Existence of a risk management strategy.
- 3 Intermediate
  - Practice
    - Ensure most key senior management figures provide clear direction for the risk management programme.
  - Outcome
    - Risk management philosophies can be embedded into the business objectives.
  - Metrics
    - % of IT management who are involved in setting direction for the risk management programme.
    - % of senior business unit management who are involved in setting direction for the risk management programme.
  - Practice
    - Periodically refine the organization's risk appetite and risk tolerance in light of key changes in the risk landscape and in technological advances.
  - Outcome
    - The level of risk that is acceptable for the organization is periodically refined to take account of the most significant changes in the risk landscape and in technological advances.
  - Metric
    - Frequency of risk appetite and risk tolerance review cycle.
  - Practice
    - Develop a standardized risk management strategy/plan, covering, for example, roles, responsibilities, accountabilities, ownership, methods, tools, and detailed actions.
  - Outcome
    - Detailed goals and objectives for risk management activities are in place.
  - Metrics
    - Existence of a risk management strategy.
    - % of employees aware of and using the risk management strategy.
- 4 Advanced
  - Practice
    - Ensure corporate senior management and a dedicated organization-wide risk management function regularly provide direction for the risk management programme.
  - Outcome
    - Risk management philosophies can be embedded into the overall organization's operations.
  - Metrics
    - % of IT management who are involved in setting direction for the risk management programme.
    - % of senior business unit management who are involved in setting direction for the risk management programme.
    - Existence of a dedicated risk management function.
  - Practice
    - Regularly review and refine the organization's risk appetite and risk tolerance in light of all relevant changes in the risk landscape and in technological advances.
  - Outcome
    - The level of risk that is acceptable for the organization is regularly refined to account for all relevant changes in the risk landscape and in technological advances.
  - Metric
    - Frequency of risk appetite and risk tolerance review cycle.
  - Practice
    - Develop a comprehensive risk management strategy/plan that is aligned with the overall business objectives.
  - Outcomes
    - The risk management strategy/plan reflects the organization's overall business objectives.
    - There is confidence that risk management approaches are responsive to changing risks and threats, meet business requirements, and are neither excessive nor inadequate.
  - Metrics
    - Existence of a risk management strategy which reflects overall business objectives.
    - % of employees aware of and using the risk management strategy.
- 5 Optimized
  - Practice
    - Embed risk management philosophies into the mission and vision statements, and ensure that strategic objectives are in place to support them.
  - Outcome
    - Risk management is an integral part of the organization's overall mission, vision, and strategic objectives.
  - Metric
    - # of strategic objectives reflecting risk management importance.
  - Practice
    - Dynamically review and refine the organization's risk appetite and risk tolerance in light of changes in the risk landscape and in technological advances.
  - Outcome
    - The level of risk that is acceptable for the organization is always reflective of the ongoing changes in the risk landscape and technological advances.
  - Metric
    - Frequency of risk appetite and risk tolerance review cycle.
  - Practice
    - Continually review the risk management strategy/plan for business ecosystem-wide proficiency, and refine it to reflect the latest legislative changes, standards, tools, and emerging research concepts.
  - Outcome
    - The risk management strategy/plan is an industry exemplar, and reflects key business ecosystem requirements and all relevant emerging insights and changes in the risk landscape.
  - Metrics
    - Existence of a risk management strategy which reflects overall business objectives.
    - Frequency of review of the risk management strategy.
    - % of employees aware of and using the risk management strategy.