Governance Structures
Establish risk management governance structures. Outline the composition and scope of risk management governance bodies, decision rights, and authorization. Identify and establish reporting arrangements, issue escalation protocols, roles in complying with obligations and overseeing governance activities, and rules to govern and control the application of risk management authority within the organization.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Governance Structures at each level of maturity.
- Level 2: Basic
  - Practice
    - Establish an informal governance body/working group for risk management.
  - Outcome
    - A basic governance model for risk management is emerging.
  - Metrics
    - % of IT managers participating in the risk management governance body.
    - % of business unit managers participating in the risk management governance body.
- Level 3: Intermediate
  - Practice
    - Establish a formal governance board for risk management as part of overall IT governance, which includes key IT and business unit participants.
  - Outcomes
    - A standardized governance model for risk management can be agreed, outlining, for example, decision rights, authorizations, reporting arrangements, and issue escalation protocols.
    - Some collaboration on the management of key related capabilities is evident.
  - Metrics
    - % of IT managers participating in the risk management governance body.
    - % of business unit managers participating in the risk management governance body.
- Level 4: Advanced
  - Practice
    - Share responsibility for the governance of risk management across a cross-functional governance board that includes all relevant senior managers and stakeholders from across the organization.
  - Outcome
    - Governance of risk management is comprehensively embedded as part of an organization-wide governance model, and collaboration on the management of all related capabilities is evident.
  - Metrics
    - % of IT managers participating in the risk management governance body.
    - % of business unit managers participating in the risk management governance body.
- Level 5: Optimized
  - Practice
    - Regularly review the composition of the governance board for improvement opportunities based on feedback, emerging industry insights, and input from key business ecosystem partners.
  - Outcome
    - Governance structures are industry exemplars, and are always kept effective and relevant.
  - Metrics
    - Frequency of the review cycle.
    - % of IT managers participating in the risk management governance body.
    - % of business unit managers participating in the risk management governance body.