IVI Framework Viewer

Governance Structures

A3

Establish risk management governance structures. Outline the composition and scope of risk management governance bodies, decision rights, and authorization. Identify and establish reporting arrangements, issue escalation protocols, roles in complying with obligations and overseeing governance activities, and rules to govern and control the application of risk management authority within the organization.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Governance Structures at each level of maturity.

2 Basic
  • Practice
    Establish an informal governance body/working group for risk management.
    Outcome
    A basic governance model for risk management is emerging.
    Metrics
    • % of IT managers participating in the risk management governance body.
    • % of business unit managers participating in the risk management governance body.
3 Intermediate
  • Practice
    Establish a formal governance board for risk management, as part of overall IT governance, that includes key IT and business unit participants.
    Outcomes
    • A standardized governance model for risk management can be agreed, outlining, for example, decision rights, authorizations, reporting arrangements, and issue escalation protocols.
    • Some collaboration on the management of key related capabilities is evident.
    Metrics
    • % of IT managers participating in the risk management governance body.
    • % of business unit managers participating in the risk management governance body.
4 Advanced
  • Practice
    Share responsibility for the governance of risk management across a cross-functional governance board that includes all relevant senior managers and stakeholders from across the organization.
    Outcome
    Governance of risk management is comprehensively embedded as part of an organization-wide governance model, and collaboration on the management of all related capabilities is evident.
    Metrics
    • % of IT managers participating in the risk management governance body.
    • % of business unit managers participating in the risk management governance body.
5 Optimized
  • Practice
    Regularly review the composition of the governance board for improvement opportunities based on feedback, emerging industry insights, and input from key business ecosystem partners.
    Outcome
    Governance structures are industry exemplars, and are always kept effective and relevant.
    Metrics
    • Frequency of review cycle.
    • % of IT managers participating in the risk management governance body.
    • % of business unit managers participating in the risk management governance body.