IVI Framework Viewer

Integration

A4

Integrate IT risk management with digital leadership and governance structures, and with overall Enterprise Risk Management (ERM) policies and approaches.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Integration at each level of maturity.

2 Basic
  • Practice
    Integrate IT risk management into some key aspects of wider digital leadership and governance structures, processes, and systems.
    Outcome
    Some decisions can be taken with appropriate consideration of risk.
    Metric
    % of key business decisions that have documented risk assessments.
  • Practice
    Begin to consider how IT risk management can be integrated into overall Enterprise Risk Management (ERM).
    Outcome
    The link between IT risk management and overall ERM is beginning to be understood.
    Metric
    % of IT risk management initiatives that align with ERM.
  • Practice
    Establish a basic process to review major risks and exchange deliverables between IT and enterprise risk managers.
    Outcome
    Collaboration between IT and enterprise risk managers in relation to major risks supports improved visibility and management of these risks.
    Metric
    # of formal meetings of IT risk managers with enterprise risk managers per annum.
3 Intermediate
  • Practice
    Integrate IT risk management into most aspects of wider digital leadership and governance structures.
    Outcomes
    • IT risk management is on the agenda of most key stakeholders.
    • Many decisions can be taken with appropriate consideration of risk.
    Metric
    % of key business decisions that have documented risk assessments.
  • Practice
    Establish a standardized process to support the joint evaluation of risks by both IT and enterprise risk managers, and prioritize efforts to close any integration gaps between IT risk management and Enterprise Risk Management (ERM).
    Outcome
    There is a clear understanding of ERM expectations, activities, methods, and practices, and they are reflected in most IT risk management initiatives.
    Metric
    % of IT risk management initiatives that align with ERM.
  • Practice
    Encourage subject matter experts, internal audit, finance, and other service owners to collaborate in order to systematically review and manage risks using a defined process.
    Outcome
    Collaboration in relation to most risks supports improved visibility and management of these risks.
    Metric
    # of formal meetings of IT risk managers with enterprise risk managers per annum.
4 Advanced
  • Practice
    Integrate IT risk management into digital leadership and governance structures organization-wide (e.g. into overall decision processes, product and project life cycles, and business case preparation).
    Outcomes
    • IT risk management is on the agenda of all stakeholders and is accepted as a key component of the management of business risk.
    • Consideration of risk is a key driver in appraising investments and making decisions.
    Metrics
    • % of key business decisions that have documented risk assessments.
    • % of IT-dependent project budgets that are covered by risk management measures.
    • % of business cases that include documented risk assessments.
  • Practice
    Comprehensively integrate IT risk management with the Enterprise Risk Management (ERM) framework and processes organization-wide (e.g. optimize controls, streamline risk assessments, coordinate key risk indicators and escalation triggers, and integrate reporting).
    Outcome
    There is a clear understanding of ERM expectations, activities, methods, and practices, and all IT risk management initiatives are aligned with ERM approaches.
    Metric
    % of IT risk management initiatives that align with ERM.
5 Optimized
  • Practice
    Continually review and improve the integration of IT risk management into digital leadership and governance structures.
    Outcome
    IT risk management's integration into governance structures is continually improved based on learning from past experiences.
    Metrics
    • Frequency of review cycle.
    • % of key business decisions that have documented risk assessments.
    • % of IT-dependent project budgets that are covered by risk management measures.
    • % of business cases that include documented risk assessments.
  • Practice
    Continually review and improve the integration of IT risk management into overall Enterprise Risk Management (ERM).
    Outcome
    IT risk management's integration into overall ERM is continually improved based on learning from past experiences.
    Metric
    % of IT risk management initiatives that align with ERM.
  • Practice
    Establish a collaborative network of risk managers across the business ecosystem.
    Outcome
    Collaboration of risk managers and external experts across the business ecosystem supports optimized visibility and management of risks.
    Metric
    # of collaborating risk managers identified in the business ecosystem.