Integration
Integrate IT risk management with digital leadership and governance structures, and with overall Enterprise Risk Management (ERM) policies and approaches.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Integration at each level of maturity.
- 2 Basic
  - Practice: Integrate IT risk management into some key aspects of wider digital leadership and governance structures, processes, and systems.
  - Outcome: Some decisions can be taken with appropriate consideration of risk.
  - Metric: % of key business decisions that have documented risk assessments.
  - Practice: Begin to consider how IT risk management can be integrated into overall Enterprise Risk Management (ERM).
  - Outcome: The link between IT risk management and overall ERM is beginning to be understood.
  - Metric: % of IT risk management initiatives that align with ERM.
  - Practice: Establish a basic process to review major risks and exchange deliverables between IT and enterprise risk managers.
  - Outcome: Collaboration between IT and enterprise risk managers in relation to major risks supports improved visibility and management of these risks.
  - Metric: # of formal meetings of IT risk managers with enterprise risk managers per annum.
- 3 Intermediate
  - Practice: Integrate IT risk management into most aspects of wider digital leadership and governance structures.
  - Outcomes:
    - IT risk management is on the agenda of most key stakeholders.
    - Many decisions can be taken with appropriate consideration of risk.
  - Metric: % of key business decisions that have documented risk assessments.
  - Practice: Establish a standardized process to support the joint evaluation of risks by both IT and enterprise risk managers, and prioritize efforts to close any integration gaps between IT risk management and Enterprise Risk Management (ERM).
  - Outcome: There is a clear understanding of ERM expectations, activities, methods, and practices, and they are reflected in most IT risk management initiatives.
  - Metric: % of IT risk management initiatives that align with ERM.
  - Practice: Encourage subject matter experts, internal audit, finance, and other service owners to collaborate in order to systematically review and manage risks using a defined process.
  - Outcome: Collaboration in relation to most risks supports improved visibility and management of these risks.
  - Metric: # of formal meetings of IT risk managers with enterprise risk managers per annum.
- 4 Advanced
  - Practice: Integrate IT risk management into digital leadership and governance structures organization-wide (e.g. into overall decision processes, product and project life cycles, and business case preparation).
  - Outcomes:
    - IT risk management is on the agenda of all stakeholders and is accepted as a key component of the management of business risk.
    - Consideration of risk is a key driver in appraising investments and making decisions.
  - Metrics:
    - % of key business decisions that have documented risk assessments.
    - % of IT-dependent project budgets that are covered by risk management measures.
    - % of business cases that include documented risk assessments.
  - Practice: Comprehensively integrate IT risk management with the Enterprise Risk Management (ERM) framework and processes organization-wide (e.g. optimize controls, streamline risk assessments, coordinate key risk indicators and escalation triggers, and integrate reporting).
  - Outcome: There is a clear understanding of ERM expectations, activities, methods, and practices, and all IT risk management initiatives are aligned with ERM approaches.
  - Metric: % of IT risk management initiatives that align with ERM.
- 5 Optimized
  - Practice: Continually review and improve the integration of IT risk management into digital leadership and governance structures.
  - Outcome: IT risk management's integration into governance structures is continually improved based on learning from past experiences.
  - Metrics:
    - Frequency of review cycle.
    - % of key business decisions that have documented risk assessments.
    - % of IT-dependent project budgets that are covered by risk management measures.
    - % of business cases that include documented risk assessments.
  - Practice: Continually review and improve the integration of IT risk management into overall Enterprise Risk Management (ERM).
  - Outcome: IT risk management's integration into overall ERM is continually improved based on learning from past experiences.
  - Metric: % of IT risk management initiatives that align with ERM.
  - Practice: Establish a collaborative network of risk managers across the business ecosystem.
  - Outcome: Collaboration of risk managers and external experts across the business ecosystem supports optimized visibility and management of risks.
  - Metric: # of collaborating risk managers identified in the business ecosystem.