Risk Profile Definition
Define the IT-related risk profiles by their potential impact on business continuity and performance, and apply them in risk management activities. The risk profile is the description of the overall (identified) IT risks and risk attributes that an organization may be exposed to.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Risk Profile Definition at each level of maturity.
- Level 2: Basic
  - Practice: Create basic risk profiles, and use them to identify and categorize risks.
  - Outcome: Basic risk profiles support risk assessment and treatment activities in a number of high-risk areas.
  - Metrics:
    - # of IT-related risk areas covered by the risk profile.
    - % of projects and operational systems in the various risk categories.
- Level 3: Intermediate
  - Practice: Establish a standardized approach for defining risk profiles, and use them in most risk assessment and treatment activities.
  - Outcome: The risk profiles support most risk assessment and treatment activities.
  - Metrics:
    - # of IT-related risk areas covered by the risk profile.
    - % of projects and operational systems in the various risk categories.
  - Practice: Regularly update the risk profiles.
  - Outcome: The risk profiles are relevant and up to date, and reflect changes in the risk landscape and technological advances.
  - Metric:
    - Frequency of the risk profile review cycle.
  - Practice: Establish and maintain threat libraries.
  - Outcome: Creation of threat libraries results in awareness of key threats and threat agents, and ensures availability and consistency of information on them.
  - Metrics:
    - # of threat agents identified.
    - # of threat agent attributes.
- Level 4: Advanced
  - Practice: Define risk profiles in collaboration with the entire organization, and systematically use them in the organization's risk assessment and treatment activities.
  - Outcome: The risk profiles support risk assessment and treatment activities organization-wide.
  - Metrics:
    - # of IT-related risk areas covered by the risk profile.
    - % of projects and operational systems in the various risk categories.
  - Practice: Incorporate benchmark data from industry sources into the risk profiles.
  - Outcomes:
    - Incorporation of external benchmark data into risk profiles allows evaluation of risks in an industry context, with meaningful, relative placement of risks along the risk profile's dimensions.
    - Validation and quality assurance are supported.
  - Metric:
    - Ratio of actual risk profile benchmarking exercises to required benchmarks (as set out in the risk management policy or handbook).
  - Practice: Establish a unified threat library and systematically use it in organization-wide risk assessments.
  - Outcome: Awareness of key threats and threat agents is enhanced, and information on them is more readily available, consistent and transparent.
  - Metrics:
    - # of threat agents identified.
    - # of threat agent attributes.
    - % of risk assessments in which threat libraries are used.
- Level 5: Optimized
  - Practice: Define risk profiles in collaboration with the business ecosystem, and review and update them as required.
  - Outcome: Risk profiles are kept up to date and relevant through collaborative input and review processes.
  - Metric:
    - Frequency of the risk profile review cycle.
  - Practice: Regularly evaluate the effectiveness of the risk profiles in risk assessment and treatment activities.
  - Outcome: Evaluation results provide input to continually improve the risk profiles.
  - Metric:
    - Frequency of the risk profile review cycle.