Assessment
Identify subject matter experts (SMEs) for risk assessments. Run risk assessments to identify, document, evaluate exposure to, and quantify/score risks and their components. Record the results in a risk register.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Assessment at each level of maturity.
- 2 Basic
  - Practice
    - Begin to identify subject matter experts (SMEs) for risk assessments.
  - Outcome
    - Risk assessments are informed by individuals with appropriate technical expertise.
  - Metrics
    - # of SMEs identified for risk assessment in IT.
    - # of SMEs identified for risk assessment in other business units.
  - Practice
    - Establish a basic risk assessment approach and assess risk exposure in isolated risk incidents.
  - Outcomes
    - A basic risk overview exists, with particular focus on major pain-points and current trends.
    - The assessments are based on the risk perceived by identified subject matter experts and other sources (e.g. project work breakdown structures, risk taxonomies, risks in similar projects, lessons-learned databases, and requirement specifications).
  - Metrics
    - Risk exposure for each identified risk.
    - % of identified risks whose impact/likelihood exceeds the organization's risk tolerance.
  - Practice
    - Establish a basic risk register.
  - Outcome
    - A structure for recording the identified risks is in place.
  - Metric
    - % of identified risks recorded in a risk register.
  - Practice
    - Use IT-specific risk metrics during risk assessments.
  - Outcome
    - Risk assessments include IT metrics that are typically focused solely on technical assets.
- 3 Intermediate
  - Practice
    - Establish a standardized process to identify subject matter experts (SMEs) across most areas for risk assessments.
  - Outcome
    - Most risks are identified and evaluated with an overall business perspective in mind.
  - Metrics
    - # of SMEs identified for risk assessment in IT.
    - # of SMEs identified for risk assessment in other business units.
  - Practice
    - Conduct risk assessments on a regular basis, using dimensions and information from the risk profiles to assess risk exposure.
  - Outcome
    - Collection of comparable data on risks is facilitated and follow-through on risk treatment is encouraged.
  - Metrics
    - Risk exposure for each identified risk.
    - % of identified risks whose impact/likelihood exceeds the organization's risk tolerance.
  - Practice
    - Set up a detailed and centralized risk register.
  - Outcome
    - Recording risks in the risk register allows for more efficient risk management and reporting.
  - Metric
    - % of identified risks recorded in a risk register.
  - Practice
    - Use IT-related and business-related metrics in risk assessments.
  - Outcome
    - Risk assessments include IT and business metrics that are typically focused on business assets and processes.
- 4 Advanced
  - Practice
    - Proactively identify subject matter experts (SMEs) across the organization for risk assessments.
  - Outcome
    - All risks are identified and evaluated organization-wide with an overall business perspective in mind.
  - Metrics
    - # of SMEs identified for risk assessment in IT.
    - # of SMEs identified for risk assessment in other business units.
  - Practices
    - Proactively conduct organization-wide risk assessments that reflect collaborative, partnership-type relationships between IT and business function leaders.
    - Build risk assessments into all programme/project life cycles and investment appraisals.
  - Outcome
    - Comparable and consistent data is available on all risks, and this informs all programme/project life cycle and investment appraisal decisions.
  - Metrics
    - Risk exposure for each identified risk.
    - % of identified risks whose impact/likelihood exceeds the organization's risk tolerance.
  - Practice
    - Define and use assessment metrics that are linked to the potential impact of the assessed risks on business assets, processes, and business value.
  - Outcome
    - There is clear linkage between risk and business assets, processes, and value.
- 5 Optimized
  - Practice
    - Identify and consult subject matter experts (SMEs) in the business ecosystem and external thought leaders for risk assessments.
  - Outcome
    - The risks identified and evaluated are kept relevant and up to date with input from experts in the business ecosystem.
  - Metrics
    - # of SMEs identified for risk assessment in IT.
    - # of SMEs identified for risk assessment in other business units.
    - # of SMEs identified for risk assessment in the business ecosystem.
  - Practice
    - Ensure collaboration between the organization's leaders and business ecosystem partners to assess risks across the entire value chain using an agile and adaptable risk assessment process.
  - Outcomes
    - Comparable and consistent data is available on all risks across the value chain.
    - The risk assessment process is adaptable to the complexity and scope of the business operating model.
  - Metrics
    - Risk exposure for each identified risk.
    - % of identified risks whose impact/likelihood exceeds the organization's risk tolerance.
  - Practice
    - Continually review and improve the risk register, as required.
  - Outcome
    - The risk register is always kept up to date and relevant.
  - Metrics
    - % of identified risks recorded in a risk register.
    - Frequency of updates to the risk register.
  - Practice
    - Conduct systematic internal and external benchmarks to assess the effectiveness of the risk metrics.
  - Outcome
    - Metrics are improved and are sufficiently adaptable and agile to address the needs of the business.
  - Metric
    - Ratio of actual risk metric benchmarks to required benchmarks (set out in the risk management policy).
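A small risk register that computes the recurring metrics above (risk exposure per risk, % of risks above tolerance, % of identified risks recorded, and update frequency), written here as an added example and not taken from IT-CMF. The 5-point likelihood/impact scale, the tolerance threshold of 12, the field names and the sample register entries are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

SCALE = range(1, 6)  # assumed 5-point scale for both likelihood and impact

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int           # 1 = rare .. 5 = almost certain
    impact: int               # 1 = negligible .. 5 = severe
    sme: str                  # subject matter expert who informed the assessment
    in_register: bool = True  # False = identified but not yet recorded in the register

    def __post_init__(self):
        # Reject unscored or out-of-scale entries so exposure values stay comparable
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk_id}: scores must be in 1..5")

    @property
    def exposure(self) -> int:
        """Risk exposure = likelihood x impact (1..25 on the assumed scale)."""
        return self.likelihood * self.impact

def exposure_by_risk(risks):
    """Metric: risk exposure for each identified risk."""
    return {r.risk_id: r.exposure for r in risks}

def pct_exceeding_tolerance(risks, tolerance):
    """Metric: % of identified risks whose exposure exceeds the organization's risk tolerance."""
    return 100.0 * sum(r.exposure > tolerance for r in risks) / len(risks)

def pct_recorded(risks):
    """Metric: % of identified risks recorded in the risk register."""
    return 100.0 * sum(r.in_register for r in risks) / len(risks)

def mean_days_between_updates(update_dates):
    """Metric: frequency of register updates, as mean days between consecutive updates."""
    d = sorted(update_dates)
    return sum((b - a).days for a, b in zip(d, d[1:])) / (len(d) - 1)

# Constructed sample register, not real data
RISKS = [
    Risk("R-001", "Unpatched internet-facing web server", 4, 5, "infrastructure lead"),
    Risk("R-002", "Single SME for payroll integration", 3, 3, "HR systems owner"),
    Risk("R-003", "Backup restore never tested", 2, 5, "operations manager"),
    Risk("R-004", "Phishing of finance staff", 5, 3, "CISO", in_register=False),
]
TOLERANCE = 12  # assumed: exposure above 12 exceeds the organization's risk tolerance
UPDATES = [date(2024, 1, 5), date(2024, 2, 4), date(2024, 3, 5)]  # constructed update log
```

With this data, R-001 (20) and R-004 (15) exceed the tolerance, so half of the identified risks need treatment, while only three of the four are actually in the register.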