IVI Framework Viewer

Assessment

C1

Identify subject matter experts (SMEs) for risk assessments. Run risk assessments to identify, document, evaluate exposure to, and quantify/score risks and their components. Record the results in a risk register.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Assessment at each level of maturity.

2 Basic
  • Practice
    Begin to identify subject matter experts (SMEs) for risk assessments.
    Outcome
    Risk assessments are informed by individuals with appropriate technical expertise.
    Metrics
    • # of SMEs identified for risk assessment in IT.
    • # of SMEs identified for risk assessment in other business units.
  • Practice
    Establish a basic risk assessment approach and assess risk exposure in isolated risk incidents.
    Outcomes
    • A basic risk overview exists, with particular focus on major pain points and current trends.
    • The assessments are based on the risk as perceived by the identified subject matter experts and on other sources (e.g. project work breakdown structures, risk taxonomies, risks in similar projects, lessons learned databases, and requirement specifications).
    Metrics
    • Risk exposure for each identified risk.
    • % of identified risks whose impact/likelihood exceeds the organization's risk tolerance.
  • Practice
    Establish a basic risk register.
    Outcome
    A structure for recording the identified risks is in place.
    Metric
    % of identified risks recorded in a risk register.
  • Practice
    Use IT-specific risk metrics during risk assessments.
    Outcome
    Risk assessments include IT metrics that are typically focused solely on technical assets.
3 Intermediate
  • Practice
    Establish a standardized process to identify subject matter experts (SMEs) across most areas for risk assessments.
    Outcome
    Most risks are identified and evaluated with an overall business perspective in mind.
    Metrics
    • # of SMEs identified for risk assessment in IT.
    • # of SMEs identified for risk assessment in other business units.
  • Practice
    Conduct risk assessments on a regular basis, using dimensions and information from the risk profiles to assess risk exposure.
    Outcome
    Collection of comparable data on risks is facilitated and follow-through on risk treatment is encouraged.
    Metrics
    • Risk exposure for each identified risk.
    • % of identified risks whose impact/likelihood exceeds the organization's risk tolerance.
  • Practice
    Set up a detailed and centralized risk register.
    Outcome
    Recording of risks in the risk register allows for more efficient risk management and reporting.
    Metric
    % of identified risks recorded in a risk register.
  • Practice
    Use IT-related and business-related metrics in risk assessments.
    Outcome
    Risk assessments include IT and business metrics that are typically focused on business assets and processes.
4 Advanced
  • Practice
    Proactively identify subject matter experts (SMEs) across the organization for risk assessments.
    Outcome
    All risks are identified and evaluated organization-wide with an overall business perspective in mind.
    Metrics
    • # of SMEs identified for risk assessment in IT.
    • # of SMEs identified for risk assessment in other business units.
  • Practices
    • Proactively conduct organization-wide risk assessments that reflect collaborative, partnership-type relationships between IT and business function leaders.
    • Build risk assessments into all programme/project life cycles and investment appraisals.
    Outcome
    Comparable and consistent data is available on all risks, and this informs all programme/project life cycle and investment appraisal decisions.
    Metrics
    • Risk exposure for each identified risk.
    • % of identified risks whose impact/likelihood exceeds the organization's risk tolerance.
  • Practice
    Define and use assessment metrics that are linked to the potential impact of the assessed risks on business assets, processes, and business value.
    Outcome
    There is clear linkage between risk and business assets, processes, and value.
5 Optimized
  • Practice
    Identify and consult subject matter experts (SMEs) in the business ecosystem and external thought leaders for risk assessments.
    Outcome
    The risks identified and evaluated are kept relevant and up to date with input from experts in the business ecosystem.
    Metrics
    • # of SMEs identified for risk assessment in IT.
    • # of SMEs identified for risk assessment in other business units.
    • # of SMEs identified for risk assessment in the business ecosystem.
  • Practice
    Ensure collaboration between the organization's leaders and business ecosystem partners in order to assess risks across the entire value chain using an agile and adaptable risk assessment process.
    Outcomes
    • Comparable and consistent data is available on all risks across the value chain.
    • The risk management assessment process is adaptable to the complexity and scope of the business operating model.
    Metrics
    • Risk exposure for each identified risk.
    • % of identified risks whose impact/likelihood exceeds the organization's risk tolerance.
  • Practice
    Continually review and improve the risk register, as required.
    Outcome
    The risk register is always kept up to date and relevant.
    Metrics
    • % of identified risks recorded in a risk register.
    • Frequency of updates to the risk register.
  • Practice
    Conduct systematic internal and external benchmarks to assess the effectiveness of the risk metrics.
    Outcome
    Metrics are improved and are sufficiently adaptable and agile to address the needs of the business.
    Metric
    Ratio of actual risk metric benchmarks to required benchmarks (set out in the risk management policy).