IVI Framework Viewer

Prioritization

C2

Prioritize inherent and residual risks and risk response/treatment strategies, based on the organization's risk tolerance — that is, the risk levels that are acceptable to the organization.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Prioritization at each level of maturity.

2 Basic
  • Practice
    Establish a basic risk prioritization process and conduct risk prioritization as needed.
    Outcome
    Risk prioritization can be based on the organization's risk appetite, and the estimated risk impact, probability of occurrence, and time horizon.
    Metric
    % of identified risks that are prioritized.
3 Intermediate
  • Practice
    Prioritize most of the identified risks in line with the organization's risk tolerance.
    Outcome
    Risk prioritization becomes more proactive and no longer treats only major perceived pain-points.
    Metric
    % of identified risks that are prioritized.
4 Advanced
  • Practice
    Prioritize all of the risks identified in the organization-wide risk assessments in line with the organization's risk tolerance.
    Outcome
    Risk prioritization proactively takes account of all assessed risks.
    Metric
    % of identified risks that are prioritized.
5 Optimized
  • Practice
    Continually review and improve the prioritization process, as required.
    Outcomes
    • The prioritization process meets the current and future needs of the organization.
    • Its effectiveness, efficiency, and accuracy of estimates are regularly assessed.
    Metrics
    • % of identified risks that are prioritized.
    • Ratio of actual risk prioritization process reviews to required reviews (set out in the risk management policy).