Prioritization
Prioritize inherent and residual risks and risk response/treatment strategies, based on the organization's risk tolerance — that is, the risk levels that are acceptable to the organization.
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Prioritization at each level of maturity.
- Level 2: Basic
  - Practice
    - Establish a basic risk prioritization process and conduct risk prioritization as needed.
  - Outcome
    - Risk prioritization can be based on the organization's risk appetite, and the estimated risk impact, probability of occurrence, and time horizon.
  - Metric
    - % of identified risks that are prioritized.
- Level 3: Intermediate
  - Practice
    - Prioritize most of the identified risks in line with the organization's risk tolerance.
  - Outcome
    - Risk prioritization becomes more proactive and no longer treats only major perceived pain points.
  - Metric
    - % of identified risks that are prioritized.
- Level 4: Advanced
  - Practice
    - Prioritize all of the risks identified in the organization-wide risk assessments in line with the organization's risk tolerance.
  - Outcome
    - Risk prioritization proactively takes account of all assessed risks.
  - Metric
    - % of identified risks that are prioritized.
- Level 5: Optimized
  - Practice
    - Continually review and improve the prioritization process, as required.
  - Outcomes
    - The prioritization process meets the current and future needs of the organization.
    - Its effectiveness, efficiency, and accuracy of estimates are regularly assessed.
  - Metrics
    - % of identified risks that are prioritized.
    - Ratio of actual risk prioritization process reviews to required reviews (as set out in the risk management policy).