Response/Treatment
Assign ownership of prioritized risks, and assign responsibility and accountability for developing risk response/treatment strategies. Initiate implementation of those strategies; each risk can be avoided, accepted, mitigated, or transferred. Interact with the incident management function so that risk treatment and incident handling inform each other.
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Response/Treatment at each level of maturity.
- Level 2: Basic
  - Practice: Establish a basic process to treat prioritized risks.
    - Outcome: There is some success in mitigating the potential consequences of some high-priority risks.
    - Metric: % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  - Practice: Define a basic risk ownership policy.
    - Outcome: Some accountability for risk treatment is evident.
    - Metric: % of identified risks that are assigned owners.
  - Practice: Establish some basic interaction between the risk management and incident management functions.
    - Outcome: There is growing visibility of risks and risk incidents between the risk management and incident management functions.
    - Metric: # of formal meetings between risk management and incident management function stakeholders.

- Level 3: Intermediate
  - Practice: Standardize the risk treatment process, and match risk treatment strategies to the magnitude of the risks posed vis-à-vis the needs and objectives of particular business units.
    - Outcome: Most prioritized risks are addressed and can be mitigated sufficiently.
    - Metric: % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  - Practice: Assign ownership of risks and risk treatment strategies to individuals from IT and other business units.
    - Outcome: Growing accountability for risk treatment is evident, which increases the likelihood that many risks are mitigated to within the organization's risk tolerance threshold.
    - Metric: % of identified risks that are assigned owners.
  - Practice: Standardize the interaction processes between the risk management and incident management functions.
    - Outcome: The incident management function is updated on high-priority risks and risk treatment strategies.
    - Metric: # of formal meetings between risk management and incident management function stakeholders.

- Level 4: Advanced
  - Practice: Extend the risk treatment process to address all prioritized risks, and match risk treatment strategies to the magnitude of the risks posed vis-à-vis the organization's overall needs and objectives.
    - Outcome: All prioritized risks are reliably addressed and can be mitigated sufficiently.
    - Metric: % of prioritized risks mitigated to within the organization's risk tolerance threshold.
  - Practice: Establish a multi-disciplinary, organization-wide committee to assign ownership of risks and risk treatment strategies.
    - Outcome: Expert risk owners are clearly identified across the organization and are held visibly accountable.
    - Metric: % of identified risks that are assigned owners.
  - Practice: Encourage close involvement and collaboration between the risk management and incident management functions, and provide regular updates on risks and risk treatment strategies.
    - Outcome: The incident management function is closely involved in the risk management processes and is regularly updated on all identified risks and risk treatment strategies.
    - Metric: # of formal meetings between risk management and incident management function stakeholders.

- Level 5: Optimized
  - Practice: Regularly review the risk treatment process for improvement opportunities.
    - Outcomes:
      - The risk treatment process is kept relevant through feedback from relevant experts and learning from past experience.
      - Prioritized risks are reliably addressed across the organization and at the interface with the business ecosystem.
    - Metrics:
      - % of prioritized risks mitigated to within the organization's risk tolerance threshold.
      - % of identified risks that are assigned owners.
  - Practice: Interact with external parties in the business ecosystem on managing risk incidents, and continually improve interaction with the incident management function.
    - Outcome: Risk and incident management benefit from input from experts in the business ecosystem.
    - Metrics:
      - # of formal meetings between risk management and incident management function stakeholders.
      - # of business ecosystem partners providing input on incident management.