Monitoring
Track identified risks, and validate the effectiveness of the risk treatment strategies.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Monitoring at each level of maturity.
- 2Basic
- Practice
- Monitor the top 10 risks and the effectiveness of their risk treatment strategies periodically.
- Outcome
- There is high visibility on the highest priority risks.
- Metric
- Risk exposure for each identified risk and changes to risk scores.
- 3Intermediate
- Practice
- Base the time intervals for monitoring risks and the effectiveness of risk treatment strategies on the risk priority.
- Outcomes
- A more systematic approach is taken to risk monitoring.
- Risks with a high importance to the organization are monitored more closely.
- Metrics
- Risk exposure for each identified risk and changes to risk scores.
- Frequency of monitoring of high priority risks.
- 4Advanced
- Practice
- Incorporate pre-defined results/event-triggered activities as part of the risk monitoring process.
- Outcome
- Monitoring is more efficient due to its responsiveness to certain results or events.
- Metrics
- Risk exposure for each identified risk and changes to risk scores.
- # of monitoring triggers.
- Practice
- Evaluate financial and benchmark data to validate the business/monetary value of the monitored risks.
- Outcome
- Inconsistent valuations are more readily detected, and relative context is provided for risk evaluations.
- Metrics
- % of valuations validated.
- Comparison of estimated versus actual risk mitigation effort and impact.
- 5Optimized
- Practice
- Continually review the risk monitoring process for improvement opportunities.
- Outcome
- The monitoring process can be improved based on feedback from past risk incidents and emerging industry insights.
- Metric
- Ratio of actual reviews of the risk monitoring process to required reviews (set out in the risk management policy).