IVI Framework Viewer

Risk Assessment

B2

Assess the probability and impact of IT-related risks on organizational activities — for example, quantification of IT-enabled business value-at-risk.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Risk Assessment at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff prior to formal risk assessment planning being in place.
    Outcome
    Reactive environment with minimal predictability and poor corrective actions, leading to budget overruns and/or over-investment (“sledgehammer to crack a nut”).
    Metrics
    • Number of outages
    • Total downtime
    • Variance from planned BAU cost
    • Helpdesk calls
    • MTTR
2 Basic
  • Practice
    Investigate the root causes of all issues and implement appropriate corrective actions.
    Outcome
    Improved IT performance as a consequence of minimising recurring IT issues.
    Metrics
    • Number of incidents per issue-type
    • Number of incidents per category
    • MTBF
3 Intermediate
  • Practice
    Base reallocation of resources to priority applications and services on risk quantification.
    Outcomes
    • Capacity Planning:
      • Improved IT-Business alignment
      • Improved ROI
      • Optimized cost per service
    • Scenario Planning:
      • Improved IT-Business planning
      • Reduction in risk
      • Improved business continuity plans
    • Example CP: Where should we best target part of our IT budget in order to accommodate 1200 users?
    • Example SP: Are our remote access services capable of handling a predicted increase in usage brought about by an outbreak of avian flu?
    Metrics
    • Capacity Planning:
      • ROI
      • IT service cost per user
      • IT asset utilization
      • Stakeholder satisfaction
      • Adoption of IT service metrics by the business
      • IT service metrics
      • Storage requirements per service user (trended)
      • CPU requirements per service user (trended)
      • Bandwidth requirements
    • Scenario Planning:
      • Original predicted impact of incident vs predicted impact following implementation of new contingency plans
      • Number of times a risk threshold is broken
4 Advanced
  • Practice
    Track business-level IT service metrics against agreed business process SLAs to identify impact of IT service constraints (if any) and the possible need to implement improvements.
    Outcomes
    • Improved basis for prioritisation of investments
    • Optimal level of investment in order to achieve target business performance levels (as opposed to excessive overinvestment or under-investment)
    • Potential to manage risk more effectively
    • Continuous improvement in IT service levels
    • Target IT investments and effort in areas where the greatest impact can be made in terms of business process capacity
    • NOTE: This insight can also be helpful in managing change from a legacy application to a new application solution (identifying bottlenecks in its adoption).
    Metrics
    • Transactions handled per IT dollar
    • IT SLAs breached
    • Business process SLAs breached
    • Business process impact (eg additional process capacity) of service investment
    • Business process impact (eg business process hours lost from SLA breaches (ie no investment))
    • Number of business process transactions (or hours) lost due to IT service/component failure
5 Optimized
  • Practice
    Use business value-at-risk from IT quantification to allocate scarce resources.
    Outcomes
    • Increased confidence in model.
    • Improved capability to optimize IT.
    Metrics
    • Variance (actual vs planned)
    • ROI (per IT dollar)