Risk Assessment
Assess the probability and impact of IT-related risks on organizational activities — for example, quantification of IT-enabled business value-at-risk.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Risk Assessment at each level of maturity.
- 1 Initial
  - Practice
    - Rely on the best endeavours of staff prior to formal risk assessment planning being in place.
  - Outcome
    - Reactive environment with minimal predictability and poor corrective actions, leading to budget overruns and/or over-investment (“sledgehammer to crack a nut”).
  - Metrics
    - Number of outages
    - Total downtime
    - Variance from planned BAU cost
    - Helpdesk calls
    - MTTR
- 2 Basic
  - Practice
    - Investigate the root causes of all issues and implement appropriate corrective actions.
  - Outcome
    - Improved IT performance as a consequence of minimising recurring IT issues.
  - Metrics
    - Number of incidents per issue-type
    - Number of incidents per category
    - MTBF
- 3 Intermediate
  - Practice
    - Base reallocation of resources to priority applications and services on risk quantification.
  - Outcomes
    - Capacity Planning:
      - Improved IT-Business alignment
      - Improved ROI
      - Optimized cost per service
    - Scenario Planning:
      - Improved IT-Business planning
      - Reduction in risk
      - Improved business continuity plans
    - Example CP: Where should we best target part of our IT budget in order to accommodate 1200 users?
    - Example SP: Are our remote access services capable of handling a predicted increase in usage brought about by an outbreak of avian flu?
  - Metrics
    - Capacity Planning:
      - ROI
      - IT service cost per user
      - IT asset utilization
      - Stakeholder satisfaction
      - Adoption of IT service metrics by the business
      - IT service metrics
      - Storage requirements per service user (trended)
      - CPU requirements per service user (trended)
      - Bandwidth requirements
    - Scenario Planning:
      - Original predicted impact of incident vs predicted impact following implementation of new contingency plans
      - Number of times a risk threshold is broken
- 4 Advanced
  - Practice
    - Track business-level IT service metrics against agreed business process SLAs to identify impact of IT service constraints (if any) and the possible need to implement improvements.
  - Outcomes
    - Improved basis for prioritisation of investments
    - Optimal level of investment in order to achieve target business performance levels (as opposed to excessive over-investment or under-investment)
    - Potential to manage risk more effectively
    - Continuous improvement in IT service levels
    - Target IT investments and effort in areas where the greatest impact can be made in terms of business process capacity
    - NOTE: This insight can also be helpful in managing change from a legacy application to a new application solution (identifying bottlenecks in its adoption).
  - Metrics
    - Transactions handled per IT dollar
    - IT SLAs breached
    - Business process SLAs breached
    - Business process impact (e.g. additional process capacity) of service investment
    - Business process impact (e.g. business process hours lost from SLA breaches (i.e. no investment))
    - Number of business process transactions (or hours) lost due to IT service/component failure
- 5 Optimized
  - Practice
    - Use business value-at-risk from IT quantification to allocate scarce resources.
  - Outcomes
    - Increased confidence in model.
    - Improved capability to optimize IT.
  - Metrics
    - Variance (actual vs planned)
    - ROI (per IT dollar)