| Maturity level | Description |
|---|---|
| 0 (Non-existent) | There is little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements. |
| 1 (Initial/Ad Hoc) | Risk assessment for processes and business decisions does not occur. The organisation does not consider the business impacts associated with security vulnerabilities and with development project uncertainties. Risk management has not been identified as relevant to acquiring IT solutions and delivering IT services. |
| 2 (Repeatable but Intuitive) | The organization is aware of its legal and contractual responsibilities and liabilities, but considers IT risks in an ad hoc manner, without following defined processes or policies. Informal assessments of project risk take place as determined by each project. Risk assessments are not likely to be identified specifically within a project plan or to be assigned to specific managers involved in the project. IT management does not specify responsibility for risk management in job descriptions or other informal means. Specific IT-related risks such as security, availability and integrity are occasionally considered on a project-by-project basis. IT-related risks affecting day-to-day operations are infrequently discussed at management meetings. Where risks have been considered, mitigation is inconsistent. |
| 3 (Defined Process) | An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff through training. Decisions to follow the process and to receive training are left to the individual's discretion. The methodology is convincing and sound, and ensures that key risks to the business are likely to be identified. Decisions to follow the process are left to individual IT managers, and there is no procedure to ensure that all projects are covered or that the ongoing operation is examined for risk on a regular basis. |
| 4 (Managed and Measurable) | The assessment of risk is a standard procedure, and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior-level responsibility. The process is advanced, and risk is assessed at the individual project level and also regularly with regard to the overall IT operation. Management is advised on changes in the IT environment which could significantly affect the risk scenarios, such as an increased threat from the network or technical trends that affect the soundness of the IT strategy. Management is able to monitor the risk position and make informed decisions regarding the exposure it is willing to accept. Senior management and IT management have determined the levels of risk that the organisation will tolerate and have standard measures for risk/return ratios. Management budgets for operational risk management projects to reassess risks on a regular basis. A risk management database is established. |
| 5 (Optimized) | Risk assessment has developed to the stage where a structured, organisation-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organisation. The capturing, analysis and reporting of risk management data are highly automated. Guidance is drawn from leaders in the field, and the IT organisation takes part in peer groups to exchange experiences. Risk management is truly integrated into all business and IT operations, is well accepted and extensively involves the users of IT services. |