Our organization has recently adopted the APO12 (Manage Risk) process. We want to know if our risk mitigation strategies are actually working. What are some specific performance metrics we can use to measure the maturity and effectiveness of our risk management efforts over time?
3 answers
To measure APO12 effectiveness, focus on the "percentage of identified risks with a defined and tested mitigation plan." A key maturity metric is the "time taken to identify a risk after its emergence." If this time is decreasing, your proactive monitoring is improving. Also, track the "number of risk incidents that were NOT in the risk register." This is a powerful metric; a high number suggests your risk identification process is failing. Ultimately, you want to see a reduction in the "financial impact of IT-related incidents" over a 12-month period.
Do you currently have a centralized risk register that is accessible to both IT and business stakeholders, or is risk management still being handled in silos?
Track the "ratio of accepted risks versus mitigated risks." This helps the board understand the organization’s actual risk appetite and whether it aligns with their strategy.
That’s a very practical metric, Margaret. It provides a clear visual for the board to see if they are being too conservative or too reckless with IT investments.
Siloed risk management is a major hurdle. If the business doesn't see the IT risks, they won't fund the mitigation. A good metric to address Charles's point would be the "number of business-led initiatives that included a formal IT risk assessment." This measures how well risk management is integrated into the company culture, which is a core principle of COBIT 5.