RACI Chart – Board of Directors

Governance Practice                          Board
EDM03.01 Evaluate risk management.           A
EDM03.02 Direct risk management.             A
EDM03.03 Monitor risk management.            A

RACI Chart – Management

Management Practice                                        Chief Executive Officer   Chief Information Security Officer   Chief Risk Officer   Chief Information Officer
APO12.01 Collect data.                                     I                         R                                    R                    A
APO12.02 Analyze risk.                                     I                         C                                    R                    A
APO12.03 Maintain a risk profile.                          I                         C                                    A                    R
APO12.04 Articulate risk.                                  I                         C                                    R                    A
APO12.05 Define a risk management action portfolio.        I                         C                                    A                    R
APO12.06 Respond to risk.                                  I                         R                                    R                    A

Board of Directors

1. EDM03.01 Evaluate risk management.

Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise's risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.

ACTIVITY

1. Determine the level of IT-related risk that the enterprise is willing to take to meet its risk objectives.
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise's acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise's capacity for IT-related loss and leadership's tolerance of it.

DETAILED ACTIVITIES

The board needs to actively take part in the risk evaluation process of the enterprise, which also includes the IT-related risks, and, in assessing the risk, define a risk tolerance threshold for acceptable risk and opportunity levels.

The board needs to evaluate the risk factors before taking decisions on strategies, to ensure that the impact of risk has been factored in.

The board should evaluate the risk management activities and regularly define the enterprise's capacity for loss and the tolerance limits.

2. EDM03.02 Direct risk management.

Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate, so that the actual IT risk does not exceed the board's risk appetite.

ACTIVITY

1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.

DETAILED ACTIVITIES