RACI Chart – Board of Directors
Governance Practice
Board
EDM03.01
Evaluate risk management.
A
EDM03.02
Direct risk management.
A
EDM03.03
Monitor risk management.
A
RACI Chart - Management
Management
Practice
Chief Executive
Officer
Chief
Information
Security Officer
Chief
Risk
Officer
Chief
Information
Officer
APO12.01
Collect data.
I
R
R
A
APO12.02
Analyze risk.
I
C
R
A
APO12.03
Maintain a risk
profile.
I
C
A
R
APO12.04
Articulate risk.
I
C
R
A
APO12.05
Define a risk
management
action portfolio.
I
C
A
R
APO12.06
Respond
to risk.
I
R
R
A
Board of Directors –
1. EDM03.01 Evaluate risk management.
Continually examine and make judgment on the effect of risk on the current and future use of IT in the
enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise
value related to the use of IT is identified and managed.
ACTIVITY
DETAILED ACTIVITIES
1.
Determine the level of IT-related risk that
the enterprise is willing to take to meet its risk
objectives.
2.
Evaluate and approve proposed IT risk
tolerance thresholds against the enterprise’s
acceptable risk and opportunity levels.
3.
Determine the extent of alignment of the IT
risk strategy to enterprise risk strategy.
4.
Proactively evaluate IT risk factors in
advance of pending strategic enterprise
decisions and ensure that risk-aware
The board needs to actively take part in the
risk evaluation process of the enterprise,
which also includes the IT-related risks, and, in
assessing the risk, define a risk tolerance
threshold for acceptable risks and opportunity
levels.
The board needs to evaluate the risk factors
before taking decisions on strategies to ensure
that impact of risk has been factored.
The board should evaluate the risk
management activities and regularly define the
1
enterprise decisions are made.
5.
Determine that IT use is subject to
appropriate risk assessment and evaluation,
as described in relevant international and
national standards.
6.
Evaluate risk management activities to
ensure alignment with the enterprise’s
capacity for IT-related loss and leadership’s
tolerance of it.
enterprise’s capacity for loss and the tolerance
limits.
2.
EDM03.02 Direct risk management.
Direct the establishment of risk management practices to
provide reasonable assurance that IT risk management practices are appropriate to ensure that the
actual IT risk does not exceed the board’s risk appetite.
ACTIVITY
DETAILED ACTIVITIES
1.
Promote an IT risk-aware culture and
empower the enterprise to proactively identify
IT risk, opportunity and potential business
impacts.
2.
Direct the integration of the IT risk strategy
and operations with the enterprise strategic
risk decisions and operations.
3.
Direct the
development
of
risk
communication plans (covering all levels of the
enterprise) as well as risk action plans.
You've reached the end of your free preview.
Want to read all 9 pages?
- Fall '08
- SreenivasKumar
- Databases
