
Questionnaire for Information Technology Project Risk Management Tools & Techniques

Organizational Culture and Support


Q1 The responsibility for risk management is documented and understood throughout the organization?
Strongly Disagree   Disagree   Neutral   Agree   Strongly Agree
1   2   3   4   5

Q2 Does the organization have a risk treatment (action) plan?
Yes   No
1   2

Q3 Who is responsible for identifying the risks facing your organization? Circle all that Apply
O Chief Executive Officer? 1
O Board/Executive Management Team? 2
O Head of Finance? 3
O Internal Auditor? 4
O Risk Manager? 5
O Line Managers? 6
O A Committee? 7
O Other? Please specify below 8
O ________________________________

Q4 How important is effective risk management to the achievement of your organization's objectives?
Not at All   Some   Very Important
1   2   3   4   5

Q5 Effective risk management can improve your organization's performance?
Strongly Disagree   Disagree   Neutral   Agree   Strongly Agree
1   2   3   4   5

Q6 Capability Maturity Model Integration (CMMI) models from the Software Engineering Institute (SEI)? Level
1   2   3   4   5   Not Applicable

Q7 Organizational Project Management Maturity Model (OPM3) from the Project Management Institute (PMI)? Level
1   2   3   4   5   Not Applicable

Q8 To what degree has your organization developed a close link between its strategic objectives and management of risks, e.g. risk identification is conducted during strategic planning?
Not at All   Some   Significant
1   2   3   4   5

Q9 Management has documented its attitude on risk management for the benefit of all staff (this is separate from a policy statement).
Strongly Disagree   Disagree   Neutral   Agree   Strongly Agree
1   2   3   4   5

Q10 Does the sponsor/champion have a facilitative role in:
Yes   No
O Increasing awareness of the benefits of risk management? 1   2
O Promoting the acceptance of risk management techniques? 1   2
O Developing risk management policies and procedures? 1   2
O Providing advice and support? 1   2
O Organizing training? 1   2

Q11 Your organization is able to allocate appropriate resources in support of risk management policy and practice?
Strongly Disagree   Disagree   Neutral   Agree   Strongly Agree
1   2   3   4   5

Q12 If the answer to Q11 above was negative (that is, 1 or 2), what are the main barriers to the provision of adequate resources in support of risk management? Circle all that Apply
O Budgetary? 1
O Cultural? 2
O Other? Please specify below 3
O ________________________________________________



Q13 Has training been provided by your organization on:
(i) Staff: Yes   No   NA        (ii) Management: Yes   No   NA
O Risk?                                   1   2   3        1   2   3
O Risk policy, procedures and practices?  1   2   3        1   2   3
O Risk taking?                            1   2   3        1   2   3
O Risk tools and techniques?              1   2   3        1   2   3


Q14 To what degree does your organization recognize the need for technical risk management skills?
Not at All   Some   Significant
1   2   3   4   5

Q15 To what degree does your organization encourage and resource staff to undertake relevant training to improve their skills in the above areas (Q13, Q14)?
Not at All   Some   Significant
1   2   3   4   5

Q16 The following have significantly contributed to the development and implementation of risk management within your organization:
Strongly Disagree   Disagree   Neutral   Agree   Strongly Agree
O PMBOK Risk Management Standard   1   2   3   4   5
O central agencies' policies, directives and guidelines   1   2   3   4   5
O non-central agencies' policies, directives and guidelines   1   2   3   4   5
O legislation   1   2   3   4   5
O internal audit reports   1   2   3   4   5
O external audit reports   1   2   3   4   5
O international standards   1   2   3   4   5
O private sector risk management practitioners/consultants   1   2   3   4   5
O other, please specify below   1   2   3   4   5
O _________________________

Q17 Has your organization used the standard tools & techniques to improve its risk management processes?
Yes   No
1   2

Q18 If the standard tools & techniques are used (that is, Yes to Q17), then is an organization-wide risk management plan developed based on the results from using the Tools & Techniques?
Yes   No
1   2

Q19 If the standard tools & techniques are not used (that is, No to Q17), did your organization attempt to improve risk management and internal control practices in some other way?
Yes   No
1   2


Q20 If Yes to Q19, what tools/methodology are being used by your organization?
1 _____________________________________________________
2 _____________________________________________________
3 _____________________________________________________

Q21 If your organization did not use the standard tools & techniques (that is, No to Q17), was this because of:
Yes   No
O Lack of resources? 1   2
O Were the Guidelines and Toolkit inadequate in some way? 1   2
O Other? Please specify below 1   2
O _____________________________________________

Q22 Did any agency provide your organization with assistance in implementing the Toolkit?
Yes   No
1   2

Q23 Overall, does the culture of your organization tend to reflect a risk-taking or risk-averse attitude (1 is strongly risk taking, 5 is strongly risk averse)?
Risk Taking   Some   Risk Averse
1   2   3   4   5

Risk Management Policy

Q24 Does your organization have a documented risk management policy?
Yes   No
1   2

Q25 Who approved the policy: the Circle all that Apply
O Minister? 1
O Chief Executive Officer? 2
O Board/Executive Management Team? 3
O Director of Finance? 4
O Audit Committee? 5
O Risk Manager? 6
O Other? Please specify below 7
O _______________________________________________







Q28 To what extent is your organization's risk management policy promulgated through the following levels:
Not at All   Some   Significant

O Chief Executive Officer/Board? 1   2   3   4   5
O Executive management? 1   2   3   4   5
O Staff? 1   2   3   4   5
O Stakeholders? 1   2   3   4   5
O Other? Please specify below 1   2   3   4   5
O ________________________

Organizational Objectives

Q29 In applying risk management processes and developing related plans, your organization has examined and documented the:
Strongly Disagree   Disagree   Neutral   Agree   Strongly Agree
O Strategic context: the relationship of the organization to its environment (SWOT analysis)   1   2   3   4   5
O Organizational context: the organization, its capabilities, goals and objectives   1   2   3   4   5
O Risk management context: the goals, objectives, strategies, scope and parameters to which the risk management process is to be applied, and the need for information and research   1   2   3   4   5

Q30 In pursuing its objectives, your organization views risk as:
Yes   No
O A threat? 1   2
O An opportunity? 1   2
O Other? Please specify below 1   2
O ________________________________________________






Risk Identification

Q31 Your organization carries out a comprehensive and systematic identification of its risks relating to each of its declared aims and objectives.
Strongly Disagree   Disagree   Neutral   Agree   Strongly Agree
1   2   3   4   5

Q32 In identifying risks, to what extent does your organization consider the following sources of risk? Circle all that apply
Strategic
O Political? 1
O Opportunity risks (the risk of missing opportunities to improve on delivery of the organization's objectives)? 2
O Environmental? 3
O Alliance risk (the risk associated with working with partnering organizations)? 4
O Reputation risk (risk of damage to the organization's credibility and reputation)? 5

Operational (risks associated with delivery of services)
O Financial risk (risks arising from spending on capital projects, fraud)? 6
O Project risk (risks of introducing new systems)? 7
O Compliance risk (the risk of failing to meet government standards/laws and regulations)? 8
O Risks arising from new ways of working (public-private sector partnerships, outsourcing)? 9
O Public liability risks (public access, safety)? 10
O Natural hazard risks (climatic conditions, earthquakes, bushfires, floods, vermin)? 11
O Technological risks (innovation, obsolescence, explosions and dependability)? 12
O Human risks (strike by employees, loss of key personnel)? 13
O Security risks (premises/computer breaches)? 14
O Risks arising from pilot projects (risk of not learning from pilots)? 15
O Other? Please specify below 16
O _____________________________________________________

Q33 Does your organization identify risks in terms of:
Yes   No
O What can happen? 1   2
O How and why risks arise? 1   2
O Area of impact? 1   2
O The source of the risk? 1   2

Q34 Does your organization have a risk register/database?
Yes   No
1   2

Q35 If Yes to Q34, in respect of each identified risk the risk register/database records: Circle all that apply
O Source? 1
O Nature? 2
O Existing controls? 3
O Consequences and likelihood? 4
O Initial risk rating? 5
O Vulnerability to external/internal factors? 6
O Other? Please specify below 7
O _______________________________________________

Q36 Does your organization make use of computer software for risk management?
Yes   No
1   2

Q37 If Yes to Q36, please provide the name of the application and whether it is developed product? Circle all that apply
O Off the shelf 1
O In-house 2

Q38 Is risk management software used for: Circle all that Apply
O Risk identification? 1
O Risk analysis and evaluation? 2
O Risk treatment? 3
O Risk monitoring and reporting? 4














Q39 What tools and techniques are used by your organization for identifying risks? Circle all that Apply
O Audits or physical inspection? 1
O Brainstorming? 2
O Examination of local/overseas experience? 3
O SWOT (strengths, weaknesses, opportunities, threats) analysis? 4
O Interview/focus group discussion? 5
O Judgmental? 6
O Surveys/questionnaires? 7
O Scenario analysis? 8
O Operational modeling? 9
O Past organizational experience? 10
O Process analysis? 11
O Other? Please specify below 12
O __________________________________________________

Q40 Your organization has developed and applied procedures for the systematic identification of opportunities.
Strongly Disagree   Disagree   Neutral   Agree   Strongly Agree
1   2   3   4   5

Q41 What are the qualifications of the personnel responsible/accountable for the risk management in your organization? Circle all that Apply
O PMP 1
O PRINCE 2
O MBA 3
O Other? Please specify below 4

Q42 Your organization has an effective two-way flow of information between itself and stakeholders (internal/external) about risks and benefits?
Yes   No   Not Sure
1   2   3

Risk Analysis, Evaluation and Treatment

Q43 Are risks analyzed in terms of:
Yes   No
O Likelihood? 1   2
O Consequence? 1   2
O Financial impact? 1   2
O Reputation impact? 1   2
O Achievement of objectives? 1   2
O Other? Please specify below 1   2
O _____________________________________________

Q44 To what extent are the organization's risks assessed by using:
Not at All   Sometimes   Always
O Qualitative analysis methods (e.g. high, moderate, low)?   1   2   3   4   5
O Quantitative analysis methods (that is, identification of a precise level, e.g. an event which will happen at least once a year with high impact)?   1   2   3   4   5

Q45 Using the tools & techniques of the risk management, your organization:
Strongly Disagree   Disagree   Neutral   Agree   Strongly Agree
O Collates risks for decision making on what actions to take   1   2   3   4   5
O Knows about the strengths and weaknesses of the risk management systems of other organizations it works with   1   2   3   4   5
O Analyzes and evaluates opportunities it has to achieve objectives   1   2   3   4   5

Q46 The risks your organization faces are difficult to:
Strongly Disagree   Disagree   Neutral   Agree   Strongly Agree
O assess in terms of occurrence likelihood   1   2   3   4   5
O assess in terms of potential impacts   1   2   3   4   5
O prioritize   1   2   3   4   5
O develop and review risk mitigation strategies   1   2   3   4   5
O monitor   1   2   3   4   5

Q47 Your organization's response to analyzed risks includes:
Strongly Disagree   Disagree   Neutral   Agree   Strongly Agree
O an evaluation of the effectiveness of existing controls and risk management responses   1   2   3   4   5
O an assessment of the costs and benefits of addressing risks   1   2   3   4   5
O prioritizing of risks and selecting those that need active management   1   2   3   4   5
O prioritizing risk treatments where there are resource constraints on risk treatment implementation   1   2   3   4   5

Q48 Does your organization have an up-to-date:
Yes   No
O Business continuity plan? 1   2
O Disaster recovery plan for information technology? 1   2
O Risk management plan? 1   2

Q49 In the last 3 years, the level of risk faced by your organization has:
Increased   Decreased   Not Changed   Not Sure
1   2   3   4

Q50 In your organization, risk management reviews consider: Please select
O Risks today 1
O Risks over the next 1-2 years 2
O Risks beyond 2 years 3
