• Percent of critical business processes, IT services and IT-enabled business programmes covered by
risk assessment
• Number of significant IT-related incidents that were not identified in risk assessment
• Percent of enterprise risk assessments including IT-related risk
• Frequency of update of risk profile

• Level of business user satisfaction with quality and timeliness (or availability) of
management information
• Number of business process incidents caused by non-availability of information
• Ratio and extent of erroneous business decisions where erroneous or unavailable information
was a key factor

• Percent of investment business cases with clearly defined and approved expected IT-related costs
and benefits
• Percent of IT services with clearly defined and approved operational costs and expected benefits
• Satisfaction survey of key stakeholders regarding the level of transparency, understanding and
accuracy of IT financial information

• Number of security incidents causing financial loss, business disruption or public embarrassment
• Number of IT services with outstanding security requirements
• Time to grant, change and remove access privileges, compared to agreed-on service levels
• Frequency of security assessment against latest standards and guidelines

• Number of customer service interruptions causing significant incidents
• Business cost of incidents
• Number of business processing hours lost due to unplanned service interruptions
• Percent of complaints as a function of committed service availability targets

• Percent of critical business objectives and services covered by risk assessment
• Ratio of significant incidents that were not identified in risk assessments vs. total incidents
• Frequency of update of risk profile