Percentage of IT operating costs, excluding depreciation/amortization, dedicated to manage IT resilience and risk

This measure calculates the percentage of IT operating costs, excluding depreciation/amortization, allocated to the process "manage IT resilience and risk". That process covers developing IT compliance, risk, and security strategy; developing IT resilience strategy; controlling IT risk, compliance, and security; planning and managing IT continuity; developing and managing IT security, privacy, and data protection; conducting and analyzing IT compliance assessments; developing and executing IT resilience and continuity operations; and managing IT user identity and authorization. In this measure, operating expense includes internal personnel cost; external personnel cost; hardware cost for both owned and leased hardware, excluding hardware dedicated to data and voice networks; software cost, covering both purchased software and software as a service; data and voice network costs, including equipment dedicated to data networks; and allocations to IT for shared sites and services (e.g., an allocation for corporate facilities and general overhead). It is part of a set of Supplemental Information measures that help companies evaluate additional variables not covered elsewhere for the process "manage IT resilience and risk".

Benchmark Data



Measure Category:
Supplemental Information
Measure Id:
Total Sample Size:
560 All Companies
Key Performance

Compute this Measure

Units for this measure are percent.


Percentage allocation of IT operating costs, excluding depreciation/amortization, to managing IT resilience and risk, i.e., operating cost for "manage IT resilience and risk" divided by total IT operating cost (both excluding depreciation/amortization), multiplied by 100.

Key Terms


Supplemental Information

Supplemental information is data that APQC determines is relevant to decision support for a specific process, but does not fit into the other measure categories such as cost effectiveness, cycle time, or staff productivity.

Measure Scope


Cross Industry (7.3.0)

  • 8.3.1 - Develop IT compliance, risk, and security strategy (20707) - Ensuring that the organization effectively manages risk. Develop rules and standards for robust IT operations, manage risk, and adopt measures to protect integrity, confidentiality, and security of IT assets.
    • - Determine and evaluate IT regulatory and audit requirements (20708) - Determining and evaluating IT regulatory and audit requirements. Train employees on regulatory and audit requirements. Maintain the records required by the relevant regulatory and audit agencies, and obtain approval from the appropriate regulatory body for the new product process before it is published to the organization.
    • - Understand business unit risk tolerance (20940) - Understand the risk tolerance levels of individual business units, given risk-return trade-offs for one or more anticipated and predictable consequences.
    • - Establish IT risk tolerance (20709) - Determine the specific maximum risk to take in quantitative terms for each relevant risk sub-category, including strategic, operational, financial, and compliance risks.
    • - Establish risk ownership (20710) - Establish an individual or a group who is ultimately accountable for ensuring that IT risks are managed appropriately.
    • - Establish and maintain risk management roles (20711) - Determine and maintain roles specialized in each risk area, coordinating all risk management activities for the IT function with an appropriate escalation structure.
    • - Establish compliance objectives (20712) - Establishing compliance objectives that ensure the organization has systems of internal controls that adequately measure and manage IT risk.
    • - Identify systems to support compliance (20941) - Identifying and adopting information technology solutions to support changing regulatory compliance. Safeguard compliance and manage risk by outlining the risk policies and procedures.
    • - Identify and evaluate IT risk (20713) - Developing a timely and continuous process to identify and evaluate activities that might hinder IT operations or an IT project's goals.
    • - Evaluate IT-related risks resiliency (20714) - Assess IT-related risk resilience strategies to ensure that the organization effectively manages its risk.
    • - Create IT risk mitigation strategies and approaches (20715) - Developing activities to improve performance opportunities and lessen threats in IT. Evolve strategies and policies to attain organizational objectives.
  • 8.3.2 - Develop IT resilience strategy (20716) - Developing resilience strategies of IT across the organization so that prospective risks can be avoided.
    • - Determine IT delivery resiliency (20717) - Determining resilience strategies to ensure that IT effectively manages its delivery process to mitigate risk.
    • - Determine critical IT risks (20718) - Determining risks that could disrupt objectives of IT.
    • - Prioritize IT risks (20719) - Prioritize potential IT risks based on business need to ensure overall IT stability.
    • - Establish mitigation approaches for IT risks (20720) - Establishing activities to improve opportunities and lessen threats for IT.
  • 8.3.3 - Control IT risk, compliance, and security (20721) - Ensure effective control in overall IT risk management, formulate and execute guidelines in-line with regulatory bodies, and manage organizational security throughout the business operations.
    • - Evaluate enterprise regulatory and compliance obligations (20722) - Evaluation of dynamic, strategic, and integrated approach to manage regulatory requirements and compliance obligations.
    • - Analyze IT security threat impact (20723) - Analyzing the impact of threats to critical IT assets across different departments and functions in the organization in terms of quantifiable results.
    • - Create and maintain IT compliance requirements (20724) - Develop and maintain IT compliance standards. Maintain requirements drawn from recognized governance, risk, and compliance frameworks (the bodies of knowledge behind certifications such as GRCP, PMI-RMP, CGRC, CGEIT, and CRMA).
    • - Create and maintain IT security policies, standards, and procedures (20942) - Develop and maintain an architecture for securing and ensuring the privacy of data flows throughout the organization. Create, test, evaluate, and implement IT security policies to ensure the safe use of IT services and solutions.
    • - Develop and deploy risk management training (20725) - Develop and implement training in regard to managing IT risks, understanding criticality, impact, and opportunities associated with business objectives.
    • - Establish risk reporting capabilities and responsibilities (20726) - Establishing processes to communicate IT risk to the organization.
    • - Establish communication standards (20727) - Establishing standards for communications within the organization which creates the road map for successful understanding of strategic initiatives for both business units and information technology services.
    • - Conduct IT risk and threat assessments (20728) - Conduct IT risk and threat assessments covering IT assets, information security, and potential breach points within the organization.
    • - Monitor and manage IT activity risk (20729) - Monitoring and managing risks related to IT adoption within the organization.
    • - Identify, supervise and monitor IT risk mitigation measures (20730) - Identifying and supervising a blueprint of measures for managing risk in IT. Monitor actions to enhance opportunities and reduce threats to project objectives.
  • 8.3.4 - Plan and manage IT continuity (20731) - Planning and managing IT's ability to recover from exposure to internal and external threats.
    • - Evaluate IT continuity (20732) - Evaluating IT business needs and IT's ability to recover from internal or external threat exposure.
    • - Identify IT continuity gaps (20733) - Identifying the limitations of the IT organization's ability to remediate disruptions in IT services.
    • - Manage IT business continuity (20734) - Integrating the disciplines of Emergency Response, Crisis Management, Disaster Recovery (technology continuity) and Business Continuity for IT.
  • 8.3.5 - Develop and manage IT security, privacy, and data protection (20735) - Creating and deploying an architecture for securing and ensuring the privacy of data flows throughout the organization. Create and develop protocols that ensure proper and efficient use of IT services and solutions.
    • - Assess IT regulatory and confidentiality requirements and policies (20736) - Evaluate principles or rules employed in controlling, directing, or managing IT services. Assessing requirements and policies related to confidentiality.
    • - Create IT security, privacy, and data protection risk governance (20737) - Defining and managing organization's approach to governing IT security and ensuring the privacy of data flows throughout the organization. Establish and manage tools to support the governance process in order to avoid misuse of information and breach of organizational privacy.
    • - Define IT data security and privacy policies, standards, and procedures (20738) - Outlining and establishing policies, regulations, standards, and procedures for IT data security and privacy.
    • - Review and monitor physical and logical IT data security measures (20739) - Identifying, examining, and reviewing physical and logical IT data security measures such as hardware security (smart cards), cryptographic protocols, and access control.
    • - Review and monitor application security controls (20740) - Identifying, examining, and reviewing security control for IT applications. Test, analyze, and implement security protocols in order to safeguard IT applications.
    • - Review and monitor IT physical environment security controls (20741) - Identifying and examining security controls for physical environment of information technology such as business facilities, equipment, and resources.
    • - Monitor/analyze network intrusion detection data and resolve threats (20742) - Monitoring and evaluating network intrusion detection for any malicious activity or policy violations. Identify the gaps in order to resolve threats and enhance existing network security.
  • 8.3.6 - Conduct and analyze IT compliance assessments (20743) - Evaluate and analyze the IT environment for the compliance of industry regulations and government legislation. Ensure that IT capability and resources meet the set standards.
    • - Conduct projects to enhance IT compliance and remediate risk (20744) - Conducting projects in order to enhance set standards, established guidelines, and risk preventive measures for IT risk and resilience.
    • - Conduct IT compliance control auditing of internal and external services (20745) - Examine compliance control systems and tools implemented for internal and external IT services.
    • - Perform IT compliance reporting (20746) - Execute IT compliance reporting in order to review processes, standards, regulations, and laws are followed as laid out by the regulatory bodies.
    • - Identify and escalate IT compliance issues and remediation requirements (20747) - Identify and escalate issues related to IT compliance to ensure that corrective measures are taken.
    • - Support external audits and reports (20748) - Supporting audits and reports performed by external parties. This process requires the organization to provide the evidence external auditors request and to comply with the regulations and standards they audit against.
  • 8.3.7 - Develop and execute IT resilience and continuity operations (20749) - Create and execute a process to rapidly adapt and respond to any internal or external opportunity, demand, disruption, or threat in IT. Maintain continuous IT operations to protect employees, assets, and overall brand equity.
    • - Conduct IT resilience improvement projects (20750) - Conducting projects to improve the strategy and process for rapidly adapting to any threat in IT.
    • - Develop, document, and maintain IT business continuity planning (20751) - Develop, document, and maintain plans to ensure uninterrupted operations of critical IT services. Determine resources such as specialized personnel, equipment, support infrastructure, legal and financial aspects.
    • - Implement and enforce change control procedures (20752) - Implement and enforce procedures and policies in order to control changes in IT services and solutions. Manage changes in a rational and predictable manner for optimum resource utilization.
    • - Execute recurring IT service provider business continuity (20753) - Review and implement resources (including external parties) necessary to support uninterrupted operations of critical IT services.
    • - Provide IT resilience training (20754) - Conduct and manage employee training programs on IT resilience so that prospective risks can be avoided.
    • - Execute recurring IT business operations continuity (20755) - Implement regular resources supporting uninterrupted operations of critical IT services.
  • 8.3.8 - Manage IT user identity and authorization (20756) - The process of identifying, authenticating, and authorizing IT users to have access to applications, systems, IT components, or networks by associating user rights and restrictions with established identities.
    • - Support integration of identity and authorization policies (20757) - Create and implement policies that integrate authorization policies with authorized profiles of users meant to access network resources.
    • - Manage IT user directory (20758) - Managing directory of user profiles and access requirements across different levels in the organization's IT network.
    • - Manage IT user authorization (20759) - Managing the process of authorizing IT users to access applications, systems, IT components, or networks by associating user rights.
    • - Manage IT user authentication mechanisms (20760) - Create and manage the process for authenticating IT users against the user directory in accordance with internal policies.
    • - Audit IT user identity and authorization systems (20761) - Examine the processes responsible for reviewing IT user identity and authorization.
    • - Respond to IT information security and network breaches (20762) - Address any security or network breach, such as unauthorized access to or use of data, applications, services, networks, and/or devices. Identify the root cause and take corrective measures to resolve the breach.
    • - Conduct penetration testing (20763) - Conduct penetration testing (pen test), an authorized simulated attack, to identify security weaknesses in an IT environment by evaluating the system or network with the techniques a real attacker would use.
    • - Audit integration of user identity and authorization systems (20764) - Reviewing the processes responsible for integration of user identity and access authorization in order to confirm that all the required regulations are followed.