Organisation: To be defined during advisory engagement
Perimeter: To be defined during advisory engagement
Assessment timescale: To be defined during advisory engagement
Strategic drivers:
1.2 Governance Alignment Overview

| Area | Current | Target | Notes |
|---|---|---|---|
| Risk ownership | TBD | TBD | |
| Resilience accountability model | TBD | TBD | |
| IT Service Management alignment | TBD | TBD | |
| Business Continuity Management integration | TBD | TBD | |

| Business Function | Criticality Tier | Desc. | Key Output | Dependency Summary |
|---|---|---|---|---|
| TBD | Tier 0 / Tier 1 / Tier 2 / Tier 3 | TBD | TBD | TBD |

| Function | Financial Impact | Operational Impact | Reputational Impact | Notes |
|---|---|---|---|---|
| TBD | High / Medium / Low | High / Medium / Low | High / Medium / Low | |

Impact definitions: To be tailored during advisory engagement

| Service / Function | Business RTO | Technical RTO | Gap |
|---|---|---|---|
| TBD | TBD | TBD | TBD |

| Service / Data Domain | Business RPO | Technical RPO | Gap |
|---|---|---|---|
| TBD | TBD | TBD | TBD |

| Tier | Description | Expected Availability | RTO | RPO |
|---|---|---|---|---|
| Tier 0 | Mission‑critical | TBD | TBD | TBD |
| Tier 1 | High Importance | TBD | TBD | TBD |
| Tier 2 | Standard | TBD | TBD | TBD |
| Tier 3 | Non‑critical | TBD | TBD | TBD |

| Service | Required Availability (%) | Current Measured Availability (%) | Gap |
|---|---|---|---|
| TBD | TBD | TBD | TBD |

| Layer | Identified SPoF | Risk Level | Mitigation Status |
|---|---|---|---|
| Data Centre | TBD | TBD | TBD |
| Network | TBD | TBD | TBD |
| Computer | TBD | TBD | TBD |
| Storage | TBD | TBD | TBD |
| Application | TBD | TBD | TBD |

| Data Domain | Backup Frequency | Retention | Storage Location(s) | Resilience Assessment |
|---|---|---|---|---|
| TBD | TBD | TBD | TBD | TBD |

| System / Data | Replication Method | Target Site | RPO Alignment | Observations |
|---|---|---|---|---|
| TBD | Asynchronous / Synchronous / Snapshots | TBD | Aligned / Not Aligned | TBD |

| Primary Service | Upstream Dependencies | Downstream Dependencies | Third‑Party Dependencies | Notes |
|---|---|---|---|---|
| TBD | TBD | TBD | TBD | |

| Rating | Impact | Rating | Probability |
|---|---|---|---|
| 1 | Minimal impact exposure | 1 | Rare |
| 2 | Low impact exposure | 2 | Unlikely |
| 3 | Moderate impact exposure | 3 | Possible |
| 4 | High impact exposure | 4 | Likely |
| 5 | Critical impact exposure | 5 | Almost certain |

Risk Score Formula: Impact × Probability

| Level | Label | Definition |
|---|---|---|
| 0 | Non‑existent | No control defined |
| 1 | Initial | Partial / ad hoc control |
| 2 | Repeatable | Documented but inconsistently applied |
| 3 | Defined | Formalised and consistently applied |
| 4 | Managed | Measured and monitored |
| 5 | Optimised | Continuous improvement cycle |

| Risk | Inherent Score | Control Maturity | Residual Score | Owner | Notes |
|---|---|---|---|---|---|
| TBD | TBD | TBD | TBD | TBD | |

| Option | Criteria | Governance Route |
|---|---|---|
| Accept | Within defined risk tolerance | Board / CIO / CISO decision |
| Mitigate | Investment required to reduce exposure | Architecture / Security / Programme Governance |
| Transfer | Insurance or contractual transfer | Finance / Legal |
| Avoid | Service redesign or decommission | Executive Committee |

| Risk Level | Escalation Point | Required Action | Timeframe |
|---|---|---|---|
| 1–4 | Operational Management | Track & report | Monthly |
| 5–9 | IT Leadership Team | Remediation plan | 30 days |
| 10–15 | CIO / CFO | Funding decision | 14 days |
| 16–25 | Executive Committee / Board | Strategic decision | 7 days |

RTO (Recovery Time Objective): Maximum acceptable outage duration for a service.
RPO (Recovery Point Objective): Maximum acceptable data loss measured in time.
SPoF (Single Point of Failure): Component whose failure interrupts the entire service.
BCM (Business Continuity Management): Governance framework for continuity planning.
DR (Disaster Recovery): Technical capability to restore services after disruption.
HA (High Availability): Design approach ensuring service continuity during component failures.
SLA (Service Level Agreement): Contractual service performance target.
OLA (Operational Level Agreement): Internal performance target supporting SLA delivery.
RACI (Responsible, Accountable, Consulted, Informed): Responsibility assignment model.
MTTR (Mean Time To Repair): Average time to restore a failed component.
If your organisation is approaching such a decision, or if you want to validate the direction already taken, an external assessment can provide the objectivity and structure required to move forward with certainty.
This document is only a public template, designed to guide a discussion with a consulting specialist. It is not legal, regulatory, tax or insurance advice and does not create any advisory, fiduciary or client relationship. The content is provided “as is”, without warranties of completeness or fitness for a particular purpose. Implementation decisions remain the reader’s responsibility and must be validated against applicable laws, contracts and sector rules; where necessary, seek advice from qualified counsel or regulated professionals. Neither the author nor Brimbor Consulting accepts any liability for anything arising from reliance on this document.