Align organizational objectives with performance targets in the decision-making criteria.


CONTROL ID
12843
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a decision management strategy. CC ID: 06913

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The purpose of the measurement and reporting practice is to support good decision-making and continual improvement by decreasing the levels of uncertainty. This is achieved through the collection of relevant data on various managed objects and the valid assessment of this data in an appropriate cont… (5.1.5 ¶ 1, ITIL Foundation, 4 Edition)
  • Work with the business to define a balanced set of performance targets and have them approved by the business and other relevant stakeholders. Define benchmarks with which to compare the targets, and identify available data to be collected to measure the targets. Establish processes to collect timel… (ME1.2 Definition and Collection of Monitoring Data, CobiT, Version 4.1)
  • Objectives should be consistent with the decision making criteria set for acceptable levels of residual risk, performance, and compliance in light of the stated mission, vision, and values and the frame of reference. (OCEG GRC Capability Model, v. 3.0, A2.1 Apply Decision-Making Criteria, OCEG GRC Capability Model, v 3.0)
  • sets expectations for the organization using robust decision-making processes (see 6.8.3); (§ 6.7.3.1 ¶ 3 Bullet 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. (§ 6.1.3.4 ¶ 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. (§ 9.4 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: (§ 8.5.1.3 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization sets targets to monitor the performance of the entity and support the achievement of the business objectives. For instance: (Setting Performance Measures and Targets ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Aligning risk-aware behaviors and decision-making with performance: Remuneration and incentive programs are aligned to the core values of the organization including expected behaviors, adherence to codes of conduct, and promoting accountability for risk-aware decision-making and judgment. (Embracing a Risk-Aware Culture ¶ 1 Bullet 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The alignment of the institution's business plans with its technology and operational plans for retail payment systems. (App A Tier 1 Objectives and Procedures Objective 3:1 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)