All the agencies are required by government to have risk management policies
and practices that identify, assess and treat risks including IT risks that might
affect key business objectives. Failure to properly identify and treat IT risks
within reasonable timeframes increases the likelihood that agency objectives
will not be met