Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.

Risk IT was published in 2009 by ISACA.[1] It is the result of a work group composed of industry experts and some academics of different nations, coming from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.

1 Definition

IT risk is a part of business risk—specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives.[1]

Management of business risk is an essential component of the responsible administration of any organization. Due to IT's importance to the overall business, IT risk should be treated like other key business risks.

The Risk IT framework[1] explains IT risk and enables users to:

• Integrate the management of IT risk with the overall ERM
• Compare assessed IT risk with the risk appetite and risk tolerance of the organization
• Understand how to manage the risk

IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue of the IT department.

IT risk can be categorised in different ways:

• IT Benefit/Value enabler risks: related to missed opportunities to increase business value through IT-enabled or improved processes
• IT Programme/Project delivery risks: related to the management of IT-related projects intended to enable or improve the business, i.e. the risk of over-budget or late delivery (or no delivery at all) of these projects
• IT Operation and Service Delivery risks: associated with the day-to-day operations and service delivery of IT, which can bring issues and inefficiency to the business operations of an organization

The Risk IT framework is based on the principles of enterprise risk management standards/frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission ERM and ISO 31000. In this way, IT risk can be understood by upper management.

2 Risk IT principles

Risk IT is built around the following principles:[1]

• always align with business objectives
• align IT risk management with ERM
• balance the costs and benefits of IT risk management
• promote fair and open communication of IT risks
• establish the right tone at the top while defining and enforcing accountability
• be a continuous process and part of daily activities

3 IT risk communication components

Major IT risk communication flows are:

• Expectation: what the organization expects as the final result and the expected behaviour of employees and management; it encompasses strategy, policies, procedures and awareness training
• Capability: indicates how well the organization is able to manage the risk
• Status: information on the actual status of IT risk; it encompasses the risk profile of the organization, Key Risk Indicators, events and the root causes of loss events

Effective information should be:
4 Risk IT domains and processes

• Management practice
• Inputs and Outputs
• RACI charts
• Goal and metrics

For each domain a Maturity Model is depicted.

4.1 Risk evaluation

The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events. Risk IT does not prescribe a single method. Different methods are available. Among them there are:

• COBIT Information criteria
• Balanced scorecard
• Extended balanced scorecard
• a top-down approach from the overall business objectives to the most likely risk scenarios that can impact them
• a bottom-up approach where a list of generic risk scenarios is applied to the organization's situation

Each risk scenario is analysed to determine its frequency and impact, based on the risk factors.

• Risk avoidance: exiting the activities that give rise to the risk
• Risk mitigation: adopting measures to detect the risk and reduce its frequency and/or impact
• Risk transfer: transferring part of the risk to others, by outsourcing dangerous activities or by insurance
• Risk acceptance: deliberately running a risk that has been identified, documented and measured

Key risk indicators are metrics capable of showing that the organization is subject, or has a high probability of being subject, to a risk that exceeds the defined risk appetite.

5 Practitioner Guide

The second important document about Risk IT is the Practitioner Guide.[3] It is made up of eight sections:

1. Defining a Risk Universe and Scoping Risk Management

6 Relationship with other ISACA frameworks

The Risk IT Framework complements ISACA's COBIT, which provides a comprehensive framework for the control and governance of business-driven, information-technology-based (IT-based) solutions and services. While COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk, Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risk.

• ISACA
• ISO 31000
• IT risk
• Risk
• Risk appetite
• Risk management
• Risk tolerance