
Risk IT

Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.

Risk IT was published in 2009 by ISACA.[1] It is the result of a work group composed of industry experts and some academics from different nations, coming from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.

1 Definition

IT risk is a part of business risk—specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives.[1]

Management of business risk is an essential component of the responsible administration of any organization. Due to IT's importance to the overall business, IT risk should be treated like other key business risks.

The Risk IT framework[1] explains IT risk and enables users to:

• Integrate the management of IT risk with the overall ERM
• Compare assessed IT risk with the risk appetite and risk tolerance of the organization
• Understand how to manage the risk

IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue of the IT department.

IT risk can be categorised in different ways:

IT Benefit/Value enabler risks: related to missed opportunities to increase business value through IT-enabled or improved processes.

IT Programme/Project delivery risks: related to the management of IT-related projects intended to enable or improve the business, i.e. the risk of over-budget or late delivery (or no delivery at all) of these projects.

IT Operation and Service Delivery risks: associated with the day-by-day operations and service delivery of IT, which can bring issues and inefficiency to the business operations of an organization.

The Risk IT framework is based on the principles of enterprise risk management standards/frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission ERM and ISO 31000. In this way IT risk can be understood by upper management.

2 Risk IT principles

Risk IT is built around the following principles:[1]

• always align with business objectives
• align IT risk management with ERM
• balance the costs and benefits of IT risk management
• promote fair and open communication of IT risks
• establish the right tone at the top while defining and enforcing accountability
• be a continuous process and part of daily activities

3 IT risk communication components

Major IT risk communication flows are:

• Expectation: what the organization expects as the final result and what the expected behaviour of employees and management is; it encompasses strategy, policies, procedures and awareness training.
• Capability: indicates how well the organization is able to manage the risk.
• Status: information on the actual status of IT risk; it encompasses the risk profile of the organization, key risk indicators, events, and the root causes of loss events.

Effective information should be:


• Clear
• Concise
• Useful
• Timely
• Aimed at the correct target audience
• Available on a need-to-know basis

4 Risk IT domains and processes

The three domains of the Risk IT framework are listed below with the processes they contain (three per domain); each process contains a number of activities:

1. Risk Governance: Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. It is based on the following processes:[1]
   (a) RG1 Establish and Maintain a Common Risk View
       i. RG1.1 Perform enterprise IT risk assessment
       ii. RG1.2 Propose IT risk tolerance thresholds
       iii. RG1.3 Approve IT risk tolerance
       iv. RG1.4 Align IT risk policy
       v. RG1.5 Promote IT risk-aware culture
       vi. RG1.6 Encourage effective communication of IT risk
   (b) RG2 Integrate With ERM
       i. RG2.1 Establish and maintain accountability for IT risk management
       ii. RG2.2 Coordinate IT risk strategy and business risk strategy
       iii. RG2.3 Adapt IT risk practices to enterprise risk practices
       iv. RG2.4 Provide adequate resources for IT risk management
       v. RG2.5 Provide independent assurance over IT risk management
   (c) RG3 Make Risk-aware Business Decisions
       i. RG3.1 Gain management buy-in for the IT risk analysis approach
       ii. RG3.2 Approve IT risk analysis
       iii. RG3.3 Embed IT risk consideration in strategic business decision making
       iv. RG3.4 Accept IT risk
       v. RG3.5 Prioritise IT risk response activities
2. Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analysed and presented in business terms. It is based on the following processes:
   (a) RE1 Collect Data
       i. RE1.1 Establish and maintain a model for data collection
       ii. RE1.2 Collect data on the operating environment
       iii. RE1.3 Collect data on risk events
       iv. RE1.4 Identify risk factors
   (b) RE2 Analyse Risk
       i. RE2.1 Define IT risk analysis scope
       ii. RE2.2 Estimate IT risk
       iii. RE2.3 Identify risk response options
       iv. RE2.4 Perform a peer review of IT risk analysis
   (c) RE3 Maintain Risk Profile
       i. RE3.1 Map IT resources to business processes
       ii. RE3.2 Determine business criticality of IT resources
       iii. RE3.3 Understand IT capabilities
       iv. RE3.4 Update risk scenario components
       v. RE3.5 Maintain the IT risk register and IT risk map
       vi. RE3.6 Develop IT risk indicators
3. Risk Response: Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities. It is based on the following processes:
   (a) RR1 Articulate Risk
       i. RR1.1 Communicate IT risk analysis results
       ii. RR1.2 Report IT risk management activities and state of compliance
       iii. RR1.3 Interpret independent IT assessment findings
       iv. RR1.4 Identify IT-related opportunities
   (b) RR2 Manage Risk
       i. RR2.1 Inventory controls
       ii. RR2.2 Monitor operational alignment with risk tolerance thresholds
       iii. RR2.3 Respond to discovered risk exposure and opportunity
       iv. RR2.4 Implement controls
       v. RR2.5 Report IT risk action plan progress
   (c) RR3 React to Events
       i. RR3.1 Maintain incident response plans
       ii. RR3.2 Monitor IT risk

       iii. RR3.3 Initiate incident response
       iv. RR3.4 Communicate lessons learned from risk events

Each process is detailed by:

• Process components
• Management practice
• Inputs and outputs
• RACI charts
• Goals and metrics

For each domain a maturity model is depicted.

4.1 Risk evaluation

The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events. Risk IT does not prescribe a single method. Different methods are available. Among them are:

• COBIT information criteria
• Balanced scorecard
• Extended balanced scorecard
• Westerman[2]
• COSO
• Factor Analysis of Information Risk

4.1.1 Risk scenarios

Risk scenarios are the heart of the risk evaluation process. Scenarios can be derived in two different and complementary ways:

• a top-down approach, from the overall business objectives to the most likely risk scenarios that can impact them;
• a bottom-up approach, where a list of generic risk scenarios is applied to the organization's situation.

Each risk scenario is analysed by determining its frequency and impact, based on the risk factors.

4.2 Risk response

The purpose of defining a risk response is to bring risk into line with the overall defined risk appetite of the organization after risk analysis, i.e. the residual risk should be within the risk tolerance limits.

The risk can be managed according to four main strategies (or a combination of them):

• Risk avoidance: exiting the activities that give rise to the risk
• Risk mitigation: adopting measures to detect the risk or to reduce its frequency and/or impact
• Risk transfer: transferring part of the risk to others, by outsourcing dangerous activities or by insurance
• Risk acceptance: deliberately running the risk that has been identified, documented and measured

Key risk indicators are metrics capable of showing that the organization is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.

5 Practitioner Guide

The second important document about Risk IT is the Practitioner Guide.[3] It is made up of eight sections:

1. Defining a Risk Universe and Scoping Risk Management
2. Risk Appetite and Risk Tolerance
3. Risk Awareness, Communication and Reporting
4. Expressing and Describing Risk
5. Risk Scenarios
6. Risk Response and Prioritisation
7. A Risk Analysis Workflow
8. Mitigation of IT Risk Using COBIT and Val IT

6 Relationship with other ISACA frameworks

The Risk IT Framework complements ISACA's COBIT, which provides a comprehensive framework for the control and governance of business-driven, information-technology-based (IT-based) solutions and services. While COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk, Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risk.

Val IT allows business managers to get business value from IT investments by providing a governance framework. Val IT can be used to evaluate the actions determined by the risk management process.

7 Relationship with other frameworks

Risk IT accepts the Factor Analysis of Information Risk terminology and evaluation process.

7.1 ISO 27005

For a comparison of Risk IT processes and those foreseen by the ISO/IEC 27005 standard, see IT risk management#Risk management methodology and IT risk management#ISO 27005 framework.

7.2 ISO 31000

The Risk IT Practitioner Guide[3] appendix 2 contains the comparison with ISO 31000.

7.3 COSO

The Risk IT Practitioner Guide[3] appendix 4 contains the comparison with COSO.

8 See also

• Balanced scorecard
• COBIT
• COSO
• Enterprise risk management
• Factor Analysis of Information Risk
• ISACA
• ISO 31000
• IT risk
• Key Risk Indicator
• Risk
• Risk appetite
• Risk factor (computing)
• Risk management
• Risk tolerance
• Val IT

9 References

Note from a novice: I read the instructions and can't figure out how to fix broken reference links, so I'll mention them here. The first reference below (whose URL contains 18Nov09-Research.pdf) should be: http://www.isaca.org/Knowledge-Center/Research/Documents/Risk-IT-Framework_fmk_Eng_0610.pdf The third reference below (to the Risk IT Practitioner Guide) should be: http://www.isaca.org/Knowledge-Center/Research/Documents/Risk-IT-Practitioner-Guide_res_Eng_0610.pdf

[1] ISACA, The Risk IT Framework (registration required)
[2] George Westerman, Richard Hunter, IT Risk: Turning Business Threats into Competitive Advantage, Harvard Business School Press series, ISBN 1-4221-0666-7, ISBN 978-1-4221-0666-2
[3] The Risk IT Practitioner Guide, ISACA, ISBN 978-1-60420-116-1 (registration required)

10 See also

• LWG Consulting, Inc.

11 External links

• Risk IT main page on ISACA web site
