Risk IT


Risk IT provides an end-to-end, comprehensive view of all risks related to the use of information technology and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.
Risk IT was published in 2009 by ISACA. It is the result of a working group composed of industry experts and academics from several nations, drawn from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life and KPMG.

Definition

IT risk is a part of business risk: specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. Such events can occur with uncertain frequency and magnitude, and they create challenges in meeting strategic goals and objectives.
Management of business risk is an essential component of the responsible administration of any organization.
Owing to IT's importance to the overall business, IT risk should be treated like other key business risks.
The Risk IT framework explains IT risk and enables users to:
IT risk is to be managed by all key business leaders in the organization: it is not merely a technical issue for the IT department.
IT risk can be categorised in different ways, for example by the kind of IT activity it relates to:
  1. IT benefit/value enabler
  2. IT programme/project delivery
  3. IT operation and service delivery
The Risk IT framework is based on the principles of enterprise risk management standards and frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework and ISO 31000.
In this way IT risk can be understood by upper management in the same terms as other enterprise risks.

Risk IT principles

Risk IT is built around the following principles:
Major IT risk communication flows are:
Effective risk information should be:
The three domains of the Risk IT framework are listed below with their processes; each process contains a number of activities:
  1. Risk Governance: Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. It is based on the following processes:
     RG1 Establish and Maintain a Common Risk View
       RG1.1 Perform enterprise IT risk assessment
       RG1.2 Propose IT risk tolerance thresholds
       RG1.3 Approve IT risk tolerance
       RG1.4 Align IT risk policy
       RG1.5 Promote IT risk-aware culture
       RG1.6 Encourage effective communication of IT risk
     RG2 Integrate With ERM
       RG2.1 Establish and maintain accountability for IT risk management
       RG2.2 Coordinate IT risk strategy and business risk strategy
       RG2.3 Adapt IT risk practices to enterprise risk practices
       RG2.4 Provide adequate resources for IT risk management
       RG2.5 Provide independent assurance over IT risk management
     RG3 Make Risk-aware Business Decisions
       RG3.1 Gain management buy-in for the IT risk analysis approach
       RG3.2 Approve IT risk analysis
       RG3.3 Embed IT risk consideration in strategic business decision making
       RG3.4 Accept IT risk
       RG3.5 Prioritise IT risk response activities
  2. Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analysed and presented in business terms. It is based on the following processes:
     RE1 Collect Data
       RE1.1 Establish and maintain a model for data collection
       RE1.2 Collect data on the operating environment
       RE1.3 Collect data on risk events
       RE1.4 Identify risk factors
     RE2 Analyse Risk
       RE2.1 Define IT risk analysis scope
       RE2.2 Estimate IT risk
       RE2.3 Identify risk response options
       RE2.4 Perform a peer review of IT risk analysis
     RE3 Maintain Risk Profile
       RE3.1 Map IT resources to business processes
       RE3.2 Determine business criticality of IT resources
       RE3.3 Understand IT capabilities
       RE3.4 Update risk scenario components
       RE3.5 Maintain the IT risk register and IT risk map
       RE3.6 Develop IT risk indicators
  3. Risk Response: Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities. It is based on the following processes:
     RR1 Articulate Risk
       RR1.1 Communicate IT risk analysis results
       RR1.2 Report IT risk management activities and state of compliance
       RR1.3 Interpret independent IT assessment findings
       RR1.4 Identify IT-related opportunities
     RR2 Manage Risk
       RR2.1 Inventory controls
       RR2.2 Monitor operational alignment with risk tolerance thresholds
       RR2.3 Respond to discovered risk exposure and opportunity
       RR2.4 Implement controls
       RR2.5 Report IT risk action plan progress
     RR3 React to Events
       RR3.1 Maintain incident response plans
       RR3.2 Monitor IT risk
       RR3.3 Initiate incident response
       RR3.4 Communicate lessons learned from risk events
Each process is detailed by:
For each domain a maturity model is provided.

Risk evaluation

The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events. Risk IT does not prescribe a single method; several are available, among them:
Risk scenarios are the heart of the risk evaluation process. Scenarios can be derived in two different and complementary ways:
Each risk scenario is analysed to determine its frequency and impact, taking the identified risk factors into account.

Risk response

The purpose of defining a risk response is to bring the risk in line with the organization's defined risk appetite after the risk analysis, i.e. the residual risk should fall within the risk tolerance limits.
The risk can be managed according to four main strategies:
Key risk indicators (KRIs) are metrics capable of showing that the organization is subject, or has a high probability of becoming subject, to a risk that exceeds the defined risk appetite.
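The two steps described above, analysing each scenario for frequency and impact and then checking the result and the key risk indicators against tolerance thresholds, as an added example that is not part of the Risk IT publications or ISACA's own material. Risk IT does not prescribe a method; the frequency times magnitude estimate used here follows the FAIR terminology the framework adopts. The scenarios, the 5-band scales, the tolerance thresholds and the KRI values are all constructed for the illustration and are assumptions, not published figures.

```python
"""Constructed Risk IT-style risk evaluation and KRI monitoring example.

Not ISACA's code. Scales, thresholds, scenarios and indicator values
are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# Assumed 5-band scales: upper bound (inclusive) of each band.
FREQ_BANDS = [0.1, 1, 10, 100, float("inf")]       # events per year
IMPACT_BANDS = [1e4, 1e5, 1e6, 1e7, float("inf")]   # loss per event, currency units


def band(value, bounds):
    """Map a numeric estimate to a 1..5 band on the given scale."""
    for i, upper in enumerate(bounds, start=1):
        if value <= upper:
            return i
    return len(bounds)


@dataclass
class RiskScenario:
    scenario_id: str
    description: str
    frequency: float               # estimated events per year
    impact: float                  # estimated loss per event
    risk_factors: list = field(default_factory=list)

    def annual_loss_expectancy(self):
        """FAIR-style estimate: loss event frequency times loss magnitude."""
        return self.frequency * self.impact

    def rating(self):
        """Cell on a 5x5 risk map as (frequency band, impact band)."""
        return band(self.frequency, FREQ_BANDS), band(self.impact, IMPACT_BANDS)


def exceeds_tolerance(scenario, ale_threshold, map_threshold):
    """Above tolerance if either the ALE or the map score (band product) is over its limit."""
    f, i = scenario.rating()
    return scenario.annual_loss_expectancy() > ale_threshold or f * i > map_threshold


def prioritise(register, ale_threshold, map_threshold):
    """Scenarios that breach tolerance, highest annual loss expectancy first."""
    over = [s for s in register if exceeds_tolerance(s, ale_threshold, map_threshold)]
    return sorted(over, key=lambda s: s.annual_loss_expectancy(), reverse=True)


@dataclass
class KeyRiskIndicator:
    name: str
    value: float
    threshold: float
    higher_is_worse: bool = True   # e.g. unpatched hosts; False for "mean time to detect" style targets

    def breached(self):
        if self.higher_is_worse:
            return self.value > self.threshold
        return self.value < self.threshold


def breached_kris(kris):
    """Indicators currently signalling exposure beyond the defined appetite."""
    return [k for k in kris if k.breached()]


# Constructed sample register and indicator set (assumptions).
REGISTER = [
    RiskScenario("S1", "Ransomware on file servers", 0.5, 2_000_000, ["unpatched hosts", "flat network"]),
    RiskScenario("S2", "Phishing leads to account takeover", 12, 50_000, ["no MFA on webmail"]),
    RiskScenario("S3", "Failed change causes outage", 3, 20_000, ["no staging environment"]),
    RiskScenario("S4", "Lost unencrypted laptop", 2, 5_000, []),
]

KRIS = [
    KeyRiskIndicator("Hosts missing critical patches for more than 30 days (%)", 18, 10),
    KeyRiskIndicator("Privileged accounts without MFA", 3, 0),
    KeyRiskIndicator("Mean time to detect (hours)", 20, 24),
]

# Assumed tolerance: 500k ALE per scenario, map score at most 12 out of 25.
ALE_TOLERANCE = 500_000
MAP_TOLERANCE = 12

if __name__ == "__main__":
    for s in prioritise(REGISTER, ALE_TOLERANCE, MAP_TOLERANCE):
        print(f"{s.scenario_id} {s.description}: ALE={s.annual_loss_expectancy():,.0f} map={s.rating()}")
    for k in breached_kris(KRIS):
        print(f"KRI breached: {k.name} = {k.value} (threshold {k.threshold})")
```

Two separate triggers are used on purpose: a scenario with high frequency but small per-event loss can sit inside the ALE limit yet still be unacceptable on the risk map, and vice versa, so the tolerance statement approved under RG1.3 should define both, and RR2.2 monitoring should check both.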

Practitioner Guide

The second important Risk IT document is the Practitioner Guide.
It is made up of eight sections:
  1. Defining a Risk Universe and Scoping Risk Management
  2. Risk Appetite and Risk Tolerance
  3. Risk Awareness, Communication and Reporting
  4. Expressing and Describing Risk
  5. Risk Scenarios
  6. Risk Response and Prioritisation
  7. A Risk Analysis Workflow
  8. Mitigation of IT Risk Using COBIT and Val IT

Relationship with other ISACA frameworks

The Risk IT framework complements ISACA's COBIT, which provides a comprehensive framework for the control and governance of business-driven, IT-based solutions and services. While COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk, Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risk.
Val IT provides a governance framework that allows business managers to obtain business value from IT investments. Val IT can be used to evaluate the actions determined by the risk management process.

Relationship with other frameworks

Risk IT adopts the terminology and evaluation process of Factor Analysis of Information Risk (FAIR).

ISO 27005

For a comparison of the Risk IT processes with those defined by the ISO/IEC 27005 standard, see the sections "Risk management methodology" and "ISO 27005 framework" of the IT risk management article.

ISO 31000

Appendix 2 of the Risk IT Practitioner Guide contains a comparison with ISO 31000.

COSO

Appendix 4 of the Risk IT Practitioner Guide contains a comparison with COSO.