Risk IT Framework, published in 2009 by ISACA,[1] provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. It is the result of a work group composed of industry experts and academics from different nations, from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.
IT risk is a part of business risk — specifically, the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives.[1]
Management of business risk is an essential component of the responsible administration of any organization.
Owing to IT's importance to the overall business, IT risk should be treated like other key business risks.[citation needed]
The Risk IT framework[1] explains IT risk and enables users to:
Integrate the management of IT risk with the overall enterprise risk management (ERM)
IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue for the IT department.
IT risk can be categorized in different ways:
IT Benefit/Value Enabler
risks related to missed opportunities to increase business value through IT-enabled or IT-improved processes
IT Program/Project Delivery
risks related to the management of IT-related projects intended to enable or improve the business, i.e. the risk of budget overruns, late delivery, or no delivery at all of these projects
IT Operation and Service Delivery
risks associated with the day-to-day operation and service delivery of IT that can cause problems or inefficiency in the business operations of an organization
Expectation: what the organization expects as the final result and what behaviour it expects of employees and management; it encompasses strategy, policies, procedures, and awareness training
Capability: how well the organization is able to manage the risk
Status: information on the actual status of IT risk; it encompasses the organization's risk profile, key risk indicators (KRIs), events, and the root causes of loss events.
The three domains of the Risk IT framework are listed below with the contained processes (three per domain). Each process contains a number of activities:
Risk Governance: Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. It is based on the following processes:[1]
RG1 Establish and Maintain a Common Risk View
RG1.1 Perform enterprise IT risk assessment
RG1.2 Propose IT risk tolerance thresholds
RG1.3 Approve IT risk tolerance
RG1.4 Align IT risk policy
RG1.5 Promote IT risk-aware culture
RG1.6 Encourage effective communication of IT risk
RG2 Integrate With ERM
RG2.1 Establish and maintain accountability for IT risk management
RG2.2 Coordinate IT risk strategy and business risk strategy
RG2.3 Adapt IT risk practices to enterprise risk practices
RG2.4 Provide adequate resources for IT risk management
RG2.5 Provide independent assurance over IT risk management
RG3 Make Risk-Aware Business Decisions
RG3.1 Gain management buy-in for the IT risk analysis approach
RG3.2 Approve IT risk analysis
RG3.3 Embed IT risk consideration in strategic business decision making
RG3.4 Accept IT risk
RG3.5 Prioritize IT risk response activities
Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analyzed, and presented in business terms. It is based on the following processes:
RE1 Collect Data
RE1.1 Establish and maintain a model for data collection
RE1.2 Collect data on the operating environment
RE1.3 Collect data on risk events
RE1.4 Identify risk factors
RE2 Analyze Risk
RE2.1 Define IT risk analysis scope
RE2.2 Estimate IT risk
RE2.3 Identify risk response options
RE2.4 Perform a peer review of IT risk analysis
RE3 Maintain Risk Profile
RE3.1 Map IT resources to business processes
RE3.2 Determine business criticality of IT resources
RE3.3 Understand IT capabilities
RE3.4 Update risk scenario components
RE3.5 Maintain the IT risk register and IT risk map
RE3.6 Develop IT risk indicators
Risk Response: Ensure that IT-related risk issues, opportunities, and events are addressed in a cost-effective manner and in line with business priorities. It is based on the following processes:
RR1 Articulate Risk
RR1.1 Communicate IT risk analysis results
RR1.2 Report IT risk management activities and state of compliance
RR1.3 Interpret independent IT assessment findings
RR1.4 Identify IT-related opportunities
RR2 Manage Risk
RR2.1 Inventory controls
RR2.2 Monitor operational alignment with risk tolerance thresholds
RR2.3 Respond to discovered risk exposure and opportunity
RR2.4 Implement controls
RR2.5 Report IT risk action plan progress
RR3 React to Events
RR3.1 Maintain incident response plans
RR3.2 Monitor IT risk
RR3.3 Initiate incident response
RR3.4 Communicate lessons learned from risk events
The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events. Risk IT does not prescribe a single method. Different methods are available. Among them there are:
The purpose of defining a risk response, after risk analysis, is to bring risk in line with the organization's overall defined risk appetite: i.e. the residual risk should fall within the risk tolerance limits.
The risk can be managed according to four main strategies (or a combination of them):
Risk avoidance: exiting the activities that give rise to the risk.
Risk mitigation: adopting measures to detect and reduce the frequency and/or impact of the risk.
Risk transfer: transferring part of the risk to others, by outsourcing risky activities or by taking out insurance.
Risk acceptance: deliberately running the risk that has been identified, documented and measured.
Key risk indicators (KRIs) are metrics capable of showing that the organization has a high probability of being subject to a risk that exceeds its defined risk appetite.
Risk IT Framework complements ISACA’s COBIT, which provides a comprehensive framework for the control and governance of business-driven, IT-based solutions and services. While COBIT sets best practices for managing risk by providing a set of controls to mitigate IT risk, Risk IT provides a framework of best practices for enterprises to identify, govern, and manage IT risk.
Val IT provides a governance framework that allows business managers to obtain business value from IT investments. Val IT can be used to evaluate the actions determined by the risk management process.
George Westerman, Richard Hunter. IT Risk: Turning Business Threats into Competitive Advantage. Harvard Business School Press. ISBN 1-4221-0666-7, ISBN 978-1-4221-0666-2.