Risk IT
Encyclopedia
Risk IT provides an end-to-end, comprehensive view of all risk
s related to the use of IT
and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.
Risk IT was published in 2009 by ISACA. It is the result of a work group composed by industry experts and some academics of different nations, coming from organizations such as IBM
, PricewaterhouseCoopers
, Risk Management Insight, Swiss Life
, and KPMG
.
is a part of business risk—specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives.
Management of business risk is an essential component of the responsible administration of any organization.
Due to IT’s importance to the overall business, IT risk should be treated like other key business risks.
The Risk IT framework explains IT risk and enables users to:
IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue of IT department.
IT risk can be categorised in different ways:
IT Benefit/Value enabler
IT Programme/Project delivery
IT Operation and Service Delivery
The Risk IT framework is based on the principles of enterprise risk management standards/frameworks such as COSO ERM and ISO 31000
.
In this way IT risk could be understood by upper management.
An effective information should be:
(three by domain); each process contains a number of activities:
Each process is detailed by:
For each domain a Maturity Model is depicted.
Each risk scenarios is analysed determining frequency and impact, based on the risk factors
.
of the organization after risk analysis: i.e. the residual risk should be within the risk tolerance limits.
The risk can be managed according four main strategy (or a combination of them):
Key risk indicator
s are metrics capable of showing that the organizaztion is subject or has a high probability of being subject to a risk that exceeds the defined risk appetite
.
It is made up of eight sections:
, which provides a comprehensive framework for the control and governance of business-driven information-technology-based (IT-based) solutions and services. While COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk, Risk IT sets good practices for the ends by providing a framework for
enterprises to identify, govern and manage IT risk.
Val IT
allows business managers to get business value from IT investments, by providing a governance framework. VAL IT can be used to evaluate the actions determined by the Risk management
process.
terminology and evaluation process.
standard, see IT risk management#Risk management methodology and IT risk management#ISO 27005 framework
Risk
Risk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...
s related to the use of IT
Information technology
Information technology is the acquisition, processing, storage and dissemination of vocal, pictorial, textual and numerical information by a microelectronics-based combination of computing and telecommunications...
and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.
Risk IT was published in 2009 by ISACA. It is the result of a work group composed by industry experts and some academics of different nations, coming from organizations such as IBM
IBM
International Business Machines Corporation or IBM is an American multinational technology and consulting corporation headquartered in Armonk, New York, United States. IBM manufactures and sells computer hardware and software, and it offers infrastructure, hosting and consulting services in areas...
, PricewaterhouseCoopers
PricewaterhouseCoopers
PricewaterhouseCoopers is a global professional services firm headquartered in London, United Kingdom. It is the world's largest professional services firm measured by revenues and one of the "Big Four" accountancy firms....
, Risk Management Insight, Swiss Life
Swiss Life
The Swiss Life Group is the largest life insurance company of Switzerland. The firm is headquartered is in Zurich. The Swiss Life Group has 7,500 employees and had assets under management of approximately CHF 133 billion in 2010.-Foundation and growth:...
, and KPMG
KPMG
KPMG is one of the largest professional services networks in the world and one of the Big Four auditors, along with Deloitte, Ernst & Young and PwC. Its global headquarters is located in Amstelveen, Netherlands....
.
Definition
IT riskIT risk
Information technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
is a part of business risk—specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives.
Management of business risk is an essential component of the responsible administration of any organization.
Due to IT’s importance to the overall business, IT risk should be treated like other key business risks.
The Risk IT framework explains IT risk and enables users to:
- Integrate the management of IT risk with the overall ERMEnterprise Risk ManagementEnterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives...
- Compare assessed IT risk with risk appetiteRisk appetiteRisk Appetite is a method to help guide an organisation’s approach to risk and risk management.-Definition:The level of risk that an organisation is prepared to accept, before action is deemed necessary to reduce it...
and risk tolerance of the organization - Understand how to manage the risk
IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue of IT department.
IT risk can be categorised in different ways:
IT Benefit/Value enabler
- risks related to missed opportunity to increase business value by IT enabled or improved processes
IT Programme/Project delivery
- risks related to the management of IT related projects intended to enable or improve business: i.e. the risk of over budget or late delivery (or not delivery at all) of these projects
IT Operation and Service Delivery
- risks associated to the day by day operations and service delivery of IT that can bring issues, inefficiency to the business operations of an organization
The Risk IT framework is based on the principles of enterprise risk management standards/frameworks such as COSO ERM and ISO 31000
ISO 31000
ISO 31000 is intended to be a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management...
.
In this way IT risk could be understood by upper management.
Risk IT principles
Risk IT is built around the following principles:- always align with business objectives
- align the IT risk management with ERM
- balance the costs and benefits of IT risk management
- promote fair and open communication of IT risks
- establish the right tone at the top while defining and enforcing accountability
- are a continuous process and part of daily activities
IT risk communication components
Major IT risk communication flows are:- Expectation: what the organization expects as final result and what are the expected behaviour of employee and management; It encompasses strategy, policies, procedures, awareness training
- Capability: it indicates how the organization is able to manage the risk
- Status: information of the actual status of IT risk; It encompasses risk profile of the organization, Key Risk IndicatorKey Risk IndicatorA Key Risk Indicator, also known as a KRI, is a measure used in management to indicate how risky an activity is. It differs from a Key Performance Indicator in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future...
, events, root cause of loss events.
An effective information should be:
- Clear
- Concise
- Useful
- Timely
- Aimed at the correct target audience
- Available on a need to knowNeed to knowThe term "need to know", when used by government and other organizations , describes the restriction of data which is considered very sensitive...
basis
Risk IT domains and processes
The three domains of the Risk IT framework are listed below with the contained processesProcess (engineering)
In engineering a process is a set of interrelated tasks that, together, transform inputs into outputs. These tasks may be carried out by people, nature, or machines using resources; so an engineering process must be considered in the context of the agents carrying out the tasks, and the resource...
(three by domain); each process contains a number of activities:
- Risk Governance: Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. It is based on the following processes:
- RG1 Establish and Maintain a Common Risk View
- RG1.1 Perform enterprise IT risk assessment
- RG1.2 Propose IT risk tolerance thresholds
- RG1.3 Approve IT risk tolerance
- RG1.4 Align IT risk policy
- RG1.5 Promote IT risk aware culture
- RG1.6 Encourage effective communication of IT risk
- RG2 Integrate With ERM
- RG2.1 Establish and maintain accountability fro IT risk management
- RG2.2 Coordinate IT risk strategy and business risk strategy
- RG2.3 Adapt IT risk practices to enterprise risk practices
- RG2.4 Provide adequate resources for IT risk management
- RG2.5 Provide independent assurance over IT risk management
- RG3 Make Risk-aware Business Decisions
- RG3.1 Gain management buy in for the IT risk analysis approach
- RG3.2 Approve IT risk analysis
- RG3.3 Embed IT risk consideration in strategic business decision making
- RG3.4 Accept IT risk
- RG3.5 Prioritise IT risk response activities
- RG1 Establish and Maintain a Common Risk View
- Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analysed and presented in business terms. It is based on the following processes:
- RE1 Collect Data
- RE1.1 Establish and maintain a model for data collection
- RE1.2 Collect data on the operating environment
- RE1.3 Collect data on risk events
- RE1.4 Identify risk factors
- RE2 Analyse Risk
- RE2.1 Define IT risk analysis scope
- RE2.2 Estimate IT risk
- RE2.3 Identify risk response options
- RE2.4 Perform a peer review of IT risk analysis
- RE3 Maintain Risk Profile
- RE3.1 Map IT resources to business processes
- RE3.2 Determines business criticality of IT resources
- RE3.3 Understand IT capabilities
- RE3.4 Update risk scenario components
- RE3.5 Maintain the IT risk register and iT risk map
- RE3.6 Develop IT risk indicators
- RE1 Collect Data
- Risk Response: Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities. It is based on the following processes:
- RR1 Articulate Risk
- RR1.1 Communicate IT risk analysis results
- RR1.2 Report IT risk management activities and state of compliance
- RR1.3 Interpret independent IT assessment findings
- RR1.4 Identify IT related opportunities
- RR2 Manage Risk
- RR2.1 Inventory controls
- RR2.2 Monitor operational alignment with risk tolerance thresholds
- RR2.3 Respond to discovered risk exposure and opportunity
- RR2.4 Implement controls
- RR2.5 Report IT risk action plan progress
- RR3 React to Events
- RR3.1 Maintain incident response plans
- RR3.2 Monitor IT risk
- RR3.3 Initiate incident response
- RR3.4 Communicate lessons learned from risk events
- RR1 Articulate Risk
Each process is detailed by:
- Process components
- Management practice
- Inputs and Outputs
- RACI chartsResponsibility assignment matrixA responsibility assignment matrix , also known as RACI matrix or Linear Responsibility Chart , describes the participation by various roles in completing tasks or deliverables for a project or business process...
- GoalGoalA goal is an objective, or a projected computation of affairs, that a person or a system plans or intends to achieve.Goal, GOAL or G.O.A.L may also refer to:Sport...
and metrics
For each domain a Maturity Model is depicted.
Risk evaluation
The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events. Risk IT does not prescribe a single method. Different methods are available. Among them there are:- Cobit Information criteria
- Balanced scorecardBalanced scorecardThe Balanced Scorecard is a strategic performance management tool - a semi-standard structured report, supported by proven design methods and automation tools, that can be used by managers to keep track of the execution of activities by the staff within their control and to monitor the...
- Extended balanced scorecard
- Westerman
- COSO
- Factor Analysis of Information RiskFactor Analysis of Information RiskFactor analysis of information risk is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events...
Risk scenarios
Risk scenarios is the hearth of risk evaluation process. Scenarios can be derived in two different and complementary ways:- a top-down approach from the overall business objectives to the most likely risk scenarios that can impact them.
- a bottom-up approach where a list of generic risk scenarios are applied to the organizaztion situation
Each risk scenarios is analysed determining frequency and impact, based on the risk factors
Risk factor (computing)
In Information security, Risk factor is a collectively name for circumstances affecting the likelihood or the impact of a security risk.- FAIR :...
.
Risk response
The purpose of defining a risk response is to bring risk in line with the overall defined risk appetiteRisk appetite
Risk Appetite is a method to help guide an organisation’s approach to risk and risk management.-Definition:The level of risk that an organisation is prepared to accept, before action is deemed necessary to reduce it...
of the organization after risk analysis: i.e. the residual risk should be within the risk tolerance limits.
The risk can be managed according four main strategy (or a combination of them):
- Risk avoidance, exiting the activities that give rise to the risk
- Risk mitigation, adopting measures to detect, reduce the frequency and/or impact of the risk
- Risk transfer, transferring to others part of the risk, by outsourcing dangerous activities or by insurance
- Risk acceptance: deliberately running the risk that has been identified, documented and measured.
Key risk indicator
Key Risk Indicator
A Key Risk Indicator, also known as a KRI, is a measure used in management to indicate how risky an activity is. It differs from a Key Performance Indicator in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future...
s are metrics capable of showing that the organizaztion is subject or has a high probability of being subject to a risk that exceeds the defined risk appetite
Risk appetite
Risk Appetite is a method to help guide an organisation’s approach to risk and risk management.-Definition:The level of risk that an organisation is prepared to accept, before action is deemed necessary to reduce it...
.
Practitioner Guide
The second important document about Risk IT is the Practitioner Guide.It is made up of eight sections:
- Defining a Risk Universe and Scoping Risk Management
- Risk Appetite and Risk Tolerance
- Risk Awareness, Communication and Reporting
- Expressing and Describing Risk
- Risk Scenarios
- Risk Response and Prioritisation
- A Risk Analysis Workflow
- Mitigation of IT Risk Using COBIT and Val IT
Relationship with other ISACA frameworks
Risk IT Framework complements ISACA’s COBITCOBIT
COBIT is a framework created by ISACA for information technology management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.-Overview:...
, which provides a comprehensive framework for the control and governance of business-driven information-technology-based (IT-based) solutions and services. While COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk, Risk IT sets good practices for the ends by providing a framework for
enterprises to identify, govern and manage IT risk.
Val IT
Val IT
Val IT is a governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards...
allows business managers to get business value from IT investments, by providing a governance framework. VAL IT can be used to evaluate the actions determined by the Risk management
Risk management
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...
process.
Relationship with other frameworks
Risk IT accept Factor Analysis of Information RiskFactor Analysis of Information Risk
Factor analysis of information risk is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events...
terminology and evaluation process.
ISO 27005
For a comparison of Risk IT processes and those foreseen by ISO/IEC 27005ISO/IEC 27005
ISO/IEC 27005, part of a growing family of ISO/IEC ISMS standards, the 'ISO/IEC 27000 series', is an information security standard published by the International Organization for Standardization and the International Electrotechnical Commission...
standard, see IT risk management#Risk management methodology and IT risk management#ISO 27005 framework
ISO 31000
The Risk IT Practitioner Guide appendix 2 contains the comparison with ISO 31000ISO 31000
ISO 31000 is intended to be a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management...
See also
- Balanced scorecardBalanced scorecardThe Balanced Scorecard is a strategic performance management tool - a semi-standard structured report, supported by proven design methods and automation tools, that can be used by managers to keep track of the execution of activities by the staff within their control and to monitor the...
- COBITCOBITCOBIT is a framework created by ISACA for information technology management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.-Overview:...
- COSO
- Enterprise risk managementEnterprise Risk ManagementEnterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives...
- Factor Analysis of Information RiskFactor Analysis of Information RiskFactor analysis of information risk is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events...
- ISACA
- ISO 31000ISO 31000ISO 31000 is intended to be a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management...
- IT riskIT riskInformation technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
- Key Risk IndicatorKey Risk IndicatorA Key Risk Indicator, also known as a KRI, is a measure used in management to indicate how risky an activity is. It differs from a Key Performance Indicator in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future...
- RiskRiskRisk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...
- Risk appetiteRisk appetiteRisk Appetite is a method to help guide an organisation’s approach to risk and risk management.-Definition:The level of risk that an organisation is prepared to accept, before action is deemed necessary to reduce it...
- Risk factor (computing)Risk factor (computing)In Information security, Risk factor is a collectively name for circumstances affecting the likelihood or the impact of a security risk.- FAIR :...
- Risk managementRisk managementRisk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...
- Risk tolerance
- Val ITVal ITVal IT is a governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards...