Key component of information assurance practices

Risk IT Framework, published in 2009 by ISACA, provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. It is the result of a work group composed of industry experts and academics from different nations, from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.

Definition

IT risk is a part of business risk — specifically, the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives.

Management of business risk is an essential component of the responsible administration of any organization. Owing to IT's importance to the overall business, IT risk should be treated like other key business risks.

The Risk IT framework explains IT risk and enables users to:
Integrate the management of IT risk with the overall ERM
Compare assessed IT risk with the risk appetite and risk tolerance of the organization
Understand how to manage the risk

IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue of the IT department.

IT risk can be categorized in different ways:
IT Benefit/Value Enabler: risks related to missed opportunities to increase business value through IT-enabled or IT-improved processes
IT Program/Project Delivery: risks related to the management of IT-related projects intended to enable or improve the business, i.e. the risk of over-budgeting, late delivery, or no delivery at all of these projects
IT Operation and Service Delivery: risks associated with the day-to-day operations and service delivery of IT that can cause issues or inefficiency in the business operations of an organization

The Risk IT framework is based on the principles of enterprise risk management standards/frameworks such as Committee of Sponsoring Organizations of the Treadway Commission ERM and ISO 31000. In this way, IT risk can be understood by upper management.

IT risk communication components

Major IT risk communication flows are:
Expectation: what the organization expects as the final result and what the expected behaviour of employees and management is; it encompasses strategy, policies, procedures, and awareness training
Capability: indicates how well the organization is able to manage the risk
Status: information on the actual status of IT risk; it encompasses the risk profile of the organization, key risk indicators (KRI), events, and the root causes of loss events

Effective communication should be:
Clear
Concise
Useful
Timely
Aimed at the correct target audience
Available on a need-to-know basis

Risk IT domains and processes

The three domains of the Risk IT framework are listed below with the processes they contain (three per domain). Each process contains a number of activities:

Risk Governance: Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. It is based on the following processes:
RG1 Establish and Maintain a Common Risk View
RG1.1 Perform enterprise IT risk assessment
RG1.2 Propose IT risk tolerance thresholds
RG1.3 Approve IT risk tolerance
RG1.4 Align IT risk policy
RG1.5 Promote IT risk aware culture
RG1.6 Encourage effective communication of IT risk
RG2 Integrate With ERM
RG2.1 Establish and maintain accountability for IT risk management
RG2.2 Coordinate IT risk strategy and business risk strategy
RG2.3 Adapt IT risk practices to enterprise risk practices
RG2.4 Provide adequate resources for IT risk management
RG2.5 Provide independent assurance over IT risk management
RG3 Make Risk-Aware Business Decisions
RG3.1 Gain management buy-in for the IT risk analysis approach
RG3.2 Approve IT risk analysis
RG3.3 Embed IT risk consideration in strategic business decision making
RG3.4 Accept IT risk
RG3.5 Prioritize IT risk response activities

Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analyzed, and presented in business terms. It is based on the following processes:
RE1 Collect Data
RE1.1 Establish and maintain a model for data collection
RE1.2 Collect data on the operating environment
RE1.3 Collect data on risk events
RE1.4 Identify risk factors
RE2 Analyze Risk
RE2.1 Define IT risk analysis scope
RE2.2 Estimate IT risk
RE2.3 Identify risk response options
RE2.4 Perform a peer review of IT risk analysis
RE3 Maintain Risk Profile
RE3.1 Map IT resources to business processes
RE3.2 Determine business criticality of IT resources
RE3.3 Understand IT capabilities
RE3.4 Update risk scenario components
RE3.5 Maintain the IT risk register and IT risk map
RE3.6 Develop IT risk indicators

Risk Response: Ensure that IT-related risk issues, opportunities, and events are addressed in a cost-effective manner and in line with business priorities. It is based on the following processes:
RR1 Articulate Risk
RR1.1 Communicate IT risk analysis results
RR1.2 Report IT risk management activities and state of compliance
RR1.3 Interpret independent IT assessment findings
RR1.4 Identify IT related opportunities
RR2 Manage Risk
RR2.1 Inventory controls
RR2.2 Monitor operational alignment with risk tolerance thresholds
RR2.3 Respond to discovered risk exposure and opportunity
RR2.4 Implement controls
RR2.5 Report IT risk action plan progress
RR3 React to Events
RR3.1 Maintain incident response plans
RR3.2 Monitor IT risk
RR3.3 Initiate incident response
RR3.4 Communicate lessons learned from risk events

Each process is detailed by:
Process components
Management practice
Inputs and Outputs
RACI charts
Goal and metrics

For each domain a Maturity Model is depicted.

Risk evaluation

The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events. Risk IT does not prescribe a single method. Different methods are available. Among them there are:
COBIT Information criteria
Balanced scorecard
Extended balanced scorecard (Westerman)
COSO
Factor Analysis of Information Risk

Risk scenarios

Risk scenarios are the heart of risk evaluation processes. Scenarios can be derived in two different and complementary ways:
a top-down approach from the overall business objectives to the most likely risk scenarios that can impact them.
a bottom-up approach where a list of generic risk scenarios is applied to organizational situations.

Each risk scenario is analyzed to determine frequency and impact, based on the risk factors.

Risk response

The purpose of defining a risk response is to bring risk in line with the overall defined risk appetite of the organization after risk analysis: i.e. the residual risk should be within the risk tolerance limits.

The risk can be managed according to four main strategies (or a combination of them):
Risk avoidance: exiting the activities that give rise to the risk.
Risk mitigation: adopting measures to detect and reduce the frequency and/or impact of the risk.
Risk transfer: transferring part of the risk to others, by outsourcing dangerous activities or by insurance.
Risk acceptance: deliberately running the risk that has been identified, documented and measured.

Key risk indicators are metrics capable of showing that the organization has a high probability of being subject to a risk that exceeds the defined risk appetite.

Practitioner Guide

The second important document about Risk IT is the Practitioner Guide. It is made up of eight sections:
Defining a Risk Universe and Scoping Risk Management
Risk Appetite and Risk Tolerance
Risk Awareness, Communication, and Reporting
Expressing and Describing Risk
Risk Scenarios
Risk Response and Prioritization
Risk Analysis Workflow
Mitigation of IT Risk Using COBIT and Val IT

Relationship with other ISACA frameworks

Risk IT Framework complements ISACA's COBIT, which provides a comprehensive framework for the control and governance of business-driven, IT-based solutions and services. While COBIT sets best practices for managing risk by providing a set of controls to mitigate IT risk, Risk IT provides a framework of best practices for enterprises to identify, govern, and manage IT risk.

Val IT allows business managers to get business value from IT investments by providing a governance framework. Val IT can be used to evaluate the actions determined by the risk management process.

Relationship with other frameworks

Risk IT accepts Factor Analysis of Information Risk terminology and evaluation process.

ISO 27005

For a comparison of Risk IT processes and those foreseen by the ISO/IEC 27005 standard, see IT risk management#Risk management methodology and IT risk management#ISO 27005 framework.

ISO 31000

The Risk IT Practitioner Guide appendix 2 contains the comparison with ISO 31000.

COSO

The Risk IT Practitioner Guide appendix 4 contains the comparison with COSO.

See also

COBIT
COSO
Enterprise risk management
Factor analysis of information risk (FAIR)
ISACA
ISO 31000
Risk
Risk appetite
Risk factor (computing)
Risk management
Risk tolerance
Val IT
Gordon–Loeb model for cyber security investments

References

ISACA, THE RISK IT FRAMEWORK (registration required)
George Westerman, Richard Hunter, IT risk: turning business threats into competitive advantage, Harvard Business School Press series, ISBN 1-4221-0666-7, ISBN 978-1-4221-0666-2
The Risk IT Practitioner Guide, ISACA, ISBN 978-1-60420-116-1 (registration required)

External links

Risk IT main page on ISACA web site