Wikipedia

Risk IT

Risk IT Framework, published in 2009 by ISACA,[1] provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. It is the result of a work group composed of industry experts and academics from different nations, from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.

Definition

IT risk is a part of business risk — specifically, the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives.[1]

Management of business risk is an essential component of the responsible administration of any organization. Owing to IT's importance to the overall business, IT risk should be treated like other key business risks.[citation needed]

The Risk IT framework[1] explains IT risk and enables users to:

  • Integrate the management of IT risk with the overall enterprise risk management (ERM)
  • Compare assessed IT risk with risk appetite and risk tolerance of the organization
  • Understand how to manage the risk

IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue for the IT department.

IT risk can be categorized in different ways:

  • IT Benefit/Value Enabler: risks related to missed opportunities to increase business value through IT-enabled or IT-improved processes
  • IT Program/Project Delivery: risks related to the management of IT-related projects intended to enable or improve the business, i.e. the risk that such projects run over budget, are delivered late, or are not delivered at all
  • IT Operation and Service Delivery: risks associated with the day-to-day operation and service delivery of IT that can cause issues or inefficiency in the business operations of an organization

The Risk IT framework is based on the principles of enterprise risk management standards and frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework and ISO 31000. In this way, IT risk can be understood by upper management in the same terms as other enterprise risks.

IT risk communication components

Major IT risk communication flows are:

  • Expectation: what the organization expects as the final result and the behaviour it expects of employees and management; it encompasses strategy, policies, procedures, and awareness training
  • Capability: how well the organization is able to manage the risk
  • Status: information on the actual state of IT risk; it encompasses the risk profile of the organization, key risk indicators (KRIs), events, and the root causes of loss events

Effective communication should be:

  • Clear
  • Concise
  • Useful
  • Timely
  • Aimed at the correct target audience
  • Available on a need-to-know basis[citation needed]

Risk IT domains and processes

The three domains of the Risk IT framework are listed below with the contained processes (three per domain). Each process contains a number of activities:

  1. Risk Governance: Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. It is based on the following processes:[1]
    1. RG1 Establish and Maintain a Common Risk View
      1. RG1.1 Perform enterprise IT risk assessment
      2. RG1.2 Propose IT risk tolerance thresholds
      3. RG1.3 Approve IT risk tolerance
      4. RG1.4 Align IT risk policy
      5. RG1.5 Promote IT risk aware culture
      6. RG1.6 Encourage effective communication of IT risk
    2. RG2 Integrate With ERM
      1. RG2.1 Establish and maintain accountability for IT risk management
      2. RG2.2 Coordinate IT risk strategy and business risk strategy
      3. RG2.3 Adapt IT risk practices to enterprise risk practices
      4. RG2.4 Provide adequate resources for IT risk management
      5. RG2.5 Provide independent assurance over IT risk management
    3. RG3 Make Risk-Aware Business Decisions
      1. RG3.1 Gain management buy-in for the IT risk analysis approach
      2. RG3.2 Approve IT risk analysis
      3. RG3.3 Embed IT risk consideration in strategic business decision making
      4. RG3.4 Accept IT risk
      5. RG3.5 Prioritize IT risk response activities
  2. Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analyzed, and presented in business terms. It is based on the following processes:
    1. RE1 Collect Data
      1. RE1.1 Establish and maintain a model for data collection
      2. RE1.2 Collect data on the operating environment
      3. RE1.3 Collect data on risk events
      4. RE1.4 Identify risk factors
    2. RE2 Analyze Risk
      1. RE2.1 Define IT risk analysis scope
      2. RE2.2 Estimate IT risk
      3. RE2.3 Identify risk response options
      4. RE2.4 Perform a peer review of IT risk analysis
    3. RE3 Maintain Risk Profile
      1. RE3.1 Map IT resources to business processes
      2. RE3.2 Determine business criticality of IT resources
      3. RE3.3 Understand IT capabilities
      4. RE3.4 Update risk scenario components
      5. RE3.5 Maintain the IT risk register and IT risk map
      6. RE3.6 Develop IT risk indicators
  3. Risk Response: Ensure that IT-related risk issues, opportunities, and events are addressed in a cost-effective manner and in line with business priorities. It is based on the following processes:
    1. RR1 Articulate Risk
      1. RR1.1 Communicate IT risk analysis results
      2. RR1.2 Report IT risk management activities and state of compliance
      3. RR1.3 Interpret independent IT assessment findings
      4. RR1.4 Identify IT related opportunities
    2. RR2 Manage Risk
      1. RR2.1 Inventory controls
      2. RR2.2 Monitor operational alignment with risk tolerance thresholds
      3. RR2.3 Respond to discovered risk exposure and opportunity
      4. RR2.4 Implement controls
      5. RR2.5 Report IT risk action plan progress
    3. RR3 React to Events
      1. RR3.1 Maintain incident response plans
      2. RR3.2 Monitor IT risk
      3. RR3.3 Initiate incident response
      4. RR3.4 Communicate lessons learned from risk events

Each process is detailed by:

  • Process components
  • Management practice
  • Inputs and Outputs
  • RACI charts
  • Goal and metrics

For each domain a Maturity Model is depicted.[citation needed]

Risk evaluation

The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events. Risk IT does not prescribe a single method; different methods are available, among them:

  • COBIT information criteria
  • Balanced scorecard
  • Extended balanced scorecard
  • Westerman[2]
  • COSO
  • Factor Analysis of Information Risk

Risk scenarios

Risk scenarios are the heart of the risk evaluation process. Scenarios can be derived in two different and complementary ways:

  • a top-down approach, from the overall business objectives to the risk scenarios most likely to impact them.
  • a bottom-up approach, where a list of generic risk scenarios is applied to the organization's situation.

Each risk scenario is analyzed to determine frequency and impact, based on the risk factors.

Risk response

The purpose of defining a risk response is to bring risk in line with the overall defined risk appetite of the organization after risk analysis: i.e. the residual risk should be within the risk tolerance limits.

The risk can be managed according to four main strategies (or a combination of them):

  • Risk avoidance: exiting the activities that give rise to the risk.
  • Risk mitigation: adopting measures to detect and reduce the frequency and/or impact of the risk.
  • Risk transfer: transferring part of the risk to others, by outsourcing risky activities or by insurance.
  • Risk acceptance: deliberately running the risk that has been identified, documented and measured.

Key risk indicators are metrics capable of showing that the organization has a high probability of being subject to a risk that exceeds the defined risk appetite.
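The scenario analysis (frequency and impact per scenario), the residual-risk-versus-tolerance check and the KRI early warning described above, as an added toy model that is not part of Risk IT or ISACA's publications: the 1..5 rating scale, the tolerance value, the controls, the KRIs and the three scenarios (one per IT risk category on this page) are all constructed for illustration, and the mitigation search in `plan_response` is an assumption about how a team might pick among the four strategies.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    freq_reduction: int = 0    # constructed: scale points removed from frequency
    impact_reduction: int = 0  # constructed: scale points removed from impact

@dataclass
class KRI:
    name: str
    threshold: float           # crossing it signals likelihood above appetite
    observed: float

    def breached(self) -> bool:
        return self.observed > self.threshold

@dataclass
class RiskScenario:
    name: str
    category: str              # one of the page's three IT risk categories
    frequency: int             # inherent rating, 1 (rare) .. 5 (frequent)
    impact: int                # inherent rating, 1 (minor) .. 5 (severe)
    controls: list = field(default_factory=list)
    kris: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.frequency * self.impact

    def residual(self) -> int:
        """Rating after controls; neither factor may drop below 1."""
        freq = max(1, self.frequency - sum(c.freq_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return freq * imp

    def status(self, tolerance: int) -> str:
        if self.residual() > tolerance:
            return "exceeds tolerance"
        if any(k.breached() for k in self.kris):
            return "KRI breached"   # within tolerance on paper, but drifting
        return "within tolerance"

def evaluate_register(register: list, tolerance: int) -> dict:
    """RE2.2/RR2.2 in miniature: (inherent, residual, status) per scenario."""
    return {s.name: (s.inherent(), s.residual(), s.status(tolerance)) for s in register}

def plan_response(s: RiskScenario, candidates: list, tolerance: int) -> str:
    """Accept within tolerance, re-assess on a KRI breach, otherwise mitigate with
    the first candidate control that restores tolerance; if none does, the
    business must decide on transfer or avoidance (assumed decision rule)."""
    status = s.status(tolerance)
    if status == "within tolerance":
        return "accept"
    if status == "KRI breached":
        return "re-assess: KRI breached"
    for c in candidates:
        trial = RiskScenario(s.name, s.category, s.frequency, s.impact, s.controls + [c])
        if trial.residual() <= tolerance:
            return f"mitigate: {c.name}"
    return "transfer or avoid"

# Constructed register and tolerance threshold (not taken from the framework).
TOLERANCE = 8
REGISTER = [
    RiskScenario("Ransomware on file servers", "IT Operation and Service Delivery", 4, 5,
                 controls=[Control("offline backups", impact_reduction=2)],
                 kris=[KRI("critical patches open > 30 days", threshold=5, observed=12)]),
    RiskScenario("ERP migration delivered late", "IT Program/Project Delivery", 2, 3,
                 kris=[KRI("milestones slipped this quarter", threshold=1, observed=2)]),
    RiskScenario("Online channel not launched", "IT Benefit/Value Enabler", 2, 2),
]
CANDIDATES = [Control("EDR on servers", freq_reduction=1),
              Control("network segmentation", freq_reduction=1, impact_reduction=1)]
```

For the ransomware scenario the first candidate (EDR) leaves the residual rating at 9, still above the tolerance of 8, so the search moves on to segmentation, which brings it to 6.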

Practitioner Guide

The second important document about Risk IT is the Practitioner Guide.[3] It is made up of eight sections:

  1. Defining a Risk Universe and Scoping Risk Management
  2. Risk Appetite and Risk Tolerance
  3. Risk Awareness, Communication, and Reporting
  4. Expressing and Describing Risk
  5. Risk Scenarios
  6. Risk Response and Prioritization
  7. Risk Analysis Workflow
  8. Mitigation of IT Risk Using COBIT and Val IT[citation needed]

Relationship with other ISACA frameworks

Risk IT Framework complements ISACA’s COBIT, which provides a comprehensive framework for the control and governance of business-driven, IT-based solutions and services. While COBIT sets best practices for managing risk by providing a set of controls to mitigate IT risk, Risk IT provides a framework of best practices for enterprises to identify, govern, and manage IT risk.

Val IT provides a governance framework that allows business managers to obtain business value from IT investments. Val IT can be used to evaluate the actions determined by the risk management process.

Relationship with other frameworks

Risk IT adopts the terminology and evaluation process of Factor Analysis of Information Risk (FAIR).

ISO 27005

For a comparison of the Risk IT processes with those foreseen by the ISO/IEC 27005 standard, see the sections "Risk management methodology" and "ISO 27005 framework" of the IT risk management article.

ISO 31000

The Risk IT Practitioner Guide[3] appendix 2 contains the comparison with ISO 31000.

COSO

The Risk IT Practitioner Guide[3] appendix 4 contains the comparison with COSO.

See also

  • COBIT
  • COSO
  • Enterprise risk management
  • Factor analysis of information risk (FAIR)
  • ISACA
  • ISO 31000
  • Risk
  • Risk appetite
  • Risk factor (computing)
  • Risk management
  • Risk tolerance
  • Val IT
  • Gordon–Loeb model for cyber security investments[citation needed]

References

  1. ISACA, The Risk IT Framework (registration required)
  2. George Westerman, Richard Hunter, IT Risk: Turning Business Threats into Competitive Advantage, Harvard Business School Press, ISBN 1-4221-0666-7, ISBN 978-1-4221-0666-2
  3. ISACA, The Risk IT Practitioner Guide, ISBN 978-1-60420-116-1 (registration required)

External links

  • Risk IT main page on ISACA web site
