Risk IT Framework, published in 2009 by ISACA, [1] provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. It is the result of a work group composed of industry experts and academics from different nations, from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.
IT risk is a part of business risk — specifically, the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives. [1]
Management of business risk is an essential component of the responsible administration of any organization. Owing to IT's importance to the overall business, IT risk should be treated like other key business risks.
The Risk IT framework [1] explains IT risk and enables users to:
IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue for the IT department.
IT risk can be categorized in different ways:
The Risk IT framework is based on the principles of enterprise risk management standards and frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework and ISO 31000. In this way, IT risk can be understood by upper management.
Major IT risk communication flows are:
Effective communication should be:
The three domains of the Risk IT framework are listed below with the contained processes (three per domain). Each process contains a number of activities:
Each process is detailed by:
For each domain a Maturity Model is depicted.
The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events. Risk IT does not prescribe a single method; several methods are available, among them:
Risk scenarios are the heart of the risk evaluation process. Scenarios can be derived in two different and complementary ways:
Each risk scenario is analyzed to determine frequency and impact, based on the risk factors.
The purpose of defining a risk response is to bring risk in line with the overall defined risk appetite of the organization after risk analysis: i.e. the residual risk should be within the risk tolerance limits.
The risk can be managed according to four main strategies (or a combination of them):
Key risk indicators are metrics capable of showing that the organization has a high probability of being subject to a risk that exceeds the defined risk appetite.
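The steps described above (rating each scenario for frequency and impact, choosing a response, checking that residual risk stays within tolerance, and watching key risk indicators) can be illustrated with a small risk-register evaluator. The following is an added example and is not code from ISACA or the Risk IT publications: the 1-to-5 rating scales, the tolerance limit, the effect each response has on the ratings, the scenario values and the indicator thresholds are all constructed assumptions for the demonstration, and the four strategies are assumed to be avoid, reduce, share and accept.

```python
from dataclasses import dataclass

# Constructed ordinal scales: frequency and impact are each rated 1 (lowest)
# to 5 (highest); exposure = frequency * impact, so inherent exposure runs 1..25.
RISK_TOLERANCE = 8  # assumed tolerance limit: residual exposure above this is unacceptable

# Assumed effect of the four response strategies on the (frequency, impact) pair.
# The factors are illustrative, not values prescribed by Risk IT.
RESPONSE_EFFECT = {
    "avoid":  lambda f, i: (0, 0),              # activity stopped: no remaining exposure
    "reduce": lambda f, i: (max(1, f - 2), i),  # controls lower how often the event occurs
    "share":  lambda f, i: (f, max(1, i - 2)),  # transfer (e.g. insurance) lowers the loss borne
    "accept": lambda f, i: (f, i),              # risk is knowingly retained unchanged
}


@dataclass
class Scenario:
    name: str
    frequency: int          # 1 (rare) .. 5 (frequent)
    impact: int             # 1 (negligible) .. 5 (severe)
    response: str = "accept"


def _check_rating(value: int, label: str) -> None:
    """Reject ratings outside the constructed 1..5 scale."""
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be between 1 and 5, got {value}")


def inherent_exposure(s: Scenario) -> int:
    """Exposure before any response is applied."""
    _check_rating(s.frequency, "frequency")
    _check_rating(s.impact, "impact")
    return s.frequency * s.impact


def residual_exposure(s: Scenario) -> int:
    """Exposure that remains after the chosen response strategy."""
    if s.response not in RESPONSE_EFFECT:
        raise ValueError(f"unknown response strategy: {s.response}")
    inherent_exposure(s)  # validates the ratings first
    f, i = RESPONSE_EFFECT[s.response](s.frequency, s.impact)
    return f * i


def evaluate_register(scenarios, tolerance=RISK_TOLERANCE):
    """One row per scenario: inherent and residual exposure plus a tolerance verdict."""
    rows = []
    for s in scenarios:
        residual = residual_exposure(s)
        rows.append({
            "scenario": s.name,
            "inherent": inherent_exposure(s),
            "response": s.response,
            "residual": residual,
            "within_tolerance": residual <= tolerance,
        })
    return rows


@dataclass
class KRI:
    name: str
    current: float
    threshold: float  # crossing it signals a high probability of exceeding appetite


def breached_kris(kris):
    """Names of indicators whose current value is past their threshold."""
    return [k.name for k in kris if k.current > k.threshold]


# Constructed sample register and indicators for the demonstration.
SAMPLE_REGISTER = [
    Scenario("Ransomware on file servers", frequency=3, impact=5, response="reduce"),
    Scenario("Cloud provider outage", frequency=2, impact=4, response="share"),
    Scenario("Legacy app past end of support", frequency=4, impact=3, response="accept"),
]
SAMPLE_KRIS = [
    KRI("critical patches older than 30 days", current=42, threshold=10),
    KRI("privileged accounts without MFA", current=0, threshold=0),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(row)
    print("KRIs breached:", breached_kris(SAMPLE_KRIS))
```

Running the sample shows the point of the residual-risk check: the accepted legacy-application scenario keeps an exposure of 12, above the assumed tolerance of 8, so "accept" is not a valid response for it and the register flags it, while the breached patch-age indicator warns that the ransomware scenario's reduced frequency rating is not being earned in practice.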
The second important document about Risk IT is the Practitioner Guide. [3] It is made up of eight sections:
Risk IT Framework complements ISACA’s COBIT, which provides a comprehensive framework for the control and governance of business-driven, IT-based solutions and services. While COBIT sets best practices for managing risk by providing a set of controls to mitigate IT risk, Risk IT provides a framework of best practices for enterprises to identify, govern, and manage IT risk.
Val IT allows business managers to get business value from IT investments, by providing a governance framework. Val IT can be used to evaluate the actions determined by the Risk management process.
Risk IT accepts Factor Analysis of Information Risk terminology and evaluation process.
For a comparison of Risk IT processes with those foreseen by the ISO/IEC 27005 standard, see IT risk management#Risk management methodology and IT risk management#ISO 27005 framework.
The Risk IT Practitioner Guide [3] appendix 2 contains the comparison with ISO 31000.
The Risk IT Practitioner Guide [3] appendix 4 contains the comparison with COSO.