Risk IT

Risk IT Framework, published in 2009 by ISACA, [1] provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. It is the result of a work group composed of industry experts and academics from different nations, from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.

Definition

IT risk is a part of business risk — specifically, the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives. [1]

Management of business risk is an essential component of the responsible administration of any organization. Owing to IT's importance to the overall business, IT risk should be treated like other key business risks.

The Risk IT framework [1] explains IT risk and enables users to:

IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue for the IT department.

IT risk can be categorized in different ways:

  • IT Benefit/Value Enabler: risks related to missed opportunities to increase business value through IT-enabled or IT-improved processes.
  • IT Program/Project Delivery: risks related to the management of IT-related projects intended to enable or improve the business, i.e. the risk that these projects run over budget, are delivered late, or are not delivered at all.
  • IT Operation and Service Delivery: risks associated with the day-to-day operation and service delivery of IT that can cause issues or inefficiency in the business operations of an organization.

The Risk IT framework is based on the principles of enterprise risk management standards/frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework and ISO 31000. In this way, IT risk can be understood by upper management.

IT risk communication components

Major IT risk communication flows are:

Effective communication should be:

Risk IT domains and processes

The three domains of the Risk IT framework are listed below with the contained processes (three per domain). Each process contains a number of activities:

  1. Risk Governance: Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. It is based on the following processes: [1]
    1. RG1 Establish and Maintain a Common Risk View
      1. RG1.1 Perform enterprise IT risk assessment
      2. RG1.2 Propose IT risk tolerance thresholds
      3. RG1.3 Approve IT risk tolerance
      4. RG1.4 Align IT risk policy
      5. RG1.5 Promote IT risk aware culture
      6. RG1.6 Encourage effective communication of IT risk
    2. RG2 Integrate With ERM
      1. RG2.1 Establish and maintain accountability for IT risk management
      2. RG2.2 Coordinate IT risk strategy and business risk strategy
      3. RG2.3 Adapt IT risk practices to enterprise risk practices
      4. RG2.4 Provide adequate resources for IT risk management
      5. RG2.5 Provide independent assurance over IT risk management
    3. RG3 Make Risk-Aware Business Decisions
      1. RG3.1 Gain management buy-in for the IT risk analysis approach
      2. RG3.2 Approve IT risk analysis
      3. RG3.3 Embed IT risk consideration in strategic business decision making
      4. RG3.4 Accept IT risk
      5. RG3.5 Prioritize IT risk response activities
  2. Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analyzed, and presented in business terms. It is based on the following processes:
    1. RE1 Collect Data
      1. RE1.1 Establish and maintain a model for data collection
      2. RE1.2 Collect data on the operating environment
      3. RE1.3 Collect data on risk events
      4. RE1.4 Identify risk factors
    2. RE2 Analyze Risk
      1. RE2.1 Define IT risk analysis scope
      2. RE2.2 Estimate IT risk
      3. RE2.3 Identify risk response options
      4. RE2.4 Perform a peer review of IT risk analysis
    3. RE3 Maintain Risk Profile
      1. RE3.1 Map IT resources to business processes
      2. RE3.2 Determine business criticality of IT resources
      3. RE3.3 Understand IT capabilities
      4. RE3.4 Update risk scenario components
      5. RE3.5 Maintain the IT risk register and IT risk map
      6. RE3.6 Develop IT risk indicators
  3. Risk Response: Ensure that IT-related risk issues, opportunities, and events are addressed in a cost-effective manner and in line with business priorities. It is based on the following processes:
    1. RR1 Articulate Risk
      1. RR1.1 Communicate IT risk analysis results
      2. RR1.2 Report IT risk management activities and state of compliance
      3. RR1.3 Interpret independent IT assessment findings
      4. RR1.4 Identify IT related opportunities
    2. RR2 Manage Risk
      1. RR2.1 Inventory controls
      2. RR2.2 Monitor operational alignment with risk tolerance thresholds
      3. RR2.3 Respond to discovered risk exposure and opportunity
      4. RR2.4 Implement controls
      5. RR2.5 Report IT risk action plan progress
    3. RR3 React to Events
      1. RR3.1 Maintain incident response plans
      2. RR3.2 Monitor IT risk
      3. RR3.3 Initiate incident response
      4. RR3.4 Communicate lessons learned from risk events

Each process is detailed by:

For each domain a Maturity Model is depicted.

Risk evaluation

The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events. Risk IT does not prescribe a single method. Different methods are available. Among them there are:

Risk scenarios

Risk scenarios are the heart of the risk evaluation processes. Scenarios can be derived in two different and complementary ways:

  • a top-down approach, starting from the overall business objectives and working towards the most likely risk scenarios that can impact them.
  • a bottom-up approach, in which a list of generic risk scenarios is applied to the organization's specific situations.

Each risk scenario is analyzed to determine frequency and impact, based on the risk factors.

Risk response

The purpose of defining a risk response is to bring risk in line with the overall defined risk appetite of the organization after risk analysis: i.e. the residual risk should be within the risk tolerance limits.

The risk can be managed according to four main strategies (or a combination of them):

Key risk indicators are metrics capable of showing that the organization has a high probability of being exposed to a risk that exceeds the defined risk appetite.
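The two steps described above, analysing each scenario for frequency and impact and then checking that the residual risk after the chosen response stays within tolerance, can be illustrated with a small risk register. The following is an added example, not code from ISACA or from the Risk IT framework. Risk IT does not prescribe a quantification method, so the "expected annual loss = frequency × impact" formula, the four response strategies as an enumeration, the fractional `reduction` attributed to a response, and every scenario name, figure, threshold and KRI below are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    """Four main response strategies (assumed labelling, see lead-in)."""
    AVOID = "avoid"        # stop the activity that carries the risk
    MITIGATE = "mitigate"  # add controls that cut frequency or impact
    TRANSFER = "transfer"  # shift (part of) the loss to a third party, e.g. insurance
    ACCEPT = "accept"      # knowingly retain the risk


@dataclass
class Scenario:
    name: str
    frequency: float          # expected occurrences per year (hypothetical figure)
    impact: float             # loss per occurrence in currency units (hypothetical)
    response: Response = Response.ACCEPT
    reduction: float = 0.0    # share of inherent risk removed by the response, 0..1

    def inherent(self) -> float:
        # Assumed quantification: expected annual loss = frequency x impact.
        return round(self.frequency * self.impact, 2)

    def residual(self) -> float:
        # Avoiding the activity removes the scenario; other responses scale it down.
        if self.response is Response.AVOID:
            return 0.0
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError(f"{self.name}: reduction must be between 0 and 1")
        return round(self.inherent() * (1.0 - self.reduction), 2)


def evaluate(scenarios, scenario_tolerance, appetite):
    """Compare residual risk with a per-scenario tolerance and the total appetite."""
    residuals = {s.name: s.residual() for s in scenarios}
    over = sorted(n for n, r in residuals.items() if r > scenario_tolerance)
    total = round(sum(residuals.values()), 2)
    return {
        "residual": residuals,
        "over_tolerance": over,       # scenarios that still need a response
        "total_residual": total,
        "within_appetite": total <= appetite,
    }


@dataclass
class KRI:
    """A key risk indicator: a metric whose threshold signals rising exposure."""
    name: str
    threshold: float

    def breached(self, value: float) -> bool:
        return value > self.threshold


# Constructed sample register; names, frequencies and impacts are illustrative only.
SAMPLE_SCENARIOS = [
    Scenario("Ransomware outage of order-processing system", 0.2, 500_000,
             Response.MITIGATE, reduction=0.7),
    Scenario("Late delivery of ERP migration project", 0.5, 200_000,
             Response.ACCEPT),
    Scenario("Compromise of unsupported legacy server", 1.0, 80_000,
             Response.AVOID),   # server decommissioned: scenario no longer applies
    Scenario("Cloud provider data-centre outage", 0.1, 300_000,
             Response.TRANSFER, reduction=0.8),
]

# Constructed KRIs with hypothetical thresholds.
SAMPLE_KRIS = {
    "servers with critical patches older than 30 days": KRI("patch backlog", 25),
    "failed backup jobs in the last 7 days": KRI("backup failures", 2),
}


def kri_report(observed):
    """Map each KRI name to whether its observed value breaches the threshold."""
    return {name: kri.breached(observed[name]) for name, kri in SAMPLE_KRIS.items()}


if __name__ == "__main__":
    result = evaluate(SAMPLE_SCENARIOS, scenario_tolerance=50_000, appetite=150_000)
    for name, r in result["residual"].items():
        print(f"{name}: residual {r:,.0f}")
    print("over tolerance:", result["over_tolerance"])
    print("total residual:", result["total_residual"],
          "within appetite:", result["within_appetite"])
    print(kri_report({"servers with critical patches older than 30 days": 40,
                      "failed backup jobs in the last 7 days": 1}))
```

With the constructed figures, the accepted ERP project scenario is the only one whose residual risk exceeds the per-scenario tolerance, so it is the one that needs a revised response, while the register as a whole still sits inside the total appetite; the patch-backlog KRI breaches its threshold, which is the kind of early signal the text attributes to key risk indicators.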

Practitioner Guide

The second important document about Risk IT is the Practitioner Guide. [3] It is made up of eight sections:

  1. Defining a Risk Universe and Scoping Risk Management
  2. Risk Appetite and Risk Tolerance
  3. Risk Awareness, Communication, and Reporting
  4. Expressing and Describing Risk
  5. Risk Scenarios
  6. Risk Response and Prioritization
  7. Risk Analysis Workflow
  8. Mitigation of IT Risk Using COBIT and Val IT

Relationship with other ISACA frameworks

Risk IT Framework complements ISACA’s COBIT, which provides a comprehensive framework for the control and governance of business-driven, IT-based solutions and services. While COBIT sets best practices for managing risk by providing a set of controls to mitigate IT risk, Risk IT provides a framework of best practices for enterprises to identify, govern, and manage IT risk.

Val IT allows business managers to get business value from IT investments, by providing a governance framework. Val IT can be used to evaluate the actions determined by the Risk management process.

Relationship with other frameworks

Risk IT adopts the terminology and evaluation process of Factor Analysis of Information Risk (FAIR).

ISO 27005

For a comparison of the Risk IT processes with those foreseen by the ISO/IEC 27005 standard, see the sections "Risk management methodology" and "ISO 27005 framework" of the IT risk management article.

ISO 31000

The Risk IT Practitioner Guide [3] appendix 2 contains the comparison with ISO 31000.

COSO

The Risk IT Practitioner Guide [3] appendix 4 contains the comparison with COSO.

See also

Related Research Articles

Risk management: Identification, evaluation and control of risks

Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

Information technology (IT) governance is a subset discipline of corporate governance, focused on information technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and the ISO 9001 Quality management system.

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

The chief risk officer (CRO), chief risk management officer (CRMO), or chief risk and compliance officer (CRCO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations, such as Sarbanes–Oxley, and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as chief executive officer and chief financial officer.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992, COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives, assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

ISACA is an international professional association focused on IT governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only. ISACA currently offers 8 certification programs, as well as other micro-certificates.

An incident is an event that could lead to loss of, or disruption to, an organization's operations, services or functions. Incident management (IcM) is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence. These incidents within a structured organization are normally dealt with by either an incident response team (IRT), an incident management team (IMT), or Incident Command System (ICS). Without effective incident management, an incident can disrupt business operations, information security, IT systems, employees, customers, or other vital business functions.

Governance, risk management and compliance (GRC) is the term covering an organization's approach across these three practices: governance, risk management, and compliance.

Val IT is a governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards at an enterprise level. The latest release of the framework, published by IT Governance Institute (ITGI), based on the experience of global practitioners and academics, practices and methodologies was named Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0. It covers processes and key management practices for three specific domains and goes beyond new investments to include IT services, assets, other resources and principles and processes for IT portfolio management.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.

A key risk indicator (KRI) is a measure used in management to indicate how risky an activity is. Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise. It differs from a key performance indicator (KPI) in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future adverse impact. KRI give an early warning to identify potential events that may harm continuity of the activity/project.

ISO/IEC 27005 "Information technology — Security techniques — Information security risk management" is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information. It is a core part of the ISO/IEC 27000-series of standards, commonly known as ISO27k.

Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. The ISO 31000 risk management standard refers to risk appetite as the "Amount and type of risk that an organization is prepared to pursue, retain or take". This concept helps guide an organization's approach to risk and risk management.

ISO 31000 is a family of international standards relating to risk management codified by the International Organization for Standardization. The standard is intended to provide a consistent vocabulary and methodology for assessing and managing risk, resolving the historic ambiguities and differences in the ways risks are described.

In information security, risk factor is a collective name for circumstances affecting the likelihood or impact of a security risk.

IT risk management

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

NIST Cybersecurity Framework (CSF) is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology (NIST) based on existing standards, guidelines, and practices. The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes", in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context. It has been translated to many languages, and is used by several governments and a wide range of businesses and organizations.

ISO 22300:2021, Security and resilience – Vocabulary, is an international standard developed by ISO/TC 292 Security and resilience. This document defines terms used in security and resilience standards and includes 360 terms and definitions. This edition was published in the beginning of 2021 and replaces the second edition from 2018.

References

  1. ISACA, The Risk IT Framework (registration required)
  2. George Westerman, Richard Hunter, IT Risk: Turning Business Threats into Competitive Advantage, Harvard Business School Press, ISBN 1-4221-0666-7, ISBN 978-1-4221-0666-2
  3. ISACA, The Risk IT Practitioner Guide, ISBN 978-1-60420-116-1 (registration required)