12/5/2016 Risk IT - Wikipedia
Risk IT
From Wikipedia, the free encyclopedia
Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues.

Risk IT was published in 2009 by ISACA.[1] It is the result of a work group composed of industry experts and some academics from different nations, coming from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life and KPMG.
Contents
1 Definition
2 Risk IT principles
3 IT risk communication components
4 Risk IT domains and processes
  4.1 Risk evaluation
    4.1.1 Risk scenarios
  4.2 Risk response
5 Practitioner Guide
6 Relationship with other ISACA frameworks
7 Relationship with other frameworks
  7.1 ISO 27005
  7.2 ISO 31000
  7.3 COSO
8 See also
9 References
10 See also
11 External links
Definition
IT risk is a part of business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives.[1]

Management of business risk is an essential component of the responsible administration of any organization. Due to IT's importance to the overall business, IT risk should be treated like other key business risks.

The Risk IT framework[1] explains IT risk and enables users to:
- Integrate the management of IT risk with the overall ERM
- Compare assessed IT risk with the risk appetite and risk tolerance of the organization
- Understand how to manage the risk

IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue of the IT department.
IT risk can be categorised in different ways:

IT Benefit/Value enabler: risks related to missed opportunities to increase business value through IT-enabled or improved processes.

IT Programme/Project delivery: risks related to the management of IT-related projects intended to enable or improve the business: over-budget or late delivery (or no delivery at all) of these projects.

IT Operation and Service Delivery: risks associated with the day-by-day operations and service delivery of IT that can cause issues or inefficiency in the business operations of an organization.

The Risk IT framework is based on the principles of enterprise risk management standards/frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework and ISO 31000. In this way IT risk can be understood by upper management.
Risk IT principles
Risk IT is built around the following principles:[1]
- always align with business objectives
- align IT risk management with ERM
- balance the costs and benefits of IT risk management
- promote fair and open communication of IT risks
- establish the right tone at the top while defining and enforcing accountability
- operate as a continuous process and part of daily activities
IT risk communication components
The major IT risk communication flows are:
- Expectation: what the organization expects as the final result and what the expected behaviour of employees and management is; it encompasses strategy, policies, procedures and awareness training
- Capability: indicates how well the organization is able to manage the risk
- Status: information on the actual status of IT risk; it encompasses the risk profile of the organization, Key Risk Indicators, events and root causes of loss events

Effective information should be:
- Clear
- Concise
- Useful
- Timely
- Aimed at the correct target audience
- Available on a need-to-know basis
Risk IT domains and processes
The three domains of the Risk IT framework are listed below with the processes they contain (three per domain); each process contains a number of activities:

1. Risk Governance: Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. It is based on the following processes:[1]
   1. RG1 Establish and Maintain a Common Risk View
      1. RG1.1 Perform enterprise IT risk assessment
      2. RG1.2 Propose IT risk tolerance thresholds
      3. RG1.3 Approve IT risk tolerance
      4. RG1.4 Align IT risk policy
      5. RG1.5 Promote IT risk-aware culture
      6. RG1.6 Encourage effective communication of IT risk
   2. RG2 Integrate With ERM
      1. RG2.1 Establish and maintain accountability for IT risk management
      2. RG2.2 Coordinate IT risk strategy and business risk strategy
      3. RG2.3 Adapt IT risk practices to enterprise risk practices
      4. RG2.4 Provide adequate resources for IT risk management
      5. RG2.5 Provide independent assurance over IT risk management
   3. RG3 Make Risk-aware Business Decisions
      1. RG3.1 Gain management buy-in for the IT risk analysis approach
      2. RG3.2 Approve IT risk analysis
      3. RG3.3 Embed IT risk consideration in strategic business decision making
      4. RG3.4 Accept IT risk
      5. RG3.5 Prioritise IT risk response activities
2. Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analysed and presented in business terms. It is based on the following processes:
   1. RE1 Collect Data
      1. RE1.1 Establish and maintain a model for data collection
      2. RE1.2 Collect data on the operating environment
      3. RE1.3 Collect data on risk events
      4. RE1.4 Identify risk factors
   2. RE2 Analyse Risk
      1. RE2.1 Define IT risk analysis scope
      2. RE2.2 Estimate IT risk
      3. RE2.3 Identify risk response options
      4. RE2.4 Perform a peer review of IT risk analysis
   3. RE3 Maintain Risk Profile
      1. RE3.1 Map IT resources to business processes
      2. RE3.2 Determine business criticality of IT resources
      3. RE3.3 Understand IT capabilities
      4. RE3.4 Update risk scenario components
      5. RE3.5 Maintain the IT risk register and IT risk map
      6. RE3.6 Develop IT risk indicators
3. Risk Response: Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities. It is based on the following processes:
   1. RR1 Articulate Risk
      1. RR1.1 Communicate IT risk analysis results
      2. RR1.2 Report IT risk management activities and state of compliance
      3. RR1.3 Interpret independent IT assessment findings
      4. RR1.4 Identify IT-related opportunities
   2. RR2 Manage Risk
      1. RR2.1 Inventory controls
      2. RR2.2 Monitor operational alignment with risk tolerance thresholds
      3. RR2.3 Respond to discovered risk exposure and opportunity
      4. RR2.4 Implement controls
      5. RR2.5 Report IT risk action plan progress
   3. RR3 React to Events
      1. RR3.1 Maintain incident response plans
      2. RR3.2 Monitor IT risk
      3. RR3.3 Initiate incident response
      4. RR3.4 Communicate lessons learned from risk events

Each process is detailed by:
- Process components
- Management practices
- Inputs and outputs
- RACI charts
- Goals and metrics

For each domain a Maturity Model is depicted.
Risk evaluation
The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events. Risk IT does not prescribe a single method; different methods are available, among them:
- COBIT information criteria
- Balanced scorecard
- Extended balanced scorecard
- Westerman[2]
- COSO
- Factor Analysis of Information Risk
Risk scenarios
Risk scenarios are the heart of the risk evaluation process. Scenarios can be derived in two different and complementary ways:
- a top-down approach, from the overall business objectives to the most likely risk scenarios that can impact them
- a bottom-up approach, where a list of generic risk scenarios is applied to the organization's situation

Each risk scenario is analysed by determining its frequency and impact, based on the risk factors.
Risk response
The purpose of defining a risk response is to bring risk in line with the overall defined risk appetite of the organization after risk analysis, i.e. the residual risk.

The risk can be managed according to four main strategies (or a combination of them):
- Risk avoidance: exiting the activities that give rise to the risk
- Risk mitigation: adopting measures to detect the risk and reduce its frequency and/or impact
- Risk transfer: transferring part of the risk to others, by outsourcing dangerous activities or by insurance
- Risk acceptance: deliberately running a risk that has been identified, documented and measured

Key risk indicators are metrics capable of showing that the organization is subject, or has a high probability of being subject, to a risk that exceeds the defined risk appetite.
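As an added illustration (not from the Wikipedia article and not ISACA's own material), the Python sketch below walks one constructed risk scenario through the evaluation and response steps described above: estimate frequency and impact, compare the expected loss with the risk appetite, apply a mitigation to obtain the residual risk, and check a Key Risk Indicator against its tolerance threshold. The scenario, the figures and the appetite value are all constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed assumption: risk appetite expressed as the maximum expected
# annual loss (currency units) the organization will carry per scenario.
RISK_APPETITE = 50_000.0


@dataclass(frozen=True)
class RiskScenario:
    """One risk scenario with its frequency/impact estimate and one KRI."""
    name: str
    frequency: float       # expected loss events per year (RE2.2 estimate)
    impact: float          # expected loss per event, currency units
    kri_value: float       # current Key Risk Indicator reading
    kri_threshold: float   # tolerance threshold for that KRI (RG1.2 / RR2.2)

    def expected_annual_loss(self) -> float:
        # Frequency x impact is the basic magnitude used to compare scenarios
        return self.frequency * self.impact

    def within_appetite(self, appetite: float = RISK_APPETITE) -> bool:
        return self.expected_annual_loss() <= appetite

    def kri_breached(self) -> bool:
        # A KRI above its threshold signals probable exposure beyond appetite
        return self.kri_value > self.kri_threshold


def mitigate(s: RiskScenario, frequency_factor: float, impact_factor: float) -> RiskScenario:
    """Risk mitigation: a control scales frequency and/or impact; the result is the residual scenario."""
    return replace(s, frequency=s.frequency * frequency_factor, impact=s.impact * impact_factor)


def response_summary(inherent: RiskScenario, residual: RiskScenario, appetite: float = RISK_APPETITE) -> dict:
    """RR2.2-style check: is residual risk aligned with appetite, and does the KRI agree?"""
    return {
        "scenario": inherent.name,
        "inherent_loss": inherent.expected_annual_loss(),
        "residual_loss": residual.expected_annual_loss(),
        "residual_within_appetite": residual.within_appetite(appetite),
        "kri_breached": residual.kri_breached(),
    }


# Constructed sample: one outage scenario, KRI = days since the last recovery test.
SAMPLE_INHERENT = RiskScenario("Unplanned outage of order-processing service", 0.5, 400_000.0, 120, 90)
SAMPLE_RESIDUAL = mitigate(SAMPLE_INHERENT, frequency_factor=0.2, impact_factor=0.5)

if __name__ == "__main__":
    print(response_summary(SAMPLE_INHERENT, SAMPLE_RESIDUAL))
```

The sample shows why KRIs sit beside the loss estimate: the residual loss lands within appetite, yet the overdue recovery test means the control the estimate relies on has not been exercised, so the KRI still flags the scenario for review.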
Practitioner Guide
The second important document about Risk IT is the Practitioner Guide. It is made up of eight sections:
1. Defining a Risk Universe and Scoping Risk Management
2. Risk Appetite and Risk Tolerance
3. Risk Awareness, Communication and Reporting
4. Expressing and Describing Risk
5. Risk Scenarios
6. Risk Response and Prioritisation
7. A Risk Analysis Workflow
8. Mitigation of IT Risk Using COBIT and Val IT
Relationship with other ISACA frameworks
The Risk IT Framework complements ISACA's COBIT, which provides a comprehensive framework for the control and governance of business-driven, information-technology-based (IT-based) solutions and services. While COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk, Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risk.

Val IT allows business managers to get business value from IT investments by providing a governance framework. Val IT can be used to evaluate the actions determined by the risk management process.
Relationship with other frameworks
Risk IT adopts the terminology and evaluation process of Factor Analysis of Information Risk.

ISO 27005
For a comparison of Risk IT processes and those foreseen by the ISO/IEC 27005 standard, see IT risk management#Risk management methodology and IT risk management#ISO 27005 framework.

ISO 31000
The Risk IT Practitioner Guide[3], appendix 2, contains the comparison with ISO 31000.

COSO
The Risk IT Practitioner Guide[3], appendix 4, contains the comparison with COSO.
See also
- Balanced scorecard
- COBIT
- COSO
- Enterprise risk management
- Factor Analysis of Information Risk
- ISACA
- ISO 31000
- IT risk
- Key Risk Indicator
- Risk
- Risk appetite
- Risk factor (computing)
- Risk management
- Risk tolerance
- Val IT
References
Note from a novice: I read the instructions and can't figure out how to fix broken reference links, so I'll mention them here. The first reference below (whose URL contains 18Nov09-Research.pdf) should be:
http://www.isaca.org/Knowledge-Center/Research/Documents/Risk-IT-Framework_fak_Eng_0610.pdf
The third reference below (to the Risk IT Practitioner Guide) should be:
http://www.isaca.org/Knowledge-Center/Research/Documents/Risk-IT-Practitioner-Guide_res_Eng_0610.pdf
1. ISACA, THE RISK IT FRAMEWORK (registration required), http://www.isaca.org/Knowledge-Center/Research/Documents/RiskIT-FW-18Nov09-Research.pdf
2. George Westerman, Richard Hunter, IT Risk: Turning Business Threats into Competitive Advantage, Harvard Business School Press series, ISBN 1-4221-0666-7, ISBN 978-1-4221-0666-2
3. The Risk IT Practitioner Guide, ISACA, ISBN 978-1-60420-116-1 (registration required), http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/The-Risk-IT-Practitioner-Guide.aspx
See also
- LWG Consulting, Inc
External links
- Risk IT main page on the ISACA web site (http://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-Management/Pages/Risk-IT.aspx)
Retrieved from "https://en.wikipedia.org/w/index.php?title=Risk_IT&oldid=743823077"
Categories: Risk analysis methodologies | Information technology governance | IT risk management
This page was last modified on 11 October 2016, at 13:27.