Risk IT

The Risk IT framework, launched by ISACA in 2009, helps enterprises understand and manage Information Technology risk. Risk IT is a set of proven, real-world practices that help enterprises achieve their goals, seize opportunities and seek greater return with less risk. The framework integrates the management of IT risk into the organisation's overall Enterprise Risk Management by aligning controls with business priorities.

In 2012, Risk IT was integrated into COBIT 5.

Why Risk IT?

In business today, risk plays a critical role. Almost every business decision requires executives and managers to balance risk and reward. Effectively managing business risk is essential to an enterprise's success. (ISACA - Serving IT Governance Professionals)

Risk IT allows management to make well-informed decisions about the extent of the risk, the risk appetite and the risk response. The Risk IT framework examines the roles and responsibilities involved in risk governance, risk management and risk monitoring/reporting, and how those apply to the creation and maintenance of a risk glossary, a risk taxonomy and a risk register. The risk register is defined at the IT activity level, the IT process level, the IT level and the business process level. For each level of the risk register, a variety of incidents and their potential consequences are outlined.


Risk IT is a framework based on a set of guiding principles for effective management of IT risk. Risk IT works at the intersection of business and IT and allows enterprises to manage, and even capitalise on, risk in the pursuit of objectives. The guiding principles are:

  • Always connect to enterprise objectives
  • Align the management of IT-related business risk with overall enterprise risk management
  • Balance the costs and benefits of managing risk
  • Promote fair and open communication of IT risk
  • Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
  • Understand that this is a continuous process and an important part of daily activities


Risk IT

  • Provides guidance to help executives and management ask the key questions, make better, more informed risk-adjusted decisions and guide their enterprises so risk is managed effectively
  • Helps save time, cost and effort with tools to address business risks
  • Integrates the management of IT-related business risks into overall enterprise risk management
  • Helps leadership understand the enterprise’s risk appetite and risk tolerance
  • Provides practical guidance driven by the needs of enterprise leadership around the world

Target groups

Within any enterprise that uses Information Technology (IT), Risk IT addresses a broad audience:

  • Boards and executive management; C-suite
  • IT security managers
  • Corporate and operational risk managers
  • Enterprise governance officers
  • IT management
  • Business managers
  • IT service managers
  • IT and external auditors
  • Regulators

Integration with COBIT

The framework complements COBIT®, a comprehensive framework for the governance and control of business-driven, IT-based solutions and services. While COBIT provides a set of controls to mitigate IT risk, Risk IT provides a framework for enterprises to identify, govern and manage IT risk. Simply put, COBIT provides the means of risk management; Risk IT provides the ends. Enterprises that have adopted COBIT as their IT governance framework can use Risk IT to enhance their risk management.

The Framework

The model is divided into three domains (Risk Governance, Risk Evaluation and Risk Response), each containing three processes:

  • Risk Governance (RG)
    • RG1: Establish and maintain a Common Risk View
    • RG2: Integrate with Enterprise Risk Management (ERM)
    • RG3: Make Risk-aware Business Decisions
  • Risk Evaluation (RE)
    • RE1: Collect Data
    • RE2: Analyse Risk
    • RE3: Maintain Risk Profile
  • Risk Response (RR)
    • RR1: Articulate Risk
    • RR2: Manage Risk
    • RR3: React to Events

The essentials

Within each Risk IT domain, the following essentials have been integrated:

  • Risk Governance
    • Responsibility and accountability for risk
    • Risk appetite and tolerance
    • Awareness and communication
    • Risk culture
  • Risk Evaluation
    • Risk scenarios
    • Business impact descriptions
  • Risk Response
    • Key risk indicators (KRIs)
    • Risk response definition and prioritisation


Risk IT includes

  • The Risk IT Framework
    • Presents a summary as well as the core framework
    • Helps convey the risk landscape and processes and prioritise activities
    • Is available as a free download to all on the ISACA website.
  • The Risk IT Practitioner Guide
    • Provides practical guidance on improving risk management activities
    • Is available as a free download for ISACA members only

Source: ISACA


QAP © 2010 | advice[at] | audit[at]