
Risk Starter Kit

Introduction and Getting Started

Risk
RISK STARTER KIT: INTRODUCTION AND GETTING STARTED

CONTENTS

3 Introduction
3 / Toolkit Components
4 Getting Started with the Toolkit
5 Acknowledgments

© 2022 ISACA. All Rights Reserved.



Introduction
Risk management is a business capability or, simply, a set of coordinated activities to direct and control an enterprise with regard to risk. The Risk Starter Kit consists of multiple tools to facilitate these activities. The risk management capability underpins all business processes to ensure the enterprise continuously creates and delivers value.

Risk management activities require purposeful interactions among people, processes, technologies and systems with oversight at the highest levels of the enterprise. Risk management works best when risk-related activities are integrated with the regular workflow of management and staff rather than treated as add-ons.

The creators of the Risk Starter Kit are risk experts who have many years of experience across a wide spectrum of industries and regions. The purpose of the kit is to facilitate risk management processes such as risk assessment, risk tolerance, risk maturity assessment, risk policy creation and related tasks. The purpose of each tool is to provide a template for a standard risk management task to eliminate the need for an enterprise to create it independently.

These standard templates may not fit every enterprise. However, each tool includes attributes to assist users in identifying the specific variables present within their enterprise. Further, each tool can be downloaded and customized to fit the specific needs of each entity and to facilitate the performance of key risk management functions.

Positioning risk in the context of the mission, strategy and objectives of the enterprise is the first step in making sure that risk management activities add value to the enterprise’s overall risk management process. The determination of risk appetite and risk tolerances can assist in quickly evaluating which risk is in alignment with management objectives for risk-taking, and which risk needs further analysis or investigation.

Toolkit Components
The following tools are included:

• Risk Appetite Statement—Provides guidance on what components to consider when creating a risk tolerance statement. Includes a statement template.

• Risk Assessment Template—Provides guidance on the key components to consider, using a variety of techniques and methods, when identifying and assessing risk. Includes an assessment template.

• Risk Reporting—Provides guidance on how to intake and document key risk and major areas of concern for reporting to senior leadership and the board of directors.

• Risk Governance—Provides guidance on key governance structure components that are essential for effective risk management:

  • IT Risk Management Policy—Provides guidance on necessary components of a risk policy, which should be aligned with the enterprise’s risk appetite and fully supported by the risk committee and board of directors. Includes a policy template.

  • Risk Committee Charter—Specifies attributes that should be considered for a risk committee depending on enterprise size, structure and needs.

• Risk Maturity Assessment—Identifies levels of maturity of a risk management program, describing components and attributes that may exist at each level.

• IT Risk Job Descriptions—Inform a risk leader and/or human resources of the key risk job functions necessary to build a risk management program.

• Risk Scenarios—Facilitate communication in risk management through construction of narratives that inspire people to act. Enhance the risk management effort by helping the risk team understand and explain risk to business process owners and other stakeholders. Includes a template that facilitates creation of a fully thought-out risk scenario and explains how it would integrate with and impact other parts of the enterprise.

• Risk and Controls Library—Provides a template to assist in building a repository of key risk for the enterprise. Maps the identified controls to risk in order to monitor mitigation effectiveness and identify needed modifications.

• Risk Register—Provides a template to identify the components necessary to supply adequate information for each risk.

Getting Started with the Toolkit

To use the toolkit, users simply download and save the Risk Starter Kit zip file and then extract the components that will be used. Files can be saved locally and edited to accommodate a particular organizational context.

As an enterprise embarks on its risk journey, there are many ISACA resources that can help:

• The ISACA Journal contains a multitude of articles related to IT risk.

• ISACA hosts an online forum on risk management where participants can share information and ask questions of their peers.

• ISACA has a dedicated web page for risk-related topics and resources.


Acknowledgments
ISACA would like to acknowledge:

Development Team

Evan Wheeler
CRISC
Capital One, Inc., USA

Sunil Bakshi
CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, CEH, CISSP, ISO 27001 LA, MCA, PMP
Freelance Consultant, India

Ilker Tutu
CISA, CRISC, CISM, CGEIT, CISSP, CIA, PCI ISA
Paypal Europe, Luxembourg

Prometheus Yang
CISA, CRISC, CISM, CFE, ISO 27001 LA
Standard Chartered Bank, China

Board of Directors

Gregory Touhill, Chair
CISM, CISSP
Director, CERT Division of Carnegie Mellon University’s Software Engineering Institute, USA

Pamela Nigro, Vice-Chair
CISA, CGEIT, CRISC, CDPSE, CRMA
Vice President, Security, Medecision, USA

John De Santis
Former Chairman and Chief Executive Officer, HyTrust, Inc., USA

Niel Harper
CISA, CRISC, CDPSE, CISSP
Former Chief Information Security Officer and Privacy Officer, United Nations Office for Project Services (UNOPS), Denmark

Gabriela Hernandez-Cardoso
Independent Board Member, Mexico

Maureen O’Connell
Board Chair, Acacia Research (NASDAQ), Former Chief Financial Officer and Chief Administration Officer, Scholastic, Inc., USA

Veronica Rose
CISA, CDPSE
Founder, Encrypt Africa, Kenya

David Samuelson
Chief Executive Officer, ISACA, USA

Gerrard Schmid
President and Chief Executive Officer, Diebold Nixdorf, USA

Asaf Weisberg
CISA, CISM, CGEIT, CRISC
Chief Executive Officer, introSight Ltd., Israel

Tracey Dedrick
ISACA Board Chair, 2020-2021
Former Chief Risk Officer, Hudson City Bancorp, USA

Brennan P. Baybeck
CISA, CISM, CRISC, CISSP
ISACA Board Chair, 2019-2020
Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA

Rob Clyde
CISM
ISACA Board Chair, 2018-2019
Independent Director, Titus, and Executive Chair, White Cloud Security, USA


About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams that effectively drive IT audit, risk management and security priorities forward. ISACA is a global professional association and learning organization that leverages the expertise of more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

DISCLAIMER
ISACA has designed and created the Risk Starter Kit - Introduction and Getting Started (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Provide Feedback: www.isaca.gov/risk-starter-kit
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

RESERVATION OF RIGHTS

© 2022 ISACA. All rights reserved.
