Risk IT Framework 2nd Edition Laminate FMK Eng 0620


IT Risk Framework

Figure 1.1
Scope of I&T-related Risk Relative to Other Major Categories of Risk

Enterprise Risk
- Strategic Risk
- Environmental Risk
- Market Risk
- Credit Risk
- Operational Risk
- Compliance Risk

I&T-related Risk (a subset of enterprise risk, cutting across the categories above)
- I&T Benefit/Value Enablement Risk
- IT Program and Project-delivery Risk
- IT Operations and Service-delivery Risk
- Cyber and Information Security Risk

Figure 2.1
Principles of Risk Management

Risk Management Principles (arranged around the centre of the figure):
- Balance cost/benefit of I&T-related risk
- Promote ethical and open communication
- Align with ERM
- Connect to enterprise objectives
- Establish tone at the top and accountability
- Use a consistent approach aligned to strategy

© 2020 ISACA. All Rights Reserved.


Figure 3.1
Alignment of I&T-related Risk Management Principles with COBIT Objectives EDM03 and APO12

Risk Management Principles:
- Align with ERM
- Balance cost/benefit of I&T-related risk
- Promote ethical and open communication
- Connect to enterprise objectives
- Establish tone at the top and accountability
- Use a consistent approach aligned to strategy

Aligns to EDM03: Ensured Risk Optimization (Risk Governance)
Ensure that the enterprise's risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of I&T is identified and managed.
- Direct risk management. Direct the establishment of risk management practices to provide reasonable assurance that I&T risk management practices are appropriate and that actual I&T risk does not exceed the board's risk appetite.
- Monitor risk management. Monitor the key goals and metrics of the risk management processes. Determine how deviations or problems will be identified, tracked and reported for remediation.
- Evaluate risk management. Continually examine and evaluate the effect of risk on the current and future use of I&T in the enterprise. Consider whether the enterprise's risk appetite is appropriate and ensure that risk to enterprise value related to the use of I&T is identified and managed.

Aligns to APO12: Managed Risk (Risk Management)
Continually identify, assess and reduce I&T-related risk within tolerance levels set by enterprise executive management.
- Collect data. Identify and collect relevant data to enable effective I&T-related risk identification, analysis and reporting.
- Analyze risk. Develop a substantiated view on actual I&T risk, in support of risk decisions.
- Maintain a risk profile. Maintain an inventory of known risk and risk attributes, including expected frequency, potential impact and responses. Document related resources, capabilities and current control activities related to risk items.
- Articulate risk. Communicate information on the current state of I&T-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.
- Define a risk management action portfolio. Manage opportunities to reduce risk to an acceptable level as a portfolio.
- Respond to risk. Respond in a timely manner to materialized risk events with effective measures to limit the magnitude of loss.



Figure 4.1
Risk Capacity, Risk Appetite and Actual Risk

[Bar chart with two panels; each panel plots Actual Risk, Risk Appetite and Risk Capacity on a 0 to 10 scale, contrasting a case where actual risk sits within appetite and capacity with one where it does not.]

Source: ISACA, COBIT® 5 for Risk, USA, 2013, fig. 68, https://www.isaca.org/bookstore/cobit-5/wcb5rk

Figure 5.1
Risk Management Flow

Cycle (with Communication running through every stage):
- Setting Context
- Risk Identification and Assessment
- Risk Analysis and Business Impact Evaluation
- Risk Response
- Risk Reporting and Communication

Example Type Categories of Risk:
- Strategic
- Operational
- IT Risk
- Cybersecurity
- Information Security

Source: Adapted from ISACA, Getting Started With Risk Management, USA, 2018, fig. 2, https://www.isaca.org/bookstore/bookstore-wht_papers-digital/whpgsr



Figure 6.1
I&T-related Risk Scenario Development

Top-down Scenario Identification (starting from Business Objectives):
- Identify business objectives
- Identify scenarios with impact on achievement of objectives

Bottom-up Scenario Identification (starting from Generic Risk Scenarios):
- Identify all hypothetical scenarios
- Reduce through high-level analysis

Both paths produce Refined and Specific I&T Risk Scenarios, which are then turned into Estimated I&T Risk Frequency and Impact.

Risk Factors (feeding the scenario analysis):
- External Environmental Factors
- Internal Environmental Factors
- Risk Management Capability
- IT Capability
- IT-related Business Capability

International Headquarters
1700 E. Golf Road | Suite 400 | Schaumburg, IL 60173 | USA
isaca.org



Figure 6.2
Risk Scenario/Loss Event Structure and Components

Risk Scenario/Loss Event components:
- Actor/Threat Community
- Intent/Motivation
- Threat Event
- Asset/Resource
- Effect
- Timing

Figure 7.1
Components of I&T Risk Communication

Effective I&T Risk Communication (centre) draws on three components:
- Expectations: Strategy, Policies, Procedures, Awareness, Training, etc.
- Status: Risk Profile, Key Risk Indicators, Loss Data, etc.
- Capability: Risk Management Process Maturity

The globally recognized Risk IT Framework develops the language of risk specifically in the context of information technology and cybersecurity, fosters open conversation about the countless facets of enterprise risk, codifies guidelines and practices that optimize risk, opportunity, security and business value, and helps practitioners build consensus regarding risk IT decisions at all enterprise levels. The framework has been updated with new information and guidance, facilitating easier and tailored implementation.

This document provides an overview of the Risk IT Framework figures. This excerpt is available as a complimentary PDF at www.isaca.org/? and for purchase in hard copy at www.isaca.org/bookstore. We encourage you to share this document with your enterprise leaders, team members, clients and/or consultants. Additional information is available at isaca.org/?.



Figure 8.1
Risk Response Selection and Prioritization

Risk Analysis:
- Risk
- Estimate of Frequency and Impact
- Risk Tolerance
- Risk Analysis

Parameters for Risk Response Selection:
- Risk Exceeding Risk-tolerance Level
- Cost of Response to Reduce Risk within Tolerance Levels
- Capability to Implement Response
- Effectiveness of Response
- Efficiency of Response

Select Risk Response Options (driven by Magnitude of Risk and the available Risk Response Options).

Risk Responses:
1. Avoid
2. Reduce/Mitigate
3. Share/Transfer
4. Accept

Risk Response Prioritization:
- Prioritize Risk Response Options
- Prioritized Risk Responses
- Risk Action Plan

Prioritization grid (vertical axis: Current Risk Level; horizontal axis: Effectiveness/Cost Ratio):
- High current risk, high effectiveness/cost ratio: Quick Wins
- High current risk, low effectiveness/cost ratio: Business Case
- Low current risk, high effectiveness/cost ratio: Business Case
- Low current risk, low effectiveness/cost ratio: Defer

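The selection and prioritization flow of Figure 8.1, worked as an added example that is not part of the ISACA laminate: each candidate response is scored on its effectiveness/cost ratio and on whether it brings residual risk back within tolerance, then placed on the Quick Wins / Business Case / Defer grid. The 0 to 10 risk scale, the thresholds and the sample responses are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the Risk IT Framework): a 0-10 risk scale on
# which above 5 counts as "high" current risk, and an effectiveness/cost
# ratio of 1.0 or more counts as "high".
HIGH_RISK = 5.0
HIGH_RATIO = 1.0

@dataclass
class Response:
    name: str
    option: str            # Avoid, Reduce/Mitigate, Share/Transfer or Accept
    effectiveness: float   # expected reduction of the risk level, same 0-10 scale
    cost: float            # relative cost to implement (must be > 0)

def quadrant(current_risk: float, ratio: float) -> str:
    """Map a response onto the Figure 8.1 grid: current risk level vs. effectiveness/cost ratio."""
    high_risk = current_risk > HIGH_RISK
    high_ratio = ratio >= HIGH_RATIO
    if high_risk and high_ratio:
        return "Quick Wins"
    if high_risk or high_ratio:
        return "Business Case"
    return "Defer"

def prioritize(current_risk: float, tolerance: float, responses: list) -> list:
    """Score each candidate response and order them for the risk action plan."""
    rows = []
    for r in responses:
        ratio = r.effectiveness / r.cost
        residual = max(current_risk - r.effectiveness, 0.0)
        rows.append({
            "name": r.name,
            "option": r.option,
            "ratio": round(ratio, 2),
            "residual_risk": residual,
            "within_tolerance": residual <= tolerance,  # does it bring risk back within tolerance?
            "quadrant": quadrant(current_risk, ratio),
        })
    rank = {"Quick Wins": 0, "Business Case": 1, "Defer": 2}
    rows.sort(key=lambda row: (rank[row["quadrant"]], -row["ratio"]))
    return rows

# Constructed sample: one risk currently at level 8 against a tolerance of 4.
SAMPLE_RESPONSES = [
    Response("Enforce MFA on admin portal", "Reduce/Mitigate", effectiveness=5.0, cost=2.0),
    Response("Cyber insurance", "Share/Transfer", effectiveness=3.0, cost=4.0),
    Response("Re-platform legacy app", "Reduce/Mitigate", effectiveness=7.0, cost=20.0),
]

if __name__ == "__main__":
    for row in prioritize(8.0, 4.0, SAMPLE_RESPONSES):
        print(f'{row["quadrant"]:13} {row["name"]:28} ratio={row["ratio"]} within_tolerance={row["within_tolerance"]}')
```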