Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.
Risk IT was published in 2009 by ISACA. It is the result of a work group composed of industry experts and some academics from different nations, coming from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.
IT risk is a part of business risk: specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. Such events can occur with both uncertain frequency and magnitude, and they create challenges in meeting strategic goals and objectives.
Management of business risk is an essential component of the responsible administration of any organization. Because of IT's importance to the overall business, IT risk should be treated like other key business risks.
The Risk IT framework explains IT risk and enables users to:
IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue for the IT department.
IT risk can be categorised in different ways:
The Risk IT framework is based on the principles of enterprise risk management standards and frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework and ISO 31000.
In this way, IT risk can be understood by upper management in the same terms as other enterprise risks.
Risk IT is built around the following principles:
Major IT risk communication flows are:
Effective risk information should be:
The three domains of the Risk IT framework are listed below with the processes they contain (three per domain); each process contains a number of activities:
Each process is detailed by: