Risk IT Framework, published in 2009 by ISACA,^[1] provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. It is the result of a work group composed of industry experts and academics from different nations, from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.

Definition

IT risk is a part of business risk — specifically, the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives.^[1]

Management of business risk is an essential component of the responsible administration of any organization. Owing to IT's importance to the overall business, IT risk should be treated like other key business risks.^{[citation needed]}

The Risk IT framework^[1] explains IT risk and enables users to:

• Integrate the management of IT risk with the overall ERM
• Compare assessed IT risk with risk appetite and risk tolerance of the organization
• Understand how to manage the risk

IT risk is to be managed by all the key business leaders inside the organization: it is not just a technical issue of IT department.

IT risk can be categorized in different ways:

IT Benefit/Value Enabler

risks related to missed opportunity to increase business value by IT enabled or improved processes

IT Program/Project Delivery

risks related to the management of IT related projects intended to enable or improve business: i.e. the risk of over-budgeting, late delivery, or no delivery at all of these projects

IT Operation and Service Delivery

risks associated with the day-to-day operations and service delivery of IT that can cause issues or inefficiency to the business operations of an organization

The Risk IT framework is based on the principles of enterprise risk management standards/frameworks such as Committee of Sponsoring Organizations of the Treadway Commission ERM and ISO 31000. In this way, IT risk could be understood by upper management

IT risk communication components

Major IT risk communication flows are:

• Expectation: what the organization expects as final result and what are the expected behaviour of employee and management; It encompasses strategy, policies, procedures, and awareness training
• Capability: it indicates how the organization is able to manage the risk
• Status: information of the actual status of IT risk; It encompasses risk profile of the organization, key risk indicator (KRI), events, and root cause of loss events.

Effective communication should be:

• Clear
• Concise
• Useful
• Timely
• Aimed at the correct target audience
• Available on a need to know basis^{[citation needed]}

Risk IT domains and processes

The three domains of the Risk IT framework are listed below with the contained processes (three per domain). Each process contains a number of activities:

1. Risk Governance: Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. It is based on the following processes:^[1]
   1. RG1 Establish and Maintain a Common Risk View
      1. RG1.1 Perform enterprise IT risk assessment
      2. RG1.2 Propose IT risk tolerance thresholds
      3. RG1.3 Approve IT risk tolerance
      4. RG1.4 Align IT risk policy
      5. RG1.5 Promote IT risk aware culture
      6. RG1.6 Encourage effective communication of IT risk
   2. RG2 Integrate With ERM
      1. RG2.1 Establish and maintain accountability for IT risk management
      2. RG2.2 Coordinate IT risk strategy and business risk strategy
      3. RG2.3 Adapt IT risk practices to enterprise risk practices
      4. RG2.4 Provide adequate resources for IT risk management
      5. RG2.5 Provide independent assurance over IT risk management
   3. RG3 Make Risk-Aware Business Decisions
      1. RG3.1 Gain management buy-in for the IT risk analysis approach
      2. RG3.2 Approve IT risk analysis
      3. RG3.3 Embed IT risk consideration in strategic business decision making
      4. RG3.4 Accept IT risk
      5. RG3.5 Prioritize IT risk response activities
2. Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analyzed, and presented in business terms. It is based on the following processes:
   1. RE1 Collect Data
      1. RE1.1 Establish and maintain a model for data collection
      2. RE1.2 Collect data on the operating environment
      3. RE1.3 Collect data on risk events
      4. RE1.4 Identify risk factors
   2. RE2 Analyze Risk
      1. RE2.1 Define IT risk analysis scope
      2. RE2.2 Estimate IT risk
      3. RE2.3 Identify risk response options
      4. RE2.4 Perform a peer review of IT risk analysis
   3. RE3 Maintain Risk Profile
      1. RE3.1 Map IT resources to business processes
      2. RE3.2 Determine business criticality of IT resources
      3. RE3.3 Understand IT capabilities
      4. RE3.4 Update risk scenario components
      5. RE3.5 Maintain the IT risk register and IT risk map
      6. RE3.6 Develop IT risk indicators
3. Risk Response: Ensure that IT-related risk issues, opportunities, and events are addressed in a cost-effective manner and in line with business priorities. It is based on the following processes:
   1. RR1 Articulate Risk
      1. RR1.1 Communicate IT risk analysis results
      2. RR1.2 Report IT risk management activities and state of compliance
      3. RR1.3 Interpret independent IT assessment findings
      4. RR1.4 Identify IT related opportunities
   2. RR2 Manage Risk
      1. RR2.1 Inventory controls
      2. RR2.2 Monitor operational alignment with risk tolerance thresholds
      3. RR2.3 Respond to discovered risk exposure and opportunity
      4. RR2.4 Implement controls
      5. RR2.5 Report IT risk action plan progress
   3. RR3 React to Events
      1. RR3.1 Maintain incident response plans
      2. RR3.2 Monitor IT risk
      3. RR3.3 Initiate incident response
      4. RR3.4 Communicate lessons learned from risk events

Each process is detailed by:

• Process components
• Management practice
• Inputs and Outputs
• RACI charts
• Goal and metrics

For each domain a Maturity Model is depicted.^{[citation needed]}

Risk evaluation

The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events. Risk IT does not prescribe a single method. Different methods are available. Among them there are:

• COBIT Information criteria
• Balanced scorecard
• Extended balanced scorecard
• Westerman ^[2]
• COSO
• Factor Analysis of Information Risk

Risk scenarios

Risk scenarios are the hearth of risk evaluation processes. Scenarios can be derived in two different and complementary ways:

• a top-down approach from the overall business objectives to the most likely risk scenarios that can impact them.
• a bottom-up approach where a list of generic risk scenarios are applied to organizational situations.

Each risk scenario is analyzed to determine frequency and impact, based on the risk factors.

Risk response

The purpose of defining a risk response is to bring risk in line with the overall defined risk appetite of the organization after risk analysis: i.e. the residual risk should be within the risk tolerance limits.

The risk can be managed according to four main strategies (or a combination of them):

• Risk avoidance: exiting the activities that give rise to the risk.
• Risk mitigation: adopting measures to detect and reduce the frequency and/or impact of the risk.
• Risk transfer: transferring to others part of the risk, by outsourcing dangerous activities or by insurance.
• Risk acceptance: deliberately running the risk that has been identified, documented and measured.

Key risk indicators are metrics capable of showing that the organization has a high probability of being subject to a risk that exceeds the defined risk appetite.

Practitioner Guide

The second important document about Risk IT is the Practitioner Guide.^[3] It is made up of eight sections:

1. Defining a Risk Universe and Scoping Risk Management
2. Risk Appetite and Risk Tolerance
3. Risk Awareness, Communication, and Reporting
4. Expressing and Describing Risk
5. Risk Scenarios
6. Risk Response and Prioritization
7. Risk Analysis Workflow
8. Mitigation of IT Risk Using COBIT and Val IT^{[citation needed]}

Relationship with other ISACA frameworks

Risk IT Framework complements ISACA’s COBIT, which provides a comprehensive framework for the control and governance of business-driven, IT-based solutions and services. While COBIT sets best practices for managing risk by providing a set of controls to mitigate IT risk, Risk IT provides a framework of best practices for enterprises to identify, govern, and manage IT risk.

Val IT allows business managers to get business value from IT investments, by providing a governance framework. Val IT can be used to evaluate the actions determined by the Risk management process.

Relationship with other frameworks

Risk IT accepts Factor Analysis of Information Risk terminology and evaluation process.

ISO 27005

For a comparison of Risk IT processes and those foreseen by ISO/IEC 27005 standard, see IT risk management#Risk management methodology and IT risk management#ISO 27005 framework.

ISO 31000

The Risk IT Practitioner Guide^[3] appendix 2 contains the comparison with ISO 31000.

COSO

The Risk IT Practitioner Guide^[3] appendix 4 contains the comparison with COSO.