Risk IT – A Risk Management Framework by Information Technology Governance Institute (ITGI)

22 07 2012

Risk assessment and risk management are an integral part of IT security in any organization, or at least they should be.

Given how critical IT is to an organization’s operations, one would expect IT and IT security risks to have long been covered by the many existing risk management frameworks. Until recently, however, that was not the case: there was no comprehensive, exclusively IT-focused risk management framework covering the whole of IT until the IT Governance Institute (ITGI, part of ISACA) developed and published “Risk IT”. The framework is designed to address all IT risks, including IT security risks. It is based on industry best practices, was developed with the help of subject matter experts, and is intended to connect the management of IT risk, including IT security risk, with overall enterprise risk management (ERM).

“Risk IT” is not only a framework for IT risk assessment; it is also integrated with both the COBIT 5 (Control Objectives for Information and Related Technologies) framework and the Val IT 2 framework (IT value management). For readers who are not familiar with these frameworks: COBIT is widely used by organizations to implement IT controls, and Val IT deals with the value and cost-effectiveness of IT and IT security measures. The close ties between Risk IT, COBIT and Val IT offer a complete ecosystem covering IT controls, value proposition and IT risk management, a first in the IT industry.

More on “Risk IT” framework

ISACA (formerly the Information Systems Audit and Control Association) describes COBIT 5, with which Risk IT is integrated, as the only business framework for the governance and management of enterprise IT.

The “Risk IT” model covers the entire lifecycle of IT risk. It is divided into three domains: Risk Governance, Risk Evaluation and Risk Response. Risk Governance establishes the baseline for risk management within a particular organization; Risk Evaluation focuses on performing risk assessments; and Risk Response, the final stage, manages and responds to risks on an ongoing basis. The framework connects IT risks with enterprise risks and also takes in cost/benefit considerations and alignment with business objectives, among other things. It therefore brings more transparency to the IT risk picture and, to some degree, addresses aspects of IT risk beyond the purely technical.

The framework groups IT risk into the following three categories:

  • IT benefit/value enablement risk, i.e., risk associated with missed opportunities.
  • IT programme and project delivery risk, i.e., risk associated with the contribution of IT projects and programmes.
  • IT operations and service delivery risk, i.e., risk associated with all aspects of IT services and systems.

This categorization covers not only risks arising within the organization’s IT, but also the risk of not pursuing certain options in the IT environment.

Additionally, the framework is founded on the following principles about IT risks:

1)  Connect to business objectives.

2)  Align IT risk management with enterprise risk management.

3)  Balance the cost/benefit of managing IT risk.

4)  Promote fair and open communication.

5)  Establish a tone at the top and accountability.

6)  Function as part of daily activities.

These principles keep IT risk as the focal point while addressing the various needs that exist within the IT environment, so as to create a more robust risk management structure there.

“Risk IT” turns the framework into concrete practice through the following nine processes, three per domain:

Risk Governance: These processes establish the overall governance of the IT risk management process and structure.

  • RG1 – Establish and maintain a common risk view.
  • RG2 – Integrate with ERM.
  • RG3 – Make risk-aware business decisions.

Risk Evaluation: These processes establish how data is collected for risk monitoring, how risk is analyzed and how risk profiles are maintained.

  • RE1 – Collect data.
  • RE2 – Analyze risk.
  • RE3 – Maintain risk profile.

Risk Response: These processes establish how risk is articulated, how it is managed and how events are reacted to on an ongoing basis.

  • RR1 – Articulate risk.
  • RR2 – Manage risk.
  • RR3 – React to events.

As you may have noticed, two very distinct features of this framework are that it sets out to define tangible benefits, in contrast to the often intangible benefits of many other risk management frameworks, and that it covers the entire lifecycle of IT risk management. These same features are also the strengths of the “Risk IT” framework and can certainly be the catalysts for organizations that are either looking to adopt it for IT risk assessments or are inclined towards using it in preference to other IT risk frameworks.

In my opinion, the following are some of the pros and cons of the “Risk IT” framework and its approach to IT risk assessment:

Pros:

  • The benefits the “Risk IT” framework sets out to deliver are tangible ones.
  • It manages the entire lifecycle of IT risk.
  • It encourages executives and senior management, along with the rest of the IT organization, to take part in IT risk management, and the clear visibility of risk management guided from the top of the organization makes the process very effective. At the same time, the framework also supports a bottom-up approach to IT risk management.
  • The “Risk IT” framework is an all-encompassing approach, covering IT controls, costs and risks. Its close ties with the COBIT and Val IT frameworks provide a complete ecosystem for IT controls, value proposition and risk management. This may also be a drawback, as noted below.
  • The framework appeals to senior management because it offers to leverage existing investments in IT controls for IT risk management before requiring new investments in IT controls.

Cons:

  • While the framework’s purpose and design are to address IT risk, it was developed only recently, so there is no long-term assessment of whether its claimed benefits materialize.
  • The framework is deliberately left flexible, so an incorrect or less rigorous implementation may fail to deliver the benefits and may leave risks within the enterprise IT organization unaddressed or undetected.
  • The framework is maintained and published by ISACA and is based on best practices rather than adopted by a standards body such as ANSI; its acceptance may therefore not be as wide.
  • The framework relies on an appropriate implementation of both COBIT and Val IT, which is not the case at every organization and may hinder its acceptance in many of them.
  • The comprehensive nature of the framework can quickly turn IT risk management into a cost overhead, in spite of the reuse of existing IT controls.


In conclusion, a focused approach to all IT risks is certainly a step in the right direction, and a comprehensive IT risk management framework may help bridge the gap between enterprise risk management and IT security risk. The long-term benefits of the “Risk IT” framework will emerge only with the passage of time. As we all know, for something great to happen there always has to be a beginning, and only time will tell!


ANSI, ITGI, ISACA, Risk IT, COBIT, Val IT and other terms are registered trademarks, service marks, etc. of respective organizations.


New Framework for Enterprise Risk Management in IT, Urs Fischer, CISA, CIA, CPA Swiss, Information Systems Control Journal, Volume 4, 2008

Risk IT Framework for Management of IT Related Business Risks (http://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-Management/Pages/Risk-IT1.aspx)

COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (http://www.isaca.org/COBIT/Pages/default.aspx)

Val IT Framework for Business Technology Management (http://www.isaca.org/Knowledge-Center/Val-IT-IT-Value-Delivery-/Pages/Val-IT1.aspx)

The “Risk IT” Framework (http://www.isaca.org/Knowledge-Center/Research/Documents/RiskIT_FW_30June2010_Research.pdf, registration required)

The “Risk IT” Practitioner Guide (http://www.isaca.org/Knowledge-Center/Research/Documents/RiskIT_PG_30June2010_Research.pdf, registration required)



