Frequently Asked Questions
- What is the basis for Risk IT?
- How is Risk IT relevant to the governance of enterprise IT?
- What are the Risk IT publications?
- How can I secure copies of the Risk IT publications?
- What are the principles upon which Risk IT is based?
- How is the Risk IT framework structured?
- What does the Risk IT practitioner guidance cover?
- Where does Risk IT fit with other risk material guidance available?
- What future developments are planned for Risk IT?
- Can I implement Risk IT without COBIT (or Val IT)?
- At what level (i.e. business size) does Risk IT become feasible/helpful? What would you suggest a small company with very limited resources and people implement relative to Risk IT?
1. What is the basis for Risk IT?
Risk IT is based on COBIT, from ISACA. COBIT provides a comprehensive framework for the management and delivery of high-quality information-technology-based (IT-based) services. It works at the intersection of business and IT and allows enterprises to manage—and even capitalize on—risk in the pursuit of their objectives.
Risk IT extends COBIT and saves time, cost and effort by providing enterprises with a way to focus effectively on IT-related business risk areas, including risks related to late project delivery, compliance, misalignment, obsolete IT architecture and IT service delivery problems.
2. How is Risk IT relevant to the governance of enterprise IT?
ISACA regards risk management as one of the five focus areas of IT governance, alongside strategic alignment, value delivery, performance measurement and resource management.
Effective governance starts with leadership, commitment and support from the top. However, such leadership, while critical, is not enough. Risk IT supports the leadership by providing clear and consistently applied processes; a clear understanding of executive, business, and IT roles and responsibilities; relevant information; and appropriate organizational structures.
To optimize the way enterprises govern and manage IT-related risks, an approach based on sound principles, effective processes and practical techniques is required. Risk IT provides the principles, a comprehensive and structured process approach, and practice-based guidance to do this. Further, in doing so, Risk IT fosters a close partnership between IT and the business areas of the enterprise, with clear and unambiguous accountabilities and measurements—another key requirement for effective governance.
3. What are the Risk IT publications?
There are two publication deliverables in the Risk IT series of products:
- The Risk IT Framework
- The Risk IT Practitioner Guide
4. How can I secure copies of the Risk IT publications?
The Risk IT publications are available through the ISACA web site:
Download Risk IT
5. What are the principles upon which Risk IT is based?
Risk IT is based on the following principles. Effective enterprise governance and management of IT risk:
- Always connects to business objectives
- Aligns the management of IT-related business risk with overall enterprise risk management (ERM)—if applicable, i.e., if ERM is implemented in the enterprise
- Balances the costs and benefits of managing IT risk
- Promotes fair and open communication of IT risk
- Establishes the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
- Is a continuous process and part of daily activities
6. How is the Risk IT framework structured?
The Risk IT framework is structured according to three domains:
- Risk Governance
- Risk Evaluation
- Risk Response
Each of these domains contains three processes; each process has objectives that are achieved by performing a set of activities.
7. What does the Risk IT practitioner guidance cover?
Concepts and techniques in the practitioner guidance include:
- Building enterprise-specific scenarios, based on a set of generic IT risk scenarios
- Building a risk map, using techniques to describe the impact and frequency of scenarios
- Building impact criteria with business relevance
- Defining key risk indicators (KRIs)
- Using COBIT and Val IT to mitigate risk: the link between risk and COBIT control objectives and Val IT key management practices
8. Where does Risk IT fit with other risk material guidance available?
The Risk IT framework fills the gap between generic risk management frameworks (such as COSO ERM, ISO 31000 and its British equivalent, A Risk Management Standard (ARMS)) and detailed, primarily security-related, IT risk management frameworks.
9. What future developments are planned for Risk IT?
Future plans are to link together and reinforce all the major ISACA frameworks, including Risk IT and its supporting guidance, through the development of
10. Can I implement Risk IT without COBIT (or Val IT)?
Yes. Risk IT has been designed as a complete framework covering risk governance, risk evaluation and risk response processes, objectives and activities. Risk IT complements COBIT and Val IT but delivers value to enterprises in its own right. The links to COBIT and Val IT are explicitly addressed in The Risk IT Practitioner Guide.
11. At what level (i.e., business size) does Risk IT become feasible/helpful? What would you suggest a small company with very limited resources and people implement relative to Risk IT?
The Risk IT principles are applicable to any type or size of enterprise. The implementation of the processes and activities supporting them can and should be scaled to fit the size (and culture) of a particular enterprise.