The Risk IT framework is to be used to help implement IT governance, and enterprises that have adopted (or are planning to adopt) COBIT as their IT governance framework can use Risk IT to enhance risk management.

COBIT Information Criteria (Business Requirements for Information)
The COBIT information criteria allow for the expression of business aspects related to the use of IT. They express a condition to which information (in the widest sense), as provided through IT, must conform for it to be beneficial to the enterprise. The business impact of any IT-related event lies in the consequence of not achieving the information criteria. Describing impact in these terms remains a sort of intermediate technique: it does not fully describe business impact, e.g., impact on customers or in financial terms.

COBIT Business Goals and Balanced Scorecard
A further technique is based on the ‘business goals’ concept introduced in COBIT. Indeed, business risk lies in any combination of those business goals not being achieved. The COBIT business goals are structured in line with the four classic balanced scorecard (BSC) perspectives: financial, customer, internal and growth.

Extended BSC Criteria
A variant of the approach described in the previous section, COBIT Business Goals and Balanced Scorecard, goes one step further, linking the BSC dimensions to a limited set of more tangible criteria. The set of criteria described in figure 12 can be used selectively, and the user should be aware that there are still cause-effect relationships included in this table (e.g., customer [dis]satisfaction can impact competitive advantage and/or market share). Usually a subset of these criteria is used to express risk in business terms.

Westerman 4 ‘A’s
Westerman’s approach defines IT risk as the potential for an unplanned event involving IT to threaten any of four interrelated enterprise objectives:
1. Agility – possess the capability to change with managed cost and speed.
2. Accuracy – provide correct, timely and complete information that meets the requirements of management, staff, customers, suppliers and regulators.
3. Access – ensure appropriate access to data and systems, so that the right people have the access they need and the wrong people do not.
4. Availability – keep the systems (and their business processes) running, and recover from interruptions.

Risk responses

COSO ERM

[Sidebar: IT Risk in Business Terms]
IT Risk Categories
- IT benefit/value enablement risk – associated with (missed) opportunities to use technology to improve efficiency or effectiveness of business processes, or as an enabler for new business initiatives.
- IT programme and project delivery risk
- IT operations and service delivery risk