
Build an IT Risk Management Program
Mitigate the IT risks that could negatively impact your organization.

Info-Tech Research Group Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2022 Info-Tech Research Group Inc.
Table of Contents
3 Executive Brief
4 Analyst Perspective
5 Executive Summary
19 Phase 1: Review IT Risk Fundamentals & Governance
43 Phase 2: Identify and Assess IT Risk
74 Phase 3: Monitor, Communicate, and Respond to IT Risk
102 Appendix
108 Bibliography

Info-Tech Research Group | 2


EXECUTIVE BRIEF
Build an IT Risk Management Program: Mitigate the IT risks that could negatively impact your organization.

Analyst Perspective
Siloed risks are risky business for any enterprise.

Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.

Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.

This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.

Valence Howden, Principal Research Director, CIO Practice
Brittany Lutes, Senior Research Analyst, CIO Practice
Executive Summary

Your Challenge
IT has several challenges when it comes to addressing risk management:
• Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
• The business could be making decisions that are not informed by risk.
• Reacting to risks after they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

Common Obstacles
Many IT organizations realize these obstacles:
• IT risks and business risks are often addressed separately, causing inconsistencies in the approach.
• Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
• Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.

Info-Tech’s Approach
• Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success.
• Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
• Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the IT risks most critical to the organization.

Info-Tech Insight
IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.


Ad hoc approaches to managing risk fail because…

58% of organizations still lack a systematic and robust method to actually report on risks. (Source: AICPA, 2021)

If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.

1. Ad hoc risk management is reactionary.
2. Ad hoc risk management is often focused only on IT security.
3. Ad hoc risk management lacks alignment with business objectives.

The results:
• Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
• Increased IT non-compliance, resulting in costly settlements and fines.
• IT audit failure.
• Ineffective management of risk caused by poor risk information and wrong risk response decisions.
• Increased unnecessary and avoidable IT failures and fixes.


Data is an invaluable asset – ensure it’s protected

Case Studies

Cognyte, a vendor hired to be a cybersecurity analytics company, had over five billion records exposed in Spring 2021. The data was compromised for four days, providing attackers with plenty of opportunities to obtain personally identifying information. (SecureBlink, 2021; Security Magazine, 2021)

In 2020, over 10.6 million customers experienced some sort of data being accessible, with 1,300 having serious personally identifying information breached. (The New York Times, 2020)

Facebook, the world’s largest social media giant, had over 533 million Facebook users’ personal data breached when data sets were able to be cross-listed with one another. (Business Insider, 2021; Security Magazine, 2021)


Risk management is a business enabler
Formalize risk management to increase your likelihood of success.

Only 12% of organizations are using risk as a strategic tool most or all of the time. (Source: AICPA, 2021)

By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.

A certain amount of risk is healthy and can stimulate innovation:
• A formal risk management strategy doesn’t mean trying to mitigate every possible risk; it means exposing the organization to the right amount of risk.
• Taking a formal risk management approach allows an organization to thoughtfully choose which risks it is willing to accept.
• Organizations with high risk management maturity will vault themselves ahead of the competition because they will be aware of which risks to prepare for, which risks to ignore, and which risks to take.


IT risk is enterprise risk
Accountability for IT risks and the decisions made to address them should be shared between IT and the business.

IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

[Diagram: Enterprise Risks, made up of IT Risks, People Risks, Digital Risks, and Finance Risks]
Follow the steps of this blueprint to build or optimize your IT risk management program

Start here:
PHASE 1: Review IT Risk Fundamentals and Governance
  1.1 Review IT Risk Management Fundamentals
  1.2 Establish a Risk Governance Framework
PHASE 2: Identify and Assess IT Risk
  2.1 Identify IT Risks
  2.2 Assess and Prioritize IT Risks
PHASE 3: Monitor, Report, and Respond to IT Risk
  3.1 Monitor IT Risks and Develop Risk Responses
  3.2 Report IT Risk Priorities
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable: Risk Management Program Manual
Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.

Integrated Risk Maturity Assessment
Assess the organization's current maturity and readiness for integrated risk management (IRM).

Centralized Risk Register
The repository for all the risks that have been identified within your environment.

Risk Costing Tool
A potential cost-benefit analysis of possible risk responses to determine a good method to move forward.

Risk Report & Risk Event Action Plan
A method to report risk severity and hold risk owners accountable for the chosen method of responding.
Benefit from industry-leading best practices
As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

COSO: COSO’s Enterprise Risk Management—Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.

ISO 31000: ISO 31000 Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

COBIT 2019: COBIT 2019’s IT functions were used to develop and refine our Ten IT Risk Categories used in our top-down risk identification methodology.
Abandon ad hoc risk management
A strong risk management foundation is valuable when building your IT risk management program.

This research covers the following IT risk fundamentals:
• Benefits of formalized risk management
• Key terms and definitions
• Risk management within ERM
• Risk management independent of ERM
• Four key principles of IT risk management
• Importance of a risk management program manual
• Importance of buy-in and support from the business

Drivers of Formalized Risk Management:
Drivers external to IT: External Audit; Internal Audit; Mandated by ERM; Occurrence of Risk Event.
Grassroots drivers: Demonstrating IT’s value to the business; Proactive initiative; Emerging IT risk awareness.


Blueprint benefits

IT Benefits
• Increased on-time, in-scope, and on-budget completion of IT projects.
• Meet the business’ service requirements.
• Improved satisfaction with IT by senior leadership and business units.
• Fewer resources wasted on fire-fighting.
• Improved availability, integrity, and confidentiality of sensitive data.
• More efficient use of resources.
• Greater ability to respond to evolving threats.

Business Benefits
• Reduced operational surprises or failures.
• Improved IT flexibility when responding to risk events and market fluctuations.
• Reduced budget uncertainty.
• Improved ability to make decisions when developing long-term strategies.
• Improved stakeholder and shareholder confidence.
• Achieved compliance with external regulations.
• Competitive advantage over organizations with immature risk management practices.


Info-Tech offers various levels of support to best suit your needs

DIY Toolkit: “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation: “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop: “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting: “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks are used throughout all four options.


Guided Implementation
What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 6 to 8 calls over the course of 3 to 6 months.

Phase 1
Call #1: Assess current risk maturity and organizational buy-in.
Call #2: Establish an IT risk council and determine IT risk management program goals.

Phase 2
Call #3: Identify the risk categories used to organize risk events.
Call #4: Identify the threshold for risk the organization can withstand.
Call #5: Create a method to assess risk event severity.

Phase 3
Call #6: Establish a method to monitor priority risks and consider possible risk responses.
Call #7: Communicate risk priorities to the business and implement risk management plan.
Workshop Overview
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Day 1: Review IT Risk Fundamentals and Governance
Activities:
1.1 Assess current program maturity
1.2 Complete RACI chart
1.3 Create the IT risk council
1.4 Identify and engage key stakeholders
1.5 Add organization-specific risk scenarios
1.6 Identify risk events
Deliverables:
1. Maturity Assessment
2. Risk Management Program Manual

Day 2: Identify IT Risks
Activities:
2.1 Identify risk events (continued)
2.2 Augment risk event list using COBIT5 processes
2.3 Determine the threshold for (un)acceptable risk
2.4 Create impact and probability scales
2.5 Select a technique to measure reputational cost
2.6 Conduct risk severity level assessment
Deliverables:
1. Finalized List of IT Risk Events
2. Risk Register
3. Risk Management Program Manual

Day 3: Assess IT Risks
Activities:
3.1 Conduct risk severity level assessment
3.2 Document the proximity of the risk event
3.3 Conduct expected cost assessment
3.4 Develop key risk indicators (KRIs) and escalation protocols
3.5 Perform root cause analysis
3.6 Identify and assess risk responses
Deliverables:
1. Risk Register
2. Risk Event Action Plans
3. Risk Management Program Manual

Day 4: Monitor, Report, and Respond to IT Risk
Activities:
4.1 Identify and assess risk responses
4.2 Risk response cost-benefit analysis
4.3 Create multi-year cost projections
4.4 Review techniques for embedding risk management in IT
4.5 Finalize the Risk Report and Risk Management Program Manual
4.6 Transfer ownership of risk responses to project managers
Deliverables:
1. Risk Report
2. Risk Management Program Manual

Day 5: Next Steps and Wrap-Up (offsite)
Activities:
5.1 Complete in-progress deliverables from previous four days
5.2 Set up review time for workshop deliverables and to discuss next steps
Deliverables:
1. Workshop Report
2. Risk Management Program Manual


Phase 1
Review IT Risk Fundamentals and Governance

This phase will walk you through the following activities:
• Gain buy-in from senior leadership
• Assess current program maturity
• Identify obstacles and pain points
• Determine the risk culture of the organization
• Develop risk management goals
• Develop SMART project metrics
• Create the IT risk council
• Complete a RACI chart

This phase involves the following participants:
• IT executive leadership
• Business executive leadership

Phase 1: 1.1 Review IT Risk Management Fundamentals; 1.2 Establish a Risk Governance Framework
Phase 2: 2.1 Identify IT Risks; 2.2 Assess and Prioritize IT Risks
Phase 3: 3.1 Develop Risk Responses and Monitor IT Risks; 3.2 Report IT Risk Priorities


Step 1.1
Review IT Risk Management Fundamentals

This step involves the following participants:
• IT executive leadership
• Business executive leadership

Activities
1.1.1 Gain buy-in from senior leadership
1.1.2 Assess current program maturity

Outcomes of this step
• Reviewed key IT principles and terminology
• Gained understanding of the relationship between IT risk management and ERM
• Introduced to Info-Tech’s IT Risk Management Framework
• Obtained the support of senior leadership


Effective IT risk management is possible with or without ERM
Whether or not your organization has ERM, integrating your IT risk management program with the business is possible.

Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:

Core Responsibilities | With an ERM | Without an ERM
Risk decision-making authority; final accountability | Senior Leadership Team | Senior Leadership Team
Risk governance; risk prioritization & communication | ERM | IT Risk Management
Risk identification; risk assessment; risk monitoring | IT Risk Management | IT Risk Management

With an ERM
Pro: IT’s risk management responsibilities are defined (assessment schedules, escalation and reporting procedures).
Con: IT may lack autonomy to implement IT risk management best practices.

Without an ERM
Pro: IT is free to create its own IT risk council and develop customized processes that serve its unique needs.
Con: Lack of clear reporting procedures and mechanisms to share accountability with the business.
Info-Tech’s IT risk management framework walks you through each step to achieve risk readiness

[Diagram: IT Risk Management Framework, a cycle centred on Business Objectives, with these stages and activities]
Risk Governance: Engage Stakeholder Participation; Communication; Assess Risk Maturity
Risk Identification: Use Risk Identification Frameworks; Compile IT-Related Risks
Risk Assessment: Establish Thresholds for Unacceptable Risk; Determine Risk Severity & Expected Cost; Prioritize IT Risks
Risk Response: Calculate Cost-Benefit Analysis; Perform Risk Response Actions
Monitoring: Establish Monitoring Responsibilities; Report Risk
Optimize Risk Management Processes: Measure the Success of the Program


Effective IT risk management benefits
Obtain the support of the senior leadership team or IT steering committee by communicating how IT risk impacts their priorities.

Risk management benefit | To engage the business...
IT is compliant with external laws and regulations. | Identify the industry or legal legislation and regulations your organization abides by.
IT provides support for business compliance. | Find relevant business compliance issues, and relate compliance failures to cost.
IT regularly communicates costs, benefits, and risks to the business. | Acknowledge the number of times IT and the business miscommunicate critical information.
Information and processing infrastructure are very secure. | Point to past security breaches or potential vulnerabilities in your systems.
IT services are usually delivered in line with business requirements. | Bring up IT services that the business was unsatisfied with. Explain that their inputs in identifying risks are correlated with project quality.
IT-related business risks are managed very well. | Make it clear that with no risk tracking process, business processes become exposed and tend to slow down.
IT projects are completed on time and within budget. | Point out late or over-budget projects due to the occurrence of unforeseen risks.
1.1.1 Gain buy-in from senior leadership
1-4 hours

Input: List of IT personnel and business stakeholders
Output: Buy-in from senior leadership for an IT risk management program
Materials: Risk Management Program Manual
Participants: IT executive leadership; Business executive leadership

The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:
• Occasional participation of key IT personnel and select business stakeholders in IT risk council meetings (e.g. once every two weeks).
• Periodic risk assessments (e.g. 4 days, twice a year).
• IT personnel must take on risk monitoring responsibilities (e.g. 1-4 hours per week).
• Record the results in the Program Manual sections 3.3, 3.4 and 3.5.

Record the results in the Risk Management Program Manual.


Integrated Risk Maturity Assessment
Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.

The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM).

Integrated Risk Maturity Assessment: A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization.

Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organization. Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.
1.1.2 Assess current program maturity
1-4 hours

Input: List of IT personnel and business stakeholders
Output: Maturity scores across four key risk categories
Materials: Integrated Risk Maturity Assessment Tool
Participants: IT executive leadership; Business executive leadership

This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.

How to Use This Assessment:
1. Download the Integrated Risk Management Maturity Assessment Tool.
2. Tab 2, "Data Entry": This is a qualitative assessment of your integrated risk management process and is organized by the categories of integrated risk maturity. You will be asked to rate the extent to which you are executing the activities required to successfully complete each phase of the assessment. Use the drop-down menus provided to select the appropriate level of execution for each activity listed.
3. Tab 3, "Results": This tab will display your rate of IRM completeness/maturity. You will receive a score for each category as well as an overall score. The results will be displayed numerically, by percentage, and graphically.

Record the results in the Integrated Risk Maturity Assessment.


Integrated Risk Maturity Categories

1. Context and Strategic Direction: Understanding of the organization’s main objectives and how risk can support or enhance those objectives.
2. Risk Culture and Authority: Examine if risk-based decisions are being made by those with the right level of authority and if the organization’s risk appetite is embedded in the culture.
3. Risk Management Process: Determine if the current process to identify, assess, respond, monitor, and report on risks is benefitting the organization.
4. Risk Program Optimization: Consider opportunities where risk-related data is being gathered, reported, and used to make informed decisions across the enterprise.


Step 1.2
Establish a Risk Governance Framework

This step involves the following participants:
• IT executive leadership
• Business executive leadership

Activities
1.2.1 Identify pain points/obstacles and opportunities
1.2.2 Determine the risk culture of the organization
1.2.3 Develop risk management goals
1.2.4 Develop SMART project metrics
1.2.5 Create the IT risk council
1.2.6 Complete a RACI chart

Outcomes of this step
• Developed goals for the risk management program
• Established the IT risk council
• Assigned accountability and responsibility for risk management processes


Create an IT risk governance framework that integrates with the business
Follow these best practices to make sure your requirements are solid:

1. Self-assess your current approach to IT risk management.
2. Identify organizational obstacles and set attainable risk management goals.
3. Track the effectiveness and success of the program using SMART risk management metrics.
4. Establish an IT risk council tasked with managing IT risk.
5. Set clear risk management accountabilities and responsibilities for IT and business stakeholders.


Key metrics for your IT risk governance framework

Challenges:
• Key stakeholders are left out or consulted once risks have already occurred.
• Failure to employ consistent risk identification methodologies results in omitted and unknown risks.
• Risk assessments do not reflect organizational priorities and may not align with thresholds for acceptable risk.
• Risk assessment occurs sporadically or only after a major risk event has already occurred.

Key metrics:
• Number of risk management processes done ad hoc.
• Frequency that IT risk appears as an agenda item at IT steering committee meetings.
• Percentage of IT employees whose performance evaluations reflect risk management objectives.
• Percentage of IT risk council members who are trained in risk management activities.
• Number of open positions in the IT risk council.
• Cost of risk management program operations per year.

Info-Tech Insight
Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.


IT risk management success factors

Support and sponsorship from senior leadership
IT risk management has more success when initiated by a member of the senior leadership team or the board, rather than emerging from IT as a grassroots initiative. Sponsorship increases the likelihood that risk management is prioritized and receives the necessary resources and attention. It also ensures that IT risk accountability is assumed by senior leadership.

Risk culture and awareness
A risk-aware organizational culture embraces new policies and processes that reflect a proactive approach to risk. An organization with a risk-aware culture is better equipped to facilitate communication vertically within the organization. Risk awareness can be embedded by revising job descriptions and performance assessments to reflect IT risk management responsibilities.

Organization size
Smaller organizations can often institute a mature risk management program much more quickly than larger organizations. It is common for key personnel within smaller organizations to be responsible for multiple roles associated with risk management, making it easier to integrate IT and business risk management. Larger organizations may find it more difficult to integrate a more complex and dispersed network of individuals responsible for various risk management responsibilities.
1.2.1 Identify obstacles and pain points
1-4 hours

Input: Integrated Risk Maturity Assessment
Output: Obstacles and pain points identified
Materials: IT Risk Management Success Factors
Participants: IT executive leadership; Business executive leadership

Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.

Instructions:
1. List the potential obstacles and missing success factors that you must overcome to effectively manage IT risk and build a risk management program.
2. Consider some opportunities that could be leveraged to increase the success of this program.
3. Use this list in Activity 1.2.3 to develop program goals.


Risk Management
Replace the example pain points and opportunities with real scenarios in your organization.

Pain Points/Obstacles
• Lack of leadership buy-in
• Skills and understanding around risk management within IT
• Skills and understanding around risk management within the organization
• Lack of a defined risk management posture

Opportunities
• Changes in regulations related to risk
• Organization moving toward an integrated risk management program
• Ability to leverage lessons learned from similar companies
• Strong process management and adherence to policies by employees in the organization


1.2.2 Determine the risk culture of your organization
1-3 hours
Determine how your organization fits the criteria listed below. Descriptions and examples do not have to match your organization perfectly.

Risk Tolerant
• You have no compliance requirements.
• You have no sensitive data.
• Customers do not expect you to have strong security controls.
• Revenue generation and innovative products take priority and risk is acceptable.
• The organization does not have remote locations.
• It is likely that your organization does not operate within the following industries: Finance; Health care; Telecom; Government; Research; Education.

Moderate
• You have some compliance requirements, e.g.: HIPAA; PIPEDA.
• You have sensitive data, and are required to retain records.
• Customers expect strong security controls.
• Information security is visible to senior leadership.
• The organization has some remote locations.
• Your organization most likely operates within the following industries: Government; Research; Education.

Risk Averse
• You have multiple, strict compliance and/or regulatory requirements.
• You house sensitive data, such as medical records.
• Customers expect your organization to maintain strong and current security controls.
• Information security is highly visible to senior management and public investors.
• The organization has multiple remote locations.
• Your organization operates within the following industries: Finance; Healthcare; Telecom.
Be aware of the organization’s attitude towards risk
Risk culture is an organization’s attitude towards taking risks. This attitude manifests itself in two ways:

One element of risk culture is what levels of risk the organization is willing to accept to pursue its objectives and what levels of risk are deemed unacceptable. This is often called risk appetite.

Risk tolerant: Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks.
Risk averse: Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance toward risk.

The other component of risk culture is the degree to which risk factors into decision making.

Risk conscious: Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives, regardless of whether they choose to accept or respond to those risks.
Unaware: Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives and choose to invest resources elsewhere.

Info-Tech Insight
Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.
1.2.3 Develop goals for the IT risk management program
1-4 hours

Input: Integrated Risk Maturity Assessment; Risk Culture; Pain Points and Opportunities
Output: Goals for the IT risk management program
Materials: Risk Management Program Manual
Participants: IT executive leadership; Business executive leadership

Translate your maturity assessment and knowledge about organizational risk culture, potential obstacles, and success factors to develop goals for your IT risk management program.

Instructions:
1. In the Risk Management Program Manual, revise, replace, or add to the high-level goals provided in section 2.4.
2. Make sure that you have three to five high-level goals that reflect the current and targeted maturity of IT risk management processes.
3. Integrate potential obstacles, pain points, and insights from the organization’s risk culture.

Record the results in the Risk Management Program Manual.


1.2.4 Develop SMART project metrics
1-3 hours
Create metrics for measuring the success of the IT risk management program.

Ensure that all success metrics are SMART:
Specific: Make sure the objective is clear and detailed.
Measurable: Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.
Actionable: Objectives become actionable when specific initiatives designed to achieve the objective are identified.
Realistic: Objectives must be achievable given your current resources or known available resources.
Time-Bound: An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.

Instructions
1. Document a list of appropriate metrics to assess the success of the IT risk management program on a whiteboard.
2. Use the sample metrics listed in the table on the next slide as a starting point.
3. Fill in the chart to indicate the:
   a) Name of the success metric
   b) Method for measuring success
   c) Baseline measurement
   d) Target measurement
   e) Actual measurements at various points throughout the process of improving the risk management program
   f) A deadline for each metric to meet the target measurement


1.2.4 Develop SMART project metrics (continued)
1-3 hours
Attach metrics to your goals to gauge the success of the IT risk management program. Replace the example metrics with accurate KPIs or metrics for your organization.

Sample Metrics (the Checkpoint 1, Checkpoint 2 and Final columns are left blank for your own measurements)

Name | Method | Baseline | Target | Deadline
Number of risks identified (per year) | Risk register | 0 | 100 | Dec. 31
Number of business units represented (risk identification) | Meeting minutes | 0 | 5 | Dec. 31
Frequency of risk assessment | Assessments recorded in risk management program manual | 0 | 2 per year | Year 2
Percentage of identified risk events that undergo expected cost assessment | Ratio of risks assessed in the risk costing tool to risks assessed in the risk register | 0 | 20% | Dec. 31
Number of top risks without an identified risk response | Risk register | 5 | 0 | March 1
Cost of risk management program operations per year | Meeting frequency and duration, multiplied by the cost of participation | $2,000 | $5,000 | Dec. 31
Create the IT risk committee (ITRC)

Responsibilities of the ITRC:
1. Formalize risk management processes.
2. Identify and review major risks throughout the IT department.
3. Recommend an appropriate risk appetite or level of exposure.
4. Review the assessment of the impact and likelihood of identified risks.
5. Review the prioritized list of risks.
6. Create a mitigation plan to minimize risk likelihood and impact.
7. Review and communicate overall risk impact and risk management success.
8. Assign risk ownership responsibilities of key risks to ensure key risks are monitored and risk responses are effectively implemented.
9. Address any concerns regarding the risk management program, including, but not limited to, reviewing members' risk management duties and resourcing.
10. Communicate risk reports to senior management annually.
11. Make any alterations to the committee roster and the individuals' responsibilities as needed and document changes.

Must be on the ITRC:
• CIO
• CRO (if applicable)
• Senior Directors
• Security Officer
• Head of Operations

Should be on the ITRC:
• CFO
• Senior representation from every business unit impacted by IT risk


1.2.5 Create the IT risk council
1-4 hours

Input: List of IT personnel and business stakeholders
Output: Goals for the IT risk management program
Materials: Risk Management Program Manual
Participants: CIO; CRO (if applicable); Senior Directors; Head of Operations

Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.

Instructions:
1. Review sections 3.1 (Mandate) and 3.2 (Agenda and Responsibilities) of the IT Risk Committee Charter, located in the Risk Management Program Manual. Make any necessary revisions.
2. In section 3.3, document how frequently the council is scheduled to meet.
3. In section 3.4, document members of the IT risk council.
4. Obtain sign-off for the IT risk council from the CIO or another member of the senior leadership team in section 3.5 of the manual.

Record the results in the Risk Management Program Manual.
1.2.6 Complete RACI chart
1-3 hours
A RACI diagram is a useful visualization that identifies redundancies and ensures that every role, project, or task has an accountable party.

RACI is an acronym made up of four participatory roles:
• Responsible: Stakeholders who undertake the activity.
• Accountable: Stakeholders who are held responsible for failure or take credit for success.
• Consulted: Stakeholders whose opinions are sought.
• Informed: Stakeholders who receive updates.

Instructions
1. Use the template provided on the following slide, and add key stakeholders who do not appear and are relevant for your organization.
2. For each activity, assign each stakeholder a letter.
3. There must be an accountable party for each activity (every activity must have an "A").
4. For activities that do not apply to a particular stakeholder, leave the space blank.
5. Once the chart is complete, copy/paste it into section 4.1 of the Risk Management Program Manual.


1.2.6 Complete RACI chart (continued)
1-3 hours
Assign risk management accountabilities and responsibilities to key stakeholders:

Stakeholder | Risk Coordination | Risk Identification | Risk Thresholds | Risk Assessment | Identify Responses | Cost-Benefit Analysis | Monitoring | Risk Decision Making
ITRC | A | R | I | R | R | R | A | C
ERM | C | I | C | I | I | I | I | C
CIO | I | A | A | A | A | A | I | R
IT | I | I | I | I | I | I | R | C

Rows with blank cells (letters listed in column order; the blank columns cannot be recovered from the extracted chart):
• CRO: I, R, C, I, R
• CFO: I, R, C, I, R
• CEO: I, R, C, I, A
• Business Units: I, C, C, C
• PMO: C, C, C

Legend: R = Responsible, A = Accountable, C = Consulted, I = Informed


Phase 2: Identify and Assess IT Risk

Build an IT Risk Management Program
Phase 1: 1.1 Review IT Risk Management Fundamentals; 1.2 Establish a Risk Governance Framework
Phase 2: 2.1 Identify IT Risks; 2.2 Assess and Prioritize IT Risks
Phase 3: 3.1 Develop Risk Responses and Monitor IT Risks; 3.2 Report IT Risk Priorities

This phase will walk you through the following activities:
• Add organization-specific risk scenarios
• Identify risk events
• Augment risk event list using COBIT 2019 processes
• Conduct a PESTLE analysis
• Determine the threshold for (un)acceptable risk
• Create a financial impact assessment scale
• Select a technique to measure reputational cost
• Create a likelihood scale
• Assess risk severity level
• Assess expected cost

This phase involves the following participants:
• IT risk council
• Relevant business stakeholders
• Representation from senior management team
• Business Risk Owners
Step 2.1: Identify IT Risks

Activities
2.1.1 Add organization-specific risk scenarios
2.1.2 Identify risk events
2.1.3 Augment risk event list using COBIT 2019 processes
2.1.4 Conduct a PESTLE analysis

This step involves the following participants:
• IT executive leadership
• IT Risk Council
• Business executive leadership
• Business risk owners

Outcomes of this step
• Participation of key stakeholders
• Comprehensive list of IT risk events


Get to know what you don't know

1. Engage the right stakeholders in risk identification.
2. Employ Info-Tech's top-down approach to risk identification.
3. Augment your risk event list using alternative frameworks.

Key metrics:
• Total risks identified
• New risks identified
• Frequency of updates to the Risk Register Tool
• Number of realized risk events not identified in the Risk Register Tool
• Level of business participation in enterprise IT risk identification
  o Number of business units represented
  o Number of meetings attended in person
  o Number of risk reports received

Info-Tech Insight
What you don't know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of? Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT's risks.
Engage key stakeholders

Ensure that all key risks are identified by engaging key business stakeholders.

Benefits of obtaining business involvement during the risk identification stage:
• You will identify risk events you had not considered or you weren't aware of.
• You will identify risks more accurately.
• Risk identification is an opportunity to raise awareness of IT risk management early in the process.

Executive Participation:
• CIO participation is integral when building a comprehensive register of risk events impacting IT.
• CIOs and IT directors possess a holistic view of all of IT's functions.
• CIOs and IT directors are uniquely placed to identify how IT affects other business units and the attainment of business objectives. If applicable, CRO and CTO participation is also critical.

Prioritizing and Selecting Stakeholders
1. Reliance on IT services and technologies to achieve business objectives.
2. Relationship with IT, and willingness to engage in risk management activities.
3. Unique perspectives, skills, and experiences that IT may not possess.

Info-Tech Insight
While IT personnel are better equipped to identify IT risk than anyone, IT does not always have an accurate view of the business' exposure to IT risk. Strive to maintain a 3 to 1 ratio of IT to non-IT personnel involved in the process.


Enable IT to target risk holistically
Take a top-down approach to risk identification to guide brainstorming

Info-Tech's risk categories are consistent with a risk identification method called Risk Prompting. A risk prompt list is a list that categorizes risks into types or areas. The ten risk categories encapsulate the services, activities, responsibilities, and functions of most IT departments. Use these categories and the example risk scenarios provided as prompts to guide brainstorming and organize risks.

Risk Category: High-level groupings that describe risk pertaining to major IT functions. See the following slide for all ten of Info-Tech's IT risk categories.
Risk Scenario: An abstract profile representing common risk groups that are more specific than risk categories. Typically, organizations are able to identify two to five scenarios for each category.
Risk Event: Specific threats and vulnerabilities that fall under a particular risk scenario. Organizations are able to identify anywhere between 1 and 20 events for each scenario. See the Appendix of the Risk Management Program Manual for a list of risk event examples.

Risk Category | Risk Scenario | Risk Event
Compliance | Regulatory compliance | Being fined for not complying with/being aware of a new regulation.
Compliance | Externally originated attack | Phishing attack on the organization.
Operational | Technology evaluation & selection | Partnering with a vendor that is not in compliance with a key regulation.
Operational | Capacity planning | Not having sufficient resources to support a DRP.
Third-Party Risk | Vendor management | Vendor performance requirements are improperly defined.
Third-Party Risk | Vendor selection | Vendors are improperly selected to meet the defined use case.
2.1.1 Add organization-specific risk scenarios
1-3 hours
Review Info-Tech's ten IT risk categories and add risk scenarios to the examples provided.

IT Reputational
• Negative PR
• Consumers writing negative reviews
• Employees writing negative reviews

IT Financial
• Stock prices drop
• Value of the organization is reduced

IT Strategic
• Organization prioritizes innovation but remains focused on operational
• Unable to access data to support strategic initiative

Operational
• Enterprise architecture
• Technology evaluation and selection
• Capacity planning
• Operational errors

Availability
• Power outage
• Increased data workload
• Single source of truth
• Lacking knowledge transfer processes for critical tasks

Performance
• Network failure
• Service levels not being met
• Capacity overload

Compliance
• Regulatory compliance
• Standards compliance
• Audit compliance

Security
• Malware
• Internally originated attack

Third Party
• Vendor selection
• Vendor management
• Contract termination

Digital
• No back-up process if automation fails


2.1.2 Identify risk events
1-4 hours

Input: IT risk categories
Output: Risk events identified and categorized
Materials: Risk Register Tool
Participants: IT risk council; Relevant business stakeholders; Representation from senior management team; Business risk owners; CRO (if applicable)

Use Info-Tech's IT risk categories and scenarios to brainstorm a comprehensive list of IT-related threats and vulnerabilities impacting your organization.

Instructions:
1. Document risk events in the Risk Register Tool.
2. List risk scenarios (organized by risk category) in the Risk Events/Threats column.
3. Disseminate the list to key stakeholders who were unable to participate and solicit their feedback.
   • Consult the RACI chart located in section 4.1 of the Risk Management Program Manual.
4. Attack one scenario at a time, exhausting all realistic risk events for that grouping before moving onto the next scenario. Each scenario should take approximately 45-60 minutes.

Tip: If disagreement arises regarding whether a specific risk event is relevant to the organization or not and it cannot be resolved quickly, include it in the list. The applicability of these risks will become apparent during the assessment process.

Record the results in the Risk Register Tool.
2.1.3 Augment the risk event list using COBIT 2019 processes (Optional)
1-3 hours
Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.

Instructions
1. Review COBIT 2019's 40 IT processes and identify additional risk events.
2. Match risk events to the corresponding risk category and scenario and add them to the Risk Register Tool.

COBIT 2019 processes:
1. Managed IT Management Framework
2. Managed Strategy
3. Managed Enterprise Architecture
4. Managed Innovation
5. Managed Portfolio
6. Managed Budget and Costs
7. Managed Human Resources
8. Managed Relationships
9. Managed Service Agreements
10. Managed Vendors
11. Managed Quality
12. Managed Risk
13. Managed Security
14. Managed Data
15. Managed Programs
16. Managed Requirements Definition
17. Managed Solutions Identification and Build
18. Managed Availability and Capacity
19. Managed Organizational Change Enablement
20. Managed IT Changes
21. Managed IT Change Acceptance and Transitioning
22. Managed Knowledge
23. Managed Assets
24. Managed Configuration
25. Managed Projects
26. Managed Operations
27. Managed Service Requests and Incidents
28. Managed Problems
29. Managed Continuity
30. Managed Security Services
31. Managed Business Process Controls
32. Managed Performance and Conformance Monitoring
33. Managed System of Internal Control
34. Managed Compliance with External Requirements
35. Managed Assurance
36. Ensured Governance Framework Setting and Maintenance
37. Ensured Benefits Delivery
38. Ensured Risk Optimization
39. Ensured Resource Optimization
40. Ensured Stakeholder Engagement
2.1.4 Finalize your risk register by conducting a PESTLE analysis (Optional)
1-3 hours
Explore alternative identification techniques to incorporate external factors and avoid "groupthink."

Consider the External Environment – PESTLE Analysis
Despite efforts to encourage equal participation in the risk identification process, key risks may not have been shared in previous exercises. Conduct a PESTLE analysis as a final safety net to ensure that all key risk events have been identified.

List the following factors influencing the risk event:
• Political factors
• Economic factors
• Social factors
• Technological factors
• Legal factors
• Environmental factors

Avoid "Groupthink" – Nominal Group Technique
The Nominal Group Technique uses the silent generation of ideas and an enforced "safe" period of time where ideas are shared but not discussed to encourage judgement-free idea generation.
• Ideas are generated silently and independently.
• Ideas are then shared and documented; however, discussion is delayed until all of the group's ideas have been recorded.
• Idea generation can occur before the meeting and be kept anonymous.

Note: Employing either of these techniques will lengthen an already time-consuming process. Only consider these techniques if you have concerns regarding the homogeneity of the ideas being generated or if select individuals are dominating the exercise.
Step 2.2: Assess and Prioritize IT Risks

Activities
2.2.1 Determine the threshold for (un)acceptable risk
2.2.2 Create a financial impact assessment scale
2.2.3 Select a technique to measure reputational cost
2.2.4 Create a likelihood scale
2.2.5 Risk severity level assessment
2.2.6 Expected cost assessment

This step involves the following participants:
• IT risk council
• Relevant business stakeholders
• Representation from senior management team
• Business risk owners

Outcomes of this step
• Business-approved thresholds for unacceptable risk
• Completed Risk Register Tool with risks prioritized according to severity
• Expected cost calculations for high-priority risks
Reveal the organization's greatest IT threats and vulnerabilities

1. Establish business-approved risk thresholds for acceptable and unacceptable risk.
2. Conduct a streamlined assessment of all risks to separate acceptable and unacceptable risks.
3. Perform a deeper, cost-based assessment of prioritized risks.

Key metrics:
• Frequency of IT risk assessments (annually, bi-annually, etc.)
• Assessment accuracy
  o Percentage of risk assessments that are substantiated by later occurrences or testing
  o Ratio of cumulative actual costs to expected costs
• Assessment consistency
  o Percentage of risk assessments that are substantiated by third-party audit
• Assessment rigor
  o Percentage of identified risk events that undergo first-level assessment (severity scores)
  o Percentage of identified risk events that undergo second-level assessment (expected cost)
• Stakeholder oversight and participation
  o Level of executive participation in IT risk assessment (attend in person, receive report, etc.)
  o Number of business stakeholder reviews per risk assessment

Info-Tech Insight
Risk is money. It's impossible to make intelligent decisions about risks without knowing what their financial impact will be.
Review risk assessment fundamentals

Risk assessment provides you with the raw materials to conduct an informed cost-benefit analysis and make robust risk response decisions. In this section, you will be prioritizing your IT risks according to their risk severity, which is a reflection of their expected cost.

Calculating risk severity:

Risk Impact × Likelihood of Occurrence = Risk Severity

• Risk Impact: how much you expect a risk event to cost if it were to occur (e.g. $250,000 or "High").
• Likelihood of Occurrence: calibrated by how likely the risk is to occur (e.g. 10% or "Low").
• Risk Severity: produces a dollar value or "severity level" for comparing risks (e.g. $25,000 or "Medium").

Risk severity must then be evaluated against the thresholds for acceptable risk (risk tolerance) and the cost of risk responses (cost-benefit analysis, CBA) in order to select a risk response.


Maintain the engagement of key stakeholders in the risk assessment process

1. Engage the Business During Assessment
Asking business stakeholders to make significant contributions to the assessment exercise may be unrealistic (particularly for members of the senior leadership team, other than the CIO). Ensure that they work with you to finalize thresholds for acceptable or unacceptable risk.

2. Verify the Risk Impact and Assessment Process
If IT has ranked risk events appropriately, the business will be more likely to offer their input. Share impact and likelihood values for key risks to see if they agree with the calculated risk severity scores.

3. Identify Where the Business Focuses Attention
While verifying, pay attention to the risk events that the business stresses as key risks. Keep these risks in mind when prioritizing risk responses as they are more likely to receive funding. Try to communicate the assessments of these risk events in terms of expected cost to attract the attention of business leaders.

Info-Tech Insight
If business executives still won't provide the necessary information to update your initial risk assessments, IT should approach business unit leaders and lower-level management. Lean on strong relationships forged over time between IT and business managers or supervisors to obtain any additional information.
Info-Tech recommends a two-level approach to risk assessment
Review the two levels of risk assessment offered in this blueprint.

Level 1: Risk severity level assessment (mandatory)
• Number of risks: Assess all risk events identified in Step 2.1.
• Units of measurement: Use customized likelihood and impact "levels."
• Time required: One to five minutes per risk event.
• Assess Likelihood (Negligible / Low / Moderate / High / Very High) × Assess Impact (Negligible / Low / Moderate / High / Very High) = Output: Risk Severity Level (e.g. Moderate).
• Chart risk events according to risk severity as this allows you to organize and prioritize IT risks.

Assess all of your identified risk events with a risk severity-level assessment.
• By creating a likelihood and impact assessment scale divided into three to nine "levels" (sometimes referred to as "buckets"), you can evaluate every risk event quickly while being confident that risks are being assessed accurately.
• In the following activities, you will create likelihood and impact scales that align with your organizational risk appetite and tolerance.
• Severity-level assessment is a "first pass" of your risk list, revealing your organization's most severe IT risks, which can be assessed in greater detail by incorporating expected cost into your evaluation.
Info-Tech recommends a two-level approach to risk assessment (continued)

Level 2: Expected cost assessment (optional)
• Number of risks: Only assess high-priority risks revealed by severity-level assessment.
• Units of measurement: Use actual likelihood values (%) and impact costs ($).
• Time required: 10-20 minutes per risk event.
• Assess Likelihood (15%) × Assess Impact ($100,000) = Output: Expected Cost ($15,000).
• Expected cost is useful for conducting cost-benefit analysis and comparing IT risks to non-IT risks and other budget priorities for the business.

Conduct expected cost assessments for IT's greatest risks. For risk events warranting further analysis, translate risk severity levels into hard expected-cost numbers.

Why conduct expected cost assessments?
• Expected cost represents how much you would expect to pay in an average year for each risk event.
• Communicate risk priorities to the business in language they can understand.
• While risk severity levels are useful for comparing one IT risk to another, expected cost data allows the business to compare IT risks to

Why is expected cost assessment optional?
• Determining robust likelihood values and precise impact estimates can be challenging and time consuming.
• Some risk events may require extensive data gathering and industry analysis.

Implement and leverage a centralized risk register

The purpose of the risk register is to act as the repository for all the risks that have been identified within your environment.

Use this tool to:
1. Collect and maintain a repository for all IT risk events impacting the organization and relevant information for each risk.
   • Capture all relevant IT risk information in one location.
   • Organize risk identification and assessment information for transparent risk management, stakeholder review, and/or internal audit.
2. Calculate risk severity scores to prioritize risk events and determine which risks require a risk response.
   • Separate acceptable and unacceptable risks (as determined by the business).
   • Rank risks based on severity levels.
3. Assess risk responses and calculate residual risk.
   • Evaluate the effect that proposed risk response actions will have on top risk events and quantify residual risk magnitude.
   • This step will be completed in section 3.1.
2.2.1 Determine the threshold for (un)acceptable risk
1-4 hours

Input: Risk events; Risk appetite
Output: Threshold for risk identified
Materials: Risk Register Tool; Risk Management Program Manual
Participants: IT risk council; Relevant business stakeholders; Representation from senior management team; Business risk owner

There are times when the business needs to know about IT risks with high expected costs.

Instructions:
1. Create an expected cost threshold that defines what constitutes an acceptable and unacceptable risk for the organization. This figure should be a concrete dollar value. In the next exercises, you will build risk impact and likelihood scales with this value in mind, ensuring that "high" or "extreme" risks are immediately communicated to senior leadership.
2. Do not consider IT budget restrictions when developing this number. The acceptable risk threshold should reflect the business' tolerance/appetite for risk.

This threshold is typically based on the organization's ability to absorb financial losses, and its tolerance/appetite towards risk.

If your organization has ERM, adopt the existing acceptability threshold.

Record this threshold in section 5.3 of the Risk Management Program Manual.


2.2.2 Create a financial impact assessment scale
1-4 hours

Input: Risk events; Risk threshold
Output: Financial impact scale created
Materials: Risk Register Tool; Risk Management Program Manual
Participants: IT risk council; Relevant business stakeholders; Representation from senior management team; Business risk owner

Instructions:
1. Create a scale to assess the financial impact of risk events.
   • Typically, risk impacts are assessed on a scale of 1-5; however, some organizations may prefer to assess risks using 3, 4, 7, or 9-point scales.
2. Ensure that the unacceptable risk threshold is reflected in the scale.
   • In the example provided, the unacceptable risk threshold ($100,000) is represented as "High" on the impact scale.
3. Attach labels to each point on the scale. Effective labels will easily distinguish between risks on either side of the unacceptable risk threshold.

Record the risk impact scale in section 5.3 of the Risk Management Program Manual.


Convert project overruns and service outages into costs

Use the tables below to quickly convert impacts typically measured in units of time to financial cost. Replace the values in the table with those that reflect your own costs.
• While project overruns and service outages may have intangible impacts beyond the unexpected costs stemming from paying employees and lost revenue (such as adding complexity to project management and undermining the business' confidence in IT), these measurements will provide adequate impact estimations for risk assessment.
• Remember, complex risk events can be analyzed further with an expected cost assessment.

Project Overruns
Project | Time (days) | Number of employees | Average cost per employee (per day) | Estimated cost
 | 20 days | 8 | $300 | $48,000

Service Outages
Service | Time (hours) | Lost revenue (per hour) | Estimated cost | Impact scale
 | 4 hours | $10,000 | $40,000 | Low

Impact scale (example from Activity 2.2.2):
$250,000 Extreme
$100,000 High
$60,000 Moderate
$35,000 Low
$10,000 Negligible


2.2.3 Select a technique to measure reputational cost (1 of 3)
1-3 hours
Realized risk events may have profound reputational costs that do not immediately impact your bottom line.

Reputational cost can take several forms, including the internal and external perception of:
1. Brand likeability
2. Product quality
3. Leadership capability
4. Social responsibility

Based on your industry and the nature of the risk, select one of the three techniques described in this section to incorporate reputational costs into your risk assessment.

Technique #1 – Use financial indicators:
For-profit companies typically experience reputational loss as a gradual decline in the strength of their brand, exclusion from industry groups, or lost revenue. If possible, use these measures to put a price on reputational loss:
• Lost revenue attributable to reputation loss
• Loss of market share attributable to reputation loss
• Drops in share price attributable to reputation loss (for public companies)

Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.
• If you are not able to effectively translate all reputational costs into financial costs, proceed to techniques 2 and 3 on the following slides.
2.2.3 Select a technique to measure reputational cost (2 of 3)
1-3 hours

It is common for public sector or not-for-profit organizations to have difficulty putting a price tag on intangible reputational costs.
• For example, a government organization may be unable to directly quantify the cost of losing the confidence and/or support of the public.
• A helpful technique is to reframe how reputation is assigned value.

Technique #2 – Calculate the value of avoiding reputational cost:
1. Imagine that the particular risk event you are assessing has occurred. Describe the resulting reputational cost using qualitative language. For example:
   A data breach, which caused the unsanctioned disclosure of 2,000 client files, has inflicted high reputational costs on the organization. These have impacted the organization in the following ways:
   • Loss of organizational trust in IT
   • IT's reputation as a value provider to the organization is tarnished
   • Loss of client trust in the organization
   • Potential for a public reprimand of the organization by the government to restore public trust
2. Then, determine (hypothetically) how much money the organization would be willing to spend to prevent the reputational cost from being incurred.
3. Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.
2.2.3 Select a technique to measure reputational cost (3 of 3)
1-3 hours
If you feel that the other techniques have not reflected reputational impacts in the overall severity level of the risk, create a parallel scale that roughly matches your financial impact scale.

Technique #3 – Create a parallel scale for reputational impact:
Visibility is a useful metric for measuring reputational impact. Visibility measures how widely knowledge of the risk event has spread and how negatively the organization is perceived. Visibility has two main dimensions:
• Internal vs. External
• Low Amplification vs. High Amplification

Internal/External: The further outside of the organization that the risk event is visible, the higher the reputational impact.
Low/High Amplification: The greater the ability of the actor to communicate and amplify the occurrence of a risk event, the higher the reputational impact.

After establishing a scale for reputational impact, test whether it reflects the severity of the financial impact levels in the financial impact scale.
• For example, if the media learns about a recent data breach, does that feel like a $100,000 loss?

Example parallel scale:
External, High Amplification (regulators, lawsuits) – Extreme
High
Moderate
Internal, High Amplification (CEO) – Low
Internal, Low Amplification (IT) – Negligible
2.2.4 Create a likelihood scale
1-3 hours

Instructions:
1. Create a scale to assess the likelihood that a risk event will occur over a given period of time.
   • Info-Tech recommends assessing the likelihood that the risk event will occur over a period of one year (the IT risk council should be reassessing the risk event no less than once per year).
2. Ensure that the likelihood scale contains the same number of levels as the financial impact scale (3, 4, 5, 7, or 9).
3. The example provided is likely to satisfy most IT departments; however, you may customize the distribution of likelihood values to reflect the organization's aversion towards uncertainty.
   • For example, an extremely risk-averse organization may consider any risk event with a likelihood greater than 20% to have a "High" likelihood of occurrence.
4. Attach the same labels used for the financial impact scale (Low, Moderate, High, etc.).

Example likelihood scale (per year):
80–99% Extreme
60–79% High
40–59% Moderate
20–39% Low
1–19% Negligible

Record the likelihood scale in section 5.3 of the Risk Management Program Manual.

Info-Tech Insight
Note: Info-Tech endorses the use of likelihood values (1-99%) rather than frequency (3 times per year) as a measurement. For an explanation of why likelihood values lead to more precise and robust risk assessment, see the Appendix.
2.2.5 Risk severity level assessment
6-10 hours

Input: Risk events identified
Output: Assessed the likelihood of occurrence and impact for all identified risk events
Materials: Risk Register Tool
Participants: IT risk council; Relevant business stakeholders; Representation from senior management team; Business risk owner

Instructions:
1. Document the “Risk Category” and “Existing Controls” in the Risk Register Tool.
• (See the slide following this activity for tips on identifying existing controls.)
2. Assign each risk event a likelihood and impact level.
• Remember, you are assessing the impact that a risk event will have on the organization as a whole, not just on IT.
3. When assigning a financial impact level to a risk event, factor in the likely number of instances that the event will occur within the time frame for which you are assessing (usually one year).
• For risk events like third-party service outages that typically occur a few times each year, assign them an impact level that reflects the likelihood of financial impact the risk event will have over the entire year.
• E.g. If your organization is likely to experience two major service outages next year and each outage costs the organization approximately $15,000, the total financial impact is $30,000.

Record results in the Risk Register Tool.


2.2.5 Risk severity level assessment (continued)

Instructions (continued):
4. Assign a risk owner to non-negligible risk events.
• For organizations that practice ongoing risk management and frequently reassess their risk portfolio (minimum once per year), risk ownership does not need to be assigned to “Negligible” or low-level risks.
• View the following slides for advice on how to select a risk owner and information on their responsibilities.
5. As you input the first few likelihood and impact values, compare them to one another to ensure consistency and accuracy:
• Is a service outage really twice as impactful as our primary software provider going out of business?
• Is a data breach far more likely than a >1 hour web-services outage?

Tips for Selecting Likelihood Values: Does ~10% sound right?
Test a likelihood estimate by assessing the truth of the following statements:
• The risk event will likely occur once in the next ten years (if the environment remains nearly identical).
• If ten organizations existed that were nearly identical to our own, it is likely that one out of ten would experience the risk event this year.
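As an added example (not code from Info-Tech or its Risk Register Tool), the following Python scores a small constructed register the way Activities 2.2.4 and 2.2.5 describe: a likelihood value is mapped onto the 2.2.4 bands, the financial impact is annualised (instances per year times cost per instance, as in the two-outage $30,000 example) before it is mapped onto the impact scale, and the two levels are combined into a severity level. The dollar bands of the financial impact scale, the 5x5 matrix used to combine the two levels, and the three sample risks are assumptions; substitute the scale your council recorded in Activity 2.2.2 and the matrix the Risk Register Tool uses.

```python
"""Risk severity level assessment with parallel likelihood and impact scales.

Added example (not Info-Tech's Risk Register Tool). The likelihood bands
come from Activity 2.2.4; the dollar bands of the financial impact scale,
the 5x5 severity matrix and the sample register are constructed here.
"""
from dataclasses import dataclass

LEVELS = ["Negligible", "Low", "Moderate", "High", "Extreme"]

# Likelihood scale from Activity 2.2.4: (lower %, upper %, label), one-year horizon.
LIKELIHOOD_SCALE = [
    (1, 19, "Negligible"), (20, 39, "Low"), (40, 59, "Moderate"),
    (60, 79, "High"), (80, 99, "Extreme"),
]

# Assumed financial impact scale (annual loss in dollars, upper bound inclusive).
IMPACT_SCALE = [
    (10_000, "Negligible"), (50_000, "Low"), (250_000, "Moderate"),
    (1_000_000, "High"), (float("inf"), "Extreme"),
]


@dataclass
class RiskEvent:
    risk_id: str
    description: str
    likelihood_pct: int          # 1-99: likelihood of at least one occurrence this year
    instances_per_year: float    # expected number of occurrences in the assessment period
    cost_per_instance: float     # dollars lost per occurrence, organization-wide


def likelihood_level(pct: int) -> str:
    """Map a 1-99% likelihood value onto the likelihood scale."""
    if not 1 <= pct <= 99:
        raise ValueError("likelihood must be between 1 and 99 percent")
    for low, high, label in LIKELIHOOD_SCALE:
        if low <= pct <= high:
            return label
    raise AssertionError(f"scale does not cover {pct}%")


def annual_impact(instances_per_year: float, cost_per_instance: float) -> float:
    """Step 3: impact over the whole year, not per occurrence (2 x $15,000 = $30,000)."""
    return instances_per_year * cost_per_instance


def impact_level(dollars: float) -> str:
    """Map an annual dollar impact onto the (assumed) financial impact scale."""
    if dollars < 0:
        raise ValueError("impact cannot be negative")
    for upper, label in IMPACT_SCALE:
        if dollars <= upper:
            return label
    raise AssertionError("unreachable: last band is unbounded")


def severity_level(likelihood: str, impact: str) -> str:
    """Combine the two ordinal levels into a severity level.

    Assumption: the product of the 1-5 ordinals (1..25) is banded as
    1-2 Negligible, 3-5 Low, 6-10 Moderate, 12-16 High, 20-25 Extreme.
    """
    score = (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)
    if score <= 2:
        return "Negligible"
    if score <= 5:
        return "Low"
    if score <= 10:
        return "Moderate"
    if score <= 16:
        return "High"
    return "Extreme"


def assess(event: RiskEvent) -> dict:
    """Produce the register row: likelihood level, annual impact, impact level, severity."""
    dollars = annual_impact(event.instances_per_year, event.cost_per_instance)
    lik = likelihood_level(event.likelihood_pct)
    imp = impact_level(dollars)
    sev = severity_level(lik, imp)
    return {
        "risk_id": event.risk_id,
        "likelihood": lik,
        "annual_impact": dollars,
        "impact": imp,
        "severity": sev,
        # Step 4 (assumed reading): only Negligible risks go without an owner.
        "needs_owner": sev != "Negligible",
    }


def assess_register(events) -> list:
    """Assess every event and order the register from most to least severe."""
    rows = [assess(e) for e in events]
    return sorted(rows, key=lambda r: LEVELS.index(r["severity"]), reverse=True)


# Constructed sample register (values are illustrative, not Info-Tech data).
SAMPLE_REGISTER = [
    RiskEvent("R001", "Third-party service outage", 85, 2, 15_000),
    RiskEvent("R002", "Data breach via lost mobile device", 30, 1, 400_000),
    RiskEvent("R003", "Primary software provider goes out of business", 5, 1, 2_000_000),
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        print(row)
```

The sorted output is the point of step 5: with these assumptions a twice-yearly outage (R001) and a single lost device (R002) both land on Moderate, which is the kind of pairing the council should sanity-check against each other before filling in the rest of the register.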


Identify current risk controls
Consider how IT is already addressing key risks.

Types of current risk control
Tactical risk control: applies to individual risks only.
• Example: A tactical control for backup/replication failure is faster WAN lines.
Strategic risk control: applies to multiple risks.
• Example: A strategic control for backup/replication failure is implementing formal DR plans.

Consider both tactical and strategic controls already in place when filling out risk event information in the Risk Register Tool.

Info-Tech Insight
Identifying existing risk controls (past risk responses) provides a clear picture of the measures already in place to avoid, mitigate, or transfer key risks. This reveals opportunities to improve existing risk controls, or where new strategies are needed, to reduce risk severity levels below business thresholds.


Assign a risk owner for each risk event
Designate a member of the IT risk council to be responsible for each risk event.

Selecting the Appropriate Risk Owner
Use the following considerations to determine the best owner for each risk:
• The risk owner should be familiar with the process, project, or IT function related to the risk event.
• The risk owner should have access to the necessary data to monitor and measure the severity of the risk event.
• The risk owner’s performance assessment should reflect their ability to demonstrate the ongoing management of their assigned risk events.

Risk Owner Responsibilities
Risk ownership means that an individual is responsible for the following activities:
• Monitoring the threat or vulnerability for changes in the likelihood of occurrence and/or likely impact.
• Monitoring changes in the market and external environment that may alter the severity of the risk event.
• Monitoring changes of closely related risks with interdependencies.
• Developing and using key risk indicators (KRIs) to measure changes in risk severity.
• Regularly reporting changes in risk severity to the IT risk council.
• If necessary, escalating the risk event to other IT risk council personnel or senior management for reassessment.
• Monitoring risk severity levels for risk events after a risk response has been
Use Info-Tech’s Risk Costing Tool to calculate the expected cost of IT’s high-priority risks (optional)

Use this tool to:
1. Conduct a deeper analysis of severe risks.
• Determine specific likelihood and financial impact values to communicate the severity of the risk in the Expected Cost tab.
• Identify the maximum financial impact that the risk event may inflict.
2. Assess the effectiveness of multiple risk responses for each risk event.
• Determine how proposed risk responses will change the likelihood of occurrence and financial impact of the risk event.
3. Incorporate risk proximity into your cost-benefit analysis of risk responses.
• Illustrate how spending decisions will impact the expected cost of the risk event over time.


2.2.6 Expected cost assessment (optional)
Assign likelihood and financial impact values to high-priority risks.

Select risks with these characteristics:
Strongly consider conducting an expected cost assessment for risk events that meet one or more of the following criteria.
The risk:
• Has been assigned to the highest risk severity level.
• Has exposed the organization previously and had severe implications.
• Exceeds the organization’s threshold for financial impact.
• Involves an IT function that is highly visible to the business.
• Will likely require risk response actions that will exceed current IT budgetary constraints.
• Is conducive to expected cost assessment:
o There is general consensus on likelihood estimates.
o There is general consensus on financial impact estimates.
o Historical data exists to support estimates.
Record the list of risk events requiring second-level assessment in the Risk Costing Tool.
• Transfer the likelihood and impact levels for each event into the Risk Costing Tool using data from the Risk Register Tool.

Determine which risks require a deeper assessment:
Info-Tech recommends conducting a second-level assessment for 5-15% of your IT risk register.
Communicating the expected cost of high-priority risks significantly increases awareness of IT risks by the business.
Communicating risks to the business using their language also increases the likelihood that risk responses will receive the necessary support and investment.


2.2.6 Expected cost assessment (continued)
Assign likelihood and financial impact values to high-priority risks.

Instructions:
1. Go through the list of prioritized risks in the Risk Costing Tool one by one. Indicate the likelihood and impact level (from the Risk Register Tool) for the risk event being assessed.
2. Record likelihood values (1-99%) and impact values ($) from participants.
• Only record values from individuals that indicate they are fairly confident with their estimates.
• Keep likelihood estimates to values that are multiples of five.
3. Estimate and record the maximum impact that the risk event could inflict.
• See Appendix III for information on how the possibility of high-impact scenarios may influence your decision making.
4. Discuss the estimates provided. Eliminate outliers and retracted estimates.
• If you are unable to achieve consensus, take the average of the values provided.
5. If you are having difficulty arriving at a likelihood or impact value, select the median value of the level assigned to the risk during the risk severity level assessment.
• E.g. Risk event assigned to likelihood level “Moderate” (20-39%). Select a likelihood value of 30%.

Who should participate?
• Depending on the size of your IT risk council, you may want to consider conducting this exercise in a smaller group.
• Ideally, you should try to find the right balance between ensuring that the necessary experience and knowledge is in the room while insulating the exercise from outlier opinions, noise, and distractions.


Evaluate likelihood and impact
Refine your risk assessment process by developing more accurate measurements of likelihood and impact.

Intersubjective likelihood
The goal of the expected cost assessment is to develop robust intersubjective estimates of likelihood and financial impact.
By aggregating a number of expert opinions of what they deem to be the “correct” value, you will arrive at a collectively determined value that better reflects reality than an individual opinion.

Example: The Delphi Method
The Delphi Method is a common technique to produce a judgement that is representative of the collective opinion of a group.
• Participants are sent a series of sequential questionnaires (typically by email).
• The first questionnaire asks them what the likelihood, likely impact, and expected cost is for a specific risk event.
• Data from the questionnaire is compiled and then communicated in a subsequent questionnaire, which encourages participants to restate or revise their estimates given the group’s judgements.
• With each successive questionnaire, responses will typically converge around a single intersubjective value.

Justifying Your Estimates:
When asked to explain the numbers you arrived at during the risk assessment, pointing to an assessment methodology gives greater credibility to your estimates.
• Assign one individual to take notes during the assessment exercise.
• Have them document the main rationale behind each value and the level of consensus.

Info-Tech Insight
The underlying assumption behind intersubjective forecasting is that group judgements are more accurate than individual judgements. However, this may not be the case at all.
Sometimes, a single expert opinion is more valuable than many uninformed opinions. Defining whose opinion is valuable and whose is not is an unpleasant exercise; therefore, selecting the right personnel to participate in the exercise is crucially important.
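The aggregation step that Activity 2.2.6 and the intersubjective-estimate discussion above both describe, as an added example that is not Info-Tech's Risk Costing Tool: confident, non-retracted estimates are recorded, likelihoods are kept to multiples of five, outliers are dropped, the group value is the median where the group agrees and the average where it does not, and the expected cost is likelihood times impact. The outlier rule (three median absolute deviations, with a floor of a quarter of the median), the 10% consensus tolerance, and the seven sample estimates are assumptions; the band-midpoint fallback implements step 5.

```python
"""Aggregate participant estimates into an expected cost (Activity 2.2.6).

Added example, not Info-Tech's Risk Costing Tool. The recording rules
(confident estimates only, drop retracted values, likelihood in multiples
of five, average when consensus fails, fall back to the midpoint of the
severity-assessment level) follow the activity; the outlier rule, the
consensus tolerance and the sample estimates are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, median


@dataclass
class Estimate:
    participant: str
    likelihood_pct: float    # 1-99
    impact_usd: float        # loss if the event occurs
    max_impact_usd: float    # worst plausible loss (step 3)
    confident: bool = True
    retracted: bool = False


# Likelihood bands from Activity 2.2.4, used for the step-5 fallback.
LIKELIHOOD_BANDS = {
    "Negligible": (1, 19), "Low": (20, 39), "Moderate": (40, 59),
    "High": (60, 79), "Extreme": (80, 99),
}


def round_to_five(pct: float) -> int:
    """Step 2: likelihood estimates are kept to multiples of five."""
    return int(5 * round(pct / 5))


def drop_outliers(values: list) -> list:
    """Assumed outlier rule: discard values farther than 3 median absolute
    deviations (floored at 25% of the median) from the median."""
    if len(values) < 3:
        return list(values)
    med = median(values)
    mad = median(abs(v - med) for v in values)
    limit = max(3 * mad, 0.25 * med)
    return [v for v in values if abs(v - med) <= limit]


def consensus_value(values: list) -> float:
    """Median when the group agrees (spread within 10% of the median, assumed),
    otherwise the average, as step 4 prescribes when consensus fails."""
    med = median(values)
    if max(values) - min(values) <= 0.1 * med:
        return med
    return mean(values)


def usable(estimates: list) -> list:
    """Step 2 and step 4: only confident estimates count, retracted ones are removed."""
    return [e for e in estimates if e.confident and not e.retracted]


def fallback_from_level(level: str) -> int:
    """Step 5: midpoint of the level's band, expressed as a multiple of five."""
    low, high = LIKELIHOOD_BANDS[level]
    return round_to_five((low + high) / 2)


def expected_cost_assessment(estimates: list) -> dict:
    """Collapse the participants' estimates into one likelihood, impact and expected cost."""
    kept = usable(estimates)
    if not kept:
        raise ValueError("no confident, non-retracted estimates recorded; use fallback_from_level")
    likelihoods = drop_outliers([round_to_five(e.likelihood_pct) for e in kept])
    impacts = drop_outliers([e.impact_usd for e in kept])
    likelihood = round_to_five(consensus_value(likelihoods))
    impact = consensus_value(impacts)
    return {
        "participants_used": len(kept),
        "likelihood_pct": likelihood,
        "impact_usd": impact,
        "max_impact_usd": max(e.max_impact_usd for e in kept),
        "expected_cost_usd": likelihood / 100 * impact,
    }


# Constructed sample estimates for one risk event (illustrative values only).
SAMPLE_ESTIMATES = [
    Estimate("A", 20, 40_000, 250_000),
    Estimate("B", 25, 50_000, 300_000),
    Estimate("C", 25, 45_000, 200_000),
    Estimate("D", 30, 60_000, 400_000),
    Estimate("E", 80, 500_000, 600_000),                   # outlier, eliminated in discussion
    Estimate("F", 40, 70_000, 350_000, confident=False),   # not confident: not recorded
    Estimate("G", 35, 55_000, 300_000, retracted=True),    # retracted during discussion
]

if __name__ == "__main__":
    print(expected_cost_assessment(SAMPLE_ESTIMATES))
    print("fallback for a Low-level risk:", fallback_from_level("Low"), "%")
```

The note-taker's record of rationale and level of consensus belongs alongside these numbers; the `consensus_value` branch taken for each value is exactly the "level of consensus" the slide asks you to document.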
Phase 3
Monitor, Respond, and Report on IT Risk

This phase will walk you through the following activities:
• Develop key risk indicators (KRIs) and escalation protocols
• Establish the reporting schedule
• Identify and assess risk responses
• Analyze risk response cost-benefit
• Create multi-year cost projections
• Obtain executive approval for risk action plans
• Socialize the Risk Report
• Transfer ownership of risk responses to project managers
• Finalize the Risk Management Program Manual

This phase involves the following participants:
• IT risk council
• Relevant business stakeholders
• Representation from senior management team
• Risk business owner

Phase 1: 1.1 Review IT Risk Management Fundamentals; 1.2 Establish a Risk Governance Framework
Phase 2: 2.1 Identify IT Risks; 2.2 Assess and Prioritize IT Risks
Phase 3: 3.1 Monitor IT Risks and Develop Risk Responses; 3.2 Report IT Risk Priorities

Build an IT Risk Management Program
Step 3.1
Monitor IT Risks and Develop Risk Responses

Activities
3.1.1 Develop key risk indicators (KRIs) and escalation protocols
3.1.2 Establish the reporting schedule
3.1.3 Identify and assess risk responses
3.1.4 Risk response cost-benefit analysis
3.1.5 Create multi-year cost projections

This step involves the following participants:
• IT risk council
• Relevant business stakeholders
• Representation from senior management team
• Business risk owner

Outcomes of this step
• Completed risk event action plans
• Risk responses identified and assessed for top risks
• Risk response selected for top risks

Monitor, Respond, and Report on IT Risk


Use Info-Tech’s Risk Event Action Plan to manage high-priority risks
Manage risks in between risk assessments and create a paper trail for key risks that exceed the unacceptable risk threshold. Use a new form for every high-priority risk that requires tracking.

Obtaining sign-off from the senior leadership team or from the ERM office is an important step of the risk management process. The Risk Event Action Plan ensures that high-priority risks are closely monitored and that changes in risk severity are detected and reported.
Clear documentation is a way to ensure that critical information is shared with management so that they can make informed risk decisions. These reports should be succinct yet comprehensive; depending on time and resources, it is good practice to fill out this form and obtain sign-off for the majority of IT risks.
3.1.1 Develop key risk indicators (KRIs) and escalation protocols
The risk owner should be held accountable for monitoring their assigned risks but may delegate responsibility for these tasks.

Instructions:
1. Design key risk indicators (KRIs) for risks that measure changes in their severity and document them in the Risk Event Action Plan.
• See the following slide for examples.
2. Clearly document the risk owner and the individual(s) carrying out risk monitoring activities (delegates) in the Risk Event Action Plan.

Note: Examples of KRIs can be found on the following slide.
Document KRIs, escalation thresholds, and escalation protocols for each risk in a Risk Event Action Plan.

What are KRIs?
• KRIs should be observable metrics that alert the IT risk council and management when risk severity exceeds acceptable risk thresholds.
• KRIs should serve as tripwires or early-warning indicators that trigger further actions to be taken on the risk.
• Further actions may include:
o Escalation to the risk owner (if delegated) or to a member of the senior leadership team.
o Reporting to the IT risk council or IT steering committee.
o Reassessment.
o Updating the risk monitoring schedule.


Developing KRIs for success

Diagram: a Risk Event is broken down into Intermediate Steps, and each Intermediate Step is given its own KRI Measurement.

Examples of KRIs
• Number of resources who quit or were fired who had access to critical data
• Number of risk mitigation initiatives unfunded
• Changes in time horizon of mitigation implementation
• Number of employees who did not report phishing attempts
• Amount of time required to get critical operations access to necessary data
• Number of days it takes to implement a new regulation or compliance control
3.1.2 Establish the reporting schedule

For each risk event, document how frequently the risk owner must report to the IT risk council in the Risk Event Action Plan.

• A clear reporting schedule enforces accountability for each risk event, ensuring that risk owners are fulfilling their monitoring responsibilities.
• The ongoing discussion of risks between assessment cycles also increases overall awareness of how IT risks are not static but constantly evolving.

Reporting schedule by risk event severity:
• Extreme: Weekly reports to ITRC
• High: Bi-weekly reports to ITRC
• Moderate: Monthly reports to ITRC
• Low: Report to ITRC only if KRI thresholds triggered
• Negligible: No reports; reassessed bi-annually
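The KRI tripwires of Activity 3.1.1 and the severity-based cadence of Activity 3.1.2, as an added example that is not the Risk Event Action Plan template: each KRI carries a warning threshold (report to the ITRC) and an escalation threshold (escalate and reassess), the protocol escalates to the risk owner when monitoring is delegated and to senior leadership otherwise, and a Low-severity risk reports only when a threshold is triggered. The cadence table and the two KRI names are the deck's; the thresholds, the escalation targets, the roles and the observed values are assumptions.

```python
"""KRI tripwires, escalation protocol and reporting cadence (Activities 3.1.1 and 3.1.2).

Added example, not the Risk Event Action Plan template. The reporting
cadence table and the KRI names are taken from the deck; the thresholds,
the escalation targets and the sample observations are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Reporting cadence by risk severity level (Activity 3.1.2).
REPORTING_SCHEDULE = {
    "Extreme": "Weekly reports to ITRC",
    "High": "Bi-weekly reports to ITRC",
    "Moderate": "Monthly reports to ITRC",
    "Low": "Report to ITRC only if KRI thresholds triggered",
    "Negligible": "No reports; reassessed bi-annually",
}


@dataclass(frozen=True)
class KRI:
    name: str
    warn_at: float       # early-warning level: report to the ITRC
    escalate_at: float   # tripwire: escalate and reassess
    higher_is_worse: bool = True


@dataclass
class MonitoredRisk:
    risk_id: str
    severity: str
    owner: str
    delegate: Optional[str]      # person carrying out the monitoring, if delegated
    kris: list = field(default_factory=list)


def crossed(kri: KRI, value: float, threshold: float) -> bool:
    return value >= threshold if kri.higher_is_worse else value <= threshold


def kri_state(kri: KRI, value: float) -> str:
    """'escalate' past the tripwire, 'report' past the early warning, else 'ok'."""
    if crossed(kri, value, kri.escalate_at):
        return "escalate"
    if crossed(kri, value, kri.warn_at):
        return "report"
    return "ok"


def escalation_actions(risk: MonitoredRisk, observations: dict) -> list:
    """Evaluate each KRI against its latest observation and return the
    actions the escalation protocol requires, as (kri, state, action) tuples."""
    # Assumption: a delegate escalates to the risk owner; an owner monitoring
    # personally escalates straight to senior leadership.
    escalate_to = risk.owner if risk.delegate else "senior leadership"
    actions = []
    for kri in risk.kris:
        value = observations.get(kri.name)
        if value is None:
            actions.append((kri.name, "missing", "no measurement recorded; treat as a monitoring gap"))
            continue
        state = kri_state(kri, value)
        if state == "escalate":
            actions.append((kri.name, state, f"escalate to {escalate_to}; reassess risk severity"))
        elif state == "report":
            actions.append((kri.name, state, "report to IT risk council at next scheduled report"))
        else:
            actions.append((kri.name, state, "no action"))
    return actions


def report_due(risk: MonitoredRisk, actions: list) -> bool:
    """Low severity reports only on a trigger, Negligible never, all others on cadence."""
    triggered = any(state in ("report", "escalate") for _, state, _ in actions)
    if risk.severity == "Negligible":
        return False
    if risk.severity == "Low":
        return triggered
    return True


def reporting_cadence(risk: MonitoredRisk) -> str:
    return REPORTING_SCHEDULE[risk.severity]


# Constructed sample: a High-severity risk with two KRIs from the deck's examples.
SAMPLE_RISK = MonitoredRisk(
    risk_id="R004",
    severity="High",
    owner="Director, Infrastructure",           # assumed role
    delegate="Security Operations Lead",        # assumed role
    kris=[
        KRI("Number of resources who quit or were fired who had access to critical data", warn_at=2, escalate_at=4),
        KRI("Number of risk mitigation initiatives unfunded", warn_at=1, escalate_at=3),
    ],
)

# Constructed observations for the current monitoring period.
SAMPLE_OBSERVATIONS = {
    "Number of resources who quit or were fired who had access to critical data": 5,
    "Number of risk mitigation initiatives unfunded": 1,
}

if __name__ == "__main__":
    for kri_name, state, action in escalation_actions(SAMPLE_RISK, SAMPLE_OBSERVATIONS):
        print(f"[{state}] {kri_name}: {action}")
    print(reporting_cadence(SAMPLE_RISK))
```

A KRI with no recorded measurement is reported as a monitoring gap rather than silently treated as "ok"; an unmeasured tripwire is the failure mode that turns a delegated monitoring task into an unmanaged risk.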


Use Info-Tech’s tools to identify, analyze, and select risk responses

Tool 1: Risk Register Tool [Mandatory]
Tool Information
• Develop risk responses for all risk events pre-populated on the “2. Risk Register” sheet of the Risk Register Tool.
• Document the root cause of the risk (Activity 3.1.3) and other contributing factors (Activity 3.1.4).
• Identify risk responses (Activity 3.1.5).
• Predict the effectiveness of the risk response, if implemented, by estimating the residual likelihood and impact of the risk (Activity 3.1.5).
• The tool will calculate the residual severity of the risk after applying the risk response.

Tool 2: Risk Costing Tool [Optional]
Tool Information
• Continue your second-level risk analysis for top risks for which you calculated expected cost in section 2.2.
• Activity 3.1.5:
o Identify between one and four risk response options for each risk.
o Develop precise values for residual likelihood and impact.
o Compare expected cost of the risk event to expected residual cost.
o Select the risk response to recommend to senior leadership and document it in the Risk Register Tool.


Determine the root cause of IT risks

Root cause analysis
Use the “Five Whys” methodology to identify the root cause and contributing/exacerbating factors for each risk event.
Diagnosing the root cause of a risk as well as the environmental factors that increase its potential impact and likelihood of occurring allows you to identify more effective risk responses.
Risk responses that only address the symptoms of the risk are less likely to succeed than responses that address the core issue.

The Five Whys Methodology (example)
Risk event: Network outage
Why? Symptom: Network congestion
Why? Inadequate bandwidth for latency-sensitive applications
Why? Contributing factor: Increased business use of latency-sensitive applications
Why? Root cause: Business units rely on “real-time” data gathered from latency-sensitive applications
Why? (keep asking until the root cause is reached)


Identify factors that contribute to the severity of the risk
Environmental factors interact with the root cause to increase the likelihood or impact of the risk event.
Develop risk responses that target contributing factors.

What factors matter?
Identify relevant actors and assets that amplify or diminish the severity of the risk.
Actors
• Internal (business units)
• External (vendor, regulator, market, competitor, hostile actor)
Assets/Resources
• Infrastructure
• Applications
• Processes
• Information/data
• Personnel
• Reputation
• Operations

Example (network outage):
Root cause: Business units rely on “real-time” data gathered from latency-sensitive applications
• Actors: Enterprise App users (Finance, Product Development, Product Management)
• Asset/resource: Applications, network
• Risk response: Decrease the use of latency-sensitive applications. X – Decreasing the use of key apps contradicts business objectives.
Contributing factors: Unreliable router software
• Actors: Network provider, router vendor, router software vendor, IT department
• Asset/resource: Network, router, router software
• Risk response: Replace the vendor that provides routers and router software. ✓ – Replacing the vendor would reduce network outages at a relatively low cost.
Symptoms: Network outage
• Actors: All business units, network provider
• Asset/resource: Network, business operations, employee productivity
• Risk response: Replace legacy systems. X – Replacing legacy systems would be too costly.


3.1.3 Identify and assess risk responses

Instructions:
Complete the following steps for each risk event.
1. Identify a risk response action that will help reduce the likelihood of occurrence or the impact if the event were to occur.
• Indicate the type of risk response (avoidance, mitigation, transfer, acceptance, or no risk exists).
2. Assign each risk response action a residual likelihood level and a residual impact level.
• This is the same step performed in Activity 2.2.6, when initial likelihood and impact levels were determined; however, now you are estimating the likelihood and impact of the risk event after the risk response action has been implemented successfully.
• The Risk Register Tool will generate a residual risk severity level for each risk event.
3. Identify the potential Risk Action Owner (Project Manager) if the response is selected and turned into an IT project, and document this in the Risk Register Tool.
Record the results in the Risk Event Action Plan.

Document the following in the Risk Event Action Plan for each risk event:
• Risk response actions
• Residual likelihood and impact levels
• Residual risk severity level

Review the following slides about the four types of risk response to help complete the activity:
1. Avoidance
2. Mitigation
3. Transfer
4. Acceptance


Take actions to avoid the risk entirely
Risk Avoidance
• Risk avoidance involves taking evasive maneuvers to avoid the risk event.
• Risk avoidance targets risk likelihood, decreasing the likelihood of the risk event occurring.
• Since risk avoidance measures are fairly drastic, the likelihood is often reduced to negligible levels.
• However, risk avoidance response actions often sacrifice potential benefits to eliminate the possibility of the risk entirely.
• Typically, risk avoidance measures should only be taken for risk events with extremely high severity and when the severity (expected cost) of the risk event exceeds the cost (benefits sacrificed) of avoiding the risk.
Example
Risk event: Information security vulnerability from third-party cloud services provider.
• Risk avoidance action: Store all data in-house.
• Benefits sacrificed: Cost savings, storage flexibility, etc.
Pursue projects that reduce the likelihood or impact of the risk event
Risk Mitigation
• Risk mitigation actions are risk responses that reduce the likelihood and impact of the risk event.
• Risk mitigation actions can be to either implement new controls or enhance existing ones.

Example 1: Most risk responses will reduce both the likelihood of the risk event occurring and its potential impact.
Mitigation: Purchase and implement enterprise mobility management (EMM) software with remote wipe capability.
• EMM reduces the likelihood that sensitive data is accessed by a nefarious actor.
• The remote-wipe capability reduces the impact by closing the window that sensitive data can be accessed from.

Example 2: However, some risk responses will have a greater effect on decreasing the likelihood of a risk event with little effect on decreasing impact.
Mitigation: Create policies that restrict which personnel can access sensitive data on mobile devices.
• This mitigation decreases the number of corporate phones that have access to (or are storing) sensitive data, thereby decreasing the likelihood that a device is compromised.

Example 3: Others will reduce the potential impact without decreasing its likelihood of occurring.
Mitigation: Use robust encryption for all sensitive data.
• Corporate-issued mobile phones are just as likely to fall into the hands of nefarious actors, but the financial impact they can inflict on the organization is greatly reduced.


Pursue projects that reduce the likelihood or impact of the risk event (continued)
Use the following IT functions to guide your selection of risk mitigation actions:

Process Improvement
Key processes that would most directly improve the risk profile:
• Change Management
• Project Management
• Vendor Management

Infrastructure Management
• Disaster Recovery Plan/Business Continuity Plan
• Redundancy and Resilience
• Preventative Maintenance
• Physical Environment Security

Personnel
• Greater staff depth in key areas
• Increased discipline around documentation
• Knowledge Management
• Training

Rationalization and Simplification
This is a foundational activity, as complexity is a major source of risk:
• Application Rationalization – reducing the number of applications
• Data Management – reducing the volume and locations of data


Transfer risks to a third party
Risk transfer: the exchange of uncertain future costs for fixed present costs.

Insurance
The most common form of risk transfer is the purchase of insurance.
• The uncertain future cost of an IT risk event can be transferred to an insurance company who assumes the risk in exchange for insurance premiums.
• The most common form of IT-relevant insurance is cyberinsurance.
Not all risks can be insured. Insurable risks typically possess the following five characteristics:
1. The loss must be accidental (the risk event cannot be insured if it could have been avoided by taking reasonable actions).
2. The insured cannot profit from the occurrence of the risk event.
3. The loss must be able to be measured in monetary terms.
4. The organization must have an insurable interest (it must be the party that incurs the loss).
5. An insurance company must offer insurance against that risk.

Other Forms of Risk Transfer
Other forms of risk transfer include:
• Self-insurance
o Appropriate funds can be set aside in advance to address the financial impact of a risk event should it occur.
• Warranties
• Contractual transfer
o The financial impact of a risk event can be transferred to a third party through clauses agreed to in a contract.
o For example, a vendor can be contractually obligated to assume all costs resulting from failing to secure the organization’s data.
Accept risks that fall below established thresholds
Risk Acceptance
Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat.

You may choose to accept a risk event for one of the following three reasons:
1. The risk severity (expected cost) of the risk event falls below acceptability thresholds and does not justify an investment in a risk avoidance, mitigation, or transfer measure.
2. The risk severity (expected cost) exceeds acceptability thresholds but all effective risk avoidance, mitigation, and transfer measures are ineffective or prohibitively expensive.
3. The risk severity (expected cost) exceeds acceptability thresholds but there are no feasible risk avoidance, mitigation, and transfer measures to be implemented.

Info-Tech Insight
Constant monitoring and the assignment of responsibility and accountability for accepted risk events is crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.
3.1.4 Risk response cost-benefit analysis (optional)
The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.
This helps IT make risk-conscious investment decisions that fall within the IT budget and helps the organization make sound budgetary decisions for risk response projects that cannot be addressed by IT’s existing budget.

Instructions:
1. Reopen the Risk Costing Tool. For each risk for which you conducted an expected cost assessment in section 2.2, find the Excel sheet that corresponds to the risk number (e.g. R001).
2. Identify between one and four risk response options for the risk event and document them in the Risk Costing Tool.
• The “Risk Response 1” field will be automatically populated with expected cost data for a scenario where no action was taken (risk acceptance). This will serve as a baseline for comparing alternative responses.
• For the following steps, go through the risk responses one by one.
3. Estimate the first-year cost for the risk response.
• This cost should reflect initial capital expenditures and first-year operating expenditures.
Record the results in the Risk Costing Tool.


3.1.4 Risk response cost-benefit analysis (continued)
The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.
Instructions:
4. Estimate residual risk likelihood and financial impact for Year 1 with the risk response in place.
• Rather than estimating the likelihood level (low, medium, high), determine a precise likelihood value of the risk event occurring once the response has been implemented.
• Estimate the dollar value of financial impacts if the risk event were to occur with the risk response in place.

The tool will calculate the expected residual cost of the risk event:
(Financial Impact x Likelihood) - Costs = Expected Residual Cost

5. Select the highest value risk response and document it in the Risk Register Tool.
6. Document your analysis and recommendations in the Risk Event Action Plan.

Note: See Activity 3.1.5 to build multi-year cost projections for risk responses.
3.1.5 Create multi-year cost projections (optional)
Select between risk response options by projecting their costs and benefits over multiple years.

• It can be difficult to choose between risk response options that require different payment schedules. A risk response project with costs spread out over more than one year (e.g. incremental upgrades to an IT system) may be more advantageous than a project with costs concentrated up front that may cost less in the long run (e.g. replacing the system).
• However, the impact that risk response projects have on reducing risk severity is not necessarily static. For example, an expensive project like replacing a system may drastically reduce the risk severity of a system failure, whereas incremental system upgrades may only marginally reduce risk severity in the short term but reach similar levels as a full system replacement in a few years.

Instructions:
Calculate expected cost for multiple years using the Risk Costing Tool for:
• Risk events that are subject to change in severity over time.
• Risk responses that reduce the severity of the risk gradually.
• Risk responses that cannot be implemented immediately.

Copy and paste the graphs into the Risk Report and the Risk Event Action Plan for the risk event. Record the results in the Risk Costing Tool.
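The comparison that Activities 3.1.4 and 3.1.5 describe, carried through in Python as an added example that is not Info-Tech's Risk Costing Tool and does not reproduce the tool's own formula: for each response, each year's expected residual cost (financial impact times residual likelihood) is added to that year's response spend, the totals are summed over a chosen horizon, and the result is compared with the acceptance baseline (risk response 1, no action). The scenario is the one the slide sketches, a full system replacement against incremental upgrades, and shows why the horizon matters. The dollar figures, likelihoods, and the use of net savings against the baseline as the ranking metric are assumptions.

```python
"""Multi-year cost-benefit comparison of risk responses (Activities 3.1.4 and 3.1.5).

Added example, not Info-Tech's Risk Costing Tool and not its formula.
Each year's expected residual cost (financial impact x likelihood) plus
that year's response spend is summed over the horizon and compared with
the acceptance baseline (no action). All figures are constructed.
"""
from dataclasses import dataclass


@dataclass
class Response:
    name: str
    cost_by_year: list        # response spend per year (capex + opex), year 1 first
    likelihood_by_year: list  # residual likelihood (0-1) of the event in each year
    impact_by_year: list      # residual financial impact ($) if the event occurs that year

    def __post_init__(self):
        if not len(self.cost_by_year) == len(self.likelihood_by_year) == len(self.impact_by_year):
            raise ValueError(f"{self.name}: per-year series must have equal length")


def expected_residual_cost(likelihood: float, impact: float) -> float:
    return likelihood * impact


def yearly_totals(resp: Response, years: int) -> list:
    """Expected residual cost plus response spend for each of the first `years` years."""
    if years > len(resp.cost_by_year):
        raise ValueError(f"{resp.name}: only {len(resp.cost_by_year)} years projected")
    series = list(zip(resp.likelihood_by_year, resp.impact_by_year, resp.cost_by_year))[:years]
    return [expected_residual_cost(l, i) + c for l, i, c in series]


def cumulative_cost(resp: Response, years: int) -> float:
    return round(sum(yearly_totals(resp, years)), 2)


def net_value(resp: Response, baseline: Response, years: int) -> float:
    """Savings against accepting the risk over the horizon; negative means the
    response costs more than it saves within that horizon."""
    return round(cumulative_cost(baseline, years) - cumulative_cost(resp, years), 2)


def recommend(responses: list, baseline: Response, years: int) -> str:
    """Name of the response with the highest net value over the horizon; the
    acceptance baseline is recommended if no response has a positive net value."""
    best = max(responses, key=lambda r: net_value(r, baseline, years))
    return best.name if net_value(best, baseline, years) > 0 else baseline.name


# Constructed scenario: failure of an ageing core system, 40% per year, $500,000 per failure.
HORIZON = 5
BASELINE = Response("Accept the risk", [0] * HORIZON, [0.4] * HORIZON, [500_000] * HORIZON)

# Full replacement: large up-front spend, exposure unchanged in year 1 while the
# project runs (it cannot be implemented immediately), then a low residual likelihood.
REPLACE = Response("Replace the system",
                   [400_000, 20_000, 20_000, 20_000, 20_000],
                   [0.4, 0.05, 0.05, 0.05, 0.05],
                   [500_000] * HORIZON)

# Incremental upgrades: steady spend, likelihood falls gradually to the same level.
UPGRADE = Response("Incremental upgrades",
                   [90_000] * HORIZON,
                   [0.3, 0.2, 0.1, 0.05, 0.05],
                   [500_000] * HORIZON)

if __name__ == "__main__":
    for years in (1, 3, 5):
        for r in (REPLACE, UPGRADE):
            print(f"{years}-year net value of '{r.name}': {net_value(r, BASELINE, years):,.0f}")
        print(f"{years}-year recommendation: {recommend([REPLACE, UPGRADE], BASELINE, years)}")
```

With these numbers the incremental programme wins on a three-year view and the replacement wins on a five-year view, while on a one-year view neither beats acceptance; the horizon the council chooses is therefore part of the recommendation and should be recorded in the Risk Event Action Plan alongside the graphs.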


Step 3.2
Report IT Risk Priorities

Activities
3.2.1 Obtain executive approval for risk action plans
3.2.2 Socialize the Risk Report
3.2.3 Transfer ownership of risk responses to project managers
3.2.4 Finalize the Risk Management Program Manual

This step involves the following participants:
• IT risk council
• Relevant business stakeholders
• Representation from senior management team

Outcomes of this step
• Obtained approval for risk action plans
• Communicated IT’s risk recommendations to senior leadership
• Embedded risk management into day-to-day IT operations

Monitor, Respond, and Report on IT Risk


Effectively deliver IT risk expertise to the business
Create a strong paper trail and obtain sign-off for the ITRC’s recommendations.

Now that you have collected all of the necessary raw data, you must communicate your insights and recommendations effectively.

Communicate IT risk management in two directions:
1. Up to senior leadership (and ERM if applicable)
2. Down to IT employees (embedding risk awareness)

Senior Leadership
A fundamental task of risk management is communicating risk information to senior management. It is your responsibility to enable them to make informed risk decisions. This can be considered upward communication.
The two primary goals of upward communication are:
1. Transferring accountability for high-priority IT risks to the ERM or to senior leadership.
2. Obtaining funds for risk response projects recommended by the ITRC.

IT Personnel
Good risk management also has a trickle-down effect impacting all of IT. This can be considered downward communication.
The two primary goals of downward communication are:
3. Fostering a risk-aware IT culture.
4. Ensuring that the IT risk management program maintains momentum and runs effectively.


3.2.1 Obtain executive approval for risk action plans
Best Practices and Key Benefits
Best practice is for accepted risks to be signed off by senior leadership as well. However, for ITRCs that brainstorm 100+ risks, this may not be possible. If this is the case, prioritize the accepted risks that were assessed to be closest to the organization’s thresholds.
By receiving a stamp of approval for each key risk from senior management, you ensure that:
1. The organization is aware of important IT risks that may impact business objectives.
2. The organization supports the risk assessment conducted by the ITRC.
3. The organization supports the plan of action and monitoring responsibilities proposed by the ITRC.
4. If a risk event were to occur, the organization holds ultimate accountability.

Task:
All IT risks that were flagged for exceeding the organization’s severity thresholds must obtain sign-off from the CIO or another member of the senior leadership team.
• In the assessment phase, you evaluated risks using severity thresholds approved by the business and determined whether or not they justified a risk response.
• Whether your recommendation was to accept the risk or to analyze possible risk responses, the business should be made aware of most IT risks.
3.2.2 Socialize the risk report
Create a succinct, impactful document that summarizes the outcomes of risk assessment and highlights the IT risk council’s top recommendations to the senior leadership team.

The Risk Report contains:
• An executive summary page highlighting the main takeaways for senior management:
  o A short summary of results from the most recent risk assessment
  o Dashboard
  o A list of the top 10 risks ordered from most severe to least
• Subsequent individual risk analyses (1 to 10):
  o Detailed risk assessment data
  o Risk responses
  o Risk response analysis
  o Multi-year cost projection (see the multi-year expected cost instructions earlier in this phase)
  o Dashboard
  o Recommendations
Deliverable: Risk Report


Pursue projects that reduce the likelihood or
impact of the risk event
Encourage risk awareness to extend the benefits of risk management to every aspect of IT.
Benefits of risk awareness:
• More preventative and proactive approaches to IT projects are discussed and considered.
• Changes to the IT threat landscape are more likely to be detected, communicated, and acted upon.
• IT possesses a realistic perception of its ability to perform functions and provide services.
• Contingency plans are put in place to hedge against risk events.
• Fewer IT risks go unidentified.
• CIOs and business executives make better risk decisions.

Consequences of low risk awareness:


• False confidence about the number of IT risks impacting the organization and their severity.
• Risk-relevant information is not communicated to the ITRC, which may result in inaccurate risk assessments.
• Confusion surrounding whose responsibility it is to consider how risk impacts IT decision making.
• Uncertainty and panic when unanticipated risks impact the IT department and the organization.



Embedding risk management in the IT department is a full-time job
Take concrete steps to increase risk-aware decision making in IT.
The IT risk council plays an instrumental role in fostering a culture of risk awareness throughout the IT department. In addition to periodic risk assessments, fulfilling reporting requirements, and undertaking ongoing monitoring responsibilities, members of the ITRC can take a number of actions to encourage other IT employees to adopt a risk-focused approach, particularly at the project planning stage.

Embed risk management in project planning
Make time for discussing project risks at every project kick-off.
• A main benefit of including senior personnel from across IT in the ITRC is that they are able to disseminate the IT risk council’s findings to their respective practices.
• At project kick-off meetings, schedule time to identify and assess project-specific risks.
• Encourage the project team to identify strategies to reduce the likelihood and impact of those risks and document these in the project charter.
• Lead by example by being clear and open about what constitutes acceptable and unacceptable risks.

Embed risk management with employee development
Train IT staff on the ITRC’s planned responses to specific risk events.
• If the response to a particular risk event is not to implement a project but rather to institute new policies or procedures, ensure that the changes are communicated to employees and that they receive training.
Provide risk management education opportunities.
• Remember that a more risk-aware IT employee provides more value to the organization.
• Invest in your employees by encouraging them to pursue education opportunities like risk management accreditation, or by providing them with educational experiences such as workshops, seminars, and eLearning.
Embedding risk management in the IT department is a full-time job (continued)
Encourage risk awareness by adjusting performance metrics and job titles.
Performance metrics:
Depending on the size of your IT department and the amount of resources dedicated to ongoing risk management, you may consider embedding risk management responsibilities into the performance assessments of certain ITRC members or other IT personnel.
• Personalize the risk management program metrics you have documented in your Risk Management Program Manual.
• Evidence that KPIs are monitored and frequently reported is also a good indicator that risk owners are fulfilling their risk management responsibilities.

Info-Tech Insight
If risk management responsibilities are not built into performance assessments, ITRC members and risk owners are less likely to invest time and energy in these tasks. Adding risk management metrics to performance assessments directly links good job performance with good risk management, making it more likely that ITRC activities and initiatives gain traction throughout the IT department.

Job descriptions:
Changing job titles to reflect an individual’s focus on managing IT risk may be a good way to distinguish the personnel tasked with developing KRIs and monitoring risks on a week-to-week basis.
• Some examples include IT Risk Officer, IT Risk Manager, and IT Risk Analyst.
3.2.3 Transfer ownership of risk responses
to project managers
Once risk responses have obtained approval and funding, it is time to transform them into fully-fledged
projects.

• Assign responsibility for executing the specific risk response action to a project manager.
• For advice on how to optimize project management, read Info-Tech’s blueprint Tailor IT Project Management Processes to Fit Your Projects.



3.2.4 Finalize the Risk Management Program Manual
Go back through the Risk Management Program Manual and ensure that the material will accurately reflect your approach to risk management going forward.
Remember, the program manual is a living document that should evolve alongside your risk management program, reflecting best practices, knowledge, and experience accrued from your own assessments and from the risk events you have experienced.
The best way to ensure that the program manual continues to guide and document your risk management program is to make it the focal point of every ITRC meeting and to ensure that one participant is tasked with making the necessary adjustments and additions.
Deliverable: Risk Management Program Manual

“Upon completing the Info-Tech workshop, the deliverables that we were left with were really outstanding. We put together a 3-year project plan from a high level, outlining projects that will touch upon our high risk areas.”
– Director of Security & Risk, Water Management Company


Don’t allow your risk management program to flatline
Don’t be lulled into a false sense of security. It might be your greatest risk.
So you’ve identified the most important IT risks and implemented projects to protect IT and the business.

Unfortunately, your risk assessment is already outdated.

Perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.
To continue the momentum of your newly forged IT risk management program, read Info-Tech’s research on conducting periodic risk assessments and “health checks”: Revive Your Risk Management Program With a Regular Health Check

54% of small businesses haven’t implemented controls to respond to the threat of cyber attacks. (Source: Insurance Bureau of Canada, 2021)

Complete Info-Tech’s Risk Management Health Check to seize the momentum you created by building a robust IT risk management program and create a process for conducting periodic health checks and embedding
Our focus is on using data to make IT risk assessment less like an art and more like a science. Ongoing data-driven risk management is self-improving and grounded in historical data.
health checks and embedding
Appendix I: Familiarize yourself with key risk terminology

Review important risk management terms and definitions.

Risk: An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the likelihood of a perceived threat or opportunity occurring and the magnitude of its impact on objectives (Office of Government Commerce, 2007).

Threat: An event that can create a negative outcome (e.g. hostile cyber/physical attacks, human errors).

Vulnerability: A weakness in a system that can be taken advantage of (e.g. a weakness in hardware, software, or business processes).

Risk Management: The systematic application of principles, approaches, and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for proactive decision making (Office of Government Commerce, 2007).

Risk Category: Distinct from a risk event, a category is an abstract profile of risk. It represents a common group of risks. For example, you can group certain types of risks under the risk category of IT Operations Risks.

Risk Event: A specific occurrence of an event that falls under a particular risk category. For example, a phishing attack is a risk event that falls under the risk category of IT Security Risks.

Risk Appetite: An organization’s attitude towards risk taking, which determines the amount of risk that it considers acceptable. Risk appetite also refers to an organization’s willingness to take on certain levels of exposure to risk, which is influenced by the organization’s capacity to financially bear risk.

Enterprise Risk Management (ERM): A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of organizational risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS, 2015).
Appendix II: Likelihood vs. Frequency

Why we measure likelihood, not frequency:

The basic formula Likelihood x Impact = Severity is common across risk management frameworks. However, some frameworks measure the likelihood term using frequency rather than likelihood.

Frequency is typically measured as the number of instances of an event over a given period of time (e.g. once per month).
• For risk assessment, historical data on the frequency of a risk event is commonly used to indicate the likelihood that the event will happen in the future.

Likelihood is a numerical representation of the “degree of belief” that the risk event will occur in a given future timeframe (e.g. 25% likelihood that the event will occur within the next year).

False Objectivity

While some may argue that frequency provides an objective measurement of likelihood, historical data on the frequency of a risk event may have little bearing on the likelihood of that event happening in the future. Frequency is often an indication of future likelihood but should not be treated as an objective measurement of it.

Likelihood scales that use frequency underestimate the magnitude of risks that lack historical precedent. For example, an IT department that has never experienced a high-impact data breach would assign a very low likelihood score using the frequentist approach. However, if all of the organization’s major competitors have suffered a major breach within the last two years, it ought to hold a much higher degree of belief that the risk event will occur within the next year.

Likelihood is the more comprehensive measure, because frequency can still be used to inform the selection of a likelihood value. The process of selecting intersubjective likelihood values will naturally internalize historical data such as the frequency with which the event occurred in the past. Further, the frequency with which the event is expected to occur in the future can be captured in the expected impact value. For example, a risk event with an expected impact per occurrence of $10,000 that is expected to occur three times over the next year has an expected impact of $30,000 for that year.
Appendix III: Should max impacts sway decision making?

Don’t just fixate on the most likely impact – be aware of high-impact outcomes.

During assessment, risks are evaluated according to their most likely financial impact.
• For example, a service outage will likely last for two hours and may have an expected cost of $14,000.

Naturally, focusing on the most likely financial impact will exclude higher impacts that, while theoretically possible, are so unlikely that they do not warrant any real consideration.
• For example, it is possible that a service outage could last for days; however, the likelihood of such an event may be well below 1%.

While the risk severity level assessment allows you to present impacts as a range of values (e.g. $50,000 to $75,000), the expected cost assessment requires you to select specific values.
• However, this analysis may fail to consider much higher potential impacts that have non-negligible likelihood values (likelihood values that you cannot ignore).
• What you consider “non-negligible” will depend on your organizational risk tolerance/appetite.

Sometimes called Black Swan events or fat-tailed outcomes, high-impact events may occur when the far right of the likelihood distribution – the “tail” – is thicker than in a normal distribution (see Fig. 2).
• A good example is a data breach. While small to medium impacts are far more likely to occur than a devastating intrusion, the high-impact scenario cannot be ignored completely.

For risk events whose high-impact outcomes carry non-negligible likelihoods (too high to be ignored), consider elevating the risk severity level or the expected cost.

[Figures 1 and 2: Likelihood (vertical axis) vs. Financial Impact (horizontal axis). Fig. 1 shows a normal likelihood distribution peaking at the Most Likely Impact; Fig. 2 shows a fat-tailed likelihood distribution whose right-hand tail, labelled Fat-Tailed Outcomes, is thicker than in Fig. 1.]
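The distinction between the most likely impact and the tail, made concrete. This is an added example, not from the original page: a risk event’s financial impact is represented as a constructed set of discrete outcome scenarios (probability, impact), and the functions compare the modal impact a point-estimate assessment would record with the probability-weighted expected impact from Appendix II, the probability mass sitting above a threshold, and the expected impact conditional on landing in that tail. The threshold, the “negligible” cut-off and both scenario sets are assumptions chosen for illustration.

```python
"""Most-likely impact versus the tail of the impact distribution.

Added example, not from the original page. A risk event's financial impact is
represented as a constructed set of discrete scenarios (probability, impact).
The threshold and the negligible-probability cut-off are assumed values that
an organisation would set from its own risk tolerance.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    description: str
    probability: float   # likelihood of this outcome, given the event occurs
    impact: float        # financial impact of this outcome


def validate(scenarios: list) -> None:
    total = sum(s.probability for s in scenarios)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"scenario probabilities sum to {total}, not 1")


def most_likely_impact(scenarios: list) -> float:
    """The value a point-estimate assessment would pick: the modal outcome."""
    validate(scenarios)
    return max(scenarios, key=lambda s: s.probability).impact


def expected_impact(scenarios: list) -> float:
    """Probability-weighted impact (the expected impact of Appendix II)."""
    validate(scenarios)
    return round(sum(s.probability * s.impact for s in scenarios), 2)


def tail_probability(scenarios: list, threshold: float) -> float:
    """Probability that the impact reaches or exceeds the threshold."""
    validate(scenarios)
    return round(sum(s.probability for s in scenarios if s.impact >= threshold), 9)


def tail_expected_impact(scenarios: list, threshold: float) -> float:
    """Expected impact given that the outcome is at or above the threshold."""
    p = tail_probability(scenarios, threshold)
    if p == 0:
        return 0.0
    mass = sum(s.probability * s.impact for s in scenarios if s.impact >= threshold)
    return round(mass / p, 2)


def should_elevate(scenarios: list, threshold: float, negligible_below: float) -> bool:
    """True when the probability of an impact at or beyond the threshold is not
    negligible under the organisation's own cut-off, i.e. the tail should sway
    the severity rating or expected cost rather than being dropped."""
    return tail_probability(scenarios, threshold) >= negligible_below


# Constructed scenario sets for a service outage: same most-likely outcome,
# different tails.
THIN_TAILED = [
    Scenario("1-hour outage", 0.10, 7_000),
    Scenario("2-hour outage", 0.80, 14_000),
    Scenario("4-hour outage", 0.10, 21_000),
]
FAT_TAILED = [
    Scenario("2-hour outage", 0.80, 14_000),
    Scenario("8-hour outage", 0.15, 60_000),
    Scenario("multi-day outage", 0.04, 300_000),
    Scenario("week-long outage with data loss", 0.01, 1_500_000),
]

if __name__ == "__main__":
    threshold = 250_000   # assumed: impact the business considers intolerable
    negligible = 0.02     # assumed: tail probability below this is ignored
    for label, dist in (("thin-tailed", THIN_TAILED), ("fat-tailed", FAT_TAILED)):
        print(f"{label}: most likely {most_likely_impact(dist):,.0f}, "
              f"expected {expected_impact(dist):,.0f}, "
              f"P(impact >= {threshold:,}) = {tail_probability(dist, threshold):.2%}, "
              f"tail expectation {tail_expected_impact(dist, threshold):,.0f}, "
              f"elevate: {should_elevate(dist, threshold, negligible)}")
```

Both scenario sets share the $14,000 most likely impact, so a point-estimate assessment would record the same number for each. For the thin-tailed set the expected impact is also $14,000 and nothing sits above the threshold; for the fat-tailed set the expected impact is more than three times the modal value, 5% of the probability mass sits at or above $250,000, and the conditional tail expectation is $540,000. That gap is the case for elevating the severity level or expected cost rather than reporting the modal figure alone.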


Leverage Info-Tech’s research on security and compliance risk to identify additional risk events

Info-Tech Insight
Don’t gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor.
Take an agile approach to analyze your gaps and prioritize your remediations. You don’t always have to be fully compliant as long as your organization understands and can live with the consequences.
Related research: Take Control of Compliance Improvement to Conquer Every Audit

Info-Tech Insight
Security risk management equals cost effectiveness.
Time spent upfront identifying and prioritizing risks can mean the difference between spending too much and staying on budget.
Related research: Develop and Implement a Security Risk Management Program
Research Contributors and Experts
Sandi Conrad, Principal Research Director, Info-Tech Research Group
Aadil Nanji, Research Director, Info-Tech Research Group
Frank Sewell, Research Director, Info-Tech Research Group
Christine Coz, Executive Counsellor, Info-Tech Research Group
Andy Neill, Associate Vice-President of Research, Info-Tech Research Group
Andrew Sharpe, Research Director, Info-Tech Research Group
Milena Litoiu, Principal Research Director, Info-Tech Research Group
Daisha Pennie, IT Risk Management, Oklahoma State University
Chris Warner, Consulting Director – Security, Info-Tech Research Group
Scott Magerfleisch, Executive Advisor, Info-Tech Research Group
Ken Piddington, CIO and Executive Advisor, MRE Consulting
Sterling Bjorndahl, Director of IT Operations, eHealth Saskatchewan
Ibrahim Abdel-Kader, Research Analyst, Info-Tech Research Group
Ian Mulholland, Research Director, Info-Tech Research Group
Petar Hristov, Research Director, Info-Tech Research Group
Tamara Dwarika, Internal Auditor, a leading North American utility
Michel Fossé, Consulting Services Manager, IBM Canada (LGS)
Steve Woodward, Research Director; CEO, Cloud Perspectives
Anne Leroux, Director, ES Computer Training
*Plus 10 additional interviewees who wish to remain anonymous.
Bibliography
“2021 State of the CIO.” IDG, 28 January 2021. Web.
“4 Reasons Why CIOs Lose Their Jobs.” Silverton Consulting, 2012. Web.
Beasley, Mark, Bruce Branson, and Bonnie Hancock. “The State of Risk Oversight.” AICPA, April 2021. Web.
COBIT 2019. ISACA, 2019. Web.
“Cognyte jeopardized its database exposing 5 billion records, including earlier data breaches.” SecureBlink, 21 June 2021. Web.
Culp, Steve. “Accenture 2019 Global Risk Management Study, Financial Services Report.” Accenture, 2019. Web.
Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” COSO (Committee of Sponsoring Organizations of the Treadway Commission), Deloitte & Touche LLP, 2012. Web.
“Cyber Risk Management.” Insurance Bureau of Canada (IBC), 2022. Web.
Eccles, Robert G., Scott C. Newquist, and Roland Schatz. “Reputation and Its Risks.” Harvard Business Review, February 2007. Web.
Eden, C., and F. Ackermann. Making Strategy: The Journey of Strategic Management. Sage Publications, 1998.
“Enterprise Risk Management Maturity Model.” OECD, 9 February 2021. Web.
Ganguly, Saptarshi, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish. “Digital Risks: Transforming risk management for the 2020s.” McKinsey & Company, 10 February 2017. Web.
“Governance Institute of Australia Risk Management Survey 2020.” Governance Institute of Australia, 2020. Web.
“Guidance on Enterprise Risk Management.” COSO, 2022. Web.
Henriquez, Maria. “The Top 10 Data Breaches of 2021.” Security Magazine, 9 December 2021. Web.
Holmes, Aaron. “533 million Facebook users’ phone numbers and personal data have been leaked online.” Business Insider, 3 April 2021. Web.
“Integrated Risk and Compliance Management for Banks and Financial Services Organizations: Benefits of a Holistic Approach.” MetricStream, 2022. Web.
“ISACA’s Risk IT Framework Offers a Structured Methodology for Enterprises to Manage Information and Technology Risk.” ISACA, 25 June 2020. Web.
ISO 31000 Risk Management. ISO, 2018. Web.
Lawton, George. “10 Enterprise Risk Management Trends in 2022.” TechTarget, 2 February 2022. Web.
Levenson, Michael. “MGM Resorts Says Data Breach Exposed Some Guests’ Personal Information.” The New York Times, 19 February 2020. Web.
Management of Risk (M_o_R): Guidance for Practitioners. Office of Government Commerce, 2007. Web.
“Many small businesses vulnerable to cyber attacks.” Insurance Bureau of Canada (IBC), 5 October 2021. Web.
Maxwell, Phil. “Why risk-informed decision-making matters.” EY, 3 December 2019. Web.
“Measuring and Mitigating Reputational Risk.” Marsh, September 2014. Web.
Natarajan, Aarthi. “The Top 6 Business Risks you should Prepare for in 2022.” Diligent, 22 December 2021. Web.
“Operational Risk Management Excellence – Get to Strong Survey: Executive Report.” KPMG and RMA, 2014. Web.
“Third-party risk is becoming a first priority challenge.” Deloitte, 2022. Web.
Thomas, Adam, and Dan Kinsella. “Extended Enterprise Risk Management Survey, 2020.” Deloitte, 2021. Web.
Treasury Board Secretariat. “Guide to Integrated Risk Management.” Government of Canada, 12 May 2016. Web.
Webb, Rebecca. “6 Reasons Data is Key for Risk Management.” ClearRisk, 13 January 2021. Web.
“What is Enterprise Risk Management (ERM)?” RIMS, 2015. Web.
Wiggins, Perry. “Do you spend enough time assessing strategic risks?” CFO, 26 January 2022. Web.
