IT risk is gaining increased attention from executive management, stakeholders and regulators alike. COBIT provides a generally accepted framework for IT, but it does not deal with risk management in a comprehensive manner. The ITGI has now remedied this gap with its latest initiative: a framework for IT-related risk management.
On Feb 4, 2009, the IT Governance Institute (ITGI) issued an exposure draft of its research publication Enterprise Risk: Identify, Govern and Manage Risk, The Risk IT Framework. This IT enterprise risk management framework is designed to allow business managers to identify and assess IT-related business risks and manage them effectively. It provides the missing link between enterprise risk management (ERM) and IT risk management and control, fitting into the overall IT governance framework of the ITGI and building upon all existing risk-related components within the current frameworks, i.e., COBIT and Val IT.
This post provides a high-level overview of the framework and the reasons behind the initiative. It covers some basic concepts relating to IT-related risk, what a good framework needs, and how the existing frameworks measure up. Subsequent blog entries will provide insights into the framework's key concepts and definitions.
- IT-related Risk Management
This covers all IT-related risks, not just information security. Examples include inadequate resources, obsolete infrastructure, staff with inadequate skills, etc. In short, it covers all business risks arising from IT-related activities.
- Essentials of a good risk management framework for IT-related risk
The following are the essential features of a risk management framework for IT-related risk:
- Provides comprehensive coverage and does not restrict itself to the technical aspects of IT.
- Has an IT-related focus
- Covers the full IT life cycle, i.e. takes the broadest view of IT-related risk
- Translates IT-related risks into their impact on the business
- Provides a continuous process, from risk identification through to ongoing monitoring and feedback.
- Provides risk treatment options
- Is easily accessible/available to users: easily downloadable and not expensive
- How does COBIT stack up against these essential features?
As can be seen from the graphic above, COBIT provides only limited guidance on risk management. Reference to risk management is limited to process PO9 of COBIT 4.1. A similar evaluation of other frameworks (COSO ERM, the ISO 27000 series) produced the same result: these frameworks provide only partial coverage of IT-related risk management.
The summary of this evaluation is shown below:
So, for example, COSO scores really high on the completeness of its risk management scope, but it does not provide in-depth coverage of IT. In essence, there is no comprehensive IT-related risk management framework currently available.
- The Risk IT Framework (Risk IT)
The Risk IT framework has been defined by the ITGI to bridge this gap in comprehensiveness and coverage. The framework will address all risk management activities and domains, not just controls (as is the case with COBIT). It will cover all IT-related risks that affect the realization of business objectives.