IT Governance Institute's New Framework: Risk IT

IT risk is gaining increased attention from executive management, stakeholders and regulators alike. COBIT provides a generally accepted framework for IT, but it does not deal with risk management in a comprehensive manner. The ITGI has now remedied this gap with its latest initiative: a framework for IT-related risk management.

On Feb 4, 2009, the IT Governance Institute (ITGI) issued an exposure draft of its research publication Enterprise Risk: Identify, Govern and Manage Risk, The Risk IT Framework. This IT enterprise risk management framework is designed to allow business managers to identify and assess IT-related business risks and manage them effectively. It provides the missing link between enterprise risk management (ERM) and IT risk management and control, fitting into the overall IT governance framework of ITGI and building upon all existing risk-related components within the current frameworks, i.e., COBIT and Val IT.

The exposure draft is posted for a 45-day public exposure and comment period. At the conclusion of the exposure period, the authors will use the feedback, comments and suggestions provided to improve the publication for issue. A link to the exposure draft and online questionnaire is posted on the ITGI and ISACA home pages.

This document provides a high-level overview of this framework and the reasoning behind this initiative. It covers some basic concepts relating to IT-related risk and risk management frameworks, and how the existing frameworks measure up. Subsequent blog entries will provide insights into the framework's key concepts and definitions.

  • IT-related Risk Management

This covers all IT-related risks and is not limited to information security. Examples include inadequate resources, obsolete infrastructure, staff with inadequate skills, etc. In short, it covers all business risks arising from IT-related activities.

  • Essentials of a good risk management framework for IT-related risk

The following are the essential features of such a risk management framework:

  1. Provides comprehensive coverage and does not restrict itself to the technical aspects of IT.
  2. Has an IT-related focus.
  3. Covers the full IT life cycle, i.e., takes the broadest view of IT-related risk.
  4. Translates IT-related risks into impact on the business.
  5. Provides a continuous process, from risk identification through to continuous monitoring and feedback.
  6. Provides risk treatment options.
  7. Is easily accessible and available to users: easily downloadable and not expensive.

  • How does COBIT stack up against these essential features?

As can be seen from the graphic above, COBIT provides only limited guidance on risk management. Reference to risk management is limited to process PO9 of COBIT 4.1. A similar evaluation of other frameworks (COSO ERM and the ISO 27000 series) produced the same result: these frameworks provide only partial coverage of IT-related risk management.

The summary of this evaluation is shown below (figure: Gap Analysis of Other Frameworks).

For example, COSO scores very high on the completeness of its risk management scope, but it does not provide in-depth coverage of IT. So, in essence, there is no comprehensive IT-related risk management framework currently available.

  • The Risk IT Framework (Risk IT)

The Risk IT framework has been defined by the ITGI to bridge this gap in comprehensiveness and coverage. The framework will address all risk management activities and domains, not just controls (as is the case with COBIT). It will cover all IT-related risks that affect the realisation of business objectives.
