Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk on enterprise value is identified and managed,
and the potential for compliance failures is minimized.


Ensure that the enterprise’s risk appetite and tolerance are understood, articulated, and communicated, and that risk to enterprise value related to the use of IT is identified and managed.




  • Emerging Risk Issues and Factors
  • Aggregated risk profile, including the status of risk management actions
  • Risk Analysis Results
  • Opportunities for acceptance of greater risk
  • Results of third-party risk assessments
  • Risk analysis and risk profile reports for stakeholders


  • Risk Appetite Guidance
  • Approved Risk Tolerance Levels
  • Evaluation of Risk Management Activities
  • Risk Management Policies
  • Key Objectives to be Monitored for Risk Management
  • Approved Process for Measuring Risk Management
  • Remedial Actions to Address Risk Management Deviations
  • Risk Management Issues for the Board


  • Enterprise Risk Management Principles
  • Enterprise risk management (ERM) profiles and mitigation plans

Task Instructions:

Evaluate Risk Management

    1. Determine the level of IT-related risk that the enterprise is willing to take to meet its objectives (risk appetite).
    2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise’s acceptable risk and opportunity levels.
    3. Determine the extent of alignment of the IT risk strategy to the enterprise risk strategy.
    4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
    5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
    6. Evaluate risk management activities to ensure alignment with the enterprise’s capacity for IT-related loss and leadership’s tolerance of it.

Direct Risk Management.

    1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risks, opportunities, and potential business impacts.
    2. Direct the integration of the IT risk strategy and operations with the organization’s strategic risk decisions and operations.
    3. Direct the development of risk communication plans (covering all levels of the organization) as well as risk action plans.
    4. Direct implementation of the appropriate mechanisms to respond quickly to changing risks and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where, and how).
    5. Direct that risks, opportunities, issues, and concerns may be identified and reported by anyone at any time. Risk should be managed by published policies and procedures and escalated to the relevant decision-makers.
    6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques, and processes for capturing and reporting the measurement information.

Monitor Risk Management

    1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
    2. Monitor key goals and metrics of risk governance and management processes against targets, analyze the cause of any deviations, and initiate remedial actions to address the underlying causes.
    3. Enable key stakeholders’ review of the enterprise’s progress towards identified goals.
    4. Report any risk management issues to the board or executive committee.