Purpose:

Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.

Objective:

Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.

Description:

<?>

Inputs:

  • Evaluation of risk management activities
  • Approved process for measuring risk management
  • Key objectives to be monitored for risk management
  • Risk management policies
  • Gaps and risk related to current capabilities
  • Risk assessment initiatives
  • Identified supplier delivery risk
  • Incident status and trends report
  • Business impact analysis
  • Evaluations of potential threats
  • Business impact analyses
  • Approved risk tolerance levels
  • Risk appetite guidance
  • Remedial actions to address risk management deviations

Outputs:

  • Data on the operating environment relating to risk
  • Data on risk events and contributing factors
  • Emerging risk issues and factors
  • Documented risk scenarios by line of business and function
  • Aggregated risk profile, including status of risk management actions
  • Risk analysis and risk profile reports for stakeholders
  • Results of third-party risk assessments
  • Opportunities for acceptance of greater risk
  • Project proposals for reducing risk
  • Risk-related incident response plans
  • Risk impact communications
  • Risk-related root causes

Controls:

  • Threat advisories

Task Instructions:

Collect Data

    1. Establish and maintain a method for the collection, classification, and analysis of IT risk-related data, accommodating multiple types of events, multiple categories of IT risk, and multiple risk factors.
    2. Record relevant data on the enterprise’s internal and external operating environment that could play a significant role in the management of IT risk.
    3. Survey and analyze historical IT risk data and loss experience from externally available data and trends, and from industry peers through industry-based event logs, databases, and industry agreements for common event disclosure.
    4. Record data on risk events that have caused or may cause impacts to IT benefit/value enablement, IT program and project delivery, and/or IT operations and service delivery. Capture relevant data from related issues, incidents, problems and investigations.
    5. For similar classes of events, organize the collected data, and highlight contributing factors. Determine common contributing factors across multiple events.
    6. Determine the specific conditions that existed or were absent when risk events occurred and the way the conditions affected event frequency and loss magnitude.
    7. Perform periodic event and risk factor analysis to identify new or emerging risk issues and to gain an understanding of the associated internal and external risk factors.

Analyze Risk

    1. Define the appropriate breadth and depth of risk analysis efforts, considering all risk factors and the business criticality of assets. Set the risk analysis scope after performing a cost-benefit analysis.
    2. Build and regularly update IT risk scenarios, including compound scenarios of cascading and/or coincidental threat types, and develop expectations for specific control activities, capabilities to detect, and other response measures.
    3. Estimate the frequency and magnitude of loss or gain associated with IT risk scenarios. Take into account all applicable risk factors, evaluate known operational controls, and estimate residual risk levels.
    4. Compare residual risk to acceptable risk tolerance and identify exposures that may require a risk response.
    5. Analyze the cost-benefit of potential risk response options such as avoid, reduce/mitigate, transfer/share, accept, and exploit/seize. Propose the optimal risk response.
    6. Specify high-level requirements for projects or programs that will implement the selected risk responses. Identify requirements and expectations for appropriate key controls for risk mitigation responses.
    7. Validate the risk analysis results before using them in decision making, confirming that the analysis aligns with enterprise requirements and verifying that estimations were properly calibrated and scrutinized for bias.
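The following script is an added worked example, not part of the process description above: it carries steps 2 to 5 of the risk analysis through in code. Each scenario has an inherent frequency and loss magnitude, existing controls reduce one or both to give residual risk, residual annualized loss is compared with a per-category tolerance, and candidate responses are ranked by net annual benefit. The scenarios, control effectiveness figures, tolerance values and response costs are constructed for illustration; the `Scenario`, `Control` and `Response` classes are this example's own, not any standard's.

```python
"""Added example: quantitative treatment of the 'Analyze Risk' steps.
All figures below (frequencies, losses, control effects, tolerances) are
constructed for illustration and carry no real-world meaning."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    frequency_reduction: float = 0.0   # fraction of events prevented, 0..1
    magnitude_reduction: float = 0.0   # fraction of per-event loss removed, 0..1


@dataclass
class Scenario:
    name: str
    category: str
    frequency_per_year: float          # inherent expected events per year
    loss_per_event: float              # inherent expected loss per event
    controls: list = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Annualized loss expectancy before any control is credited."""
        return self.frequency_per_year * self.loss_per_event

    def residual_frequency(self) -> float:
        f = self.frequency_per_year
        for c in self.controls:                 # controls are assumed independent
            f *= 1.0 - c.frequency_reduction
        return f

    def residual_magnitude(self) -> float:
        m = self.loss_per_event
        for c in self.controls:
            m *= 1.0 - c.magnitude_reduction
        return m

    def residual_ale(self) -> float:
        """Step 3: residual risk after known operational controls."""
        return self.residual_frequency() * self.residual_magnitude()


@dataclass
class Response:
    option: str                        # avoid / reduce / transfer / accept / exploit
    annual_cost: float
    frequency_reduction: float = 0.0
    magnitude_reduction: float = 0.0


def exposures_over_tolerance(scenarios, tolerance):
    """Step 4: scenarios whose residual ALE exceeds the tolerance for their category."""
    return [s.name for s in scenarios if s.residual_ale() > tolerance.get(s.category, 0.0)]


def rank_responses(scenario, responses):
    """Step 5: net annual benefit = ALE reduction minus response cost, best first."""
    base = scenario.residual_ale()
    scored = []
    for r in responses:
        new_ale = base * (1.0 - r.frequency_reduction) * (1.0 - r.magnitude_reduction)
        scored.append((round(base - new_ale - r.annual_cost, 2), r.option))
    return sorted(scored, reverse=True)


def build_example():
    """Constructed scenarios, tolerances and response options (hypothetical)."""
    ransomware = Scenario(
        "ransomware on file services", "operations",
        frequency_per_year=0.5, loss_per_event=800_000.0,
        controls=[Control("mail filtering", frequency_reduction=0.5),
                  Control("offline backups", magnitude_reduction=0.6)])
    cred_theft = Scenario(
        "phishing credential theft", "identity",
        frequency_per_year=4.0, loss_per_event=10_000.0,
        controls=[Control("MFA", frequency_reduction=0.9)])
    tolerance = {"operations": 50_000.0, "identity": 10_000.0}
    responses = [Response("reduce", annual_cost=30_000.0, frequency_reduction=0.5),
                 Response("transfer", annual_cost=25_000.0, magnitude_reduction=0.5),
                 Response("accept", annual_cost=0.0)]
    return [ransomware, cred_theft], tolerance, responses


def analyze_example():
    scenarios, tolerance, responses = build_example()
    over = exposures_over_tolerance(scenarios, tolerance)
    ranking = {s.name: rank_responses(s, responses) for s in scenarios if s.name in over}
    return {"residual": {s.name: s.residual_ale() for s in scenarios},
            "over_tolerance": over, "ranking": ranking}


if __name__ == "__main__":
    for k, v in analyze_example().items():
        print(k, v)
```

The ranking deliberately scores a response by net benefit against the residual figure rather than the inherent one, so that controls already in place are not double-counted; the validation in step 7 is where the frequency and magnitude estimates themselves would be challenged for calibration and bias before this arithmetic is trusted.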

Maintain a Risk Profile

    1. Inventory business processes, including supporting personnel, applications, infrastructure, facilities, critical manual records, vendors, suppliers and outsourcers, and document the dependency on IT service management processes and IT infrastructure resources.
    2. Determine and agree on which IT services and IT infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and identify weak links.
    3. Aggregate current risk scenarios by category, business line, and functional area.
    4. On a regular basis, capture all risk profile information and consolidate it into an aggregated risk profile.
    5. Based on all risk profile data, define a set of risk indicators that allow the quick identification and monitoring of current risk and risk trends.
    6. Capture information on IT risk events that have materialized, for inclusion in the IT risk profile of the enterprise.
    7. Capture information on the status of the risk action plan for inclusion in the IT risk profile of the enterprise.

Articulate Risk

    1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Wherever possible, include probabilities and ranges of loss or gain along with confidence levels that enable management to balance risk and return.
    2. Provide decision-makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations.
    3. Report the current risk profile to all stakeholders, including the effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impacts on the risk profile.
    4. Review the results of objective third-party assessments, internal audit, and quality assurance reviews, and map them to the risk profile. Review identified gaps and exposures to determine the need for additional risk analysis.
    5. On a periodic basis, for areas with relative risk and risk capacity parity, identify IT-related opportunities that would allow the acceptance of greater risk and enhanced growth and return.

Define a Risk Management Action Portfolio

    1. Maintain an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with risk appetite and tolerance. Classify control activities and map them to specific IT risk statements and aggregations of IT risk.
    2. Determine whether each organizational entity monitors risk and accepts accountability for operating within its individual and portfolio tolerance levels.
    3. Define a balanced set of project proposals designed to reduce risk and/or projects that enable strategic enterprise opportunities, considering cost/benefits, the effect on the current risk profile, and regulations.

Respond to Risk

    1. Prepare, maintain, and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious business impact. Ensure that plans include pathways of escalation across the enterprise.
    2. Categorize incidents, and compare actual exposures against risk tolerance thresholds. Communicate business impacts to decision-makers as part of reporting, and update the risk profile.
    3. Apply the appropriate response plan to minimize the impact when risk incidents occur.
    4. Examine past adverse events/losses and missed opportunities and determine root causes. Communicate root cause, additional risk response requirements, and process improvements to appropriate decision-makers and ensure that the cause, response requirements, and process improvement are included in risk governance processes.
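As an added example (not part of the process description above), the script below implements the record-keeping side of "Maintain a Risk Profile" steps 3 to 5 and "Respond to Risk" steps 2 and 4: realized risk events are aggregated by category and business line into a profile, actual annual exposure is compared with tolerance thresholds, a simple key risk indicator (fraction of tolerance consumed) is derived, and root causes are counted to surface common contributing factors. The incident records, categories and tolerance values are constructed; the function names are this example's own.

```python
"""Added example: aggregating materialized risk events into a risk profile and
checking actual exposure against tolerance thresholds.
Every record and threshold below is constructed for illustration."""
from collections import Counter, defaultdict
from datetime import date

# Constructed incident records: one dict per materialized risk event.
INCIDENTS = [
    {"id": "INC-1", "date": date(2024, 1, 12), "category": "availability",
     "business_line": "retail", "loss": 40_000, "root_cause": "untested change"},
    {"id": "INC-2", "date": date(2024, 3, 3), "category": "availability",
     "business_line": "retail", "loss": 35_000, "root_cause": "untested change"},
    {"id": "INC-3", "date": date(2024, 5, 21), "category": "confidentiality",
     "business_line": "corporate", "loss": 60_000, "root_cause": "phishing"},
    {"id": "INC-4", "date": date(2024, 8, 9), "category": "integrity",
     "business_line": "retail", "loss": 5_000, "root_cause": "untested change"},
    {"id": "INC-5", "date": date(2024, 10, 30), "category": "availability",
     "business_line": "corporate", "loss": 30_000, "root_cause": "supplier outage"},
    {"id": "INC-6", "date": date(2023, 11, 2), "category": "confidentiality",
     "business_line": "retail", "loss": 20_000, "root_cause": "phishing"},
]

# Constructed tolerance: maximum tolerated annual loss per risk category.
TOLERANCE = {"availability": 100_000, "confidentiality": 50_000, "integrity": 30_000}


def aggregate_profile(incidents, year):
    """Sum realized loss and event count by category and by business line for one year
    ('Maintain a Risk Profile', steps 3 and 4)."""
    by_category = defaultdict(lambda: {"events": 0, "loss": 0})
    by_line = defaultdict(lambda: {"events": 0, "loss": 0})
    for inc in incidents:
        if inc["date"].year != year:
            continue
        for bucket, key in ((by_category, inc["category"]), (by_line, inc["business_line"])):
            bucket[key]["events"] += 1
            bucket[key]["loss"] += inc["loss"]
    return dict(by_category), dict(by_line)


def tolerance_breaches(by_category, tolerance):
    """Categories whose actual annual loss exceeds the tolerance threshold
    ('Respond to Risk', step 2). Categories without a threshold are reported too,
    since an exposure with no agreed tolerance is itself a governance gap."""
    breached = [cat for cat, agg in by_category.items()
                if cat not in tolerance or agg["loss"] > tolerance[cat]]
    return sorted(breached)


def key_risk_indicators(by_category, tolerance):
    """Fraction of annual tolerance consumed per category; values above 1.0 are breaches
    ('Maintain a Risk Profile', step 5)."""
    return {cat: round(agg["loss"] / tolerance[cat], 2)
            for cat, agg in by_category.items() if cat in tolerance}


def root_cause_frequency(incidents):
    """Common contributing factors across all recorded events
    ('Respond to Risk', step 4 and 'Collect Data', step 5)."""
    return Counter(inc["root_cause"] for inc in incidents).most_common()


def build_profile(year=2024, incidents=INCIDENTS, tolerance=TOLERANCE):
    by_category, by_line = aggregate_profile(incidents, year)
    return {"by_category": by_category, "by_line": by_line,
            "breaches": tolerance_breaches(by_category, tolerance),
            "kri": key_risk_indicators(by_category, tolerance),
            "root_causes": root_cause_frequency(incidents)}


if __name__ == "__main__":
    for k, v in build_profile().items():
        print(k, v)
```

Root causes are counted over every record rather than one year's, because the purpose of that view is to find factors that recur across events, and a factor seen again this year that was already seen last year is stronger evidence than either year alone.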