Unit 2: Risk Governance and Management

IT value is not just about cost savings, but also the impact and contributions of IT investments in value creation process of the enterprise.

Risk Optimization: IT risk management is about preserving value, not impeding it, and should be integrated into enterprise risk management activities.

Resource Optimization: Ensures appropriate capabilities for executing strategic plans, provides effective resources, and focuses on data and information exploitation.

Risk Governance: Sets the direction and strategy for risk management, ensures risk-aware business decisions, and monitors risk management performance.

Effective risk governance establishes a common view of risk, integrates risk management into the enterprise, makes risk-aware business decisions, and ensures risk management controls are implemented and operating correctly.

Risk Management: Managers need accurate information to understand risks, mitigate negative outcomes, and make informed decisions. Effective risk management considers various factors, including enterprise dependencies, risks from economic, political changes, and possible natural disasters.

I&T Risk Governance and Management: The implementation of a risk strategy that reflects enterprise management's culture, appetite, and tolerance levels, considers technology and budgets, and addresses regulatory and compliance requirements.

An effective I&T risk management strategy connects I&T-related risk to business or mission objectives, aligns it with enterprise risk management when possible, balances costs and benefits, and promotes ethical and open communication.

A consistent approach to I&T risk management is crucial, integrated into daily activities, and aligned with the enterprise strategy.

Risk Communication Description:

Establishes the enterprise's strategy towards IT risk management (risk strategy, policies, procedures).

Monitors and predicts the state of risk management (status).

Offers solutions to manage risks effectively (options to mitigate risk).

Communicates risk events and their causes (event/loss data).

Stakeholder Communication About Risk:

Enhances understanding of IT risk management roles and responsibilities for various stakeholders.

Improves identification of key operational losses and risk indicators for operational risk managers.

Provides clearer positioning of security risk among other IT-related risks for IT security managers.

Enhances understanding of risk significance in investment and portfolio management for CFOs.

Supports informed monitoring and reviewing of IT governance roles for enterprise governance officers.

Improves understanding of operational IT-related risks for business managers.

Offers more effective risk assessment and management strategies for IT auditors.

Increases transparency and compliance understanding for regulators.

Improves evaluation of enterprise risk management practices for external auditors.

Provides clearer understanding of risk exposure for policy formulation for insurers.

Improves evaluation of enterprise risk management for rating agencies.

Enhances trust through transparent risk management practices for customers.

Increases awareness for informed decision-making for employees.

2.5.2 Risk Policy, Scope, and Workflow:

Establishes a foundation for managing risk across an enterprise with a clear articulation of the enterprise's tolerance for risk (risk appetite), specific thresholds indicating acceptable risk levels (risk tolerance), structured processes for risk identification, assessment, and management (risk governance), defined mechanisms for reporting risks to relevant stakeholders (risk reporting), and ensuring alignment with legal and regulatory requirements (risk compliance).

Defines the boundaries within which risk management activities operate (risk scope), which includes aligning risk management with organizational goals, defining parameters and methodologies for assessing risk, involving relevant stakeholders in risk identification and mitigation, and outlining processes for recording and maintaining risk-related information.

Outlines the sequence of risk management activities, including recognizing potential risks that could affect objectives (risk identification), evaluating identified risks in terms of impact and likelihood (risk analysis), assessing the significance of risks against established criteria (risk evaluation), and selecting and implementing measures to mitigate, transfer, or accept risks (risk treatment).

Continuously oversees and reassesses risks over time (risk monitoring).

Policies should be comprehensive and provide a superior management framework, with a hierarchical structure and a focus on integrating risk management norms or conditions into the enterprise policy framework, including defining scope and authority, roles and responsibilities of stakeholders, consequences of failing to comply with the policy, and the means for handling exceptions.

Risk Policy Types:

Defines how the risk of an enterprise needs to be governed and managed according to its business objectives (core IT risk policy).

Sets behavioral guidelines in protecting corporate information and associated systems and infrastructure (information security policy).

Sets guidelines on how to act in crisis situations and details the sequence for dealing with risk areas (crisis management policy).

Manages risk related to third-party services (third-party IT service delivery management policy).