ITG best practice rulings on risk
The body behind the COBIT blueprint for the management and delivery of IT services is putting the finishing touches to a comparable guide for the management of IT-related risk.
If COBIT spells out what comprises IT governance, then the new Risk-IT guide will map out a framework for enterprises to help executives decide how best to identify, govern and manage IT risk.
The IT Governance Institute said it will be looking for public comment on the IT risk framework over the coming 45 days, and will then work on a final draft of its recommendations.
It has worked up proposals that give end-to-end guidance on how to manage IT-related risks, beyond purely technical control measures and security.
It said the guide will also help IT staffs understand how they can capitalise on an investment made in an IT internal control system already in place to manage IT-related risk.
The scheme follows a similar line to the ITGI-led Val-IT proposal, a framework launched a couple of years ago or so that addresses the governance of IT-enabled business investments.
That too is tightly integrated with the COBIT (Control Objectives for Information and related Technology) collection of approved ‘best practice’ processes for IT governance. Specifically, Val-IT focuses on the investment decision, and the realisation of benefits.
The idea behind Risk-IT is to lay out a common language for IT risk in large organisations that will help get the executive board and senior management talking the same language as the chief information officer (CIO) and auditors.
Only by the promotion of risk responsibility and its acceptance throughout the enterprise will IT-risk be properly managed and contained, said the ITGI.
The COBiT framework was created by the Information Systems Audit and Control Association (ISACA), in conjunction with its affiliate, the ITGI back in the 90s as an outgrowth of corporate audit activities. It and other frameworks such as ITIL, have gained new attention thanks to enactment of Sarbanes-Oxley and other regulatory ties.
Over time COBiT controls have been mapped to ITIL, because IT governance has an obvious synergy with service management - as it does with IT value and investment management, and enterprise IT risk control.
The Risk-IT framework will have nine business processes divided into three domains of risk governance, risk evaluation and risk response. It also offers management guidelines, RACI (responsible, accountable, consulted and informed) charts, maturity models, and goals and metrics. Take a look at www.itgi.org/riskit.