Build an IT Risk Management Program
Mitigate the IT risks that could negatively impact your organization.
- Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
- The business could be making decisions that are not informed by risk.
- Reacting to risks AFTER they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.
Our Advice
Critical Insight
- IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.
Impact and Result
- Transform your ad hoc IT risk management processes into a formalized, ongoing program, and increase risk management success.
- Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
- Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks most critical to the organization.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
8.4/10
Overall Impact
$36,399
Average $ Saved
11
Average Days Saved
Client
Experience
Impact
$ Saved
Days Saved
Allegheny College
Guided Implementation
10/10
$6,499
3
South Australian Water Corporation
Guided Implementation
1/10
N/A
N/A
The analyst had not reviewed our current risk management framework and plan prior to the call - the meeting was not valuable.
Boston Dynamics
Guided Implementation
10/10
$64,999
5
Greg is very flexible, extremely experienced and we aligned easily on my desire to "right size" our risk management effort.
MDU Services LTD
Guided Implementation
10/10
N/A
29
Best: Having a framework, supporting tools & templates and a dedicated named expert in the subject (Donna Bales) to hand hold us through the progr... Read More
Johnson County Library
Guided Implementation
9/10
$2,599
5
MassMutual
Guided Implementation
10/10
$71,499
16
Fernco Inc
Workshop
9/10
N/A
10
Best parts since this was an update from previous years, Sumit provided pre-work prior to the workshop so that more discussion time could be spent ... Read More
Massey University
Workshop
3/10
N/A
N/A
Overall, I felt we gained very little from this exercise. It could be that we were starting from quite an advanced level of risk management to begi... Read More
Desert Lime Ltd
Guided Implementation
9/10
$20,500
23
Friendliness and support provided by the team
The University of Alabama at Birmingham
Guided Implementation
10/10
$2,479
5
Worst - I waited too long before engaging with Info-tech for advice. Best - Having an Info-tech professional look at where I was going and what I ... Read More
The Government of the Northwest Territories
Workshop
10/10
$22,000
50
Best - guided process by knowledgeable SMEs, InfoTechs flexibility in course delivery to meet our needs /Covid requirements. Deliverables are pract... Read More
University of Exeter
Guided Implementation
9/10
N/A
N/A
City of Carlsbad
Workshop
10/10
N/A
20
Integris Credit Union
Guided Implementation
9/10
$10,000
10
Being able to discuss our specific situation with a trusted resource is valuable, in order to right-size the solution. (IT Risk Mgmt). The Excel-... Read More
Dropbox
Guided Implementation
8/10
N/A
5
Pegasus Business Intelligence, LP d/b/a Onyx CenterSource
Guided Implementation
10/10
N/A
N/A
UMG RECORDINGS, INC.
Guided Implementation
10/10
N/A
N/A
The analyst was very knowledgeable and presented insights that were very relevant to our organization and goals. It served as good validation for ... Read More
AARP Inc
Guided Implementation
10/10
N/A
N/A
Fernco Inc
Workshop
10/10
$30,999
20
RPC Inc.
Guided Implementation
10/10
$2,546
10
Immediate response, thorough and complete explanation of the tools and process has helped tremendously
CFA Institute
Guided Implementation
8/10
N/A
N/A
Central Bank of Trinidad & Tobago
Guided Implementation
9/10
N/A
N/A
Kentucky Housing Corporation
Guided Implementation
10/10
$1,782
5
Bernie Gillies was great. Very friendly and informative. I enjoyed our conversation very much and feel as though I am much more equipped to take on... Read More
Trinidad and Tobago Unit Trust Corporation
Guided Implementation
10/10
$3,820
20
Really appreciated the quick response for assistance and the guidance and knowledge that was shared during this first interaction.
Risk Management
Please note: This course will be updated in October 2023.
"Hope" is not a risk management strategy.
This course makes up part of the Security & Risk Certificate.
- Course Modules: 4
- Estimated Completion Time: 2-2.5 hours
- Featured Analysts:
- David Yackness, Sr. Research Director, CIO Practice
- Gord Harrison, SVP of Research and Advisory
Workshop: Build an IT Risk Management Program
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Review IT Risk Fundamentals and Governance
The Purpose
- To assess current risk management maturity, develop goals, and establish IT risk governance.
Key Benefits Achieved
- Identified obstacles to effective IT risk management.
- Established attainable goals to increase maturity.
- Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.
Activities
Outputs
Assess current program maturity
- Maturity Assessment
Complete RACI chart
- Risk Management Program Manual
Create the IT risk council
Identify and engage key stakeholders
Add organization-specific risk scenarios
- Risk Register
Identify risk events
Module 2: Identify IT Risks
The Purpose
- Identify and assess all IT risks.
Key Benefits Achieved
- Created a comprehensive list of all IT risk events.
- Risk events prioritized according to risk severity – as defined by the business.
Activities
Outputs
Identify risk events (continued)
- Finalized List of IT Risk Events
Augment risk event list using COBIT 5 processes
- Risk Register
Determine the threshold for (un)acceptable risk
- Risk Management Program Manual
Create impact and probability scales
Select a technique to measure reputational cost
Conduct risk severity level assessment
Module 3: Identify IT Risks (continued)
The Purpose
- Prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.
Key Benefits Achieved
- Risk monitoring responsibilities are established.
- Risk response strategies have been identified for all key risks.
Activities
Outputs
Conduct risk severity level assessment
- Risk Register
Document the proximity of the risk event
- Risk Management Program Manual
Conduct expected cost assessment
Develop key risk indicators (KRIs) and escalation protocols
Root cause analysis
Identify and assess risk responses
- Risk Event Action Plans
Module 4: Monitor, Report, and Respond to IT Risk
The Purpose
- Assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.
Key Benefits Achieved
- Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.
- Authoritative risk response recommendations can be made to senior leadership.
- A finalized Risk Management Program Manual is ready for distribution to key stakeholders.
Activities
Outputs
Identify and assess risk responses
- Risk Report
Risk response cost-benefit analysis
Create multi-year cost projections
Review techniques for embedding risk management in IT
- Risk Management Program Manual
Finalize the Risk Report and Risk Management Program Manual
Transfer ownership of risk responses to project managers
Build an IT Risk Management Program
Mitigate the IT risks that could negatively impact your organization.
Table of Contents
3 Executive Brief
4 Analyst Perspective
5 Executive Summary
19 Phase 1: Review IT Risk Fundamentals & Governance
43 Phase 2: Identify and Assess IT Risk
74 Phase 3: Monitor, Communicate, and Respond to IT Risk
102 Appendix
108 Bibliography
Build an IT Risk Management Program
Mitigate the IT risks that could negatively impact your organization.
EXECUTIVE BRIEF
Analyst Perspective
Siloed risks are risky business for any enterprise.
Valence Howden Principal Research Director, CIO Practice |
Brittany Lutes Senior Research Analyst, CIO Practice |
Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.
Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.
This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.
Executive Summary
Your Challenge
IT has several challenges when it comes to addressing risk management:
- Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
- The business could be making decisions that are not informed by risk.
- Reacting to risks after they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.
Common Obstacles
Many IT organizations realize these obstacles:
- IT risks and business risks are often addressed separately, causing inconsistencies in the approach.
- Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
- Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.
Info-Tech’s Approach
- Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success.
- Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
- Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the IT risks most critical to the organization.
Info-Tech Insight
IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.
Ad hoc approaches to managing risk fail because…
If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.
- Ad hoc risk management is reactionary.
- Ad hoc risk management is often focused only on IT security.
- Ad hoc risk management lacks alignment with business objectives.
The results:
- Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
- Increased IT non-compliance, resulting in costly settlements and fines.
- IT audit failure.
- Ineffective management of risk caused by poor risk information and wrong risk response decisions.
- Increased unnecessary and avoidable IT failures and fixes.
58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021)
Data is an invaluable asset – ensure it’s protected
Case Studies
|
|
|
Risk management is a business enabler
Formalize risk management to increase your likelihood of success.
By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.
A certain amount of risk is healthy and can stimulate innovation:
- A formal risk management strategy doesn’t mean trying to mitigate every possible risk; it means exposing the organization to the right amount of risk.
- Taking a formal risk management approach allows an organization to thoughtfully choose which risks it is willing to accept.
- Organizations with high risk management maturity will vault themselves ahead of the competition because they will be aware of which risks to prepare for, which risks to ignore, and which risks to take.
Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021)
IT risk is enterprise risk
Accountability for IT risks and the decisions made to address them should be shared between IT and the business.
 |
IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk. |
Follow the steps of this blueprint to build or optimize your IT risk management program
 Start Here |
PHASE 1Review IT Risk Fundamentals and Governance |
PHASE 2Identify and Assess IT Risk |
PHASE 3Monitor, Report, and Respond to IT Risk |
|||
1.1Review IT Risk Management Fundamentals |
1.2Establish a Risk Governance Framework |
2.1Identify IT Risks |
2.2Assess and Prioritize IT Risks |
3.1Monitor IT Risks and Develop Risk Responses |
3.2Report IT Risk Priorities |
|
Integrate Risk and Use It to Your Advantage
Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.
Risk management is more than checking an audit box or demonstrating project due diligence.
Risk Drivers
|
 |
Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021) | 63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021) | Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020) | 55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021) |
| 1. Assess Enterprise Risk Maturity | 3. Build a Risk Management Program Plan | 4. Establish Risk Management Processes | 5. Implement a Risk Management Program | ||
| 2. Determine Authority with Governance
Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020) |
|||||
| IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.
Governance and related decision making is optimized with integrated and aligned risk data. |
 |
ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types. The program plan is meant to consider all the major risk types in a unified approach. |
 |
Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action. | |
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Key deliverable:Risk Management Program ManualUse the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.  |
Integrated Risk Maturity Assessment
Assess the organization's current maturity and readiness for integrated risk management (IRM). |
 |
Centralized Risk Register
The repository for all the risks that have been identified within your environment. |
 |
| Risk Costing Tool
A potential cost-benefit analysis of possible risk responses to determine a good method to move forward. |
 |
Risk Report & Risk Event Action Plan
A method to report risk severity and hold risk owners accountable for chosen method of responding. |
 |
Benefit from industry-leading best practices
As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.
|
Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. (ISO 31000) |
|
Abandon ad hoc risk management
A strong risk management foundation is valuable when building your IT risk management program.This research covers the following IT risk fundamentals:
|
Drivers of Formalized Risk Management: |
|
| Drivers External to IT | ||
| External Audit | Internal Audit | |
| Mandated by ERM | ||
| Occurrence of Risk Event | ||
| Demonstrating IT’s value to the business | Proactive initiative | |
| Emerging IT risk awareness | ||
| Grassroots Drivers | ||
Blueprint benefits
IT Benefits
|
Business Benefits
|
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit |
Guided Implementation |
Workshop |
Consulting |
| "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks used throughout all four options
Guided Implementation
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 6 to 8 calls over the course of 3 to 6 months.
What does a typical GI on this topic look like?
- Call #1: Assess current risk maturity and organizational buy-in.
- Call #2: Establish an IT risk council and determine IT risk management program goals.
- Call #3: Identify the risk categories used to organize risk events.
- Call #4: Identify the threshold for risk the organization can withstand.
- Call #5: Create a method to assess risk event severity.
- Call #6: Establish a method to monitor priority risks and consider possible risk responses.
- Call #7: Communicate risk priorities to the business and implement risk management plan.
Phase 1
Phase 2
Phase 3
Workshop Overview
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | |
| Activities | Review IT Risk Fundamentals and Governance1.1 Assess current program maturity 1.2 Complete RACI chart 1.3 Create the IT risk council 1.4 Identify and engage key stakeholders 1.5 Add organization-specific risk scenarios 1.6 Identify risk events |
Identify IT Risks2.1 Identify risk events (continued) 2.2 Augment risk event list using COBIT5 processes 2.3 Determine the threshold for (un)acceptable risk 2.4 Create impact and probability scales 2.5 Select a technique to measure reputational cost 2.6 Conduct risk severity level assessment |
Assess IT Risks3.1 Conduct risk severity level assessment 3.2 Document the proximity of the risk event 3.3 Conduct expected cost assessment 3.4 Develop key risk indicators (KRIs) and escalation protocols 3.5 Perform root cause analysis 3.6 Identify and assess risk responses |
Monitor, Report, and Respond to IT Risk4.1 Identify and assess risk responses 4.2 Risk response cost-benefit analysis 4.3 Create multi-year cost projections 4.4 Review techniques for embedding risk management in IT 4.5 Finalize the Risk Report and Risk Management Program Manual 4.6 Transfer ownership of risk responses to project managers |
Next Steps and Wrap-Up (offsite)5.1 Complete in-progress deliverables from previous four days 5.2 Set up review time for workshop deliverables and to discuss next steps |
| Outcomes |
|
|
|
|
|
Build an IT Risk Management Program
Phase 1
Review IT Risk Fundamentals and Governance
Phase 1
|
Phase 2
|
Phase 3
|
This phase will walk you through the following activities:
- Gain buy-in from senior leadership
- Assess current program maturity
- Identify obstacles and pain points
- Determine the risk culture of the organization
- Develop risk management goals
- Develop SMART project metrics
- Create the IT risk council
- Complete a RACI chart
This phase involves the following participants:
- IT executive leadership
- Business executive leadership
Step 1.1
Review IT Risk Management Fundamentals
Activities
- 1.1.1 Gain buy-in from senior leadership
- 1.1.2 Assess current program maturity
This step involves the following participants:
- IT executive leadership
- Business executive leadership
Outcomes of this step
- Reviewed key IT principles and terminology
- Gained understanding of the relationship between IT risk management and ERM
- Introduced to Info-Tech’s IT Risk Management Framework
- Obtained the support of senior leadership
| Step 1.1 | Step 1.2 |
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 3-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.
Guided Implementation 1: Review IT risk fundamentals and governance
- Call 1: Assess current risk maturity and organizational buy-in.
- Call 2: Establish an IT risk council and determine IT risk management program goals.
Guided Implementation 2: Identify and assess IT risk
- Call 1: Identify the risk categories used to organize risk events.
- Call 2: Identify the threshold for risk the organization can withstand.
- Call 3: Prepare for risk assessment by selecting tools and methodologies.
Guided Implementation 3: Monitor, respond, and report on IT risk
- Call 1: Create a method to assess risk event severity.
- Call 2: Establish a method to monitor priority risks and consider possible risk responses.
- Call 3: Communicate risk priorities to the business and implement risk management plan.
Contributors
- Daisha Pennie, IT Risk Management, Oklahoma State University
- Ken Piddington CIO and Executive Advisor, MRE Consulting
- Tamara Dwarika, Internal Auditor, A leading North American Utility
- Anne Leroux, Director ES Computer Training
- Michel Fossé, Consulting Services Manager, IBM Canada (LGS)
- Steve Woodward, Research Director, CEO, Cloud Perspectives
- 10 anonymous contributors
Optimize IT Governance for Dynamic Decision-Making
Maximize Business Value From IT Through Benefits Realization
Build an IT Risk Management Program
Review and Improve Your IT Policy Library
Establish a Sustainable ESG Reporting Program
Take Control of Compliance Improvement to Conquer Every Audit
Establish an Effective System of Internal IT Controls to Mitigate Risks
Integrate IT Risk Into Enterprise Risk
The ESG Imperative and Its Impact on Organizations
Make Your IT Governance Adaptable
Build an IT Risk Taxonomy
