Build an IT Risk Taxonomy
If integrated risk is your destination, your IT risk taxonomy is the road to get you there.
- Business leaders, driven by the need to make more risk-informed decisions, are putting pressure on IT to provide more timely and consistent risk reporting.
- IT risk managers need to balance the emerging threat landscape with not losing sight of the risks of today.
- IT needs to strengthen IT controls and anticipate risks in an age of disruption.
Our Advice
Critical Insight
A common understanding of risks, threats, and opportunities gives organizations the flexibility and agility to adapt to changing business conditions and drive corporate value.
Impact and Result
- Use this blueprint as a baseline to build a customized IT risk taxonomy suitable for your organization.
- Learn about the role and drivers of integrated risk management and the benefits it brings to enterprise decision-makers.
- Discover how to set up your organization up for success by understanding how risk management links to organizational strategy and corporate performance.
Workshop: Build an IT Risk Taxonomy
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Review IT Risk Fundamentals and Governance
The Purpose
Review IT risk fundamentals and governance.
Key Benefits Achieved
Learn how enterprise risk management and IT risk management intersect and the role the IT taxonomy plays in integrated risk management.
Activities
Outputs
Discuss risk fundamentals and the benefits of integrated risk.
- IT Risk Taxonomy Committee Charter Template
- Build an IT Risk Taxonomy Workbook
Create a cross-functional IT taxonomy working group.
Module 2: Identify Level 1 Risk Types
The Purpose
Identify suitable IT level 1 risk types.
Key Benefits Achieved
Level 1 IT risk types are determined and have been tested against ERM level one risk types.
Activities
Outputs
Discuss corporate strategy, business risks, macro trends, and organizational opportunities and constraints.
- Build an IT Risk Taxonomy Workbook
Establish level 1 risk types.
Test soundness of IT level 1 types by mapping to ERM level 1 types.
Module 3: Identify Level 2 and Level 3 Risk Types
The Purpose
Define level 2 and level 3 risk types.
Key Benefits Achieved
Level 2 and level 3 risk types have been determined.
Activities
Outputs
Establish level 2 risk types.
- Build an IT Risk Taxonomy Design Template
- Risk Register Tool
Establish level 3 risk types (and level 4 if appropriate for your organization).
Begin to test by working backward from controls to ensure risk events will aggregate consistently.
Module 4: Monitor, Report, and Respond to IT Risk
The Purpose
Test the robustness of your IT risk taxonomy by populating the risk register with risk events and controls.
Key Benefits Achieved
Your IT risk taxonomy has been tested and your risk register has been updated.
Activities
Outputs
Continue to test robustness of taxonomy and iterate if necessary.
- Build an IT Risk Taxonomy Design Template
- Risk Register Tool
- Build an IT Risk Taxonomy Workbook
Optional activity: Draft your IT risk appetite statements.
Discuss communication and continual improvement plan.
Build an IT Risk Taxonomy
If integrated risk is your destination, your IT risk taxonomy is the road to get you there.
Analyst Perspective
|
The pace and uncertainty of the current business environment introduce new and emerging vulnerabilities that can disrupt an organization’s strategy on short notice. Having a long-term view of risk while navigating the short term requires discipline and a robust and strategic approach to risk management. Managing emerging risks such as climate risk, the impact of digital disruption on internal technology, and the greater use of third parties will require IT leaders to be more disciplined in how they manage and communicate material risks to the enterprise. Establishing a hierarchical common language of IT risks through a taxonomy will facilitate true aggregation and integration of risks, enabling more effective decision making. This holistic, disciplined approach to risk management helps to promote a more sustainable risk culture across the organization while adding greater rigor at the IT control level. Donna Bales |
Executive Summary
|
Your Challenge |
Common Obstacles |
Info-Tech’s Approach |
|---|---|---|
|
IT has several challenges when managing and responding to risk events:
|
Many IT organizations encounter obstacles in these areas:
. |
|
Info-Tech Insight
A common understanding of risks, threats, and opportunities gives organizations the flexibility and agility to adapt to changing business conditions and drive corporate value.
Increasing threat landscape
The risk landscape is continually evolving, putting greater pressure on the risk function to work collaboratively throughout the organization to strengthen operational resilience and minimize strategic, financial, and reputational impact.
|
Financial Impact |
Strategic Risk |
Reputation Risk |
|---|---|---|
|
In IBM’s 2021 Cost of a Data Breach Report, the Ponemon Institute found that data security breaches now cost companies $4.24 million per incident on average – the highest cost in the 17-year history of the report. |
58% percent of CROs who view inability to manage cyber risks as a top strategic risk. EY’s 2022 Global Bank Risk Management survey revealed that Chief Risk Officers (CROs) view the inability to manage cyber risk and the inability to manage cloud and data risk as the top strategic risks. |
Protiviti’s 2023 Executive Perspectives on Top Risks survey featured operational resilience within its top ten risks. An organization’s failure to be sufficiently resilient or agile in a crisis can significantly impact operations and reputation. |
Persistent and emerging threats
Organizations should not underestimate the long-term impact on corporate performance if emerging risks are not fully understood, controlled, and embedded into decision-making.
|
Talent Risk |
Sustainability |
Digital Disruption |
|---|---|---|
|
Protiviti’s 2023 Executive Perspectives on Top Risks survey revealed talent risk as the top risk organizations face, specifically organizations’ ability to attract and retain top talent. Of the 38 risks in the survey, it was the only risk issue rated at a “significant impact” level. |
Sustainability is at the top of the risk agenda for many organizations. In EY’s 2022 Global Bank Risk Management survey, environmental, social, and governance (ESG) risks were identified as a risk focus area, with 84% anticipating it to increase in priority over the next three years. Yet Info-Tech’s Tech Trends 2023 report revealed that only 24% of organizations could accurately report on their carbon footprint. Source: Info-Tech 2023 Tech Trends Report |
The risks related to digital disruption are vast and evolving. In the short term, risks surface in compliance and skills shortage, but Protiviti’s 2023 Executive Perspectives survey shows that in the longer term, executives are concerned that the speed of change and market forces may outpace an organization’s ability to compete. |
Blueprint benefits
|
IT Benefits |
Business Benefits |
|---|---|
|
|
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
|
IT Risk Taxonomy Committee Charter Template Create a cross-functional IT risk taxonomy committee. |
|
Build an IT Risk Taxonomy Guideline Use IT risk taxonomy as a baseline to build your organization’s approach. |
|
|
Build an IT Risk Taxonomy Design Template Use this template to design and test your taxonomy. |
|
Risk Register Tool Update your risk register with your IT risk taxonomy. |
|
Key deliverable:
Build an IT Risk Taxonomy Workbook
Use the tools and activities in each phase of the blueprint to customize your IT risk taxonomy to suit your organization’s needs.
Benefit from industry-leading best practices
As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensures that our project-focused approach is grounded in industry-leading best practices for managing IT risk.
|
COSO’s Enterprise Risk Management —Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. |
ISO 31000 – Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. |
COBIT 2019’s IT functions were used to develop and refine the ten IT risk categories used in our top-down risk identification methodology. |
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” |
Guided Implementation“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” |
Workshop“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” |
Consulting“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” |
Diagnostics and consistent frameworks used throughout all four options
Guided Implementation
| Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
|
Call #1: Review risk management fundamentals. |
Call #2: Review the role of an IT risk taxonomy in risk management. Call #3: Establish a cross-functional team. |
Calls #4-5: Identify level 1 IT risk types. Test against enterprise risk management. Call #6: Identify level 2 and level 3 risk types. Call #7: Align risk events and controls to level 3 risk types and test. Call #8: Update your risk register and communicate taxonomy internally. |
A Guided Implementation (GI) is a series
of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 6 to 8 calls over the course of 3 to 6 months.
Workshop Overview
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | |
|---|---|---|---|---|---|
|
Review IT Risk Fundamentals and Governance |
Identify Level 1 IT Risk Types |
Identify Level 2 and Level 3 Risk Types |
Monitor, Report, and Respond to IT Risk |
Next Steps and |
|
| Activities |
1.1 Discuss risk fundamentals and the benefits of integrated risk. 1.2 Create a cross-functional IT taxonomy working group. |
2.1 Discuss corporate strategy, business risks, macro trends, and organizational opportunities and constraints. 2.2 Establish level 1 risk types. 2.3 Test soundness of IT level 1 types by mapping to ERM level 1 types. |
3.1 Establish level 2 risk types. 3.2 Establish level 3 risk types (and level 4 if appropriate for your organization). 3.3 Begin to test by working backward from controls to ensure risk events will aggregate consistently. |
4.1 Continue to test robustness of taxonomy and iterate if necessary. 4.2 Optional activity: Draft your IT risk appetite statements. 4.3 Discuss communication and continual improvement plan. |
5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. |
| Deliverables |
|
|
|
|
|
Phase 1
Understand Risk Management Fundamentals
|
Phase 1 |
Phase 2 |
Phase 3 |
|---|---|---|
|
|
|
Governance, risk, and compliance (GRC)
Risk management is one component of an organization’s GRC function.
GRC principles are important tools to support enterprise management.
Governance sets the guardrails to ensure that the enterprise is in alignment with standards, regulations, and board decisions. A governance framework will communicate rules and expectations throughout the organization and monitor adherence.
Risk management is how the organization protects and creates enterprise value. It is an integral part of an organization’s processes and enables a structured decision-making approach.
Compliance is the process of adhering to a set of guidelines; these could be external regulations and guidelines or internal corporate policies.
GRC principles are tightly bound and continuous
Enterprise risk management
Regardless of size or structure, every organization makes strategic and operational decisions that expose it to uncertainties.
Enterprise risk management (ERM) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS).
An ERM is program is crucial because it will:
- Help shape business objectives, drive revenue growth, and execute risk-based decisions.
- Enable a deeper understanding of risks and assessment of current risk profile.
- Support forward-looking risk management and more constructive dialogue with the board and regulatory agencies.
- Provide insight on the robustness and efficacy of risk management processes, tools, and controls.
- Drive a positive risk culture.
ERM is supported by strategy, effective processes, technology, and people
Risk frameworks
Risk frameworks are leveraged by the industry to “provide a structure and set of definitions to allow enterprises of all types and sizes to understand and better manage their risk environments.” COSO Enterprise Risk Management, 2nd edition
- Many organizations lean on the Committee of Sponsoring Organizations’ Enterprise Risk Management framework (COSO ERM) and ISO 31000 to view organizational risks from an enterprise perspective.
- Prior to the introduction of standardized risk frameworks, it was difficult to quantify the impact of a risk event on the entire enterprise, as the risk was viewed in a silo or as an individual risk component.
- Recently, the National Institute of Science and Technology (NIST) published guidance on developing an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.
Source: National Institute of Standards and Technology
New NIST guidance (NISTIR 8286) emphasizes the complexity of risk management and the need for the risk management process to be carried out seamlessly across three tiers with the overall objective of continuous improvement.
Enterprise risk appetite
“The amount of risk an organization is willing to take in pursuit of its objectives”
– Robert R. Moeller, COSO ERM Framework Model
- A primary role of the board and senior management is to balance value creation with effectively management of enterprise risks.
- As part of this role, the board will approve the enterprise’s risk appetite. Placing this responsibility with the board ensures that the risk appetite is aligned with the company’s strategic objectives.
- The risk appetite is used throughout the organization to assess and respond to individual risks, acting as a constant to make sure that risks are managed within the organization’s acceptable limits.
- Each year, or in reaction to a risk trigger, the enterprise risk appetite will be updated and approved by the board.
- Risk appetite will vary across organizations for several reasons, such as industry, company culture, competitors, the nature of the objectives pursued, and financial strength.
Change or new risks » adjust enterprise risk profile » adjust risk appetite
Risk profile vs. risk appetite
Risk profile is the broad parameters an organization considers in executing its business strategy. Risk appetite is the amount of risk an entity is willing to accept in pursuit of its strategic objectives. The risk appetite can be used to inform the risk profile or vice versa. Your organization’s risk culture informs and is used to communicate both.
|
Risk Tolerant |
Moderate |
Risk Averse |
|---|---|---|
|
|
|
Where the IT risk appetite fits into the risk program
- Your organization’s strategy and associated risk appetite cascade down to each business department. Overall strategy and risk appetite also set a strategy and risk appetite for each department.
- Both risk appetite and risk tolerances set boundaries for how much risk an organization is willing or prepared to take. However, while appetite is often broad, tolerance is tactical and focused.
- Tolerances apply to specific objectives and provide guidance to those executing on a day-to-day basis. They measure the variation around performance expectations that the organization will tolerate.
- Ideally, they are incorporated into existing governance, risk, and compliance systems and are also considered when evaluated business cases.
- IT risk appetite statements are based on IT level 1 risk types.
The risk appetite has a risk lens but is also closely linked to corporate performance.
Statements of risk
|
Risk Appetite |
Risk Tolerance |
|---|---|
|
|
Risk scenarios
Risk scenarios serve two main purposes: to help decision makers understand how adverse events can affect organizational strategy and objectives and to prepare a framework for risk analysis by clearly defining and decomposing the factors contributing to the frequency and the magnitude of adverse events.
ISACA
- Organizations’ pervasive use of and dependency on technology has increased the importance of scenario analysis to identify relevant and important risks and the potential impacts of risk events on the organization if the risk event were to occur.
- Risk scenarios provide “what if” analysis through a structured approach, which can help to define controls and document assumptions.
- They form a constructive narrative and help to communicate a story by bringing in business context.
- For the best outcome, have input from business and IT stakeholders. However, in reality, risk scenarios are usually driven by IT through the asset management practice.
- Once the scenarios are developed, they are used during the risk analysis phase, in which frequency and business impacts are estimated. They are also a useful tool to help the risk team (and IT) communicate and explain risks to various business stakeholders.
Top-down approach – driven by the business by determining the business impact, i.e. what is the impact on my customers, reputation, and bottom line if the system that supports payment processing fails?
Bottom-up approach – driven by IT by identifying critical assets and what harm could happen if they were to fail.
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 3-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.
Guided Implementation 1: Understand risk management fundamentals
- Call 1: Review risk management fundamentals.
Guided Implementation 2: Set your organization up for success
- Call 1: Review the role of an IT risk taxonomy in risk management.
- Call 2: Establish a cross-functional team.
Guided Implementation 3: Structure your IT risk taxonomy
- Call 1: Identify level 1 IT risk types. Test against enterprise risk management.
- Call 2: Identify level 2 and level 3 risk types.
- Call 3: Align risk events and controls to level 3 risk types and test.
- Call 4: Update your risk register and communicate taxonomy internally.
Optimize IT Governance for Dynamic Decision-Making
Maximize Business Value From IT Through Benefits Realization
Build an IT Risk Management Program
Review and Improve Your IT Policy Library
Establish a Sustainable ESG Reporting Program
Take Control of Compliance Improvement to Conquer Every Audit
Establish an Effective System of Internal IT Controls to Mitigate Risks
Integrate IT Risk Into Enterprise Risk
The ESG Imperative and Its Impact on Organizations
Make Your IT Governance Adaptable
Build an IT Risk Taxonomy
