Get Instant Access
to This Blueprint

Cio icon

What is an IT risk management program?

Mitigate the IT risks that could negatively impact your organization.

  • Risk is unavoidable. Keeping ahead of it requires an IT risk management program – a formal strategy to identify, assess, and mitigate cybersecurity risks to your organization, using specific policies, procedures, and technologies.
  • Without such a program, the business could be making decisions that are not informed by risk.
  • Reacting to risks AFTER they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

Our Advice

Critical Insight

  • IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

Impact and Result

  • Transform your ad hoc IT risk management processes into a formalized, ongoing program, and increase risk management success.
  • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
  • Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks most critical to the organization.

What is an IT risk management program? Research & Tools

1. Build an IT Risk Management Program – A holistic approach to managing IT risks within your organization and involving key business stakeholders.

Gain business buy-in to understanding the key IT risks that could negatively impact the organization and create an IT risk management program to properly identify, assess, respond, monitor, and report on those risks.

2. Risk Management Program Manual – A single source of truth for the risk management program to exist and be updated to reflect changes.

Leverage this Risk Management Program Manual to ensure that the decisions around how IT risks will be governed and managed can be documented in a single source accessible by those involved.

3. Risk Register & Risk Costing Tool – A set of tools to document identified risk events. Assess each risk event and consider the appropriate response based on your organization’s threshold for risk.

Engage these tools in your organization if you do not currently have a GRC tool to document risk events as they relate to the IT function. Consider the best risk response to high severity risk events to ensure all possible situations are considered.

4. Risk Event Action Plan and Risk Report – A template to document the chosen risk responses and ensure accountable owners agree on selected response method.

Establish clear guidelines and responses to risk events that will leave your organization vulnerable to unwanted threats. Ensure risk owners have agreed to the risk responses and are willing to take accountability for that response.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

8.8/10


Overall Impact

$27,793


Average $ Saved

9


Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

City of Menifee

Workshop

9/10

N/A

N/A

Technology Risk management is a brand new undertaking for the City as a formal, documented process. This workshop provided the Risk Management tea... Read More

Ideal Boilers Limited

Guided Implementation

9/10

N/A

1

Framework examples will help greatly; populated proformas (to set the framework in context) would have helped further.

Regina Catholic Schools

Guided Implementation

10/10

$10,000

5

Valence was very knowledgeable and gave great insights to specific areas to focus on and where we can make improvements to achieve our goals.

Midis Services FZ - LLC

Guided Implementation

9/10

N/A

14

assigning an unqualified resource from my end, since he wont be guided and the consultant expects the other party to have the minimum knowledge

Allegheny College

Guided Implementation

10/10

$6,850

3

City Of Charlotte

Guided Implementation

10/10

$34,250

5

Valence continues to keep us pointed in the right direction on this launch of an IT Controls Program. I appreciate that he not only takes the time ... Read More

South Australian Water Corporation

Guided Implementation

1/10

N/A

N/A

The analyst had not reviewed our current risk management framework and plan prior to the call - the meeting was not valuable.

Boston Dynamics

Guided Implementation

10/10

$68,500

5

Greg is very flexible, extremely experienced and we aligned easily on my desire to "right size" our risk management effort.

MDU Services LTD

Guided Implementation

10/10

N/A

29

Best: Having a framework, supporting tools & templates and a dedicated named expert in the subject (Donna Bales) to hand hold us through the progr... Read More

Johnson County Library

Guided Implementation

9/10

$2,599

5

MassMutual

Guided Implementation

10/10

$71,499

16

Fernco Inc

Workshop

9/10

N/A

10

Best parts since this was an update from previous years, Sumit provided pre-work prior to the workshop so that more discussion time could be spent ... Read More

Massey University

Workshop

3/10

N/A

N/A

Overall, I felt we gained very little from this exercise. It could be that we were starting from quite an advanced level of risk management to begi... Read More

Desert Lime Ltd

Guided Implementation

9/10

$20,500

23

Friendliness and support provided by the team

The University of Alabama at Birmingham

Guided Implementation

10/10

$2,479

5

Worst - I waited too long before engaging with Info-tech for advice. Best - Having an Info-tech professional look at where I was going and what I ... Read More

The Government of the Northwest Territories

Workshop

10/10

$22,000

50

Best - guided process by knowledgeable SMEs, InfoTechs flexibility in course delivery to meet our needs /Covid requirements. Deliverables are pract... Read More

University of Exeter

Guided Implementation

9/10

N/A

N/A

City of Carlsbad

Workshop

10/10

N/A

20

Integris Credit Union

Guided Implementation

9/10

$10,000

10

Being able to discuss our specific situation with a trusted resource is valuable, in order to right-size the solution. (IT Risk Mgmt). The Excel-... Read More

Dropbox

Guided Implementation

8/10

N/A

5

Pegasus Business Intelligence, LP d/b/a Onyx CenterSource

Guided Implementation

10/10

N/A

N/A

UMG RECORDINGS, INC.

Guided Implementation

10/10

N/A

N/A

The analyst was very knowledgeable and presented insights that were very relevant to our organization and goals. It served as good validation for ... Read More

AARP Inc

Guided Implementation

10/10

N/A

N/A

Fernco Inc

Workshop

10/10

$30,999

20

RPC Inc.

Guided Implementation

10/10

$2,546

10

Immediate response, thorough and complete explanation of the tools and process has helped tremendously

CFA Institute

Guided Implementation

8/10

N/A

N/A

Central Bank of Trinidad & Tobago

Guided Implementation

9/10

N/A

N/A

Kentucky Housing Corporation

Guided Implementation

10/10

$1,782

5

Bernie Gillies was great. Very friendly and informative. I enjoyed our conversation very much and feel as though I am much more equipped to take on... Read More

Trinidad and Tobago Unit Trust Corporation

Guided Implementation

10/10

$3,820

20

Really appreciated the quick response for assistance and the guidance and knowledge that was shared during this first interaction.


Risk Management

Please note: This course will be updated in October 2023.

"Hope" is not a risk management strategy.
This course makes up part of the Security & Risk Certificate.

  • Course Modules: 4
  • Estimated Completion Time: 2-2.5 hours
  • Featured Analysts:
  • David Yackness, Sr. Research Director, CIO Practice
  • Gord Harrison, SVP of Research and Advisory

Now Playing:
Academy: Risk Management | Executive Brief

An active membership is required to access Info-Tech Academy

Workshop: What is an IT risk management program?

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Review IT Risk Fundamentals and Governance

The Purpose

  • To assess current risk management maturity, develop goals, and establish IT risk governance.

Key Benefits Achieved

  • Identified obstacles to effective IT risk management.
  • Established attainable goals to increase maturity.
  • Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.

Activities

Outputs

1.1

Assess current program maturity

  • Maturity Assessment
1.2

Complete RACI chart

  • Risk Management Program Manual
1.3

Create the IT risk council

1.4

Identify and engage key stakeholders

1.5

Add organization-specific risk scenarios

  • Risk Register
1.6

Identify risk events

Module 2: Identify IT Risks

The Purpose

  • Identify and assess all IT risks.

Key Benefits Achieved

  • Created a comprehensive list of all IT risk events.
  • Risk events prioritized according to risk severity – as defined by the business.

Activities

Outputs

2.1

Identify risk events (continued)

  • Finalized List of IT Risk Events
2.2

Augment risk event list using COBIT 5 processes

  • Risk Register
2.3

Determine the threshold for (un)acceptable risk

  • Risk Management Program Manual
2.4

Create impact and probability scales

2.5

Select a technique to measure reputational cost

2.6

Conduct risk severity level assessment

Module 3: Identify IT Risks (continued)

The Purpose

  • Prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.

Key Benefits Achieved

  • Risk monitoring responsibilities are established.
  • Risk response strategies have been identified for all key risks.

Activities

Outputs

3.1

Conduct risk severity level assessment

  • Risk Register
3.2

Document the proximity of the risk event

  • Risk Management Program Manual
3.3

Conduct expected cost assessment

3.4

Develop key risk indicators (KRIs) and escalation protocols

3.5

Root cause analysis

3.6

Identify and assess risk responses

  • Risk Event Action Plans

Module 4: Monitor, Report, and Respond to IT Risk

The Purpose

  • Assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.

Key Benefits Achieved

  • Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.
  • Authoritative risk response recommendations can be made to senior leadership.
  • A finalized Risk Management Program Manual is ready for distribution to key stakeholders.

Activities

Outputs

4.1

Identify and assess risk responses

  • Risk Report
4.2

Risk response cost-benefit analysis

4.3

Create multi-year cost projections

4.4

Review techniques for embedding risk management in IT

  • Risk Management Program Manual
4.5

Finalize the Risk Report and Risk Management Program Manual

4.6

Transfer ownership of risk responses to project managers


What is IT risk management?

IT risk management is a formal strategy to identify, assess, and mitigate cybersecurity risks to an organization, using specific policies, procedures, and technologies. Not having a formal IT risk management plan and relying instead on a reactive approach leaves the organization vulnerable such risks, which can be costly and damaging.



Build an IT Risk Management Program

Mitigate the IT risks that could negatively impact your organization.

Build an IT Risk Management Program

Mitigate the IT risks that could negatively impact your organization.

EXECUTIVE BRIEF

Analyst Perspective

Siloed risks are risky business for any enterprise.

Photo of Valence Howden, Principal Research Director, CIO Practice.
Valence Howden
Principal Research Director, CIO Practice
Photo of Brittany Lutes, Senior Research Analyst, CIO Practice.
Brittany Lutes
Senior Research Analyst, CIO Practice

Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.

Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.

This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.

Executive Summary

Your Challenge

IT has several challenges when it comes to addressing risk management:

  • Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
  • The business could be making decisions that are not informed by risk.
  • Reacting to risks after they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

Common Obstacles

Many IT organizations realize these obstacles:

  • IT risks and business risks are often addressed separately, causing inconsistencies in the approach.
  • Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
  • Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.

Info-Tech’s Approach

  • Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success.
  • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
  • Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the IT risks most critical to the organization.

Info-Tech Insight

IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

Ad hoc approaches to managing risk fail because…

If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.

  1. Ad hoc risk management is reactionary.
  2. Ad hoc risk management is often focused only on IT security.
  3. Ad hoc risk management lacks alignment with business objectives.

The results:

  • Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
  • Increased IT non-compliance, resulting in costly settlements and fines.
  • IT audit failure.
  • Ineffective management of risk caused by poor risk information and wrong risk response decisions.
  • Increased unnecessary and avoidable IT failures and fixes.

58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021)

Data is an invaluable asset – ensure it’s protected

Case Studies

Logo for Cognyte.

Cognyte, a vendor hired to be a cybersecurity analytics company, had over five billion records exposed in Spring 2021. The data was compromised for four days, providing attackers with plenty of opportunities to obtain personally identifying information. (SecureBlink., 2021 & Security Magazine, 2021)

Logo for Facebook.

Facebook, the world’s largest social media giant, had over 533 million Facebook users’ personal data breached when data sets were able to be cross-listed with one another. (Business Insider, 2021 & Security Magazine, 2021)

Logo for MGM Resorts.

In 2020, over 10.6 million customers experienced some sort of data being accessible, with 1,300 having serious personally identifying information breached. (The New York Times, 2020)

Risk management is a business enabler

Formalize risk management to increase your likelihood of success.

By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.

A certain amount of risk is healthy and can stimulate innovation:

  • A formal risk management strategy doesn’t mean trying to mitigate every possible risk; it means exposing the organization to the right amount of risk.
  • Taking a formal risk management approach allows an organization to thoughtfully choose which risks it is willing to accept.
  • Organizations with high risk management maturity will vault themselves ahead of the competition because they will be aware of which risks to prepare for, which risks to ignore, and which risks to take.

Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021)

IT risk is enterprise risk

Accountability for IT risks and the decisions made to address them should be shared between IT and the business.

Multiple types of risk, 'Finance', 'IT', 'People', and 'Digital', funneling into 'ENTERPRISE RISKS'. IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

Follow the steps of this blueprint to build or optimize your IT risk management program

Cycle of 'Goverance' beginning with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report'.

Start Here

PHASE 1
Review IT Risk Fundamentals and Governance
PHASE 2
Identify and Assess IT Risk
PHASE 3
Monitor, Report, and Respond to IT Risk

1.1

Review IT Risk Management Fundamentals

1.2

Establish a Risk Governance Framework

2.1

Identify IT Risks

2.2

Assess and Prioritize IT Risks

3.1

Monitor IT Risks and Develop Risk Responses

3.2

Report IT Risk Priorities

Integrate Risk and Use It to Your Advantage

Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

Risk management is more than checking an audit box or demonstrating project due diligence.

Risk Drivers
  • Audit & compliance
  • Preserve value & avoid loss
  • Previous risk impact driver
  • Major transformation
  • Strategic opportunities
Arrow pointing right. Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021) 63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021) Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020) 55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
1. Assess Enterprise Risk Maturity 3. Build a Risk Management Program Plan 4. Establish Risk Management Processes 5. Implement a Risk Management Program
2. Determine Authority with Governance
Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.

Governance and related decision making is optimized with integrated and aligned risk data.

List of 'Integrated Risk Maturity Categories': '1. Context & Strategic Direction', '2. Risk Culture and Authority', '3. Risk Management Process', and '4. Risk Program Optimization'. The five types of a risk in 'Enterprise Risk Management (ERM)': 'IT', 'Security', 'Digital', 'Vendor/TPRM', and 'Other'.

ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types.

The program plan is meant to consider all the major risk types in a unified approach.

The 'Risk Process' cycle starting with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report', and back to the beginning. Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable:

Risk Management Program Manual

Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.

Sample of the key deliverable, Risk Manangement Program Fund.
Integrated Risk Maturity Assessment

Assess the organization's current maturity and readiness for integrated risk management (IRM).

Sample of the Integrated Risk Maturity Assessment blueprint. Centralized Risk Register

The repository for all the risks that have been identified within your environment.

Sample of the Centralized Risk Register blueprint.
Risk Costing Tool

A potential cost-benefit analysis of possible risk responses to determine a good method to move forward.

Sample of the Risk Costing Tool blueprint. Risk Report & Risk Event Action Plan

A method to report risk severity and hold risk owners accountable for chosen method of responding.

Samples of the Risk Report & Risk Event Action Plan blueprints.

Benefit from industry-leading best practices

As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

Logo for COSO.

COSO’s Enterprise Risk Management — Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. (COSO)

Logo for ISO.

ISO 31000
Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. (ISO 31000)

Logo for COBIT.

COBIT 2019’s IT functions were used to develop and refine our Ten IT Risk Categories used in our top-down risk identification methodology. (COBIT 2019)

Abandon ad hoc risk management

A strong risk management foundation is valuable when building your IT risk management program.

This research covers the following IT risk fundamentals:

  • Benefits of formalized risk management
  • Key terms and definitions
  • Risk management within ERM
  • Risk management independent of ERM
  • Four key principles of IT risk management
  • Importance of a risk management program manual
  • Importance of buy-in and support from the business

Drivers of Formalized Risk Management:

Drivers External to IT
External Audit Internal Audit
Mandated by ERM
Occurrence of Risk Event
Demonstrating IT’s value to the business Proactive initiative
Emerging IT risk awareness
Grassroots Drivers

Blueprint benefits

IT Benefits

  • Increased on-time, in-scope, and on-budget completion of IT projects.
  • Meet the business’ service requirements.
  • Improved satisfaction with IT by senior leadership and business units.
  • Fewer resources wasted on fire-fighting.
  • Improved availability, integrity, and confidentiality of sensitive data.
  • More efficient use of resources.
  • Greater ability to respond to evolving threats.

Business Benefits

  • Reduced operational surprises or failures.
  • Improved IT flexibility when responding to risk events and market fluctuations.
  • Reduced budget uncertainty.
  • Improved ability to make decisions when developing long-term strategies.
  • Improved stakeholder and shareholder confidence.
  • Achieved compliance with external regulations.
  • Competitive advantage over organizations with immature risk management practices.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Guided Implementation

Workshop

Consulting

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 8 calls over the course of 3 to 6 months.

What does a typical GI on this topic look like?

    Phase 1

  • Call #1: Assess current risk maturity and organizational buy-in.
  • Call #2: Establish an IT risk council and determine IT risk management program goals.
  • Phase 2

  • Call #3: Identify the risk categories used to organize risk events.
  • Call #4: Identify the threshold for risk the organization can withstand.
  • Phase 3

  • Call #5: Create a method to assess risk event severity.
  • Call #6: Establish a method to monitor priority risks and consider possible risk responses.
  • Call #7: Communicate risk priorities to the business and implement risk management plan.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com1-888-670-8889

Day 1 Day 2 Day 3 Day 4 Day 5
Activities
Review IT Risk Fundamentals and Governance

1.1 Assess current program maturity

1.2 Complete RACI chart

1.3 Create the IT risk council

1.4 Identify and engage key stakeholders

1.5 Add organization-specific risk scenarios

1.6 Identify risk events

Identify IT Risks

2.1 Identify risk events (continued)

2.2 Augment risk event list using COBIT5 processes

2.3 Determine the threshold for (un)acceptable risk

2.4 Create impact and probability scales

2.5 Select a technique to measure reputational cost

2.6 Conduct risk severity level assessment

Assess IT Risks

3.1 Conduct risk severity level assessment

3.2 Document the proximity of the risk event

3.3 Conduct expected cost assessment

3.4 Develop key risk indicators (KRIs) and escalation protocols

3.5 Perform root cause analysis

3.6 Identify and assess risk responses

Monitor, Report, and Respond to IT Risk

4.1 Identify and assess risk responses

4.2 Risk response cost-benefit analysis

4.3 Create multi-year cost projections

4.4 Review techniques for embedding risk management in IT

4.5 Finalize the Risk Report and Risk Management Program Manual

4.6 Transfer ownership of risk responses to project managers

Next Steps and Wrap-Up (offsite)

5.1 Complete in-progress deliverables from previous four days

5.2 Set up review time for workshop deliverables and to discuss next steps

Outcomes
  1. Maturity Assessment
  2. Risk Management Program Manual
  1. Finalized List of IT Risk Events
  2. Risk Register
  3. Risk Management Program Manual
  1. Risk Register
  2. Risk Event Action Plans
  3. Risk Management Program Manual
  1. Risk Report
  2. Risk Management Program Manual
  1. Workshop Report
  2. Risk Management Program Manual

Build an IT Risk Management Program

Phase 1

Review IT Risk Fundamentals and Governance

Phase 1

  • 1.1 Review IT Risk Management Fundamentals
  • 1.2 Establish a Risk Governance Framework

Phase 2

  • 2.1 Identify IT Risks
  • 2.2 Assess and Prioritize IT Risks

Phase 3

  • 3.1 Develop Risk Responses and Monitor IT Risks
  • 3.2 Report IT Risk Priorities

This phase will walk you through the following activities:

  • Gain buy-in from senior leadership
  • Assess current program maturity
  • Identify obstacles and pain points
  • Determine the risk culture of the organization
  • Develop risk management goals
  • Develop SMART project metrics
  • Create the IT risk council
  • Complete a RACI chart

This phase involves the following participants:

  • IT executive leadership
  • Business executive leadership

Step 1.1

Review IT Risk Management Fundamentals

Activities
  • 1.1.1 Gain buy-in from senior leadership
  • 1.1.2 Assess current program maturity

This step involves the following participants:

  • IT executive leadership
  • Business executive leadership

Outcomes of this step

  • Reviewed key IT principles and terminology
  • Gained understanding of the relationship between IT risk management and ERM
  • Introduced to Info-Tech’s IT Risk Management Framework
  • Obtained the support of senior leadership
Step 1.1 Step 1.2

Effective IT risk management is possible with or without ERM

Whether or not your organization has ERM, integrating your IT risk management program with the business is possible.

Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:

Core Responsibilities With an ERM Without an ERM
  • Risk Decision-Making Authority
  • Final Accountability
Senior Leadership Team Senior Leadership Team
  • Risk Governance
  • Risk Prioritization & Communication
ERM IT Risk Management
  • Risk Identification
  • Risk Assessment
  • Risk Monitoring
IT Risk Management
Pro: IT’s risk management responsibilities are defined (assessment schedules, escalation and reporting procedures).
Con: IT may lack autonomy to implement IT risk management best practices.
Pro: IT is free to create its own IT risk council and develop customized processes that serve its unique needs.
Con: Lack of clear reporting procedures and mechanisms to share accountability with the business.

Mitigate the IT risks that could negatively impact your organization.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

MEMBER RATING

8.8/10
Overall Impact

$27,793
Average $ Saved

9
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 3-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Review IT risk fundamentals and governance
  • Call 1: Assess current risk maturity and organizational buy-in.
  • Call 2: Establish an IT risk council and determine IT risk management program goals.

Guided Implementation 2: Identify and assess IT risk
  • Call 1: Identify the risk categories used to organize risk events.
  • Call 2: Identify the threshold for risk the organization can withstand.
  • Call 3: Prepare for risk assessment by selecting tools and methodologies.

Guided Implementation 3: Monitor, respond, and report on IT risk
  • Call 1: Create a method to assess risk event severity.
  • Call 2: Establish a method to monitor priority risks and consider possible risk responses.
  • Call 3: Communicate risk priorities to the business and implement risk management plan.

Authors

Valence Howden

Ibrahim Abdel-Kader

Brittany Lutes

Contributors

  • Daisha Pennie, IT Risk Management, Oklahoma State University
  • Ken Piddington CIO and Executive Advisor, MRE Consulting
  • Tamara Dwarika, Internal Auditor, A leading North American Utility
  • Anne Leroux, Director ES Computer Training
  • Michel Fossé, Consulting Services Manager, IBM Canada (LGS)
  • Steve Woodward, Research Director, CEO, Cloud Perspectives
  • 10 anonymous contributors
Visit our Exponential IT Research Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019