Build an IT Risk Taxonomy

If integrated risk is your destination, your IT risk taxonomy is the road to get you there.

Follow Info-Tech’s approach to building an IT risk taxonomy.

  • Create an IT risk taxonomy suitable for your organization.
  • Strengthen your IT risk management and control framework.
  • Set your organization up for more dynamic risk reporting and decision making.

Business leaders, driven by the need to make more risk-informed decisions, are putting pressure on IT to provide more timely and consistent risk reporting, but achieving fully integrated risk management and reporting is a complex exercise requiring collaboration across the enterprise. IT leaders are challenged with:

  • Developing an IT risk taxonomy that will remain relevant over time while providing sufficient granularity and definitional clarity.
  • The extent of organizational collaboration needed to gain acceptance and understanding of accountability.
  • Maintaining full visibility of risks and keeping the IT control framework resilient.

Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.

Module 1: Review IT Risk Fundamentals and Governance

The Purpose

Review IT risk fundamentals and governance.

Key Benefits Achieved


Learn how enterprise risk management and IT risk management intersect and the role the IT taxonomy plays in integrated risk management.

Activities:
1.1 Discuss risk fundamentals and the benefits of integrated risk.
1.2 Create a cross-functional IT taxonomy working group.

Outputs:
  • IT Risk Taxonomy Committee Charter Template
  • Build an IT Risk Taxonomy Workbook

Module 2: Identify Level 1 Risk Types

The Purpose

Identify suitable IT level 1 risk types.

Key Benefits Achieved


Level 1 IT risk types are determined and have been tested against ERM level 1 risk types.

Activities:
2.1 Discuss corporate strategy, business risks, macro trends, and organizational opportunities and constraints.
2.2 Establish level 1 risk types.
2.3 Test soundness of IT level 1 types by mapping to ERM level 1 types.

Outputs:
  • Build an IT Risk Taxonomy Workbook

Module 3: Identify Level 2 and Level 3 Risk Types

The Purpose

Define level 2 and level 3 risk types.

Key Benefits Achieved

Level 2 and level 3 risk types have been determined.

Activities:
3.1 Establish level 2 risk types.
3.2 Establish level 3 risk types (and level 4 if appropriate for your organization).
3.3 Begin to test by working backward from controls to ensure risk events will aggregate consistently.

Outputs:
  • Build an IT Risk Taxonomy Design Template
  • Risk Register Tool

Module 4: Monitor, Report, and Respond to IT Risk

The Purpose

Test the robustness of your IT risk taxonomy by populating the risk register with risk events and controls.

Key Benefits Achieved

Your IT risk taxonomy has been tested and your risk register has been updated.

Activities:
4.1 Continue to test robustness of taxonomy and iterate if necessary.
4.2 Optional activity: Draft your IT risk appetite statements.
4.3 Discuss communication and continual improvement plan.

Outputs:
  • Build an IT Risk Taxonomy Design Template
  • Risk Register Tool
  • Build an IT Risk Taxonomy Workbook