I had the privilege of being on the task force that created the original version of ISACA’s Risk IT Framework several years ago. At the time, I felt Risk IT was an important contribution to the profession, as it provided an explicitly risk-focused context from which information security, audit, and technology professionals could think and operate. But, as with the first draft of anything, room for improvement existed. Furthermore — especially in today’s dynamic risk landscape — periodic updates are necessary in order to maintain the value of any framework. With that in mind, ISACA recently put together a task force to update and refine Risk IT, and once again I was invited to take part — this time as a reviewer.
For those readers who are not already familiar with Risk IT, it is a structured framework that helps organizations to better understand and manage information and technology risk. It accomplishes this by providing descriptions and guidance for the key elements of a risk management program, including:
- Risk governance
- Risk management
- Risk assessment
- Risk awareness, reporting and communication
- Risk response
The Risk IT Framework, 2nd Edition, focuses on fundamental IT risk management principles and the necessary elements within a program. The Risk IT Practitioner Guide, 2nd Edition, dives into more detail regarding execution of the Risk IT principles, while avoiding becoming prescriptive. And this is one of the more important improvements in the new version. Specifically, one of the challenges associated with the original version of Risk IT was some ambiguity regarding how it was related to, or aligned with, COBIT. Was it an alternative to COBIT, or supplementary in some fashion? That ambiguity is now resolved, and the alignment is more clearly articulated.
To boil it down, Risk IT avoids many of the gory details we tend to think of when it comes to risk management (the controls) because these are covered in COBIT. And that’s where the alignment lies. Controls are a means to an end — that end being effective risk management. Thus, the two frameworks together provide a more complete approach. That said, Risk IT is not prescriptive regarding control frameworks, so organizations can apply Risk IT alongside whichever controls framework they’ve adopted.
Another significant area of improvement in the second edition of Risk IT is the updates to the section on risk assessment — particularly risk measurement. Guidance related to quantitative versus qualitative measurement is significantly improved, which will help readers to have a clearer and more accurate understanding of the differences. Also, the risk analysis scoping section in the Practitioner ’s Guide is much improved, reflecting better consistency and alignment with what’s required to measure risk reliably.
Of particular importance to me is the fact that Risk IT remains highly compatible with the FAIR risk measurement model. If anything, it is even more closely aligned, which further strengthens the utility of both frameworks.
Despite a percentage of users who dislike using heat maps for communicating risk, Risk IT still advocates their use. Given that their use is still common and many executives are accustomed to them, to ignore them would not reflect the current state of the profession.
The bottom line is this new version of Risk IT represents a meaningful improvement, and ISACA should be commended for putting together a top-notch team in this effort. I ’m very pleased to see Risk IT revitalized and am confident that professionals and stakeholders from many disciplines will find it to be an excellent resource.
Editor’s note: The Risk IT Framework, 2nd Edition, can be downloaded here, and the Risk IT Practitioner Guide, 2nd Edition, can be accessed here.