Wednesday, February 11, 2009

IT Risk Management
by Gerald Trites

Earlier in February, ISACA released an Exposure Draft setting out a framework for IT Risk Management. The framework takes COBIT a step further, going beyond the means for managing risk to address the governance and management of IT risk from end to end. The document is 92 pages long and addresses the area in a comprehensive manner.

The ED begins by defining IT Risk as distinct from business risk. To quote, "IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk consists of IT-related events that could potentially impact the business. It includes both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives as well as uncertainty in the pursuit of opportunities."

The document then goes on to develop principles related to risk management and risk governance and uses these principles to set forth the key building blocks of IT Risk management.

The actual framework is built around the central ideas of governance, evaluation and response. Comments will be received for 45 days. IT auditors should take careful note of this ED, as it is certain to play a significant role in future engagements, both as a tool for the auditors' own use and as a tool that management and other stakeholders will use to manage IT risk.

The Exposure Draft can be downloaded from the ISACA site.