ISACA publishes new IT risk management framework based on COBIT

ISACA has released a risk management framework to help enterprise compliance officers identify, govern and manage IT risk. The Risk IT framework is aligned with COBIT.

As risk management gains new prominence after the passage of a landmark financial regulatory reform bill in the U.S. House of Representatives last week, compliance officers are looking for better risk assessment tools for IT infrastructure.

The growth and maturation of IT governance as a discipline in enterprise IT departments has been driven by the demands of regulatory compliance requirements from the Sarbanes-Oxley Act and Basel II, along with the effects of the scope creep endemic to IT projects.

The Control Objectives for Information and Related Technology (COBIT) framework provides a reference model for the control and security of sensitive data. Those controls can be applied to mitigate IT risk, but measuring that risk is another matter. Now ISACA has released Risk IT, a framework to help enterprise compliance officers identify, govern and manage IT risk.

ISACA, a nonprofit association of more than 86,000 IT professionals, developed Risk IT in response to member and industry demand. The risk management framework and its supporting documentation are the result of thousands of hours of work by a team of IT and business experts and reviewers from around the globe.

"Risk IT provides one unified framework you can use across business," said Brian Barnier, a principal at ValueBridge Advisors who sat on the task force that developed Risk IT. "Other risk management frameworks are very technical. Risk IT was developed out of a sense of trying to solve practical problems." In his view, this IT risk management framework does two things:

  • It provides the means to tie together silo-specific frameworks;
  • It then pulls that in to apply existing enterprise-wide frameworks.

"We've received a lot of questions about what to do if there isn't an existing enterprise framework in use," said Barnier. "That's fine. Risk IT does not pre-require users to have COBIT in place."

Risk IT is meant to provide a means for IT practitioners to easily map risk to topics, allowing them to solve practical issues. ISACA also provides a free 100-page glossary and Risk IT Practitioner Guide to help users make their way through the risk management framework.

"Organizations tend to skip the risk assessment phase and go right to 'how do we fix it,'" said Ted Ritter, senior research analyst at The Nemertes Research Group Inc. "If you're familiar with COBIT, this risk management framework uses the same terminology and will reference the controls that are there."

Both the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) also outline controls that can be used to manage risk, as Ritter explained. data protection law, which shifted to a risk management framework in its final iteration.

What makes Risk IT different for IT risk management?

The close relationship among IT governance, risk management and compliance is precisely why the concept of GRC software has been pitched so hard to the enterprise as a panacea in past years. As senior writer Linda Tucci reported earlier this month, however, GRC spending isn't focused on technology. Even if IT governance is key and compliance is mandated, applying frameworks for measuring the risk associated with IT hasn't been easy for IT practitioners.

The issue, as Barnier sees it, is that many compliance officers can't measure IT risk outside of individual silos. "From the perspective of the compliance officer, consider reconciling multiple reports," he said. "You'll have a ton of similar information for the different reports. Doesn't help get to the real risks. The same issues driving business continuity and security problems can be tied together, allowing the compliance officer to see root causes for multiple issues."

The backdrop for the value of this risk management framework lies in the DNA of ISACA (formerly known as the Information Systems Audit and Control Association) itself, explained Barnier. "When I sit in on an ISACA meeting, it's not just pure thought leaders," he said. "It's practitioner-driven. We received over 1,600 comments as we created this risk management framework. The result is very responsive to what the members were asking for to do their jobs."

Barnier pointed out that 27 sections will be forthcoming for NIST's update to its risk management framework, and 37 for ISO 27001. "Everybody just swims in this stuff," he said. "When we asked how many risk management frameworks are you using, the bulk of the rooms generally said around five or six."

GRC software alone won't break down risk management silos. Neither will the use of COBIT and Risk IT. With effective strategy, measurement and management, however, IT compliance professionals will have a better toolkit to manage both IT and risk in 2010.