Build an IT Risk Taxonomy

Build an IT Risk Taxonomy

If integrated risk is your destination, your IT risk taxonomy is the road to get you there.

Analyst Perspective

The pace and uncertainty of the current business environment introduce new and emerging vulnerabilities that can disrupt an organization’s strategy on short notice. Having a long-term view of risk while navigating the short term requires discipline and a robust and strategic approach to risk management. Managing emerging risks such as climate risk, the impact of digital disruption on internal technology, and the greater use of third parties will require IT leaders to be more disciplined in how they manage and communicate material risks to the enterprise. Establishing a hierarchical common language of IT risks through a taxonomy will facilitate true aggregation and integration of risks, enabling more effective decision making. This holistic, disciplined approach to risk management helps to promote a more sustainable risk culture across the organization while adding greater rigor at the IT control level. Donna Bales Principal Research Director Info-Tech Research Group

Executive Summary

Info-Tech Insight

A common understanding of risks, threats, and opportunities gives organizations the flexibility and agility to adapt to changing business conditions and drive corporate value.

Increasing threat landscape

The risk landscape is continually evolving, putting greater pressure on the risk function to work collaboratively throughout the organization to strengthen operational resilience and minimize strategic, financial, and reputational impact.

Persistent and emerging threats

Organizations should not underestimate the long-term impact on corporate performance if emerging risks are not fully understood, controlled, and embedded into decision-making.

Blueprint benefits

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

IT Risk Taxonomy Committee Charter Template Create a cross-functional IT risk taxonomy committee.		Build an IT Risk Taxonomy Guideline Use IT risk taxonomy as a baseline to build your organization’s approach.
Build an IT Risk Taxonomy Design Template Use this template to design and test your taxonomy.		Risk Register Tool Update your risk register with your IT risk taxonomy.

Key deliverable:

Build an IT Risk Taxonomy Workbook

Use the tools and activities in each phase of the blueprint to customize your IT risk taxonomy to suit your organization’s needs.

Benefit from industry-leading best practices

As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensures that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series

of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 8 calls over the course of 3 to 6 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase 1

Understand Risk Management Fundamentals

Governance, risk, and compliance (GRC)

Risk management is one component of an organization’s GRC function.

GRC principles are important tools to support enterprise management.

Governance sets the guardrails to ensure that the enterprise is in alignment with standards, regulations, and board decisions. A governance framework will communicate rules and expectations throughout the organization and monitor adherence.

Risk management is how the organization protects and creates enterprise value. It is an integral part of an organization’s processes and enables a structured decision-making approach.

Compliance is the process of adhering to a set of guidelines; these could be external regulations and guidelines or internal corporate policies.

GRC principles are tightly bound and continuous

Enterprise risk management

Regardless of size or structure, every organization makes strategic and operational decisions that expose it to uncertainties.

Enterprise risk management (ERM) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS).

An ERM is program is crucial because it will:

• Help shape business objectives, drive revenue growth, and execute risk-based decisions.
• Enable a deeper understanding of risks and assessment of current risk profile.
• Support forward-looking risk management and more constructive dialogue with the board and regulatory agencies.
• Provide insight on the robustness and efficacy of risk management processes, tools, and controls.
• Drive a positive risk culture.

ERM is supported by strategy, effective processes, technology, and people

Risk frameworks

Risk frameworks are leveraged by the industry to “provide a structure and set of definitions to allow enterprises of all types and sizes to understand and better manage their risk environments.” COSO Enterprise Risk Management, 2nd edition

• Many organizations lean on the Committee of Sponsoring Organizations’ Enterprise Risk Management framework (COSO ERM) and ISO 31000 to view organizational risks from an enterprise perspective.
• Prior to the introduction of standardized risk frameworks, it was difficult to quantify the impact of a risk event on the entire enterprise, as the risk was viewed in a silo or as an individual risk component.
• Recently, the National Institute of Science and Technology (NIST) published guidance on developing an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.

Source: National Institute of Standards and Technology

New NIST guidance (NISTIR 8286) emphasizes the complexity of risk management and the need for the risk management process to be carried out seamlessly across three tiers with the overall objective of continuous improvement.

Enterprise risk appetite

“The amount of risk an organization is willing to take in pursuit of its objectives”

– Robert R. Moeller, COSO ERM Framework Model

• A primary role of the board and senior management is to balance value creation with effectively management of enterprise risks.
• As part of this role, the board will approve the enterprise’s risk appetite. Placing this responsibility with the board ensures that the risk appetite is aligned with the company’s strategic objectives.
• The risk appetite is used throughout the organization to assess and respond to individual risks, acting as a constant to make sure that risks are managed within the organization’s acceptable limits.
• Each year, or in reaction to a risk trigger, the enterprise risk appetite will be updated and approved by the board.
• Risk appetite will vary across organizations for several reasons, such as industry, company culture, competitors, the nature of the objectives pursued, and financial strength.

Change or new risks » adjust enterprise risk profile » adjust risk appetite

Risk profile vs. risk appetite

Risk profile is the broad parameters an organization considers in executing its business strategy. Risk appetite is the amount of risk an entity is willing to accept in pursuit of its strategic objectives. The risk appetite can be used to inform the risk profile or vice versa. Your organization’s risk culture informs and is used to communicate both.

Where the IT risk appetite fits into the risk program

• Your organization’s strategy and associated risk appetite cascade down to each business department. Overall strategy and risk appetite also set a strategy and risk appetite for each department.
• Both risk appetite and risk tolerances set boundaries for how much risk an organization is willing or prepared to take. However, while appetite is often broad, tolerance is tactical and focused.
• Tolerances apply to specific objectives and provide guidance to those executing on a day-to-day basis. They measure the variation around performance expectations that the organization will tolerate.
• Ideally, they are incorporated into existing governance, risk, and compliance systems and are also considered when evaluated business cases.
• IT risk appetite statements are based on IT level 1 risk types.

The risk appetite has a risk lens but is also closely linked to corporate performance.

Statements of risk

Risk scenarios

Risk scenarios serve two main purposes: to help decision makers understand how adverse events can affect organizational strategy and objectives and to prepare a framework for risk analysis by clearly defining and decomposing the factors contributing to the frequency and the magnitude of adverse events.

ISACA

• Organizations’ pervasive use of and dependency on technology has increased the importance of scenario analysis to identify relevant and important risks and the potential impacts of risk events on the organization if the risk event were to occur.
• Risk scenarios provide “what if” analysis through a structured approach, which can help to define controls and document assumptions.
• They form a constructive narrative and help to communicate a story by bringing in business context.
• For the best outcome, have input from business and IT stakeholders. However, in reality, risk scenarios are usually driven by IT through the asset management practice.
• Once the scenarios are developed, they are used during the risk analysis phase, in which frequency and business impacts are estimated. They are also a useful tool to help the risk team (and IT) communicate and explain risks to various business stakeholders.

Top-down approach – driven by the business by determining the business impact, i.e. what is the impact on my customers, reputation, and bottom line if the system that supports payment processing fails?

Bottom-up approach – driven by IT by identifying critical assets and what harm could happen if they were to fail.

Example risk scenario

Use level 1 IT risks to derive potential scenarios.

Phase 2

Set Your Organization Up for Success

This phase will walk you through the following activities:

• How to set up a cross-functional IT risk taxonomy committee

This phase involves the following participants:

• CIO
• CISO
• CRO
• IT Risk Owners
• Business Leaders
• Human Resources

What is a risk taxonomy?

A risk taxonomy provides a common risk view and enables integrated risk

• A risk taxonomy is the (typically hierarchical) categorization of risk types. It is constructed out of a collection of risk types organized by a classification scheme.
• Its purpose is to assist with the management of an organization’s risk by arranging risks in a classification scheme.
• It provides foundational support across the risk management lifecycle in relation to each of the key risks.
• More material risk categories form the root nodes of the taxonomy, and risk types cascade into more granular manifestations (child nodes).
• From a risk management perspective, a taxonomy will:
  • Enable more effective risk aggregation and interoperability.
  • Provide the organization with a complete view of risks and how risks might be interconnected or concentrated.
  • Help organizations form a robust control framework.
  • Give risk managers a structure to manage risks proactively.

Typical Tree Structure

What is integrated risk management?

• Integrated risk management is the process of ensuring all forms of risk information, including risk related to information and technology, are considered and included in the organization’s risk management strategy.
• It removes the siloed approach of classifying risks related to specific departments or areas of the organization, recognizing that each risk is a potential threat to the overarching enterprise.
• By aggregating the different threats or uncertainty that might exist within an organization, integrated risk management enables more informed decisions to be made that align to strategic goals and continue to drive value back to the business.
• By holistically considering the different risks, the organization can make informed decisions on the best course of action that will reduce any negative impacts associated with the uncertainty and increase the overall value.

Integrated risk management: A strategic and collaborative way to manage risks across the organization. It is a forward-looking, business-specific outlook with the objective of improving risk visibility and culture.

Drivers and benefits of integrated risk

Drivers for Integrated Risk Management

• Business shift to digital experiences
• The breadth and number of risks requiring oversight
• The need for faster risk analysis and decision making

Benefits of Integrated Risk Management

• Enables better scenario planning
• Enables more proactive risk responses
• Provides more relevant risk assurance to key stakeholders
• Improves transparency and comparability of risks across organizational silos
• Supports better financial resilience

Business velocity and complexity are making real-time risk management a business necessity.

If integrated risk is the destination, your taxonomy is your road to get you there

Info-Tech’s Model for Integrated Risk

How the risk practices intersect

The risk taxonomy provides a common classification of risks that allows risks to roll up systematically to enterprise risk, enabling more effective risk responses and more informed decision making.

ERM taxonomy

Relative to the base event types, overall there is an increase in the number of level 1 risk types in risk taxonomies

Oliver Wyman

• The changing risk profile of organizations and regulatory focus in some industries is pushing organizations to rethink their risk taxonomies.
• Generally, the expansion of level 1 risk types is due to the increase in risk themes under the operational risk umbrella.
• Non-financial risks are risks that are not considered to be traditional financial risks, such as operational risk, technology risk, culture, and conduct. Environmental, social, and governance (ESG) risk is often referred to as a non-financial risk, although it can have both financial and non-financial implications.
• Certain level 1 ERM risks, such as strategic risk, reputational risk, and ESG risk, cover both financial and non-financial risks.

Operational resilience

• The concept of operational resiliency was first introduced by European Central Bank (ECB) in 2018 as an attempt to corral supervisory cooperation on operational resiliency in financial services.
• The necessity for stronger operational resiliency became clear during the early stages of COVID-19 when many organizations were not prepared for disruption, leading to serious concern for the safety and soundness of the financial system.
• It has gained traction and is now defined in global supervisory guidance. Canada’s prudential regulator, Office of the Superintendent of Financial Institutions (OSFI), defines it as “the ability of a financial institution to deliver its operations, including its critical operations, through disruption.”
• Practically, its purpose is to knit together several operational risk management categories such as business continuity, security, and third-party risk.
• The concept has been adopted by information and communication technology (ICT) companies, as technology and cyber risks sit neatly under this risk type.
• It is now not uncommon to see operational resiliency as a level 1 risk type in a financial institution’s ERM framework.

Operational resilience will often feature in ERM frameworks in organizations that deliver critical services, products, or functions, such as financial services

ERM level 1 risk categories

Although many organizations have expanded their enterprise risk management taxonomies to address new threats, most organizations will have the following level 1 risk types:

Different models of ERM

Some large organizations will elevate certain operational risks to level 1 organizational risks due to risk materiality.

Every organization will approach its risk management taxonomy differently; the number of level 1 risk types will vary and depend highly on perceived impact.

Some of the reasons why an organization would elevate a risk to a level 1 ERM risk are:

• The risk has significant impact on the organization's strategy, reputation, or financial performance.
• The regulator has explicitly called out board oversight within legislation.
• It is best practice in the organization’s industry or business sector.
• The organization has structured its operations around a particular risk theme due to its potential negative impact. For example, the organization may have a dedicated department for data privacy.

Risk and impact

Mapping risks to business outcomes happens within the ERM function and by enterprise fiduciaries.

• When mapping risk events to enterprise risk types, the relationship is rarely linear. Rather, risk events typically will have multiple impacts on the enterprise, including strategic, reputational, ESG, and financial impacts.
• As risk information is transmitted from lower levels, it informs the next level, providing the appropriate information to prioritize risk.
• In the final stage, the enterprise portfolio view will reflect the enterprise impacts according to risk dimensions, such as strategic, operational, reporting, and compliance.

Rolling Up Risks to a Portfolio View

1. A risk event within IT will roll up to the enterprise via the IT risk register.
2. The impact of the risk on cash flow and operations will be aggregated and allocated in the enterprise risk register by enterprise fiduciaries (e.g. CFO).
3. The impacts are translated into full value exposures or modified impact and likelihood assessments.

Common challenges

How to synthesize different objectives between IT risk and enterprise risk

Commingling risk data is a major challenge when developing a risk taxonomy, but one of the underlying reasons is that the enterprise and IT look at risk from different dimensions.

Establish a team

Cross-functional collaboration is key to defining level 1 risk types.

Establish a cross-functional working group.

• Level 1 IT risk types are the most important to get right because they are the root nodes that all subtypes of risk cascade from.
• To ensure the root nodes (level 1 risk types) address the risks of your organization, it is vital to have a strong understanding or your organization’s value chain, so your organizational strategy is a key input for defining your IT level 1 risk types.
• Since the taxonomy provides the method for communicating risks to the people who need to make decisions, a wide understanding and acceptance of the taxonomy is essential. This means that multiple people across your organization should be involved in defining the taxonomy.
• Form a cross-functional tactical team to collaborate and agree on definitions. The team should include subject matter experts and leaders in key risk and business areas. In terms of governance structure, this committee might sit underneath the enterprise risk council, and members of your IT risk council may also be good candidates for this tactical working group.
• The committee would be responsible for defining the taxonomy as well as performing regular reviews.
• The importance of collaboration will become crystal clear as you begin this work, as risks should be connected to only one risk type.

2.1 Establish a cross-functional working group

2-3 hours

1. Consider your organization’s operating model and current governance framework, specifically any current risk committees.
2. Consider the members of current committees and your objectives and begin defining:
   1. Committee mandate, goals, and success factors.
   2. Responsibility and membership.
   3. Committee procedures and policies.
3. Make sure you define how this tactical working group will interact with existing committees.

Download Build an IT Risk Taxonomy Workbook

Phase 3

Structure Your IT Risk Taxonomy

This phase will walk you through the following activities:

• Establish level 1 risk types
• Test level 1 risk types
• Define level 2 and level 3 risk types
• Test the taxonomy via your control framework

This phase involves the following participants:

• CIO
• CISO
• CRO
• IT Risk Owners
• Business Leaders
• Human Resources

Structuring your IT risk taxonomy

Do’s

• Ensure your organization’s values are embedded into the risk types.
• Design your taxonomy to be forward looking and risk based.
• Make level 1 risk types generic so they can be used across the organization.
• Ensure each risk has its own attributes and belongs to only one risk type.
• Collaborate on and communicate your taxonomy throughout organization.

Don’ts

• Don’t develop risk types based on function.
• Don’t develop your taxonomy in a silo.

A successful risk taxonomy is forward looking and codifies the most frequently used risk language across your organization.

Level 1

Parent risk types aligned to organizational values

Level 2

Subrisks to level 1 risks

Level 3

Further definition

Steps to define your IT risk taxonomy

Step 1

Leverage Info-Tech’s Build an IT Risk Taxonomy Guideline and identify IT level 1 risk types. Consider corporate inputs and macro trends.

Step 2

Test level 1 IT risk types by mapping to your enterprise's ERM level 1 risk types.

Step 3

Draft your level 2 and level 3 risk types. Be mutually exclusive to the extent possible.

Step 4

Work backward – align risk events and controls to the lowest level risk category. In our examples, we align to level 3.

Step 5

Add risk levels to your risk registry.

Step 6

Optional – Add IT risk appetite statements to risk register.

Inputs to use when defining level 1

To help you define your IT risk taxonomy, leverage your organization’s strategy and risk management artifacts, such as outputs from risk assessments, audits, and test results. Also consider macro trends and potential risks unique to your organization.

Step 1 – Define Level 1 Risk Types

Use corporate inputs to help structure your taxonomy

• Corporate Strategy
• Risk Assessment
• Audit
• Test Results

Consider macro trends that may have an impact on how you manage IT risks

• Geopolitical Risk
• Economic Downturn
• Regulation
• Competition
• Climate Risk
• Industry Disruption

Evaluate from an organizational lens

Ask risk-based questions to help define level 1 IT risks for your organization.

Level 1 IT taxonomy structure

Step 2 – Consider your organization’s strategy and areas where risks may manifest and use this guidance to advance your thinking. Many factors may influence your taxonomy structure, including internal organizational structure, the size of your organization, industry trends and organizational context, etc.

Most IT organizations will include these level 1 risks in their IT risk taxonomy

Level 1 IT taxonomy structure cont'd

Step 2 – Large and more complex organizations may have more level 1 risk types. Variances in approaches are closely linked to the type of industry and business in which the organization operates as well as how they view and position risks within their organization.

Common challenges

Considerations when defining level 1 IT risk types

• Ultimately, the identification of a level 1 IT risk type will be driven by the potential for and materiality of vulnerabilities that may impede an organization from delivering successful business outcomes.
• Senior leaders within organizations play a central role in protecting organizations against vulnerabilities and threats.
• The size and structure of your organization will influence how you manage risk.
• The following slide shows typical roles and responsibilities for data privacy.
• Large enterprises and organizations that use a lot of personal identifiable information (PII) data, such as those in healthcare, financial services, and online retail, will typically have data as a level 1 IT risk and data privacy as a level 2 risk type.
• However, smaller organizations or organizations that do not use a lot of data will typically fold data privacy under either technology risk or security risk.

Deciding placement in taxonomy

• In larger enterprises, data risks are managed within a dedicated functional department with its own governance structure. In small organizations, the CIO is typically responsible and accountable for managing data privacy risk.

Common challenges

Defining security risk and where it resides in the taxonomy

• For risk management to be effective, risk professionals need to speak the same language, but the terms “information security,” “cybersecurity,” and “IT security” are often used interchangeably.
• Traditionally, cyber risk was folded under technology risk and therefore resided at a lower level of a risk taxonomy. However, due to heightened attention from regulators and boards stemming from the pervasiveness of cyber threats, some organizations are elevating security risks to a level 1 IT risk.
• Furthermore, regulatory cybersecurity requirements have emphasized control frameworks. As such, many organizations have adopted NIST because it is comprehensive, regularly updated, and easily tailored.
• While NIST is prescriptive and action oriented, it start with controls and does not easily integrate with traditional ERM frameworks. To address this, NIST has published new guidance focused on an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.

Definitional Nuances

“Cybersecurity” describes the technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.

“IT security” describes a function as well as a method of implementing policies, procedures, and systems to defend the confidentiality, integrity, and availability of any digital information used, transmitted, or stored throughout the organization’s environment.

“Information security” defines the people, processes, and technology involved in protecting data (information) in any form – whether digital or on paper – through its creation, storage, transmission, exchange, and destruction.

3.1 Establish level 1 risk types

2-3 hours

1. Consider your current and future corporate goals and business initiatives, risk management artifacts, and macro industry trends.
2. Ask questions to understand risks unique to your organization.
3. Review Info-Tech’s IT level 1 risk types and identify the risk types that apply to your organization.
4. Add any risk types that are missing and unique to your organization.
5. Refine the definitions to suit your organization.
6. Be mutually exclusive and collectively exhaustive to the extent possible.

Download Build an IT Risk Taxonomy Workbook

3.2 Map IT risk types against ERM level 1 risk types

1-2 hours

1. Using the output from Activity 3.1, map your IT risk types to your ERM level 1 risk types.
2. Record in the Build an IT Risk Taxonomy Workbook.

Download Build an IT Risk Taxonomy Workbook

Map IT level 1 risk types to ERM

Test your level 1 IT risk types by mapping to your organization’s level 1 risk types.

Step 2 – Map IT level 1 risk types to ERM

3.3 Establishing level 2 and 3 risk types

3-4 hours

1. Using the level 1 IT risk types that you have defined and using Info-Tech’s Risk Taxonomy Guideline, first begin to identify level 2 risk types for each level 1 type.
2. Be mutually exclusive and collectively exhaustive to the extent possible.
3. Once satisfied with your level 2 risk types, break them down further to level 3 risk types.

Note: Smaller organizations may only define two risk levels, while larger organizations may define further to level 4.

Download Build an IT Risk Taxonomy Design Template

Level 2 IT taxonomy structure

Step 3 – Break down your level 1 risk types into subcategories. This is complicated and may take many iterations to reach a consistent and accepted approach. Try to make your definitions intuitive and easy to understand so that they will endure the test of time.

Security vulnerabilities often surface through third parties, but where and how you manage this risk is highly dependent on how you structure your taxonomy. Organizations with a lot of exposure may have a dedicated team and may manage and report security risks under a level 1 third-party risk type.

Level 3 IT taxonomy structure

Step 3 – Break down your level 2 risk types into lower-level subcategories. The number of levels of risk you have will depend on the size of and magnitude of risks within your organization. In our examples, we demonstrate three levels.

Risk taxonomies for smaller organizations may only include two risk levels. However, large enterprises or more complex organizations may extend their taxonomy to level 3 or even 4. This illustration shows just a few examples of level 3 risks.

Test using risk events and controls

Ultimately risk events and controls need to roll up to level 1 risks in a consistent manner. Test the robustness of your taxonomy by working backward.

Step 4 – Work backward to test and align risk events and controls to the lowest level risk category.

• A key function of IT risk management is to monitor and maintain internal controls.
• Internal controls help to reduce the level of inherent risk to acceptable levels, known as residual risk.
• As risks evolve, new controls may be needed to upgrade protection for tech infrastructure and strengthen connections between critical assets and third-party suppliers.

Example – Third Party Risk

3.4 Test your IT taxonomy

2-3 hours

1. Leveraging the output from Activities 3.1 to 3.3 and your IT Risk Taxonomy Design Template, begin to test the robustness of the taxonomy by working backward from controls to level 1 IT risks.
2. The lineage should show clearly that the control will mitigate the impact of a realized risk event. Refine the control or move the control to another level 1 risk type if the control will not sufficiently reduce the impact of a realized risk event.
3. Once satisfied, update your risk register or your risk management software tool.

Download Build an IT Risk Taxonomy Design Template

Update risk register

Step 5 – Once you are satisfied with your risk categories, update your risk registry with your IT risk taxonomy.

Use Info-Tech’s Risk Register Tool or populate your internal risk software tool.

Download Info-Tech’s Risk Register Tool

Augment the risk event list using COBIT 2019 processes (Optional)

Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.

1. Managed IT Management Framework
2. Managed Strategy
3. Managed Enterprise Architecture
4. Managed Innovation
5. Managed Portfolio
6. Managed Budget and Costs
7. Managed Human Resources
8. Managed Relationships
9. Managed Service Agreements
10. Managed Vendors
11. Managed Quality
12. Managed Risk
13. Managed Security
14. Managed Data
15. Managed Programs
16. Managed Requirements Definition
17. Managed Solutions Identification and Build
18. Managed Availability and Capacity
19. Managed Organizational Change Enablement
20. Managed IT Changes
21. Managed IT Change Acceptance and Transitioning
22. Managed Knowledge
23. Managed Assets
24. Managed Configuration
25. Managed Projects
26. Managed Operations
27. Managed Service Requests and Incidents
28. Managed Problems
29. Managed Continuity
30. Managed Security Services
31. Managed Business Process Controls
32. Managed Performance and Conformance Monitoring
33. Managed System of Internal Control
34. Managed Compliance with External Requirements
35. Managed Assurance
36. Ensured Governance Framework Setting and Maintenance
37. Ensured Benefits Delivery
38. Ensured Risk Optimization
39. Ensured Resource Optimization
40. Ensured Stakeholder Engagement

Example IT risk appetite

When developing your risk appetite statements, ensure they are aligned to your organization’s risk appetite and success can be measured.

3.5 Draft your IT risk appetite statements

Optional Activity

2-3 hours

1. Using your completed taxonomy and your organization’s risk appetite statement, draft an IT risk appetite statement for each level 1 risk in your workbook.
2. Socialize the statements and gain approval.
3. Add the approved risk appetite statements to your IT risk register.

Download Build an IT Risk Taxonomy Workbook

Key takeaways and next steps

• The risk taxonomy is the backbone of a robust enterprise risk management program. A good taxonomy is frequently used and well understood.
• Not only is the risk taxonomy used to assess organizational impact, but it is also used for risk reporting, scenarios analysis and horizon scanning, and risk appetite expression.
• It is essential to capture IT risks within the ERM framework to fully understand the impact and allow for consistent risk discussions and meaningful aggregation.
• Defining an IT risk taxonomy is a team sport, and organizations should strive to set up a cross-functional working group that is tasked with defining the taxonomy, monitoring its effectiveness, and ensuring continual improvement.
• The work does not end when the taxonomy is complete. The taxonomy should be well socialized throughout the organization after inception through training and new policies and procedures. Ultimately, it should be an activity embedded into risk management practices.
• The taxonomy is a living document and should be continually improved upon.

3.6 Prepare to communicate the taxonomy internally

1-2 hours

To gain acceptance of your risk taxonomy within your organization, ensure it is well understood and used throughout the organization.

1. Consider your audience and agree on the key elements you want to convey.
2. Prepare your presentation.
3. Test your presentation with a smaller group before communicating to senior leadership or the board.

Coming soon: Look for our upcoming research Communicate Any IT Initiative.

Related Info-Tech Research

Build an IT Risk Management Program

• Use this blueprint to transform your ad hoc risk management processes into a formalized ongoing program and increase risk management success.
• Learn how to take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest's risks before they occur.

Integrate IT Risk Into Enterprise Risk

• Use this blueprint to understand gaps in your organization’s approach to risk management.
• Learn how to integrate IT risks into the foundational risk practice

Coming Soon: Communicate Any IT initiative

• Use this blueprint to compose an easy-to-understand presentation to convey the rationale of your initiative and plan of action.
• Learn how to identify your target audience and tailor and deliver the message in an authentic and clear manner.

Risk definitions

Risk definitions

Research Contributors and Experts

LynnAnn Brewer
Director
McLean & Company

Sandi Conrad
Principal Research Director
Info-Tech Research Group

Valence Howden
Principal Research Director
Info-Tech Research Group

John Kemp
Executive Counsellor – Executive Services
Info-Tech Research Group

Brittany Lutes
Research Director
Info-Tech Research Group

Carlene McCubbin
Practice Lead – CIO Practice
Info-Tech Research Group

Frank Sargent
Senior Workshop Director
Info-Tech Research Group

Frank Sewell
Advisory Director
Info-Tech Research Group

Ida Siahaan
Research Director
Info-Tech Research Group

Steve Willis
Practice Lead – Data Practice
Info-Tech Research Group

Bibliography

Andrea Tang, “Privacy Risk Management”. ISACA Journal, June 2020, Accessed January 2023
Anthony Kruizinga, “Reshaping the risk taxonomy”. PwC, April 2021, Accessed January 2023
Auditboard, "The Essentials of Integrated Risk Management (IRM)", June 2022, Accessed January 2023
Brenda Boultwood, “How to Design an ERM-Friendly Risk Data Architecture”. Global Association of Risk Professionals, February 2020, Accessed January 2023
BSI Standards Publication, "Risk Management Guidelines", ISO 31000, 2018
Dan Swinhoe, "What is Physical Security, How to keep your facilities and devices safe from onsite attackers", August 2021, Accessed January 2023
Eloise Gratton, “Data governance and privacy risk in Canada: A checklist for boards and c-suite”. Borden Ladner Gervais, November 2022 , Accessed January 2023
European Union Agency for Cyber Security Glossary
European Banking Authority, "Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP)", September 2017, Accessed February 2023
European Banking Authority, "Regulatory Framework for Mitigating Key Resilient Risks", Sept 2018, Accessed February 2023
EY, "Seeking stability within volatility: How interdependent risks put CROs at the heart of the banking business", 12th annual EY/IFF global bank risk management survey, 2022, Accessed February 2023
Financial Stability Board, "Cyber Lexicon", November 2018, Accessed February 2023
Financial Stability Board, "Principles for Effective Risk Appetite Framework", November 2013, Accessed January 2023
Forbes Technology Council, "14 Top Data Security Risks Every Business Should Address", January 2020, Accessed January 2023
Frank Martens, Dr. Larry Rittenberg, "COSO, Risk Appetite Critical for Success, Using Risk Appetite to Thrive in a Changing World", May 2020, Accessed January 2023
Gary Stoneurmer, Alice Goguen and Alexis Feringa, "NIST, Risk Management Guide for Information Technology Systems", Special Publication, 800-30, September 2012, Accessed February 2023
Guy Pearce, "Real-World Data Resilience Demands and Integrated Approach to AI, Data Governance and the Cloud", ISACA Journal, May 2022
InfoTech Tech Trends Report, 2023
ISACA, "Getting Started with Risk Scenarios", 2022, Accessed February 2023
James Kaplan, "Creating a technology risk and cyber risk appetite framework," McKinsey & Company, August 2022, Accessed February 2023
Jean-Gregorie Manoukian, Wolters Kluwer, "Risk appetite and risk tolerance: what’s the difference?", Sept 2016, Accessed February 2023
Jennifer Bayuk, “Technology’s Role in Enterprise Risk Management”, ISACA Journal, March 2018, Accessed in February 2023
John Thackeray, "Global Association of Risk Professionals, 7 Key Elements of Effective ERM", January 2020, Accessed January 2023
KPMG, "Regulatory rigor: Managing technology and cyber risk, How FRFI’s can achieve outcomes laid out in OSFI B-13", October 2022, Accessed January 2023
Marc Chiapolino et al, “Risk and resilience priorities, as told by chief risk officers”, McKinsey and Company, December 2022, Accessed January 2023
Mike Rost, Workiva, "5 Steps to Effective Strategic Management", Updated February 2023. Accessed February 2023
NIST, "Risk Management Framework for Information Systems and Organization, The System Life Cycle Approach for Security and Privacy," December 2018, Accessed February 2023
NIST, NISTIR, "Integrating CyberSecurity and Enterprise Risk", October 2020, Accessed February 2023
Oliver Wyman, "The ORX Reference Taxonomy for operational and non-financial risk summary report", 2019, Accessed February 2023.
Office of the Superintendent of Financial Institutions, "Operational Resilience Consultation Results Summary", December 2021, Accessed January 2023
Open Risk Manual, Risk Taxonomy Definitions
Ponemon. "Cost of a Data Breach Report 2021." IBM, July 2021. Web.
Protiviti, "Executive Perspectives on Top Risks, 2023 & 2032, Key Issues being discussed in the boardroom and c-suite", February 2023, Accessed February 2023
RIMS, ISACA, "Bridging the Digital Gap, How Collaboration Between IT and Risk Management can Enhance Value Creation", September 2019, Accessed February 2023
Robert, R. Moeller, "COSO, Enterprise Risk Management, Second Edition, 2011", Accessed February 2023
Robert Putrus, "Effective Reporting to the BoD on Critical Assets, Cyberthreats and Key Controls: The Qualitative and Quantitative Model", ISACA Journal, January 2021, Accessed January 2023
Ron Brash, "Prioritizing Asset Risk Management in ICS Security", August 2020, Accessed February 2023
Ronald Van Loon, "What is Data Culture and How to Implement it?", November 2023, Accessed February 2023
SAS, "From Crisis to Opportunity, Redefining Risk Management", 2021Accessed January 2023
Satori, Cloudian, "Data Protection and Privacy: 12 Ways to Protect User Data", Accessed January 2023
Spector Information Security, "Building your Asset and Risk Register to Manage Technology Risk", November 2021, Accessed January 2023
Talend, "What is data culture", Accessed February 2023
Tom Schneider, "Managing Cyber Security Risk as Enterprise Risk", ISACA Journal, September 2022, Accessed February 2023
Tony Martin –Vegue, "How to Write Strong Risk Scenarios and Statements", ISACA Journal, September 2021, Accessed February 2023
The Wall Street Journal, "Making Data Risk a Top Priority", April 2018, Accessed February 2023