
Build an IT Risk Taxonomy

If integrated risk is your destination, your IT risk taxonomy is the road to get you there.

Info-Tech Research Group Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.

© 1997-2023 Info-Tech Research Group Inc.
Table of Contents

3 Executive Brief
4 Analyst Perspective
5 Executive Summary
15 Phase 1: Understanding Risk Management Fundamentals
25 Phase 2: Setting Up Your Organization for Success
39 Phase 3: Structuring your IT Risk Taxonomy
64 Appendix
67 Bibliography
EXECUTIVE BRIEF
Analyst Perspective

The pace and uncertainty of the current business environment introduce new and emerging vulnerabilities that can disrupt an organization’s strategy on short notice. Having a long-term view of risk while navigating the short term requires discipline and a robust and strategic approach to risk management.

Managing emerging risks such as climate risk, the impact of digital disruption on internal technology, and the greater use of third parties will require IT leaders to be more disciplined in how they manage and communicate material risks to the enterprise.

Establishing a hierarchical common language of IT risks through a taxonomy will facilitate true aggregation and integration of risks, enabling more effective decision making. This holistic, disciplined approach to risk management helps to promote a more sustainable risk culture across the organization while adding greater rigor at the IT control level.

Donna Bales
Principal Research Director
Info-Tech Research Group

Info-Tech Research Group | 4


Executive Summary

Your Challenge
IT has several challenges when managing and responding to risk events:
• Business leaders, driven by the need to make more risk-informed decisions, are putting pressure on IT to provide more timely and consistent risk reporting.
• Navigating today’s ever-evolving threat landscape is complex. IT risk managers need to balance the emerging threat landscape while not losing sight of the risks of today.
• IT needs to strengthen IT controls and anticipate risks in an age of disruption.

Common Obstacles
Many IT organizations encounter obstacles in these areas:
• Ensuring an integrated, well-coordinated approach to risk management across the organization.
• Developing an IT risk taxonomy that will remain relevant over time while providing sufficient granularity and definitional clarity.
• Gaining acceptance and ensuring understanding of accountability. Involving business leaders and a wide variety of risk owners when developing your IT risk taxonomy will lead to greater organizational acceptance.

Info-Tech’s Approach
• Take a collaborative approach when developing your IT risk taxonomy to gain greater acceptance and understanding of accountability.
• Spend the time to fully analyze your current and future threat landscape when defining your level 1 IT risks and consider the causal impact and complex linkages and intersections.
• Recognize that the threat landscape will continue to evolve and that your IT risk taxonomy is a living document that must be continually reviewed and strengthened.

Info-Tech Insight
A common understanding of risks, threats, and opportunities gives organizations the flexibility and agility to adapt to changing business conditions and drive corporate value.


Increasing threat landscape
The risk landscape is continually evolving, putting greater pressure on the risk function to work collaboratively throughout the organization to strengthen operational resilience and minimize strategic, financial, and reputational impact.

Financial Impact: $4.24 million per incident
In IBM’s 2021 Cost of a Data Breach Report, the Ponemon Institute found that data security breaches now cost companies $4.24 million per incident on average – the highest cost in the 17-year history of the report.

Strategic Risk: 58% – percent of CROs who view inability to manage cyber risks as a top strategic risk.
EY’s 2022 Global Bank Risk Management survey revealed that Chief Risk Officers (CROs) view the inability to manage cyber risk and the inability to manage cloud and data risk as the top strategic risks.

Reputation Risk
Protiviti’s 2023 Executive Perspectives on Top Risks survey featured operational resilience within its top ten risks. An organization’s failure to be sufficiently resilient or agile in a crisis can significantly impact operations and reputation.
Persistent and emerging threats
Organizations should not underestimate the long-term impact on corporate performance if emerging risks are not fully understood, controlled, and embedded into decision-making.

Talent Risk
Protiviti’s 2023 Executive Perspectives on Top Risks survey revealed talent risk as the top risk organizations face, specifically organizations’ ability to attract and retain top talent. Of the 38 risks in the survey, it was the only risk issue rated at a “significant impact” level.

Sustainability
Sustainability is at the top of the risk agenda for many organizations. In EY’s 2022 Global Bank Risk Management survey, environmental, social, and governance (ESG) risks were identified as a risk focus area, with 84% anticipating it to increase in priority over the next three years. Yet Info-Tech’s Tech Trends 2023 report revealed that only 24% of organizations could accurately report on their carbon footprint. (Source: Info-Tech 2023 Tech Trends Report)

Digital Disruption
The risks related to digital disruption are vast and evolving. In the short term, risks surface in compliance and skills shortage, but Protiviti’s 2023 Executive Perspectives survey shows that in the longer term, executives are concerned that the speed of change and market forces may outpace an organization’s ability to compete.
Blueprint benefits

IT Benefits
• Simple, customizable approach to build an IT risk taxonomy
• Improved satisfaction with IT for senior leadership and business units
• Greater ability to respond to evolving threats
• Improved understanding of IT’s role in enterprise risk management (ERM)
• Stronger, more reliable internal control framework

Business Benefits
• Reduced operational surprises and failures
• More dynamic decision making
• More proactive risk responses
• Improved transparency and comparability of risks across silos
• Better financial resilience and confidence in meeting regulatory requirements
• More relevant risk assurance for key stakeholders


Key deliverable: Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Build an IT Risk Taxonomy Workbook
Use the tools and activities in each phase of the blueprint to customize your IT risk taxonomy to suit your organization’s needs.

IT Risk Taxonomy Committee Charter Template
Create a cross-functional IT risk taxonomy committee.

Build an IT Risk Taxonomy Guideline
Use IT risk taxonomy as a baseline to build your organization’s approach.

Build an IT Risk Taxonomy Design Template
Use this template to design and test your taxonomy.

Risk Register Tool
Update your risk register with your IT risk taxonomy.


Benefit from industry-leading best practices
As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensures that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

COSO’s Enterprise Risk Management – Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.

ISO 31000 – Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

COBIT 2019’s IT functions were used to develop and refine the ten IT risk categories used in our top-down risk identification methodology.
Info-Tech offers various levels of support to best suit your needs

DIY Toolkit
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks are used throughout all four options.


Guided Implementation
What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 6 to 8 calls over the course of 3 to 6 months.

Phase 1
Call #1: Review risk management fundamentals.
Call #2: Review the role of an IT risk taxonomy in risk management.
Call #3: Establish a cross-functional team.

Phase 2
Calls #4-5: Identify level 1 IT risk types. Test against enterprise risk management.
Call #6: Identify level 2 and level 3 risk types.

Phase 3
Call #7: Align risk events and controls to level 3 risk types and test.
Call #8: Update your risk register and communicate taxonomy internally.
Workshop Overview
Contact your account representative for more information.
[email protected] 1-888-670-8889

Day 1: Review IT Risk Fundamentals and Governance
Activities
1.1 Discuss risk fundamentals and the benefits of integrated risk.
1.2 Create a cross-functional IT taxonomy working group.
Deliverables
1. IT Risk Taxonomy Committee Charter Template
2. Build an IT Risk Taxonomy Workbook

Day 2: Identify Level 1 IT Risk Types
Activities
2.1 Discuss corporate strategy, business risks, macro trends, and organizational opportunities and constraints.
2.2 Establish level 1 risk types.
2.3 Test soundness of IT level 1 types by mapping to ERM level 1 types.
Deliverables
1. Build an IT Risk Taxonomy Workbook

Day 3: Identify Level 2 and Level 3 Risk Types
Activities
3.1 Establish level 2 risk types.
3.2 Establish level 3 risk types (and level 4 if appropriate for your organization).
3.3 Begin to test by working backward from controls to ensure risk events will aggregate consistently.
Deliverables
1. Build an IT Risk Taxonomy Design Template
2. Risk Register Tool
3. Build an IT Risk Taxonomy Workbook

Day 4: Monitor, Report, and Respond to IT Risk
Activities
4.1 Continue to test robustness of taxonomy and iterate if necessary.
4.2 Optional activity: Draft your IT risk appetite statements.
4.3 Discuss communication and continual improvement plan.
Deliverables
1. Build an IT Risk Taxonomy Design Template
2. Risk Register Tool

Day 5: Next Steps and Wrap-Up (offsite)
Activities
5.1 Complete in-progress deliverables from previous four days.
5.2 Set up review time for workshop deliverables and to discuss next steps.
Deliverables
1. Workshop Report


Phase 1
Understand Risk Management Fundamentals

Phase 1
• Governance, Risk, and Compliance
• Enterprise Risk Management
• Enterprise Risk Appetite
• Risk Statements and Scenarios

Phase 2
• What Is a Risk Taxonomy?
• Functional Role of an IT Risk Taxonomy
• Connection to Enterprise Risk Management
• Establish Committee

Phase 3
• Steps to Define IT Risk Taxonomy
• Define Level 1
• Test Level 1
• Define Level 2 and 3
• Test via Your Control Framework

Build an IT Risk Taxonomy


Governance, risk, and compliance (GRC)
GRC principles are tightly bound and continuous

Risk management is one component of an organization’s GRC function.

GRC principles are important tools to support enterprise management.

Governance sets the guardrails to ensure that the enterprise is in alignment with standards, regulations, and board decisions. A governance framework will communicate rules and expectations throughout the organization and monitor adherence.

Risk management is how the organization protects and creates enterprise value. It is an integral part of an organization’s processes and enables a structured decision-making approach.

Compliance is the process of adhering to a set of guidelines; these could be external regulations and guidelines or internal corporate policies.

[Diagram: Governance, Risk, Compliance]


Enterprise risk management
ERM is supported by strategy, effective processes, technology, and people

Regardless of size or structure, every organization makes strategic and operational decisions that expose it to uncertainties.

Enterprise risk management (ERM) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS).

An ERM program is crucial because it will:
• Help shape business objectives, drive revenue growth, and execute risk-based decisions.
• Enable a deeper understanding of risks and assessment of current risk profile.
• Support forward-looking risk management and more constructive dialogue with the board and regulatory agencies.
• Provide insight on the robustness and efficacy of risk management processes, tools, and controls.
• Drive a positive risk culture.

[Diagram: People, Process, and Technology surrounding Strategy, Risk Appetite, and Performance, with a Plan, Execute, Respond cycle]
Risk frameworks
Risk frameworks are leveraged by the industry to “provide a structure and set of definitions to allow enterprises of all types and sizes to understand and better manage their risk environments.” – COSO Enterprise Risk Management, 2nd edition

• Many organizations lean on the Committee of Sponsoring Organizations’ Enterprise Risk Management framework (COSO ERM) and ISO 31000 to view organizational risks from an enterprise perspective.
• Prior to the introduction of standardized risk frameworks, it was difficult to quantify the impact of a risk event on the entire enterprise, as the risk was viewed in a silo or as an individual risk component.
• Recently, the National Institute of Standards and Technology (NIST) published guidance on developing an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and the processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.

Source: National Institute of Standards and Technology
New NIST guidance (NISTIR 8286) emphasizes the complexity of risk management and the need for the risk management process to be carried out seamlessly across three tiers with the overall objective of continuous improvement.


Enterprise risk appetite
“The amount of risk an organization is willing to take in pursuit of its objectives”
– Robert R. Moeller, COSO ERM Framework Model

• A primary role of the board and senior management is to balance value creation with effective management of enterprise risks.
• As part of this role, the board will approve the enterprise’s risk appetite. Placing this responsibility with the board ensures that the risk appetite is aligned with the company’s strategic objectives.
• The risk appetite is used throughout the organization to assess and respond to individual risks, acting as a constant to make sure that risks are managed within the organization’s acceptable limits.
• Each year, or in reaction to a risk trigger, the enterprise risk appetite will be updated and approved by the board.
• Risk appetite will vary across organizations for several reasons, such as industry, company culture, competitors, the nature of the objectives pursued, and financial strength.

[Diagram: Change or new risks → Adjust enterprise risk profile → Adjust risk appetite]


Risk profile vs. risk appetite
Risk profile is the broad parameters an organization considers in executing its business strategy. Risk appetite is the amount of risk an entity is willing to accept in pursuit of its strategic objectives. The risk appetite can be used to inform the risk profile or vice versa. Your organization’s risk culture informs and is used to communicate both.

Risk Tolerant
• You have no compliance requirements.
• You have no sensitive data.
• Customers do not expect you to have strong security controls.
• Revenue generation and innovative products take priority and risk is acceptable.
• The organization does not have remote locations.
• It is likely that your organization does not operate within the following industries:
o Finance
o Healthcare
o Telecom
o Government
o Research
o Education

Moderate
• You have some compliance requirements, such as:
o HIPAA
o PIPEDA
• You have sensitive data and are required to retain records.
• Customers expect strong security controls.
• Information security is visible to senior leadership.
• The organization has some remote locations.
• Your organization most likely operates within the following industries:
o Government
o Research
o Education

Risk Averse
• You have multiple strict compliance and/or regulatory requirements.
• You house sensitive data, such as medical records.
• Customers expect your organization to maintain strong and current security controls.
• Information security is highly visible to senior management and public investors.
• The organization has multiple remote locations.
• Your organization operates within the following industries:
o Finance
o Healthcare
o Telecom
Where the IT risk appetite fits into the risk program
The risk appetite has a risk lens but is also closely linked to corporate performance.

• Your organization’s strategy and associated risk appetite cascade down to each business department. Overall strategy and risk appetite also set a strategy and risk appetite for each department.
• Both risk appetite and risk tolerances set boundaries for how much risk an organization is willing or prepared to take. However, while appetite is often broad, tolerance is tactical and focused.
• Tolerances apply to specific objectives and provide guidance to those executing on a day-to-day basis. They measure the variation around performance expectations that the organization will tolerate.
• Ideally, they are incorporated into existing governance, risk, and compliance systems and are also considered when evaluating business cases.
• IT risk appetite statements are based on IT level 1 risk types.

[Diagram: Mission, Vision, Core Values → Enterprise Strategy → Enterprise Risk Appetite → IT Strategy → IT Risk Appetite; a risk tolerance band around the risk appetite, bounded by critical limits, plotted against performance]
Adapted from “Risk Appetite – Critical for Success...” COSO, 2020
Statements of risk

[Diagram: Risk Landscape – all risks across a company’s landscape; a risk tolerance band around the risk appetite, bounded by critical limits, plotted against performance. Downside boundary of impact if bad things happen; upper limit to where we can go if good things happen. Continually revisit risks over time.]

Risk tolerance “reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.” – COSO

Risk Appetite
• The general amount of risk an organization is willing to accept while pursuing its objectives.
• Proactive, future view of risks that reflects the desired range of enterprise performance.
• Reflects the longer-term strategy of what needs to be achieved and the resources available to achieve it, expressed in quantitative criteria.
• Risk appetites will vary for several reasons, such as the company culture, financial strength, and capabilities.

Risk Tolerance
• Risk tolerance is the acceptable deviation from the level set by the risk appetite.
• Risk tolerance is a tactical tool often expressed in quantitative terms.
• Key risk indicators are often used to align to risk tolerance limits to ensure the organization stays within the set risk boundary.
Risk scenarios
“Risk scenarios serve two main purposes: to help decision makers understand how adverse events can affect organizational strategy and objectives and to prepare a framework for risk analysis by clearly defining and decomposing the factors contributing to the frequency and the magnitude of adverse events.” – ISACA

• Organizations’ pervasive use of and dependency on technology has increased the importance of scenario analysis to identify relevant and important risks and the potential impacts of risk events on the organization if the risk event were to occur.
• Risk scenarios provide “what if” analysis through a structured approach, which can help to define controls and document assumptions.
• They form a constructive narrative and help to communicate a story by bringing in business context.
• For the best outcome, have input from business and IT stakeholders. However, in reality, risk scenarios are usually driven by IT through the asset management practice.
• Once the scenarios are developed, they are used during the risk analysis phase, in which frequency and business impacts are estimated. They are also a useful tool to help the risk team (and IT) communicate and explain risks to various business stakeholders.

Top-down approach – driven by the business by determining the business impact, i.e. what is the impact on my customers, reputation, and bottom line if the system that supports payment processing fails?

[Diagram: Server to support payment processing]

Bottom-up approach – driven by IT by identifying critical assets and what harm could happen if they were to fail.
Example risk scenario
Use level 1 IT risks to derive potential scenarios.

Risk Scenario Title
Description: A brief description of the risk scenario
Example (IT Risks): The enterprise is unable to recruit and retain IT staff

Risk Type
Description: The process or system that is impacted by the risk
Example:
• Service quality
• Product and service cost

Risk Scenario Category
Description: Deeper insight into how the risk might impact business functions
Example:
• Inadequate capacity to support business needs
• Talent and skills gap due to inability to retain talent

Risk Statement
Description: Used to communicate the potential adverse outcomes of a particular risk event and can be used to communicate to stakeholders to enable informed decisions
Example: The organization chronically fails to recruit sufficiently skilled IT workers, leading to a loss of efficiency in overall technology operation and an increased security exposure.

Risk Owner
Description: The designated party responsible and accountable for ensuring that the risk is maintained in accordance with enterprise requirements
Example:
• Head of Human Resources
• Business Process Owner

Risk Oversight
Description: The person (role) who is responsible for risk assessments, monitoring, documenting risk response, and establishing key risk indicators
Example: CRO/COO

Informed by ISACA


Phase 2
Set Your Organization Up for Success

This phase will walk you through the following activities:
• How to set up a cross-functional IT risk taxonomy committee

This phase involves the following participants:
• CIO
• CISO
• CRO
• IT Risk Owners
• Business Leaders
• Human Resources

Build an IT Risk Taxonomy


What is a risk taxonomy?
A risk taxonomy provides a common risk view and enables integrated risk

• A risk taxonomy is the (typically hierarchical) categorization of risk types. It is constructed out of a collection of risk types organized by a classification scheme.
• Its purpose is to assist with the management of an organization’s risk by arranging risks in a classification scheme.
• It provides foundational support across the risk management lifecycle in relation to each of the key risks.
• More material risk categories form the root nodes of the taxonomy, and risk types cascade into more granular manifestations (child nodes).
• From a risk management perspective, a taxonomy will:
o Enable more effective risk aggregation and interoperability.
o Provide the organization with a complete view of risks and how risks might be interconnected or concentrated.
o Help organizations form a robust control framework.
o Give risk managers a structure to manage risks proactively.

[Diagram: Typical Tree Structure – a root node with child nodes, each of which has further child nodes]


What is integrated risk management?

• Integrated risk management is the process of ensuring all forms of risk information, including risk related to information and technology, are considered and included in the organization’s risk management strategy.
• It removes the siloed approach of classifying risks related to specific departments or areas of the organization, recognizing that each risk is a potential threat to the overarching enterprise.
• By aggregating the different threats or uncertainty that might exist within an organization, integrated risk management enables more informed decisions to be made that align to strategic goals and continue to drive value back to the business.
• By holistically considering the different risks, the organization can make informed decisions on the best course of action that will reduce any negative impacts associated with the uncertainty and increase the overall value.

[Diagram: Enterprise Risk Management (ERM) – Strategic, Financial, Non-Financial, Reputational, Talent]

Integrated risk management: A strategic and collaborative way to manage risks across the organization. It is a forward-looking, business-specific outlook with the objective of improving risk visibility and culture.


Drivers and benefits of integrated risk
Business velocity and complexity are making real-time risk management a business necessity.

Drivers for Integrated Risk Management
• Business shift to digital experiences
• The breadth and number of risks requiring oversight
• The need for faster risk analysis and decision making

Benefits of Integrated Risk Management
• Enables better scenario planning
• Enables more proactive risk responses
• Provides more relevant risk assurance to key stakeholders
• Improves transparency and comparability of risks across organizational silos
• Supports better financial resilience


If integrated risk is the destination, your taxonomy is your road to get you there

[Diagram: Info-Tech’s Model for Integrated Risk – Integrated Risk Management at the centre of an Identify, Assess, Respond, Monitor, Report cycle, supported by Infrastructure, Process, and Reporting; surrounding outcomes and enablers: Strategic Objectives, Governance, Risk-Aware Culture, Risk-Informed Decisions, Optimize Compliance and Audit, Minimize Losses, Access to Tools and Training, Data and Analytics]
How the risk practices intersect
The risk taxonomy provides a common classification of risks that allows risks to roll up systematically to enterprise risk, enabling more effective risk responses and more informed decision making.

[Diagram]
IT Risk Management: Assess Risk Impact → Material Risks → Provide Risk Response (Accept, Transfer, Mitigate, Terminate) → Communicate risk response
IT Risk Taxonomy (IT Level 1 Risks): Technology Risks, Talent Risks, Data Risks, Security Risks, Third-Party Risks
Enterprise Risk Management: Strategic, Financial, Reputation → Material Risks
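As an added example (not code from the blueprint or from Info-Tech), the following Python models the tree structure from "What is a risk taxonomy?" and the roll-up described above: level 2 and 3 risk types cascade from IT level 1 types, each IT level 1 type is mapped to an ERM level 1 type, validate() performs the soundness checks from the workshop steps (every IT level 1 type maps to ERM and has child types), and roll_up() aggregates risk events to IT and ERM level 1 while flagging events that cannot aggregate. The level 1 names come from this page; the IT-to-ERM mapping, the level 2/3 types and the risk events are constructed assumptions.

```python
"""Added example, not from the Info-Tech blueprint: a hierarchical IT risk
taxonomy whose level 2/3 types cascade from IT level 1 types, with risk
events rolling up through IT level 1 to ERM level 1. Level 1 names come from
this page; the IT-to-ERM mapping, level 2/3 types and events are constructed."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class RiskType:
    name: str
    level: int                          # 0 = root, 1 = IT level 1, then 2, 3 ...
    parent: "RiskType" = None
    children: list = field(default_factory=list)


class RiskTaxonomy:
    def __init__(self, root_name="IT Risk"):
        self.root = RiskType(root_name, 0)
        self.types = {root_name: self.root}
        self.erm_map = {}                   # IT level 1 name -> ERM level 1 name

    def add(self, name, parent_name):
        if name in self.types:
            raise ValueError(f"duplicate risk type: {name}")   # names must be unambiguous
        parent = self.types[parent_name]
        node = RiskType(name, parent.level + 1, parent)
        parent.children.append(node)
        self.types[name] = node
        return node

    def map_to_erm(self, it_level1, erm_level1):
        if self.types[it_level1].level != 1:
            raise ValueError(f"{it_level1} is not an IT level 1 risk type")
        self.erm_map[it_level1] = erm_level1

    def level1_of(self, name):
        node = self.types[name]             # walk up to the IT level 1 ancestor
        while node.level > 1:
            node = node.parent
        return node.name

    def validate(self):
        """Soundness checks from the page's test steps: every IT level 1 type maps
        to an ERM level 1 type and has at least one level 2 child type."""
        problems = []
        for lvl1 in self.root.children:
            if lvl1.name not in self.erm_map:
                problems.append(f"{lvl1.name}: no ERM level 1 mapping")
            if not lvl1.children:
                problems.append(f"{lvl1.name}: no level 2 risk types")
        return problems

    def roll_up(self, events):
        """events: iterable of (event_title, risk_type_name). Returns counts per
        IT level 1, counts per ERM level 1, and titles that could not aggregate."""
        it_counts, erm_counts, unmapped = Counter(), Counter(), []
        for title, risk_type in events:
            if risk_type not in self.types:
                unmapped.append(title)          # a taxonomy gap, not a silent drop
                continue
            lvl1 = self.level1_of(risk_type)
            it_counts[lvl1] += 1
            erm_counts[self.erm_map[lvl1]] += 1
        return it_counts, erm_counts, unmapped


def build_sample_taxonomy():
    tax = RiskTaxonomy()
    for lvl1 in ("Technology", "Talent", "Data", "Security", "Third-Party"):
        tax.add(lvl1, "IT Risk")
    # Constructed mapping onto the page's ERM level 1 categories (an assumption).
    for lvl1, erm in (("Technology", "Non-Financial"), ("Talent", "Talent and Risk Culture"),
                      ("Data", "Non-Financial"), ("Security", "Non-Financial"),
                      ("Third-Party", "Non-Financial")):
        tax.map_to_erm(lvl1, erm)
    # Constructed level 2 and level 3 risk types.
    tax.add("Talent and skills gap", "Talent")
    tax.add("Inability to retain talent", "Talent and skills gap")
    tax.add("Service availability", "Technology")
    tax.add("Critical system outage", "Service availability")
    tax.add("Data quality", "Data")
    tax.add("Security incident", "Security")
    tax.add("Vendor failure", "Third-Party")
    return tax


# Constructed risk events, each tagged with the most granular risk type known.
SAMPLE_EVENTS = [
    ("Enterprise is unable to recruit and retain IT staff", "Inability to retain talent"),
    ("Payment processing server fails", "Critical system outage"),
    ("Critical vendor ceases operations", "Vendor failure"),
    ("Incorrect customer records in CRM", "Data quality"),
    ("Unclassified audit finding", "Not a risk type in the taxonomy"),
]

if __name__ == "__main__":
    tax = build_sample_taxonomy()
    print("taxonomy problems:", tax.validate() or "none")
    print(tax.roll_up(SAMPLE_EVENTS))
```

The last sample event deliberately uses a risk type that does not exist, so roll_up() reports it as unable to aggregate instead of silently dropping it.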
ERM taxonomy
“Relative to the base event types, overall there is an increase in the number of level 1 risk types in risk taxonomies.” – Oliver Wyman

• The changing risk profile of organizations and regulatory focus in some industries is pushing organizations to rethink their risk taxonomies.
• Generally, the expansion of level 1 risk types is due to the increase in risk themes under the operational risk umbrella.
• Non-financial risks are risks that are not considered to be traditional financial risks, such as operational risk, technology risk, culture, and conduct. Environmental, social, and governance (ESG) risk is often referred to as a non-financial risk, although it can have both financial and non-financial implications.
• Certain level 1 ERM risks, such as strategic risk, reputational risk, and ESG risk, cover both financial and non-financial risks.

Traditional ERM Structure
Level 1: Strategic, Reputational, ESG, Financial, Non-Financial
Level 2 under Financial: Credit and Counterparty, Market, Insurance, Liquidity and Funding
Level 2 under Non-Financial: Operational, Legal and Regulatory, Talent and Culture


Operational resilience
• The concept of operational resiliency was first introduced by the European Central Bank (ECB) in 2018 as an attempt to corral supervisory cooperation on operational resiliency in financial services.
• The necessity for stronger operational resiliency became clear during the early stages of COVID-19 when many organizations were not prepared for disruption, leading to serious concern for the safety and soundness of the financial system.
• It has gained traction and is now defined in global supervisory guidance. Canada’s prudential regulator, the Office of the Superintendent of Financial Institutions (OSFI), defines it as “the ability of a financial institution to deliver its operations, including its critical operations, through disruption.”
• Practically, its purpose is to knit together several operational risk management categories such as business continuity, security, and third-party risk.
• The concept has been adopted by information and communication technology (ICT) companies, as technology and cyber risks sit neatly under this risk type.
• It is now not uncommon to see operational resiliency as a level 1 risk type in a financial institution’s ERM framework.

Operational resilience will often feature in ERM frameworks in organizations that deliver critical services, products, or functions, such as financial services.

ERM Structure with Operational Resilience
Level 1: Strategic, Reputational, ESG, Financial, Non-Financial, Operational Resilience
Level 2 under Financial: Credit and Counterparty, Market, Insurance, Liquidity
Level 2 under Non-Financial: Legal and Regulatory, Talent and Culture, Conduct
Level 2 under Operational Resilience: Business Continuity, Third-Party, Security (cyber)


ERM level 1 risk categories
Although many organizations have expanded their enterprise risk management taxonomies to address new threats, most organizations will have the following level 1 risk types:

ERM Level 1 | Definition | Definition Source
Financial | The ability to obtain sufficient and timely funding capacity. | Global Association of Risk Professionals (GARP)
Non-Financial | Non-financial risks are risks that are not considered to be traditional financial risks such as operational risk, technology risk, culture and conduct. | Office of the Superintendent of Financial Institutions (OSFI)
Reputational | Potential negative publicity regarding business practices regardless of validity. | US Federal Reserve; Global Association of Risk Professionals (GARP)
Strategic | Risk of unsuccessful business performance due to internal or external uncertainties, whether the event is event or trend driven. Actions or events that adversely impact an organization’s strategies and/or implementation of its strategies. | The Risk Management Society (RIMS)
Sustainability (ESG) | The risk of any negative financial or reputational impact on an organization stemming from current or prospective impacts of ESG factors on its counterparties or invested assets. | Open Risk Manual; Info-Tech Research Group
Talent and Risk Culture | The widespread behaviors and mindsets that can threaten sound decision-making, prudent risk-taking, and effective risk management and can weaken an institution’s financial and operational resilience. | Info-Tech Research Group


Different models of ERM
Some large organizations will elevate certain material operational risks to level 1 organizational risks due to risk materiality.
Every organization will approach its risk management taxonomy differently; the number of level 1 risk types will vary and depend highly on perceived impact.
Some of the reasons why an organization would elevate a risk to a level 1 ERM risk are:
• The risk has significant impact on the organization's strategy, reputation, or financial performance.
• The regulator has explicitly called out board oversight within legislation.
• It is best practice in the organization’s industry or business sector.
• The organization has structured its operations around a particular risk theme due to its potential negative impact. For example, the organization may have a dedicated department for data privacy.

Level 1 Risk / Rationale / Potential Industries / Definition
• Advanced Analytics. Rationale: Use of advanced analytics is considered. Industries: Large Enterprise, Marketing. Definition: Risks involved with model risk and emerging risks posed by artificial intelligence/machine learning.
• Anti-Money Laundering (AML) and Fraud. Rationale: Risk is viewed as material. Industries: Financial Services, Gaming, Real Estate. Definition: The risk of exposure to financial crime and fraud.
• Conduct Risk. Rationale: Sector-specific risk type. Industries: Financial Services. Definition: The current or prospective risk of losses to an institution arising from inappropriate supply of financial services, including cases of willful or negligent misconduct.
• Operational Resiliency. Rationale: Sector-specific risk type. Industries: Financial Services, ICT. Definition: Organizational risk resulting from an organization’s failure to deliver its operations, including its critical operations, through disruption.
• Privacy. Rationale: Board driven – perceived as material risk to the organization. Industries: Healthcare, Financial Services. Definition: The potential loss of control over personal information.
• Information Security. Rationale: Board driven – regulatory focus. Industries: All may consider. Definition: The people, processes, and technology involved in protecting data (information) in any form – whether digital or on paper – through its creation, storage, transmission, exchange, and destruction.
Risk and impact
Rolling Up Risks to a Portfolio View
Mapping risks to business outcomes happens within the ERM function and by enterprise fiduciaries.
• When mapping risk events to enterprise risk types, the relationship is rarely linear. Rather, risk events typically will have multiple impacts on the enterprise, including strategic, reputational, ESG, and financial impacts.
• As risk information is transmitted from lower levels, it informs the next level, providing the appropriate information to prioritize risk.
• In the final stage, the enterprise portfolio view will reflect the enterprise impacts according to risk dimensions, such as strategic, operational, reporting, and compliance.

[Illustration: Security Event → Enterprise impacts → Enterprise risk profile]
Enterprise impacts: Strategy/Mission (ability to achieve goals); Finances (impact on capital or operational expenses); Reputation (damage to reputation)
Enterprise risk profile: Strategic, Operational, Reporting, Compliance

1. A risk event within IT will roll up to the enterprise via the IT risk register.
2. The impact of the risk on cash flow and operations will be aggregated and allocated in the enterprise risk register by enterprise fiduciaries (e.g. CFO).
3. The impacts are translated into full value exposures or modified impact and likelihood assessments.
Common challenges
How to synthesize different objectives between IT risk and enterprise risk
Commingling risk data is a major challenge when developing a risk taxonomy, but one of the underlying reasons is that the enterprise and IT look at risk from different dimensions.

Enterprise view
• The role of the enterprise in risk management is to provide and preserve value, and therefore the enterprise evaluates risk on an adjusted risk-return basis.
• To do this effectively, the enterprise must break down silos and view risk holistically.
• ERM is a top-down process of evaluating risks that may impact the entity. As part of the process, ERM must manage risks within the enterprise risk framework and provide reasonable assurances that enterprise objectives will be met.

IT view
• IT risk management focuses on internal controls and sits as a function within the larger enterprise.
• IT takes a bottom-up approach by applying an ongoing process of risk management and constantly identifying, assessing, prioritizing, and mitigating risks.
• IT has a central role in risk mitigation and, if functioning well, will continually reduce IT risks, simplifying the role for ERM.


Establish a team
Cross-functional collaboration is key to defining level 1 risk types.
Establish a cross-functional working group.
• Level 1 IT risk types are the most important to get right because they are the root nodes that all subtypes of risk cascade from.
• To ensure the root nodes (level 1 risk types) address the risks of your organization, it is vital to have a strong understanding of your organization’s value chain, so your organizational strategy is a key input for defining your IT level 1 risk types.
• Since the taxonomy provides the method for communicating risks to the people who need to make decisions, a wide understanding and acceptance of the taxonomy is essential. This means that multiple people across your organization should be involved in defining the taxonomy.
• Form a cross-functional tactical team to collaborate and agree on definitions. The team should include subject matter experts and leaders in key risk and business areas. In terms of governance structure, this committee might sit underneath the enterprise risk council, and members of your IT risk council may also be good candidates for this tactical working group.
• The committee would be responsible for defining the taxonomy as well as performing regular reviews.
• The importance of collaboration will become crystal clear as you begin this work, as risks should be connected to only one risk type.

Governance Layer / Role / Responsibilities
• Enterprise – Enterprise Risk Council: Defines organizational goals. Directs or regulates the performance and behavior of the enterprise, ensuring it has the structure and capabilities to achieve its goals. Responsibilities: approve risk taxonomy.
• Strategic – IT Risk Council: Ensures business and IT initiatives, products, and services are aligned to the organization’s goals and strategy and provide expected value. Ensures adherence to key principles. Responsibilities: provide input; may review taxonomy ahead of going to the enterprise risk council for approval.
• Tactical – Subcommittee: Ensures key activities and planning are in place to execute strategic initiatives. Responsibilities: define risk types and definitions; establish and maintain taxonomy; recommend changes; advocate and communicate internally.
2.1 Establish a cross-functional working group
2-3 hours

Input:
• Organization chart and operating model
• Corporate governance framework and existing committee charters
Output:
• Cross-functional working group charter

1. Consider your organization’s operating model and current governance framework, specifically any current risk committees.
2. Consider the members of current committees and your objectives and begin defining:
   a) Committee mandate, goals, and success factors.
   b) Responsibility and membership.
   c) Committee procedures and policies.
3. Make sure you define how this tactical working group will interact with existing committees.

Materials:
• Whiteboard/flip charts
• Build an IT Risk Taxonomy Workbook
• IT Risk Taxonomy Committee Charter
Participants:
• CISO
• Human resources
• Corporate communications
• CRO or risk owners
• Business leaders

Download Build an IT Risk Taxonomy Workbook Template


Phase 3
Structure Your IT Risk Taxonomy

This phase will walk you through the following activities:
• Establish level 1 risk types
• Test level 1 risk types
• Define level 2 and level 3 risk types
• Test the taxonomy via your control framework

This phase involves the following participants:
• CIO
• CISO
• CRO
• IT Risk Owners
• Business Leaders
• Human Resources

Phase 1: Governance, Risk, and Compliance; Enterprise Risk Management; Enterprise Risk Appetite; Risk Statements and Scenarios
Phase 2: What Is a Risk Taxonomy?; Functional Role of an IT Risk Taxonomy; Connection to Enterprise Risk Management; Establish Committee
Phase 3: Steps to Define IT Risk Taxonomy; Define Level 1; Test Level 1; Define Level 2 and 3; Test via Your Control Framework


Structuring your IT risk taxonomy
A successful risk taxonomy is forward looking and codifies the most frequently used risk language across your organization.

Do’s
• Ensure your organization’s values are embedded into the risk types.
• Design your taxonomy to be forward looking and risk based.
• Make level 1 risk types generic so they can be used across the organization.
• Ensure each risk has its own attributes and belongs to only one risk type.
• Collaborate on and communicate your taxonomy throughout the organization.

Don’ts
• Don’t develop risk types based on function.
• Don’t develop your taxonomy in a silo.

[Illustration: taxonomy levels]
Level 1: Parent risk types aligned to organizational values
Level 2: Subrisks to level 1 risks
Level 3: Further definition


Steps to define your IT risk taxonomy
Step 1: Leverage Info-Tech’s Build an IT Risk Taxonomy Guideline and identify IT level 1 risk types. Consider corporate inputs and macro trends.
Step 2: Test level 1 IT risk types by mapping to your enterprise's ERM level 1 risk types.
Step 3: Draft your level 2 and level 3 risk types. Be mutually exclusive to the extent possible.
Step 4: Work backward – align risk events and controls to the lowest level risk category. In our examples, we align to level 3.
Step 5: Add risk levels to your risk registry.
Step 6: Optional – Add IT risk appetite statements to risk register.
Inputs to use when defining level 1
To help you define your IT risk taxonomy, leverage your organization’s strategy and risk management artifacts, such as outputs from risk assessments, audits, and test results. Also consider macro trends and potential risks unique to your organization.
Step 1 – Define Level 1 Risk Types

Use corporate inputs to help structure your taxonomy: Corporate Strategy, Risk Assessment, Audit, Test Results.
Consider macro trends that may have an impact on how you manage IT risks: Geopolitical Risk, Regulation, Economic Downturn, Competition, Climate Risk, Industry Disruption.


Evaluate from an organizational lens
Ask risk-based questions to help define level 1 IT risks for your organization.

IT Risk Type / Example Questions
Technology
• How reliant is our organization on critical assets for business operations?
• How resilient is the organization to an unexpected crisis?
• How many planned integrations do we have (over the next 24 months)?
Data
• How much sensitive data does our organization use?
• How much data is used and stored aggregately?
• How often is data moved? And to what locations?
Talent Risk
• What is our need for specialized skills, like digital, AI, etc.?
• Does our culture support change and innovation?
• How susceptible is our organization to labor market changes?
Third-party
• How many third-party suppliers do we have?
• How reliant are we on the global supply chain?
• What is the maturity level of our third-party suppliers?
• Do we have any concentration risk?
Strategy
• What is the extent of digital adoption or use of emerging technologies in our organization?
• How aligned is IT with strategy/corporate goals?
• How much is our business dependent on changing customer preferences?
Security
• How equipped is our organization to manage cyber threats?
• How many security incidents occur per year/quarter/day?
• Do we have regulatory obligations? Is there risk of enforcement action?


Level 1 IT taxonomy structure
Step 2 – Consider your organization’s strategy and areas where risks may manifest and use this guidance to advance your thinking. Many factors may influence your taxonomy structure, including internal organizational structure, the size of your organization, industry trends and organizational context, etc.
Most IT organizations will include these level 1 risks in their IT risk taxonomy.

IT Level 1 / Definition / Definition Source
• Technology: Risk arising from the inadequacy, disruption, destruction, failure, damage from unauthorized access, modifications, or malicious use of information technology assets, people or processes that enable and support business needs, and can result in financial loss and/or reputational damage. Source: Open Risk Manual.
  “Technology risk”, which includes “cyber risk”, refers to the risk arising from the inadequacy, disruption, destruction, failure, damage from unauthorized access, modifications, or malicious use of information technology assets, people or processes that enable and support business needs, and can result in financial loss and/or reputational damage. Source: Office of the Superintendent of Financial Institutions (OSFI).
• Talent: The risk of not having the right knowledge and skills to execute strategy. Source: Info-Tech Research Group/McLean & Company.
• Strategic: Risks that threaten IT’s ability to deliver expected business outcomes. Source: Info-Tech Research Group.

Notes
• Note how this definition by OSFI includes cyber risk as part of technology risk. Smaller organizations and organizations that do not use large amounts of sensitive information will typically fold cyber risks under technology risks. Not all organizations will take this approach. Some organizations may elevate security risk to level 1.
• Human capital challenges, including succession challenges and the ability to attract and retain top talent, are considered the most dominant risk to organizations’ ability to meet their value proposition (Protiviti, 2023).
• IT’s role as strategic enabler to the business has never been so vital. With the speed of disruptive innovation, IT must be able to monitor alignment, support opportunities, and manage unexpected crises.
Level 1 IT taxonomy structure cont'd
Step 2 – Large and more complex organizations may have more level 1 risk types. Variances in approaches are closely linked to the type of industry and business in which the organization operates as well as how they view and position risks within their organization.

IT Level 1 / Definition / Definition Source
• Data: Data risk is the exposure to loss of value or reputation caused by issues or limitations to an organization’s ability to acquire, store, transform, move, and use its data assets. Source: Deloitte.
  Data risk encompasses the risk of loss of value or reputation resulting from inadequate or failed internal processes, people and systems or from external events impacting on data. Source: Australian Prudential Regulation Authority (APRA) CPG 235 (2013).
• Third-Party: The risk of adversely impacting the institution’s performance by engaging a third party, or their associated downstream and upstream partners or another group entity (intragroup outsourcing), to provide IT systems or related services. Source: European Banking Association (EBA); Open Risk Manual uses the EBA definition.
• Security: The risk of unauthorized access to IT systems and data from within or outside the institution (e.g., cyber-attacks). An incident is viewed as a series of events that adversely affects the information assets of an organization. The overall narrative of this type of risk event is captured as who, did what, to what (or whom), with what result. Source: Open Risk Manual.

Notes
• Data is increasingly being used for strategic growth initiatives as well as for meeting regulatory requirements. Organizations that use a lot of data or specifically sensitive information will likely have data as a level 1 IT risk type.
• Third-party risk (supply chain risk) received heightened attention during COVID-19. If your IT organization is heavily reliant on third parties, you may want to consider elevating third-party risk to level 1.
• Some organizations and industries are subject to regulatory obligations, which typically means the board has strict oversight and will elevate security risk to a level 1.
Common challenges
Deciding placement in taxonomy
Considerations when defining level 1 IT risk types
• Ultimately, the identification of a level 1 IT risk type will be driven by the potential for and materiality of vulnerabilities that may impede an organization from delivering successful business outcomes.
• Senior leaders within organizations play a central role in protecting organizations against vulnerabilities and threats.
• The size and structure of your organization will influence how you manage risk.
• The following slide shows typical roles and responsibilities for data privacy.
• Large enterprises and organizations that use a lot of personal identifiable information (PII) data, such as those in healthcare, financial services, and online retail, will typically have data as a level 1 IT risk and data privacy as a level 2 risk type.
• However, smaller organizations or organizations that do not use a lot of data will typically fold data privacy under either technology risk or security risk.

[Decision tree: where data privacy sits in the taxonomy]
Are you a large enterprise?
  Yes → Does your organization have sensitive data such as PII data?
    Yes → Level 1: Data; Level 2: Data Privacy; Level 3: TBD
    No → Level 1: Technology; Level 2: Security; Level 3: Data Privacy
  No → Level 1: Technology; Level 2: Security; Level 3: Data Privacy

• In larger enterprises, data risks are managed within a dedicated functional department with its own governance structure. In small organizations, the CIO is typically responsible and accountable for managing data privacy risk.
Typical roles and responsibilities for data privacy
Privacy Requirement / What Is Involved / Global Enterprise (Accountable; Responsible) / Midmarket (Accountable & Responsible)
• Privacy Legal and Compliance Obligations
  o Ensuring the relevant Accountable roles understand privacy obligations for the jurisdictions operated in.
  o Global enterprise, accountable: Privacy Officer (Legal). Midmarket, accountable & responsible: Privacy Officer (Legal).
• Privacy Policy, Standards, and Governance
  o Defining policies and ensuring they are in place to ensure all privacy obligations are met.
  o Monitoring adherence to those policies and standards.
  o Global enterprise, accountable: Chief Risk Officer (Risk). Midmarket, accountable & responsible: Head of Risk Function.
• Data Classification and Security Standards and Best-Practice Capabilities
  o Defining the organization’s data classification and security standards and ensuring they align to the privacy policy.
  o Designing and building the data security standards, processes, roles, and technologies required to ensure all security obligations under the privacy policy can be met.
  o Providing oversight of the effectiveness of data security practices and leading resolution of data security issues/incidents.
  o Global enterprise, accountable: Chief Information Security Officer (IT). Midmarket, accountable & responsible: Chief Information Security Officer (IT).
• Technical Application of Data Classification, Management and Security Standards
  o Ensuring all technology design, implementation, and operational decisions adhere to data classification, data management, and data security standards.
  o Global enterprise, accountable: Chief Information Officer (IT); responsible: Chief Data Architect (IT). Midmarket, accountable & responsible: Chief Information Officer (IT).
• Data Management Standards and Best-Practice Capabilities
  o Defining the organization’s data management standards and ensuring they align to the privacy policy.
  o Designing and building the data management standards, processes, roles, and technologies required to ensure data classification, access, and sharing obligations under the privacy policy can be met.
  o Providing oversight of the effectiveness of data classification, access, and sharing practices and leading resolution of data management issues/incidents.
  o Global enterprise, accountable: Chief Data Officer. Midmarket: where no Head of Data exists and IT, not the business, is seen as de facto owner of data and data quality.
• Execution of Data Management
  o Ensuring business processes that involve data classification, sharing, and access related to their data domain align to data management standards (and therefore privacy obligations).
  o Global enterprise, accountable: L1 Business Process Owner. Midmarket, accountable & responsible: L2 Business Process Owner.


Common challenges
Defining security risk and where it resides in the taxonomy
• For risk management to be effective, risk professionals need to speak the same language, but the terms “information security,” “cybersecurity,” and “IT security” are often used interchangeably.
• Traditionally, cyber risk was folded under technology risk and therefore resided at a lower level of a risk taxonomy. However, due to heightened attention from regulators and boards stemming from the pervasiveness of cyber threats, some organizations are elevating security risks to a level 1 IT risk.
• Furthermore, regulatory cybersecurity requirements have emphasized control frameworks. As such, many organizations have adopted NIST because it is comprehensive, regularly updated, and easily tailored.
• While NIST is prescriptive and action oriented, it starts with controls and does not easily integrate with traditional ERM frameworks. To address this, NIST has published new guidance focused on an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and the processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.

Definitional Nuances
“Cybersecurity” describes the technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.
“IT security” describes a function as well as a method of implementing policies, procedures, and systems to defend the confidentiality, integrity, and availability of any digital information used, transmitted, or stored throughout the organization’s environment.
“Information security” defines the people, processes, and technology involved in protecting data (information) in any form – whether digital or on paper – through its creation, storage, transmission, exchange, and destruction.
Source: RIMS & ISACA
3.1 Establish level 1 risk types
2-3 hours

Input:
• Organization's strategy
• Other organizational artifacts if available (operating model, outputs from audits and risk assessments, risk profile, and risk appetite)
• Build an IT Risk Taxonomy Guideline
• IT Risk Taxonomy Definitions
Output:
• Level 1 IT risk types customized to your organization

1. Consider your current and future corporate goals and business initiatives, risk management artifacts, and macro industry trends.
2. Ask questions to understand risks unique to your organization.
3. Review Info-Tech’s IT level 1 risk types and identify the risk types that apply to your organization.
4. Add any risk types that are missing and unique to your organization.
5. Refine the definitions to suit your organization.
6. Be mutually exclusive and collectively exhaustive to the extent possible.

Materials:
• Whiteboard/flip charts
• Build an IT Risk Taxonomy Workbook
Participants:
• CISO
• Human resources
• Corporate communications
• CRO or risk owners
• Business leaders

Download Build an IT Risk Taxonomy Workbook


3.2 Map IT risk types against ERM level 1 risk types
1-2 hours

Input:
• IT level 1 risk types customized to your organization
• ERM level 1 risk types
Output:
• Final level 1 IT risk types

1. Using the output from Activity 3.1, map your IT risk types to your ERM level 1 risk types.
2. Record in the Build an IT Risk Taxonomy Workbook.

Materials:
• Whiteboard/flip charts
• Build an IT Risk Taxonomy Workbook
Participants:
• CISO
• Human resources
• Corporate communications
• CRO or risk owners
• Business leaders

Download Build an IT Risk Taxonomy Workbook


Map IT level 1 risk types to ERM
Test your level 1 IT risk types by mapping to your organization’s level 1 risk types.
Step 2 – Map IT level 1 risk types to ERM

ERM Level 1 Risks: Strategic; Reputational; Financial; Non-financial (Operational risk); Talent and Risk Culture; Sustainability (ESG)
IT Level 1 Risks: Technology; Talent; Strategic; Data; Third-Party; Security


3.3 Establishing level 2 and 3 risk types
3-4 hours

Input:
• Output from Activity 3.1, Establish level 1 risk types
• Build an IT Risk Taxonomy Workbook
• Build an IT Risk Taxonomy Guideline
Output:
• Level 2 and level 3 risk types recorded in Build an IT Risk Taxonomy Design Template

1. Using the level 1 IT risk types that you have defined and using Info-Tech’s Risk Taxonomy Guideline, first begin to identify level 2 risk types for each level 1 type.
2. Be mutually exclusive and collectively exhaustive to the extent possible.
3. Once satisfied with your level 2 risk types, break them down further to level 3 risk types.
Note: Smaller organizations may only define two risk levels, while larger organizations may define further to level 4.

Materials:
• Whiteboard/flip charts
• Build an IT Risk Taxonomy Design Template
Participants:
• CISO
• Human resources
• Corporate communications
• CRO or risk owners
• Business leaders

Download Build an IT Risk Taxonomy Design Template


Level 2 IT taxonomy structure
Step 3 – Break down your level 1 risk types into subcategories. This is complicated and may take many iterations to reach a consistent and accepted approach. Try to make your definitions intuitive and easy to understand so that they will endure the test of time.

Security vulnerabilities often surface through third parties, but where and how you manage this risk is highly dependent on how you structure your taxonomy. Organizations with a lot of exposure may have a dedicated team and may manage and report security risks under a level 1 third-party risk type.


Level 3 IT taxonomy structure
Step 3 – Break down your level 2 risk types into lower-level subcategories. The number of levels of risk you have will depend on the size of and magnitude of risks within your organization. In our examples, we demonstrate three levels.

Risk taxonomies for smaller organizations may only include two risk levels. However, large enterprises or more complex organizations may extend their taxonomy to level 3 or even 4. This illustration shows just a few examples of level 3 risks.


Test using risk events and controls
Ultimately risk events and controls need to roll up to level 1 risks in a consistent manner. Test the robustness of your taxonomy by working backward.
Step 4 – Work backward to test and align risk events and controls to the lowest level risk category.
• A key function of IT risk management is to monitor and maintain internal controls.
• Internal controls help to reduce the level of inherent risk to acceptable levels, known as residual risk.
• As risks evolve, new controls may be needed to upgrade protection for tech infrastructure and strengthen connections between critical assets and third-party suppliers.
Work backward to test your flow.

Example – Third Party Risk (Level 1 → Level 2 → Level 3 → risk event/control)
• Third-Party Risk → Business continuity planning → Internal control process → Control failure, e.g. SaaS drops
• Third-Party Risk → Performance → Contractual provisions
• Third-Party Risk → Technology configuration → Enforcing change control process → Failure due to poor integration


3.4 Test your IT taxonomy
2-3 hours

Input:
• Output from Activities 3.1 to 3.3
Output:
• IT risk taxonomy documented in the IT Risk Taxonomy Design Template

1. Leveraging the output from Activities 3.1 to 3.3 and your IT Risk Taxonomy Design Template, begin to test the robustness of the taxonomy by working backward from controls to level 1 IT risks.
2. The lineage should show clearly that the control will mitigate the impact of a realized risk event. Refine the control or move the control to another level 1 risk type if the control will not sufficiently reduce the impact of a realized risk event.
3. Once satisfied, update your risk register or your risk management software tool.

Materials:
• Whiteboard/flip charts
• IT risk register
• Build an IT Risk Taxonomy Design Template
Participants:
• CISO
• Human resources
• Corporate communications
• CRO or risk owners
• Business leaders

Download the Build an IT Risk Taxonomy Design Template
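As an added illustration (not part of the Info-Tech deck or its templates), the Python sketch below models the third-party branch from the Step 4 example as a tree and runs the backward test that Activities 3.3 and 3.4 describe: every risk event and control must be filed under exactly one lowest-level risk type, nothing may sit on an intermediate type, and each item's lineage must climb to a level 1 IT risk type and on to an ERM level 1 type. Filing each event under a level 3 type, the "Vendor SLA review" control, and the mapping of Third-Party to Non-financial (Operational risk) are assumptions made for this example.

```python
"""Model an IT risk taxonomy as a tree and run the backward test the guidance
describes: each risk event and control belongs to exactly one lowest-level
risk type, nothing is parked on an intermediate type, and each item's lineage
climbs to a level 1 IT risk type and then to the ERM level 1 type it rolls up to."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RiskType:
    name: str
    level: int
    parent: Optional["RiskType"] = None
    children: list = field(default_factory=list)
    events: list = field(default_factory=list)    # risk events filed here
    controls: list = field(default_factory=list)  # controls filed here


class Taxonomy:
    def __init__(self, it_to_erm: dict):
        self.types: dict = {}
        self.it_to_erm = it_to_erm   # level 1 IT type -> ERM level 1 type
        self.owners: dict = {}       # event/control name -> [risk type names]

    def add(self, name: str, parent: Optional[str] = None) -> None:
        p = self.types[parent] if parent else None
        node = RiskType(name, 1 if p is None else p.level + 1, p)
        if p is not None:
            p.children.append(node)
        self.types[name] = node

    def attach(self, item: str, type_name: str, kind: str) -> None:
        """kind is 'events' or 'controls'. Filing the same item twice is
        recorded rather than rejected so that check() can report it."""
        getattr(self.types[type_name], kind).append(item)
        self.owners.setdefault(item, []).append(type_name)

    def lineage(self, item: str) -> list:
        """Work backward: item -> lowest-level type -> ... -> level 1 -> ERM."""
        owners = self.owners.get(item, [])
        if len(owners) != 1:
            raise ValueError(f"{item!r} is filed under {len(owners)} risk types")
        node = self.types[owners[0]]
        chain = []
        while node is not None:
            chain.append(node.name)
            node = node.parent
        chain.reverse()              # level 1 first
        return [self.it_to_erm[chain[0]]] + chain

    def check(self) -> list:
        """Return the problems found; an empty list means the taxonomy passes."""
        problems = []
        for item, owners in self.owners.items():
            if len(owners) != 1:
                problems.append(f"{item!r} belongs to {len(owners)} risk types: {owners}")
        for node in self.types.values():
            if (node.events or node.controls) and node.children:
                problems.append(f"{node.name!r} carries items but is not a lowest-level type")
            if node.level == 1 and node.name not in self.it_to_erm:
                problems.append(f"level 1 type {node.name!r} maps to no ERM level 1 type")
        return problems


# Assumed mapping of the level 1 IT type to an ERM level 1 type; the deck lists
# both sets of level 1 types, but which maps to which is the organization's call.
IT_TO_ERM = {"Third-Party": "Non-financial (Operational risk)"}


def build_example() -> Taxonomy:
    """Third-party branch from the deck's Step 4 example. Filing each event
    under a level 3 type, and the 'Vendor SLA review' control, are assumptions."""
    t = Taxonomy(IT_TO_ERM)
    t.add("Third-Party")
    t.add("Business continuity planning", "Third-Party")
    t.add("Internal control process", "Business continuity planning")
    t.add("Performance", "Third-Party")
    t.add("Contractual provisions", "Performance")
    t.add("Technology configuration", "Third-Party")
    t.add("Enforcing change control process", "Technology configuration")
    t.attach("Control failure, e.g. SaaS drops", "Internal control process", "events")
    t.attach("Failure due to poor integration", "Enforcing change control process", "events")
    t.attach("Vendor SLA review", "Contractual provisions", "controls")  # constructed
    return t


def build_misfiled_example() -> Taxonomy:
    """Same branch with two mistakes the backward test should catch: a control
    filed under two types, and an event parked on a level 2 type."""
    t = build_example()
    t.attach("Vendor SLA review", "Enforcing change control process", "controls")
    t.attach("Unplanned vendor outage", "Performance", "events")  # constructed
    return t


if __name__ == "__main__":
    good = build_example()
    print(" -> ".join(good.lineage("Failure due to poor integration")))
    print("problems in good taxonomy:", good.check())
    print("problems in misfiled taxonomy:", build_misfiled_example().check())
```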


Update risk register
Step 5 – Once you are satisfied with your risk categories, update your risk registry with your IT risk taxonomy.
Use Info-Tech’s Risk Register Tool or populate your internal risk software tool.
Download Info-Tech’s Risk Register Tool


Augment the risk event list using COBIT 2019 processes (Optional)
Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.
1. Managed IT Management Framework
2. Managed Strategy
3. Managed Enterprise Architecture
4. Managed Innovation
5. Managed Portfolio
6. Managed Budget and Costs
7. Managed Human Resources
8. Managed Relationships
9. Managed Service Agreements
10. Managed Vendors
11. Managed Quality
12. Managed Risk
13. Managed Security
14. Managed Data
15. Managed Programs
16. Managed Requirements Definition
17. Managed Solutions Identification and Build
18. Managed Availability and Capacity
19. Managed Organizational Change Enablement
20. Managed IT Changes
21. Managed IT Change Acceptance and Transitioning
22. Managed Knowledge
23. Managed Assets
24. Managed Configuration
25. Managed Projects
26. Managed Operations
27. Managed Service Requests and Incidents
28. Managed Problems
29. Managed Continuity
30. Managed Security Services
31. Managed Business Process Controls
32. Managed Performance and Conformance Monitoring
33. Managed System of Internal Control
34. Managed Compliance with External Requirements
35. Managed Assurance
36. Ensured Governance Framework Setting and Maintenance
37. Ensured Benefits Delivery
38. Ensured Risk Optimization
39. Ensured Resource Optimization
40. Ensured Stakeholder Engagement
Example IT risk appetite
When developing your risk appetite statements, ensure they are aligned to your organization’s risk appetite and that success can be measured.

Example IT Risk Appetite Statement

Risk Type: Technology Risk

Appetite Statement: Our organization’s number-one priority is to provide high-quality, trusted service to our customers. To meet this objective, critical systems must be highly performant and well protected from potential threats, and the following expectations have been established:
• No appetite for unauthorized access to systems and confidential data.
• Low appetite for service downtime.
  o Service availability objective of 99.9%.
  o Near real-time recovery of critical services: ideally within 30 minutes, no longer than 3 hours.

Risk Owner: Chief Information Officer

Risk Oversight: Enterprise Risk Committee

Supporting Framework(s): Business Continuity Management, Information Security, Internal Audit

Notes on the example:
• IT should establish a risk appetite statement for each level 1 IT risk type.
• The ideal risk appetite statement is qualitative and supported by quantitative measures. The downtime bullet above carries its measures (99.9% availability, 30-minute target, 3-hour limit); the unauthorized-access bullet does not, and to be monitored it needs one as well, for example a count of confirmed unauthorized-access incidents per reporting period with a tolerance of zero.
• Ultimately there is an accountable owner (or owners), but involve business and technology stakeholders when drafting to gain consensus.
• The number of supporting programs and frameworks will vary with the size of the organization.
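The measures in the example statement are only useful if something actually evaluates them each reporting period. The block below is an added illustration written for this page, not code from Info-Tech’s workbook or tooling: it encodes the example statement’s numbers (99.9% availability objective, 30-minute recovery target, 3-hour recovery limit, zero tolerance for unauthorized access) as thresholds and evaluates a constructed 30-day incident log against each of them. The Incident record layout, the single-service view of availability (downtime is the sum of critical-service outage time inside the window) and the sample incidents are all assumptions made for this example.

```python
"""Turn the example IT risk appetite statement into monitored tolerance checks.

Added illustration written for this page, not Info-Tech's workbook or tooling.
Thresholds come from the example statement (99.9% availability objective,
recovery ideally within 30 minutes and never longer than 3 hours, no appetite
for unauthorized access). The Incident fields, the single-service view of
availability and the incident records at the bottom are assumptions made for
this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Appetite:
    """Quantitative measures backing the qualitative appetite statement."""
    availability_objective: float = 0.999                # 99.9% service availability
    recovery_target: timedelta = timedelta(minutes=30)   # "ideally within 30 minutes"
    recovery_limit: timedelta = timedelta(hours=3)       # "no longer than 3 hours"
    unauthorized_access_limit: int = 0                   # "no appetite": the tolerance is zero


@dataclass(frozen=True)
class Incident:
    """One incident-log record (field names are assumptions for this example)."""
    ref: str
    start: datetime
    restored: datetime
    critical: bool               # affected a critical service
    unauthorized_access: bool    # confirmed unauthorized access to systems or data

    @property
    def recovery_time(self) -> timedelta:
        return self.restored - self.start


def error_budget(appetite: Appetite, period: timedelta) -> timedelta:
    """Downtime the objective tolerates over the period: (1 - 0.999) * 30 days = 43.2 min."""
    return period * (1.0 - appetite.availability_objective)


def evaluate(appetite: Appetite, incidents: list[Incident],
             period_start: datetime, period_end: datetime) -> dict:
    """Measure one reporting period against every expectation in the statement.

    Availability is computed from critical-service outage time clipped to the
    reporting window, so an outage that straddles a period boundary is not
    counted twice. Recovery time is measured on the whole incident, because the
    3-hour limit applies to the incident, not to the slice inside the window.
    """
    period = period_end - period_start
    downtime = timedelta(0)
    recovery_times: list[timedelta] = []
    for inc in incidents:
        if not inc.critical:
            continue
        start, end = max(inc.start, period_start), min(inc.restored, period_end)
        if end <= start:
            continue  # no overlap with the reporting window
        downtime += end - start
        recovery_times.append(inc.recovery_time)
    availability = 1.0 - downtime / period
    slowest = max(recovery_times, default=timedelta(0))
    unauthorized = sum(1 for inc in incidents
                       if inc.unauthorized_access and period_start <= inc.start < period_end)
    return {
        "availability": availability,
        "availability_met": availability >= appetite.availability_objective,
        "error_budget_remaining": error_budget(appetite, period) - downtime,
        "recoveries_over_target": sum(1 for t in recovery_times if t > appetite.recovery_target),
        "recovery_limit_breached": slowest > appetite.recovery_limit,
        "unauthorized_access_incidents": unauthorized,
        "unauthorized_access_breached": unauthorized > appetite.unauthorized_access_limit,
    }


# Constructed sample data: a 30-day reporting window and four incidents.
PERIOD_START = datetime(2023, 3, 1)
PERIOD_END = datetime(2023, 3, 31)
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2023, 3, 4, 9, 0), datetime(2023, 3, 4, 9, 20), True, False),
    Incident("INC-2", datetime(2023, 3, 12, 2, 0), datetime(2023, 3, 12, 2, 50), True, False),
    Incident("INC-3", datetime(2023, 3, 20, 14, 0), datetime(2023, 3, 20, 16, 0), False, False),
    Incident("INC-4", datetime(2023, 3, 25, 11, 0), datetime(2023, 3, 25, 11, 10), False, True),
]

if __name__ == "__main__":
    for key, value in evaluate(Appetite(), SAMPLE_INCIDENTS, PERIOD_START, PERIOD_END).items():
        print(f"{key}: {value}")
```

On the sample month the two critical outages add up to 70 minutes, which overshoots the 43.2-minute error budget that 99.9% allows over 30 days, so the availability expectation is breached even though no single recovery came near the 3-hour limit; the one confirmed unauthorized-access incident breaches the zero-tolerance expectation on its own. Those are exactly the two results a risk owner would want surfaced in the register rather than discovered in an audit.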
3.5 Draft your IT risk appetite statements
Optional activity, 2-3 hours

Input:
• Organization’s risk appetite statement
• Build an IT Risk Taxonomy Workbook
• IT Risk Taxonomy Design Template

Output:
• IT risk appetite statements

1. Using your completed taxonomy and your organization’s risk appetite statement, draft an IT risk appetite statement for each level 1 risk in your workbook.
2. Socialize the statements and gain approval.
3. Add the approved risk appetite statements to your IT risk register.

Materials:
• Whiteboard/flip charts
• Build an IT Risk Taxonomy Workbook

Participants:
• CISO, CIO
• Human resources
• Corporate communications
• CRO or risk owners
• Business leaders

Download: Build an IT Risk Taxonomy Workbook

Key takeaways and next steps
• The risk taxonomy is the backbone of a robust enterprise risk management program. A good taxonomy is frequently used and well understood.
• The risk taxonomy is used not only to assess organizational impact but also for risk reporting, scenario analysis and horizon scanning, and risk appetite expression.
• It is essential to capture IT risks within the ERM framework to fully understand their impact and allow for consistent risk discussions and meaningful aggregation.
• Defining an IT risk taxonomy is a team sport, and organizations should strive to set up a cross-functional working group that is tasked with defining the taxonomy, monitoring its effectiveness, and ensuring continual improvement.
• The work does not end when the taxonomy is complete. The taxonomy should be well socialized throughout the organization after inception through training and new policies and procedures. Ultimately, it should be an activity embedded into risk management practices.
• The taxonomy is a living document and should be continually improved upon.


3.6 Prepare to communicate the taxonomy internally
1-2 hours

Input:
• Build an IT Risk Taxonomy Workbook
• Upcoming research: Communicate Any IT Initiative

Output:
• Presentation

To gain acceptance of your risk taxonomy within your organization, ensure it is well understood and used throughout the organization.
1. Consider your audience and agree on the key elements you want to convey.
2. Prepare your presentation.
3. Test your presentation with a smaller group before communicating to senior leadership or the board.

Materials:
• Whiteboard/flip charts
• Upcoming research: Communicate Any IT Initiative
• Internal communication templates

Participants:
• CISO, CIO
• Human resources
• Corporate communications
• CRO or risk owners
• Business leaders

Coming soon: Look for our upcoming research Communicate Any IT Initiative.


Related Info-Tech Research

Build an IT Risk Management Program
• Use this blueprint to transform your ad hoc risk management processes into a formalized, ongoing program and increase risk management success.
• Learn how to take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.

Integrate IT Risk Into Enterprise Risk
• Use this blueprint to understand gaps in your organization’s approach to risk management.
• Learn how to integrate IT risks into the foundational risk practice.

Coming Soon: Communicate Any IT Initiative
• Use this blueprint to compose an easy-to-understand presentation to convey the rationale of your initiative and plan of action.
• Learn how to identify your target audience and tailor and deliver the message in an authentic and clear manner.


Risk definitions

Emergent Risk: Risks that are poorly understood but expected to grow in significance.
Residual Risk: The amount of risk you have left after you have removed a source of risk or implemented a mitigation approach (controls, monitoring, assurance).
Risk Acceptance: If the risk is within the enterprise’s risk tolerance, or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses.
Risk Appetite: An organization’s general approach and attitude toward risk; the total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes.
Risk Assessment: The process of estimating and evaluating risk.
Risk Avoidance: The risk response where an organization chooses not to perform a particular action or maintain an existing engagement due to the risk involved.
Risk Event: A risk occurrence (actual or potential) or a change of circumstances. Can consist of more than one occurrence or of something not happening. Can be referred to as an incident or accident.
Risk Identification: The process of finding, recognizing, describing, and documenting risks that could impact the achievement of objectives.
Risk Management: The capability and related activities used by an organization to identify and actively manage risks that affect its ability to achieve goals and strategic objectives. Includes principles, processes, and framework.
Risk Likelihood: The chance of a risk occurring. Usually measured mathematically using probability.
Risk Management Policy: Expresses an organization’s commitment to risk management and clarifies its use and direction.
Risk Mitigation: The risk response where an action is taken to reduce the impact or likelihood of a risk occurring.
Risk Profile: A written description of a set of risks.
Risk Opportunity: A cause/trigger of a risk with a positive outcome.
Risk Owner: The designated party responsible and accountable for ensuring that the risk is maintained in accordance with enterprise requirements.
Risk Register: A tool used to identify and document potential and active risks in an organization and to track the actions in place to manage each risk.
Risk Response: How you choose to respond to a risk (accept, mitigate, transfer, or avoid).
Risk Source: The element that, alone or in combination, has the potential to give rise to a risk. Usually this is the root cause of the risk.
Risk Statement: A description of the current conditions that may lead to the loss, and a description of the loss.
Risk Tolerance: The amount of risk you are prepared or able to accept (in terms of volume or impact); the amount of uncertainty an organization is willing to accept in the aggregate (or more narrowly within a certain business unit or for a specific risk category). Expressed in quantitative terms that can be monitored (such as volatility or deviation measures), risk tolerance is often communicated in terms of acceptable/unacceptable outcomes or as limited levels of risk. Risk tolerance statements identify the specific minimum and maximum levels beyond which the organization is unwilling to accept variations from the expected outcome.
Risk Transfer: The risk response where you transfer the risk to a third party.


Research Contributors and Experts

LynnAnn Brewer, Director – HR Research & Advisory Services, McLean & Company
Brittany Lutes, Research Director, Info-Tech Research Group
Ida Siahaan, Research Director, Info-Tech Research Group
Sandi Conrad, Principal Research Director, Info-Tech Research Group
Carlene McCubbin, Practice Lead – CIO Practice, Info-Tech Research Group
Steve Willis, Practice Lead – Data Practice, Info-Tech Research Group
Valence Howden, Principal Research Director, Info-Tech Research Group
Frank Sargent, Senior Workshop Director, Info-Tech Research Group
John Kemp, Executive Counselor – Executive Services, Info-Tech Research Group
Frank Sewell, Advisory Director, Info-Tech Research Group

