How to implement an IT risk framework


The search for the IT risk framework

All organizations face risks; what sets them apart is how those risks are managed. A mature organization has a risk management process that keeps senior management informed of what these risks are so that they can be taken into account when making decisions.

In addition, organizations that bring risk management into their decision-making are able to create opportunities and gain a competitive advantage over those that do not manage their risks properly.

Given today's dependence on information technology, the IT risks organizations face have become remarkably important to achieving the business objectives they set. These risks cut across the whole organization, and the complexity of managing them makes this no easy task. For this reason, organizations turn to frameworks that allow risks to be evaluated and treated, and results to be obtained.

One of the crucial steps when implementing an IT management framework is deciding how to combine technological and business processes, aligning the IT environment with business needs to create value.

Without prior experience, defining all these processes and their interrelationships is not an easy task. Organizations therefore seek to implement these processes on the basis of standards already adopted by the industry with known levels of success. One example is COBIT, which was recently updated in 2019.

COBIT was originally published in 2012 by ISACA in response to new standards found in the industry: the process capability model proposed by ISO 15504 (SPICE) and the distinction made by ISO 38500 between corporate governance and management. This means that processes are not treated as having just two states (implemented or not); instead, different implementation states are identified according to their maturity. To do this, COBIT proposes six capability levels, ranging from 0, the most basic, to 5, in which the process in question is fully defined and its performance is measured in order to improve it as part of continuous improvement.

This standard is not intended to replace other norms or standards such as ISO 20000 or ISO 27000, but to combine them, identifying desirable outcomes and offering methods for achieving them.

COBIT is based on six principles on which to structure a system of governance:

  • Provide value and satisfy stakeholders
  • Cover the enterprise end to end
  • Dynamic governance system
  • Separate governance from management
  • Adapt to the needs of the enterprise
  • Holistic governance system

Governance ensures that the organization's processes and objectives are aligned with the needs, conditions and interests of stakeholders. Senior management, on the other hand, focuses its efforts on obtaining benefits and optimizing risks and resources.

COBIT, in its 2019 edition, incorporates more than 25 years of experience and defines 40 objectives through which technology and information objectives contribute to the objectives of the organization. These objectives are organized into different perspectives, as shown in the following image:

[Image: COBIT 2019 governance and management objectives]

Source: COBIT 2019, ISACA International

To create and sustain a governance system, COBIT defines a number of basic components. The standard also interrelates these elements and defines the different work products they use. These components are:

  • Processes
  • Organizational structures
  • Principles, policies and procedures
  • Information
  • Culture, ethics and behaviour
  • People, skills and competences
  • Services, infrastructure and applications

As we have seen in its definition, risk management is an essential process that links governance and management, connecting business needs with operations to ensure that objectives are met.

Regardless of whether the risk management framework is based on the above standard, the organization must have the appropriate mechanisms to manage the processes it implements. The different processes must be defined, objectives identified, risks associated with them, dashboards defined to support decision-making, and so on. This is only possible using collaborative, parameterizable tools that allow all processes to be managed in an integrated way.

Processes such as change management, capacity or availability management, configuration management, asset management and risk management require a high degree of automation and interrelation in order to take advantage of the effort invested, since most of them share common activities.

At GlobalSuite Solutions we offer the tools and advice needed to implement an IT Risk Management framework that spans the entire organization and is parameterized to obtain the expected results, supporting decision-making and allowing you to manage your risks properly.