Enterprise IT risk management is the process of identifying, analyzing, evaluating, and treating the IT-related risks that may affect the organization’s objectives, operations, or assets1. Enterprise IT risk management should be aligned with the organization’s overall riskmanagement framework and strategy, and support the organization’s value creation and protection2.
When evaluating enterprise IT risk management, it is most important to confirm the organization’s risk appetite and tolerance. Risk appetite is the amount and type of risk that an organization is willing to take in order to meet its strategic objectives3. Risk tolerance is the acceptable level of variation that an organization is willing to accept around its risk appetite4. By confirming the organization’s risk appetite and tolerance, the evaluation can:
Ensure that the enterprise IT risk management is consistent and compatible with the organization’s risk culture and vision
Provide clear and measurable criteria and boundaries for assessing and prioritizing the IT risks and their impacts
Guide the selection and implementation of the appropriate risk responses and controls that balance the costs and benefits of risk mitigation
Enable the monitoring and reporting of the IT risk performance and outcomes, and the adjustment of the IT risk strategy and objectives as needed5
References = Enterprise IT Risk Management - ISACA, Enterprise Risk Management - Wikipedia, Risk Appetite - COSO, Risk Tolerance - COSO, Risk Appetite and Tolerance - IRM