CobiT FAQ > A need for risk identification?


Will future versions of CobiT give consideration to the perceived need for risk identification?

Risk is addressed pervasively throughout CobiT, and even more so since the Management Guidelines were introduced in the 3rd Edition. A major driver of the control and assurance processes is the IT Governance model, which is now covered extensively in CobiT and in the Management Guidelines framework. IT governance refers to the generic enterprise objectives of measuring benefits and managing risk. The same idea, risk management as an enterprise objective, was already captured in earlier CobiT editions: CobiT states that IT must provide the enterprise with information that has the required characteristics (the information criteria) so that enterprise objectives can be achieved. The security-related criteria of availability, integrity and confidentiality are the ones most readily associated with risk, but failing to achieve enterprise objectives, or failing to deliver information that meets any of the required criteria, is itself a risk that the enterprise needs to control.

Specific examples are provided in the 'substantiating' section of the Audit Guidelines. The objective of that section is to document for management what can happen, or has happened, when effective control is not in place. More concretely, one entire IT process is dedicated to the assessment of risk (see PO9 - Assess Risks).

In conclusion, risk is addressed in three ways. First, the Framework addresses risk proactively by focusing on objectives, because the primary risk to be managed is that of not achieving those objectives. Second, the 'substantiating' section of the Audit Guidelines gives examples of these risks for each process, which is the risk information the control and assurance professional is looking for. Finally, a whole IT process (PO9) is dedicated to the assessment of risk within the overall set of IT objectives.
