Get Instant Access
to This Blueprint

Cio icon

Build an IT Risk Taxonomy

If integrated risk is your destination, your IT risk taxonomy is the road to get you there.

  • Business leaders, driven by the need to make more risk-informed decisions, are putting pressure on IT to provide more timely and consistent risk reporting.
  • IT risk managers need to balance the emerging threat landscape with not losing sight of the risks of today.
  • IT needs to strengthen IT controls and anticipate risks in an age of disruption.

Our Advice

Critical Insight

A common understanding of risks, threats, and opportunities gives organizations the flexibility and agility to adapt to changing business conditions and drive corporate value.

Impact and Result

  • Use this blueprint as a baseline to build a customized IT risk taxonomy suitable for your organization.
  • Learn about the role and drivers of integrated risk management and the benefits it brings to enterprise decision-makers.
  • Discover how to set up your organization up for success by understanding how risk management links to organizational strategy and corporate performance.

Build an IT Risk Taxonomy Research & Tools

1. Build an IT Risk Taxonomy – Develop a common approach to managing risks to enable faster, more effective decision making.

Learn how to develop an IT risk taxonomy that will remain relevant over time while providing the granularity and clarity needed to make more effective risk-based decisions.

2. Build an IT Risk Taxonomy Guideline and Template – A set of tools to customize and design an IT risk taxonomy suitable for your organization.

Leverage these tools as a starting point to develop risk levels and definitions appropriate to your organization. Take a collaborative approach when developing your IT risk taxonomy to gain greater acceptance and understanding of accountability.

3. IT Risk Taxonomy Workbook – A place to complete activities and document decisions that may need to be communicated.

Use this workbook to document outcomes of activities and brainstorming sessions.

4. IT Risk Register – An internal control tool used to manage IT risks. Risk levels archived in this tool are instrumental to achieving an integrated and holistic view of risks across an organization.

Leverage this tool to document risk levels, risk events, and controls. Smaller organizations can leverage this tool for risk management while larger organizations may find this tool useful to structure and define risks prior to using a risk management software tool.


Workshop: Build an IT Risk Taxonomy

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Review IT Risk Fundamentals and Governance

The Purpose

Review IT risk fundamentals and governance.

Key Benefits Achieved


Learn how enterprise risk management and IT risk management intersect and the role the IT taxonomy plays in integrated risk management.

Activities

Outputs

1.1

Discuss risk fundamentals and the benefits of integrated risk.

  • IT Risk Taxonomy Committee Charter Template
  • Build an IT Risk Taxonomy Workbook
1.2

Create a cross-functional IT taxonomy working group.

Module 2: Identify Level 1 Risk Types

The Purpose

Identify suitable IT level 1 risk types.

Key Benefits Achieved


Level 1 IT risk types are determined and have been tested against ERM level one risk types.

Activities

Outputs

2.1

Discuss corporate strategy, business risks, macro trends, and organizational opportunities and constraints.

  • Build an IT Risk Taxonomy Workbook
2.2

Establish level 1 risk types.

2.3

Test soundness of IT level 1 types by mapping to ERM level 1 types.

Module 3: Identify Level 2 and Level 3 Risk Types

The Purpose

Define level 2 and level 3 risk types.

Key Benefits Achieved

Level 2 and level 3 risk types have been determined.

Activities

Outputs

3.1

Establish level 2 risk types.

  • Build an IT Risk Taxonomy Design Template
  • Risk Register Tool
3.2

Establish level 3 risk types (and level 4 if appropriate for your organization).

3.3

Begin to test by working backward from controls to ensure risk events will aggregate consistently.

Module 4: Monitor, Report, and Respond to IT Risk

The Purpose

Test the robustness of your IT risk taxonomy by populating the risk register with risk events and controls.

Key Benefits Achieved

Your IT risk taxonomy has been tested and your risk register has been updated.

Activities

Outputs

4.1

Continue to test robustness of taxonomy and iterate if necessary.

  • Build an IT Risk Taxonomy Design Template
  • Risk Register Tool
  • Build an IT Risk Taxonomy Workbook
4.2

Optional activity: Draft your IT risk appetite statements.

4.3

Discuss communication and continual improvement plan.


Build an IT Risk Taxonomy

If integrated risk is your destination, your IT risk taxonomy is the road to get you there.

Analyst Perspective

Donna Bales.

The pace and uncertainty of the current business environment introduce new and emerging vulnerabilities that can disrupt an organization’s strategy on short notice.

Having a long-term view of risk while navigating the short term requires discipline and a robust and strategic approach to risk management.

Managing emerging risks such as climate risk, the impact of digital disruption on internal technology, and the greater use of third parties will require IT leaders to be more disciplined in how they manage and communicate material risks to the enterprise.

Establishing a hierarchical common language of IT risks through a taxonomy will facilitate true aggregation and integration of risks, enabling more effective decision making. This holistic, disciplined approach to risk management helps to promote a more sustainable risk culture across the organization while adding greater rigor at the IT control level.

Donna Bales
Principal Research Director
Info-Tech Research Group

Executive Summary

Your Challenge

Common Obstacles

Info-Tech’s Approach

IT has several challenges when managing and responding to risk events:

  • Business leaders, driven by the need to make more risk-informed decisions, are putting pressure on IT to provide more timely and consistent risk reporting.
  • Navigating today’s ever-evolving threat landscape is complex. IT risk managers need to balance the emerging threat landscape while not losing sight of the risks of today.
  • IT needs to strengthen IT controls and anticipate risks in an age of disruption.

Many IT organizations encounter obstacles in these areas:

  • Ensuring an integrated, well-coordinated approach to risk management across the organization.
  • Developing an IT risk taxonomy that will remain relevant over time while providing sufficient granularity and definitional clarity.
  • Gaining acceptance and ensuring understanding of accountability. Involving business leaders and a wide variety of risk owners when developing your IT risk taxonomy will lead to greater organizational acceptance.

.

  • Take a collaborative approach when developing your IT risk taxonomy to gain greater acceptance and understanding of accountability.
  • Spend the time to fully analyze your current and future threat landscape when defining your level 1 IT risks and consider the causal impact and complex linkages and intersections.
  • Recognize that the threat landscape will continue to evolve and that your IT risk taxonomy is a living document that must be continually reviewed and strengthened.

Info-Tech Insight

A common understanding of risks, threats, and opportunities gives organizations the flexibility and agility to adapt to changing business conditions and drive corporate value.

Increasing threat landscape

The risk landscape is continually evolving, putting greater pressure on the risk function to work collaboratively throughout the organization to strengthen operational resilience and minimize strategic, financial, and reputational impact.

Financial Impact

Strategic Risk

Reputation Risk

In IBM’s 2021 Cost of a Data Breach Report, the Ponemon Institute found that data security breaches now cost companies $4.24 million per incident on average – the highest cost in the 17-year history of the report.

58% percent of CROs who view inability to manage cyber risks as a top strategic risk.

EY’s 2022 Global Bank Risk Management survey revealed that Chief Risk Officers (CROs) view the inability to manage cyber risk and the inability to manage cloud and data risk as the top strategic risks.

Protiviti’s 2023 Executive Perspectives on Top Risks survey featured operational resilience within its top ten risks. An organization’s failure to be sufficiently resilient or agile in a crisis can significantly impact operations and reputation.

Persistent and emerging threats

Organizations should not underestimate the long-term impact on corporate performance if emerging risks are not fully understood, controlled, and embedded into decision-making.

Talent Risk

Sustainability

Digital Disruption

Protiviti’s 2023 Executive Perspectives on Top Risks survey revealed talent risk as the top risk organizations face, specifically organizations’ ability to attract and retain top talent. Of the 38 risks in the survey, it was the only risk issue rated at a “significant impact” level.

Sustainability is at the top of the risk agenda for many organizations. In EY’s 2022 Global Bank Risk Management survey, environmental, social, and governance (ESG) risks were identified as a risk focus area, with 84% anticipating it to increase in priority over the next three years. Yet Info-Tech’s Tech Trends 2023 report revealed that only 24% of organizations could accurately report on their carbon footprint.

Source: Info-Tech 2023 Tech Trends Report

The risks related to digital disruption are vast and evolving. In the short term, risks surface in compliance and skills shortage, but Protiviti’s 2023 Executive Perspectives survey shows that in the longer term, executives are concerned that the speed of change and market forces may outpace an organization’s ability to compete.

Build an IT risk taxonomy: As technology and digitization continue to advance, risk management practices must also mature. To strengthen operational and financial resiliency, it is essential that organizations move away from a siloed approach to IT risk management wart an integrated approach. Without a common IT risk taxonomy, effective risk assessment and aggregation at the enterprise level is not possible.

Blueprint benefits

IT Benefits

Business Benefits

  • Simple, customizable approach to build an IT risk taxonomy
  • Improved satisfaction with IT for senior leadership and business units
  • Greater ability to respond to evolving threats
  • Improved understanding of IT’s role in enterprise risk management (ERM)
  • Stronger, more reliable internal control framework
  • Reduced operational surprises and failures
  • More dynamic decision making
  • More proactive risk responses
  • Improve transparency and comparability of risks across silos
  • Better financial resilience and confidence in meeting regulatory requirements
  • More relevant risk assurance for key stakeholders

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

IT Risk Taxonomy Committee Charter Template

Create a cross-functional IT risk taxonomy committee.

The image contains a screenshot of the IT risk taxonomy committee charter template.

Build an IT Risk Taxonomy Guideline

Use IT risk taxonomy as a baseline to build your organization’s approach.

The image contains a screenshot of the build an it risk taxonomy guideline.

Build an IT Risk Taxonomy Design Template

Use this template to design and test your taxonomy.

The image contains a screenshot of the build an IT risk taxonomy design template.

Risk Register Tool

Update your risk register with your IT risk taxonomy.

The image contains a screenshot of the risk register tool.

Key deliverable:

Build an IT Risk Taxonomy Workbook

Use the tools and activities in each phase of the blueprint to customize your IT risk taxonomy to suit your organization’s needs.

The image contains a screenshot of the build an IT risk taxonomy workbook.

Benefit from industry-leading best practices

As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensures that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

COSO’s Enterprise Risk Management —Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.

ISO 31000 – Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

COBIT 2019’s IT functions were used to develop and refine the ten IT risk categories used in our top-down risk identification methodology.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

Phase 1 Phase 2 Phase 3

Call #1: Review risk management fundamentals.

Call #2: Review the role of an IT risk taxonomy in risk management.

Call #3: Establish a cross-functional team.

Calls #4-5: Identify level 1 IT risk types. Test against enterprise risk management.

Call #6: Identify level 2 and level 3 risk types.

Call #7: Align risk events and controls to level 3 risk types and test.

Call #8: Update your risk register and communicate taxonomy internally.

A Guided Implementation (GI) is a series

of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 8 calls over the course of 3 to 6 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Day 1 Day 2 Day 3 Day 4 Day 5

Review IT Risk Fundamentals and Governance

Identify Level 1 IT Risk Types

Identify Level 2 and Level 3 Risk Types

Monitor, Report, and Respond to IT Risk

Next Steps and
Wrap-Up (offsite)

Activities

1.1 Discuss risk fundamentals and the benefits of integrated risk.

1.2 Create a cross-functional IT taxonomy working group.

2.1 Discuss corporate strategy, business risks, macro trends, and organizational opportunities and constraints.

2.2 Establish level 1 risk types.

2.3 Test soundness of IT level 1 types by mapping to ERM level 1 types.

3.1 Establish level 2 risk types.

3.2 Establish level 3 risk types (and level 4 if appropriate for your organization).

3.3 Begin to test by working backward from controls to ensure risk events will aggregate consistently.

4.1 Continue to test robustness of taxonomy and iterate if necessary.

4.2 Optional activity: Draft your IT risk appetite statements.

4.3 Discuss communication and continual improvement plan.

5.1 Complete in-progress deliverables from previous four days.

5.2 Set up review time for workshop deliverables and to discuss next steps.

Deliverables
  1. T Risk Taxonomy Committee Charter Template
  2. Build an IT Risk Taxonomy Workbook
  1. Build an IT Risk Taxonomy Workbook
  1. IT Risk Taxonomy Design Template
  2. Risk Register
  1. IT Risk Taxonomy Design Template
  2. Risk Register
  3. Build an IT Risk Taxonomy Workbook
  1. Workshop Report

Phase 1

Understand Risk Management Fundamentals

Phase 1

Phase 2

Phase 3

  • Governance, Risk, and Compliance
  • Enterprise Risk Management
  • Enterprise Risk Appetite
  • Risk Statements and Scenarios
  • What Is a Risk Taxonomy?
  • Functional Role of an IT Risk Taxonomy
  • Connection to Enterprise Risk Management
  • Establish Committee
  • Steps to Define IT Risk Taxonomy
  • Define Level 1
  • Test Level 1
  • Define Level 2 and 3
  • Test via Your Control Framework

Governance, risk, and compliance (GRC)

Risk management is one component of an organization’s GRC function.

GRC principles are important tools to support enterprise management.

Governance sets the guardrails to ensure that the enterprise is in alignment with standards, regulations, and board decisions. A governance framework will communicate rules and expectations throughout the organization and monitor adherence.

Risk management is how the organization protects and creates enterprise value. It is an integral part of an organization’s processes and enables a structured decision-making approach.

Compliance is the process of adhering to a set of guidelines; these could be external regulations and guidelines or internal corporate policies.

GRC principles are tightly bound and continuous

The image contains a screenshot of a continuous circle that is divided into three parts: risk, compliance, and governance.

Enterprise risk management

Regardless of size or structure, every organization makes strategic and operational decisions that expose it to uncertainties.

Enterprise risk management (ERM) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS).

An ERM is program is crucial because it will:

  • Help shape business objectives, drive revenue growth, and execute risk-based decisions.
  • Enable a deeper understanding of risks and assessment of current risk profile.
  • Support forward-looking risk management and more constructive dialogue with the board and regulatory agencies.
  • Provide insight on the robustness and efficacy of risk management processes, tools, and controls.
  • Drive a positive risk culture.

ERM is supported by strategy, effective processes, technology, and people

The image contains a screenshot that demonstrates how ERM is supported by strategy, effective processes, technology, and people.

Risk frameworks

Risk frameworks are leveraged by the industry to “provide a structure and set of definitions to allow enterprises of all types and sizes to understand and better manage their risk environments.” COSO Enterprise Risk Management, 2nd edition

  • Many organizations lean on the Committee of Sponsoring Organizations’ Enterprise Risk Management framework (COSO ERM) and ISO 31000 to view organizational risks from an enterprise perspective.
  • Prior to the introduction of standardized risk frameworks, it was difficult to quantify the impact of a risk event on the entire enterprise, as the risk was viewed in a silo or as an individual risk component.
  • Recently, the National Institute of Science and Technology (NIST) published guidance on developing an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.

The image contains a screenshot of NIST ERM approach to strategic risk.

Source: National Institute of Standards and Technology

New NIST guidance (NISTIR 8286) emphasizes the complexity of risk management and the need for the risk management process to be carried out seamlessly across three tiers with the overall objective of continuous improvement.

Enterprise risk appetite

“The amount of risk an organization is willing to take in pursuit of its objectives”

– Robert R. Moeller, COSO ERM Framework Model
  • A primary role of the board and senior management is to balance value creation with effectively management of enterprise risks.
  • As part of this role, the board will approve the enterprise’s risk appetite. Placing this responsibility with the board ensures that the risk appetite is aligned with the company’s strategic objectives.
  • The risk appetite is used throughout the organization to assess and respond to individual risks, acting as a constant to make sure that risks are managed within the organization’s acceptable limits.
  • Each year, or in reaction to a risk trigger, the enterprise risk appetite will be updated and approved by the board.
  • Risk appetite will vary across organizations for several reasons, such as industry, company culture, competitors, the nature of the objectives pursued, and financial strength.

Change or new risks » adjust enterprise risk profile » adjust risk appetite

Risk profile vs. risk appetite

Risk profile is the broad parameters an organization considers in executing its business strategy. Risk appetite is the amount of risk an entity is willing to accept in pursuit of its strategic objectives. The risk appetite can be used to inform the risk profile or vice versa. Your organization’s risk culture informs and is used to communicate both.

Risk Tolerant

Moderate

Risk Averse

  • You have no compliance requirements.
  • You have no sensitive data.
  • Customers do not expect you to have strong security controls.
  • Revenue generation and innovative products take priority and risk is acceptable.
  • The organization does not have remote locations.
  • It is likely that your organization does not operate within the following industries:
    • Finance
    • Healthcare
    • Telecom
    • Government
    • Research
    • Education
  • You have some compliance requirements, such as:
    • HIPAA
    • PIPEDA
  • You have sensitive data and are required to retain records.
  • Customers expect strong security controls.
  • Information security is visible to senior leadership.
  • The organization has some remote locations.
  • Your organization most likely operates within the following industries:
    • Government
    • Research
    • Education
  • You have multiple strict compliance and/or regulatory requirements.
  • You house sensitive data, such as medical records.
  • Customers expect your organization to maintain strong and current security controls.
  • Information security is highly visible to senior management and public investors.
  • The organization has multiple remote locations.
  • Your organization operates within the following industries:
    • Finance
    • Healthcare
    • Telecom

Where the IT risk appetite fits into the risk program

  • Your organization’s strategy and associated risk appetite cascade down to each business department. Overall strategy and risk appetite also set a strategy and risk appetite for each department.
  • Both risk appetite and risk tolerances set boundaries for how much risk an organization is willing or prepared to take. However, while appetite is often broad, tolerance is tactical and focused.
  • Tolerances apply to specific objectives and provide guidance to those executing on a day-to-day basis. They measure the variation around performance expectations that the organization will tolerate.
  • Ideally, they are incorporated into existing governance, risk, and compliance systems and are also considered when evaluated business cases.
  • IT risk appetite statements are based on IT level 1 risk types.

The risk appetite has a risk lens but is also closely linked to corporate performance.

The image contains a screenshot of a diagram that demonstrates how risk appetite has a risk lens, and how it is linked to corporate performance.

Statements of risk

The image contains a screenshot of a diagram of the risk landscape.

Risk Appetite

Risk Tolerance

  • The general amount of risk an organization is willing to accept while pursuing its objectives.
  • Proactive, future view of risks that reflects the desired range of enterprise performance.
  • Reflects the longer-term strategy of what needs to be achieved and the resources available to achieve it, expressed in quantitative criteria.
  • Risk appetites will vary for several reasons, such as the company culture, financial strength, and capabilities.
  • Risk tolerance is the acceptable deviation from the level set by the risk appetite.
  • Risk tolerance is a tactical tool often expressed in quantitative terms.
  • Key risk indicators are often used to align to risk tolerance limits to ensure the organization stays within the set risk boundary.

Risk scenarios

Risk scenarios serve two main purposes: to help decision makers understand how adverse events can affect organizational strategy and objectives and to prepare a framework for risk analysis by clearly defining and decomposing the factors contributing to the frequency and the magnitude of adverse events.

ISACA
  • Organizations’ pervasive use of and dependency on technology has increased the importance of scenario analysis to identify relevant and important risks and the potential impacts of risk events on the organization if the risk event were to occur.
  • Risk scenarios provide “what if” analysis through a structured approach, which can help to define controls and document assumptions.
  • They form a constructive narrative and help to communicate a story by bringing in business context.
  • For the best outcome, have input from business and IT stakeholders. However, in reality, risk scenarios are usually driven by IT through the asset management practice.
  • Once the scenarios are developed, they are used during the risk analysis phase, in which frequency and business impacts are estimated. They are also a useful tool to help the risk team (and IT) communicate and explain risks to various business stakeholders.

Top-down approach – driven by the business by determining the business impact, i.e. what is the impact on my customers, reputation, and bottom line if the system that supports payment processing fails?

Bottom-up approach – driven by IT by identifying critical assets and what harm could happen if they were to fail.

If integrated risk is your destination, your IT risk taxonomy is the road to get you there.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 3-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Understand risk management fundamentals
  • Call 1: Review risk management fundamentals.

Guided Implementation 2: Set your organization up for success
  • Call 1: Review the role of an IT risk taxonomy in risk management.
  • Call 2: Establish a cross-functional team.

Guided Implementation 3: Structure your IT risk taxonomy
  • Call 1: Identify level 1 IT risk types. Test against enterprise risk management.
  • Call 2: Identify level 2 and level 3 risk types.
  • Call 3: Align risk events and controls to level 3 risk types and test.
  • Call 4: Update your risk register and communicate taxonomy internally.

Author

Donna Bales

Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019