The Control Objectives for Information and related Technology (COBIT) framework has become a globally accepted standard for IT governance. So much so, in fact, that the Information Systems Audit and Control Association, which developed the framework in 1996, has not only issued several updates, but also extended COBIT and tailored it to specific functions. Val IT, for instance, is a COBIT-based framework addressing the governance of IT-enabled business investments, according to the ISACA Web site.
This week, the standards organization announced the release of its newest COBIT extension, Risk IT. Described as "a framework for enterprises to identify, govern and manage IT risk," Risk IT consists of three domains: governing risk, evaluating risk, and responding to risk. The framework includes guidance on the activities and responsibilities within each process, as well as on how information "flows" between the processes.
In an ISACA e-mail announcing the release, Risk IT developer Brian Barnier says:
Risk and value are two sides of the same coin. Risk is inherent to all enterprises, but a balance must be struck that avoids value destruction and ensures that opportunities for value creation are not missed. Risk IT helps all levels of management manage risk for the greatest benefit and helps detect warning signs earlier.