Give Your IT Risk Program a Jump-start

Evan Wheeler
Author: Evan Wheeler, CRISC, Sr. Director at Capital One
Date Published: 7 June 2022

I’m constantly fielding questions about how to start building a modern-day IT risk management program, and a quick Google search reveals that there are many differing opinions on the best approach. If you pick one of these solutions at random, you’re likely to discover that most promote overly complicated risk assessment techniques that result in arbitrary risk prioritization and can lead your organization to abandon the program because it isn’t showing value quickly enough. 

Now ISACA’s global IT risk advisory group has compiled a toolkit that is designed to jump-start your risk program development initiative, which will hopefully help avoid the pitfalls of many homegrown frameworks. The IT Risk Starter Kit was specifically designed to cover the basic building blocks with the small-to-medium business market in mind – you don’t need to be a large enterprise or have an army of risk consultants to get this off the ground. This kit isn’t just focused on cybersecurity, either – it was developed to broadly cover all domains of IT risk. The goal is to establish a consistent, disciplined and integrated approach to IT risk management, including setting risk appetite and identifying, measuring, controlling, monitoring, and reporting on material risks. In other words, you want a program that can help answer these foundational questions:

  1. What are the top risks for our organization?
  2. Are we improving?
  3. Are we getting the most out of our investments?

Without a structured risk program, we can’t adequately support strategic decision-making, and there is no way to answer the above questions with any confidence. The kit is full of helpful templates, including:

  • Pitch Deck
  • Policy Template
    • Governance Structure
    • Roles & Responsibilities
  • Key Terms & Taxonomy
  • Committee Charter
  • Job Descriptions for Key Roles
  • Risk Appetite Statement Template
  • Risk & Controls Library Template
  • Assessment & Register Templates
  • Risk Scenario Template
  • Risk Report/Dashboard Template
  • Risk Program Maturity Assessment

The How-To Guide included in the kit will walk you through the early stages of establishing a program and documenting your risks. These basic templates are intended to be tailored to your environment and are intentionally agnostic to industry, risk framework and technology type. Although the templates are general, they have been greatly influenced by ISACA’s Risk IT Framework and Risk IT Practitioner Guide.

Starting from Scratch
If you’re just getting started, no worries – the kit includes all the basics to get your program off the ground. If your organization isn’t yet convinced that a risk program is a worthwhile investment, the kit even includes a template for a Pitch Deck that can be used to justify the benefits of a risk program to your senior leadership. The deck lays out an approach to building capabilities over time with a basic roadmap to get started and is organized around addressing these questions:

  • Why? Overview of the status quo and the organization’s pain points
  • What? Explain the risk program’s mission and proposed structure
  • How? Outline the strategic vision and propose the next steps

It then walks through a description of the current opportunities, program mission statement, and a basic roadmap. Keep in mind that these programs aren’t built overnight, and most organizations will take 2-3 years to fully develop and roll out a mature risk program, but you’ll start seeing the benefits much earlier. This deck outlines the initial steps to get started and cuts out the consulting fluff.

Existing Program
If a program already exists, the Pitch Deck can be customized to focus on how these processes can be enhanced or transformed to reach the next level of maturity. Start by highlighting the key things that are working well and what needs to be improved. The slides provide a template to identify any changes in expectations or priorities for the existing risk program. Consider summarizing where your current program stands with a maturity assessment to illustrate the current capabilities and set targets for enhancements. Also, it’s important to recognize that the targets will likely not be “perfect” in every category – you will win points with management by calling this out and being realistic about which program elements will matter most to your organization.

As you customize the roadmap, remember to set achievable targets, and adjust the timeframe based on the needs of your organization.

Getting Off the Ground
Throughout my career, I’ve designed and built out many risk programs, and the best advice I’ve ever gotten is to keep things simple. Be careful not to over-engineer the program or bite off too big a scope too quickly. This kit was developed with those principles in mind. It includes all the building blocks you’ll need, and it provides a plan to get you on the right path. For example, the Risk Report/Dashboard Template includes four iterations that build on each other and become more sophisticated to mature along with your program. The template will help you move from basic measurements and lagging indicators to more granular scenarios and to anticipating future changes in risk exposure. A guiding principle for this kit was that it is never too early to measure and quantify risk, even in the early stages of your program’s journey.

Whether you are brand new to risk management frameworks or have many years under your belt, I hope you’ll download the IT Risk Starter Kit and give it a try.