Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.
The Ensure Risk Optimisation process is concerned with ensuring that the enterprise's risk tolerances and risk appetite are defined and communicated and that the impact of IT risk on enterprise value is managed. This is achieved through the following:
Evaluating IT risk management – continual examination and judgement of IT risk in relation to enterprise strategy (i.e. determining risk appetite and tolerances, alignment to the enterprise risk strategy, evaluating risk factors, risk-aware decision making, and evaluating risk management activities against tolerances).
Directing IT risk management – providing direction through the delivery of policies, measurement objectives and approved processes for measuring the management of IT risk to provide assurance that IT risk management practices are appropriate and aligned to enterprise risk appetite.
Monitoring IT risk management – monitoring IT risk management processes and defining how deviations from the agreed targets will be managed (i.e. identified, documented, tracked, reported and resolved).