IT Risk and Control Library Policy and Procedure

Purpose

This policy and procedure document establishes the IT Risk and Control Library to identify, assess, and mitigate IT-related risks in alignment with organizational objectives. It provides a structured framework for managing risks and implementing controls to ensure the confidentiality, integrity, and availability of information assets. The library supports compliance with internal standards, regulatory requirements, and best practices.

Scope

This document applies to all IT systems, applications, networks, and cloud resources owned or managed by the organization, including on-premise and cloud environments. It covers risk identification, control implementation, assessment mappings, and ongoing monitoring. All departments involved in IT operations, development, and security must adhere to this policy.

Definitions

  • Risk: Potential event that could negatively impact organizational objectives, calculated as Probability × Severity.

  • Control: Mechanisms, processes, or procedures designed to mitigate identified risks.

  • ITRA Questionnaire: IT Risk Assessment tool used to evaluate changes and determine applicable controls.

  • Probability (Likelihood): Chance of a risk event occurring (rated 1-5).

  • Severity (Impact): Potential consequences of a risk event (rated 1-5).

  • Risk Rating: Overall level (Low, Medium, High, Extreme) derived from the Risk Rating Matrix.

  • Implementation Method: Step-by-step procedures for applying controls in specific environments.

  • Control Owner: Designated team responsible for maintaining and overseeing the control.

Roles and Responsibilities

  • IT Governance Team: Develops and maintains the Risk and Control Library; conducts periodic reviews.

  • IT Security Team: Implements and monitors security controls; performs vulnerability assessments.

  • IT Operations Team: Handles day-to-day control implementations in on-premise and cloud environments.

  • Portfolio/Project Management Team: Ensures controls are applied during projects; defines requirements in documentation (e.g., ITOG).

  • Privacy and Compliance Team: Reviews data-related risks and cross-border transfers; conducts assessments like DPIA.

  • All Employees and Contractors: Report risks and adhere to controls as per their roles.

Policy Statement

The organization is committed to proactive risk management to protect information assets. All identified risks must be assessed using the Risk Rating Matrix, and appropriate controls implemented. Exceptions to this policy require formal approval from the IT Governance Team and must include compensating controls.

Risk Assessment Methodology

Risks are evaluated based on Probability and Severity to determine the Risk Rating. Use the matrix below for consistent assessment.

Risk Rating Matrix

The risk rating is calculated as Probability (Likelihood) × Severity (Impact) and read from the matrix below.

  • Probability Levels:

    • 1: Rare (<5% chance)

    • 2: Unlikely (5-25% chance)

    • 3: Possible (26-50% chance)

    • 4: Likely (51-75% chance)

    • 5: Almost Certain (>75% chance)

  • Severity Levels:

    • 1: Insignificant (minor disruption)

    • 2: Minor (recoverable with minimal effort)

    • 3: Moderate (requires resources)

    • 4: Major (significant disruption)

    • 5: Severe (catastrophic impact)

Probability \ Severity   1 (Insignificant)   2 (Minor)   3 (Moderate)   4 (Major)   5 (Severe)
5 (Almost Certain)       Medium              High        High           Extreme     Extreme
4 (Likely)               Medium              Medium      High           High        Extreme
3 (Possible)             Low                 Medium      Medium         High        High
2 (Unlikely)             Low                 Low         Medium         Medium      High
1 (Rare)                 Low                 Low         Low            Medium      Medium

  • Risk Levels and Actions:

    • Low: Monitor; no immediate action required.

    • Medium: Implement controls within 6 months; review quarterly.

    • High: Mitigate within 3 months; escalate to senior management.

    • Extreme: Immediate mitigation; require executive approval.

Risk Library

Risks are categorized and assigned unique IDs (e.g., RISK-AC-001). Each includes a summary and description. Risks link to controls via "Related Controls" (see Relationships section).


Control Library

Controls are categorized with unique IDs (e.g., CTRL-GOV-001). Each includes a summary, description, and applicable ITRA levels.


Control Implementation

This section outlines procedures for implementing controls, including entry requirements, methods, and responsible teams. Procedures are grouped by control ID.


Assessment Questionnaire

ITRA Questionnaire

Relationships Among Components

  • Risks to Controls: Each risk links to one or more controls via "Related Risk IDs" in implementation procedures. Controls mitigate specific risks (e.g., RISK-AC-001 mitigated by CTRL-IAC-001).

  • Controls to Implementations: Implementation procedures provide environment-specific steps for controls, ensuring practical application.

  • Controls to ITRA Mapping: The mapping table shows when controls apply to change scenarios, supporting risk scoping during assessments.

  • Risk Rating to Controls: Use the matrix to prioritize risks; high/extreme risks require robust controls and monitoring.

  • Overall Flow: Risks are identified/assessed (matrix), mapped to controls (library), implemented (procedures), and scoped via ITRA for changes.

Compliance Monitoring and Auditing

  • Annual reviews of the library by the IT Governance Team.

  • Audits to verify control effectiveness.

  • Metrics: Risk coverage percentage, control implementation rate.

Exceptions Process

Requests for exceptions must be submitted to the IT Governance Team with a justification, a risk assessment, and the compensating controls to be applied. Approved exceptions are tracked and reviewed annually.

Risk Acceptance and Risk Register Policy and Procedure

Training Requirements

All relevant staff receive annual training on this policy, its risks, and its controls. Role-specific training is provided for those who implement controls.
