This article provides an overview of the COBIT 5 for Risk Management framework.

COBIT 5 provides a framework that helps organisations to achieve their goals from the governance and management of information technology, by helping them to maintain the right balance between realising benefits, resource utilisation and optimising risks and therefore enabling the best value creation from IT.

COBIT 5 for Risk, further enhances and builds upon the COBIT 5 framework by expanding on IT risk principles and procedures, through 2 perspectives:

  1. Risk function perspective – what is needed to create and run an IT risk function.
  2. Risk management perspective – processes to identify, analyse, respond and report on IT risks.

COBIT 5 for Risk, allows an organisation to improve IT risk related capabilities, awareness, communication, decision making, outcomes and directing strategy by enabling the following:

  1. Providing key stakeholders a consistent, accurate and validated assessment of the current level of IT risk and impact to the organisation.
  2. Managing risk in line with the approved IT risk appetite.
  3. Implementing the correct IT risk culture.
  4. Quantitative approach to assessing IT risk mitigation costs versus loss exposure.
  5. Advocating risk responsibility and acceptance.
  6. Delivering an effective approach to manage IT risks.
  7. Identifying opportunities to integrate management of enterprise risk with IT risk.

COBIT 5 for Risk, covers the following key IT risk management questions:

  1. What is an IT risk?
  2. How do the COBIT 5 enablers relate to providing IT risk management (i.e. principles, policies and frameworks, processes, organisational structures, culture, ethics and behaviours)?
  3. How do I setup and maintain an efficient IT risk function? What is the IT risk function perspective?
  4. How does IT risk relate to COBIT 5 principles?
  5. What are key aspects from IT risk management in practice?
  6. Are there any practical examples of IT risk scenarios and how to address them?
  7. How does COBIT 5 for Risk help me in responding to IT risk?
  8. Does COBIT 5 align with IT risk management standards?
  9. Does COBIT 5 for Risk help me in defining detailed IT risk analysis methods?

More detail can be found in the individual articles which provide further drill down on the individual domains and processes.


For more information please contact Morland-Austin at