This article provides an overview and summary of the COBIT 5 process Ensure Risk Optimisation, which is part of the Governance – Evaluate, Direct and Monitor domain.

The purpose of this COBIT 5 process is to ensure that IT risks do not exceed risk appetite and risk tolerances, that the impact of IT risk on organisational value is identified and managed, and that the potential for compliance failures is minimised by ensuring:

  1. IT risk thresholds are defined and communicated.
  2. The organisation is managing key IT risks effectively.
  3. IT risks do not exceed risk appetite, and their impact on organisational value is identified and managed.

The following sub-governance processes are further supported by a list of control activities:

  1. Evaluate risk management. Continually assess and manage risks on the current and future use of IT in the organisation.
  2. Direct risk management. Implement risk management practices to provide reasonable assurance that IT risks do not exceed the IT board’s risk appetite.
  3. Monitor risk management. Monitor the key metrics of IT risk management processes and address problems identified.

For more information please contact Morland-Austin at