This article provides an overview and summary of the COBIT 5 process Manage Risk, which is part of the Management – Plan (Align, Plan and Organise) domain.

The purpose of this COBIT 5 process is to continually identify, assess and reduce IT risks within the levels of tolerance set by organisation and IT executive management. The goal is to integrate the management of IT risks with overall organisation ERM programme.

The following sub-governance processes are further supported by a list of control activities:

  1. Collect data. Identify and collect relevant data to IT risk assessments and reporting.
  2. Analyse risks. Develop useful information to support risk decisions.
  3. Maintain a risk profile. Maintain an inventory of known risk and risk attributes.
  4. Articulate risks. Provide information on the current state of IT exposures and opportunities.
  5. Define a risk management action portfolio. Manage opportunities to reduce risk to an acceptable level.
  6. Respond to risks. Respond in a timely manner with effective measures.

For more information please contact Morland-Austin at