This article provides an overview of the risk management process within the COBIT 5 for risk management framework.

The risk management perspective of COBIT 5 for Risk focuses on the use of the two core risk processes from the COBIT 5 Enabling Processes guide (Process Reference Model):

  1. EDM03 – Ensure Risk Optimisation.
  2. APO12 – Manage Risk.


The Ensure Risk Optimisation process is concerned with ensuring that the enterprise's risk appetite and risk tolerances are defined and communicated, and that the impact of IT risk on enterprise value is managed. This is achieved through the following:

  1. Evaluating IT risk management – continual examination and judgement of IT risk in relation to enterprise strategy (i.e. determine risk appetite, tolerances, alignment to enterprise risk strategy, evaluate risk factors, risk aware decision making and evaluation of risk management activities against tolerances).
  2. Directing IT risk management – providing direction through the delivery of policies, measurement objectives and approved processes for measuring the management of IT risk to provide assurance that IT risk management practices are appropriate and aligned to enterprise risk appetite.
  3. Monitoring IT risk management – monitoring the IT risk management processes and defining how deviations from the agreed targets will be managed (i.e. identified, documented, tracked, reported and resolved).


The Manage Risk process is concerned with continually identifying, assessing and responding to IT risk so that it remains within the agreed tolerance levels. This is achieved through the following:

  1. Collect data. Establish methods to collect, record and capture relevant risk information on the operating environment (internal and external), actual and probable risk events, the contributing factors for those events, emerging risk issues, etc.
  2. Analyse risk. Set the scope of the risk analysis (based on cost/benefit analysis) and build and maintain risk scenarios. Estimate the frequency and magnitude of loss for each risk scenario, take risk factors and known controls into account, and then calculate residual risk. Compare residual risk against risk tolerances and identify the exposures that require a risk response. Complete a cost/benefit analysis of the risk response options (avoid, reduce/mitigate, transfer/share, accept, exploit) and propose the best response. Identify and validate (against enterprise requirements) the requirements, expectations and controls needed to implement the proposed risk response.
  3. Maintain a risk profile. Maintain an inventory of known risks and their key attributes, organise risk scenarios by line of business or function, consolidate them into an aggregated risk profile, define a set of risk indicators to enable the monitoring of risk trends, and update the profile with actual risk events as they occur and with the status of their corresponding risk action plans.
  4. Articulate risk. Report the results of the risk analysis and the current risk profile to the affected stakeholders, in the format that best supports effective decision making.
  5. Define a risk management action portfolio. Maintain a list of the existing controls that manage risk today (mapped to risk scenarios) and a proposed list of new implementations, selected on the basis of cost/benefit, that will deliver new controls to reduce risk levels further.
  6. Respond to risk. Maintain an effective process that documents risk events as they occur and categorises incidents so that actual exposure can easily be compared against tolerance levels. Implement the appropriate response plans as incidents occur, identify and communicate risk-related root causes, and ensure that process improvements are fed back into the IT risk management processes.
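The following is an added worked example, not code from this article or from ISACA/COBIT 5, showing how the Manage Risk steps above (analyse risk, maintain a risk profile, define an action portfolio, respond to risk) can be carried through in a small risk register. COBIT 5 does not prescribe a calculation, so the quantitative model (expected annual loss = annual frequency x loss magnitude, with each control scaling one factor by 1 - effectiveness), the response-selection rule, the per-scenario tolerance, and every figure in the sample register are assumptions constructed for the illustration.

```python
"""Toy risk register for the APO12 Manage Risk steps (example code, not COBIT's own).

Assumed model: expected annual loss = annual frequency x loss magnitude;
each control scales either the frequency or the magnitude by (1 - effectiveness).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    reduces: str              # "frequency" or "magnitude"
    effectiveness: float      # fraction of that factor removed, 0.0 .. 1.0
    annual_cost: float = 0.0
    implemented: bool = True  # False = candidate for the action portfolio


@dataclass
class RiskScenario:
    scenario_id: str
    description: str
    business_unit: str
    annual_frequency: float   # inherent expected events per year
    loss_magnitude: float     # inherent expected loss per event
    controls: List[Control] = field(default_factory=list)


@dataclass
class RiskEvent:              # an actual risk event logged under "Respond to risk"
    scenario_id: str
    actual_loss: float


def _apply_controls(freq: float, mag: float, controls: List[Control]) -> float:
    """Expected annual loss after the given controls are applied."""
    for c in controls:
        if c.reduces == "frequency":
            freq *= 1.0 - c.effectiveness
        else:
            mag *= 1.0 - c.effectiveness
    return freq * mag


def inherent_exposure(s: RiskScenario) -> float:
    return s.annual_frequency * s.loss_magnitude


def residual_exposure(s: RiskScenario) -> float:
    """Residual risk: inherent exposure with the implemented controls applied."""
    return _apply_controls(s.annual_frequency, s.loss_magnitude,
                           [c for c in s.controls if c.implemented])


def propose_response(s: RiskScenario, tolerance: float) -> Tuple[str, Optional[str]]:
    """Assumed selection rule: accept when within tolerance; otherwise the candidate
    control with the highest positive net benefit (loss avoided minus annual cost);
    if no candidate pays for itself, propose transfer/share for further analysis."""
    residual = residual_exposure(s)
    if residual <= tolerance:
        return ("accept", None)
    implemented = [c for c in s.controls if c.implemented]
    best_name, best_net = None, 0.0
    for cand in s.controls:
        if cand.implemented:
            continue
        trial = _apply_controls(s.annual_frequency, s.loss_magnitude, implemented + [cand])
        net_benefit = (residual - trial) - cand.annual_cost
        if net_benefit > best_net:
            best_name, best_net = cand.name, net_benefit
    return ("reduce/mitigate", best_name) if best_name else ("transfer/share", None)


def aggregated_profile(register: List[RiskScenario]) -> Dict[str, float]:
    """Residual exposure consolidated by line of business (the aggregated risk profile)."""
    profile: Dict[str, float] = {}
    for s in register:
        profile[s.business_unit] = profile.get(s.business_unit, 0.0) + residual_exposure(s)
    return profile


def exposures_over_tolerance(register: List[RiskScenario], tolerance: float) -> List[str]:
    """Risk indicator: scenarios whose residual exposure exceeds the tolerance."""
    return [s.scenario_id for s in register if residual_exposure(s) > tolerance]


def actual_vs_tolerance(events: List[RiskEvent], tolerance: float) -> Dict[str, bool]:
    """Categorise logged events by scenario and flag those whose actual loss so far
    already exceeds the tolerance (actual exposure compared against tolerance)."""
    totals: Dict[str, float] = {}
    for e in events:
        totals[e.scenario_id] = totals.get(e.scenario_id, 0.0) + e.actual_loss
    return {sid: loss > tolerance for sid, loss in totals.items()}


# Constructed sample register and event log; all figures are illustrative.
TOLERANCE = 50_000.0  # assumed per-scenario annual loss tolerance
REGISTER = [
    RiskScenario("R01", "Ransomware on file servers", "Finance", 0.5, 400_000.0, [
        Control("Offline backups", "magnitude", 0.6),
        Control("Endpoint detection and response", "frequency", 0.5, 30_000.0, implemented=False),
    ]),
    RiskScenario("R02", "Phishing credential theft", "Sales", 2.0, 20_000.0, [
        Control("Multi-factor authentication", "magnitude", 0.8),
    ]),
    RiskScenario("R03", "Cloud provider outage", "Operations", 0.2, 500_000.0, [
        Control("Multi-region failover", "magnitude", 0.5, 60_000.0, implemented=False),
    ]),
]
EVENTS = [RiskEvent("R01", 12_000.0), RiskEvent("R01", 45_000.0), RiskEvent("R02", 3_000.0)]

if __name__ == "__main__":
    for s in REGISTER:
        print(s.scenario_id, round(residual_exposure(s)), propose_response(s, TOLERANCE))
    print(aggregated_profile(REGISTER), exposures_over_tolerance(REGISTER, TOLERANCE))
    print(actual_vs_tolerance(EVENTS, TOLERANCE))
```

Running it on the sample register shows the cost/benefit step doing real work: the candidate control for R01 is proposed because the loss it avoids exceeds its cost, whereas the candidate for R03 is rejected because it costs more than it saves, so that scenario is routed to transfer/share for further analysis; R01 is also flagged from the event log because losses already incurred this year exceed the tolerance.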

For more information please contact Morland-Austin at