This article provides an overview of the risk factors within the COBIT 5 for risk management framework.

Risk factors influence the business impact and/or frequency of risk scenarios and can be classified as follows:

  1. Internal Environmental Factors – predominantly under the control of the business. These include the strategic importance of IT, complexity of IT, complexity of the business, degree of change, change management capability, risk management capabilities and values, operating model and strategic priorities.
  2. External Environment Factors – predominantly outside the control of the business. These include market/economic conditions, rate of change, industry/competition, regulatory environment, and technology status and evolution.
  3. Risk Management Capabilities – concerned with the maturity of the IT risk management processes. These include risk governance, risk evaluation and risk response.
  4. IT Capability Factors – concerned with the maturity of IT processes compared to COBIT 5 standards.
  5. IT-Related Business Capabilities – concerned with value management maturity. These include value governance, portfolio management and investment management.

Risk factors should be used when developing risk scenarios to help refine them and to estimate the frequency and impact of the risk event.


For more information please contact Morland-Austin at