2023 IT Examiner School
Internal Use Only
IT & Cyber Risk are Business Risks
• IT can provide significant benefits to an enterprise, but it also involves risk
• IT provides value to enterprise
• IT-related events could potentially impact the business
• IT creates challenges in meeting strategic goals and objectives and uncertainty in the pursuit of opportunities
• IT goals must align with business goals and objectives (Grow, Run, Change)
• IT/Cyber risk is operational risk and should be treated like other key business risks
• Other Operational Risks are people, process, external events, legal & compliance
• Many executives tend to relegate IT risk to technical specialists outside the boardroom
• Transfer responsibility
Risk Governance
Board of Directors
Risk Appetite
Senior Management
Risk Reporting
Risk Reporting
Risk Management
Business Units
Risk Guidance
Risk Monitoring
Business Operations & Processes