IT Risk

From Open Risk Manual


IT Risk is a broad term that encompasses any and all risks to the firm's operations that are associated with and derive from the use of (Digital) Information and Communication Technology. A variety of other terms are used in the same context with varying degrees of scope overlap: Technology Risk, Cybercrime, Cyber Risk, Infosecurity.

IT Risk Taxonomy

IT Risk has several distinct subtypes[1], summarized in the following IT Risk Taxonomy:

Risk Factors

The IT Risk Profile of a firm depends on the following general risk factors (more specific factors are associated with individual risk sub-types):

  • whether the institution has high reliance on internet dependencies, high adoption of innovative IT solutions or other business distribution channels that may make it a more likely target for cyber-attacks
  • whether the institution's IT systems may be inherently complex (e.g. as a result of mergers or acquisitions) or outdated
  • whether the institution is implementing material changes to its IT systems and/or IT function (e.g. as a result of mergers, acquisitions, divestments or the replacement of its core IT systems), which may adversely impact the stability or orderly functioning of the IT systems
  • whether the institution has outsourced material IT services or IT systems within or outside the group
  • whether the institution is implementing aggressive IT cost-cutting measures which may lead to the reduction of needed IT investments, resources and IT expertise and can increase the exposure to all the IT risk types in the taxonomy
  • whether the location of important IT operations/data centres (e.g. regions, countries) may expose the institution to natural disasters (e.g. flooding, earthquakes), political instability or labour conflicts and civil disturbances


IT Risk Controls comprise:

  • IT risk management policies, processes and risk tolerance thresholds
  • Organisational management and oversight frameworks
  • Internal audit coverage and findings
  • Specific risk controls for the IT risk sub-categories

See Also


  1. EBA, Final Guidelines on ICT Risk Assessment under SREP