IT Governance, Risk, and Compliance

Mar 7 2013   1:54AM GMT

Risk Management: Is it just another set of business buzzwords? – Part IV

Robert Davis

The risk management process introduces a systematic approach for identifying, assessing, and reducing risks, as well as for maintaining defined acceptable risk levels. An IT risk assessment should be considered a key risk management practice area. When management institutionalizes an IT governance risk assessment methodology, the quantitative and/or qualitative factors affecting business processes should be considered, evaluated, and documented to enable suitable event responses. Management's risk assessment of IT processes determines the potential IT opportunity cost and how critical it is to implement each control. Quantitative risk calculations include:

  • Exposure Factor = Percentage of asset lost caused by identified risk
  • Single Loss Expectancy (SLE) = Asset Value × Exposure Factor
  • Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur within a year
  • Annualized Loss Expectancy (ALE) = SLE × ARO
  • Safeguard Cost/Benefit Analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)
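The calculations above, applied to a small risk register and used to rank candidate safeguards by net annual value. This is an added example, not from the original post; the asset names, monetary figures and the helper names `Risk`, `safeguard_value` and `rank_safeguards` are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal as D

@dataclass(frozen=True)
class Risk:
    """One asset/threat pair, using the quantities defined in the list above."""
    name: str
    asset_value: D        # monetary value of the asset
    exposure_factor: D    # fraction of the asset lost per event, 0..1
    aro: D                # expected events per year, >= 0

    def __post_init__(self):
        if not D(0) <= self.exposure_factor <= D(1):
            raise ValueError(f"{self.name}: exposure factor must be within 0..1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"{self.name}: ARO and asset value must be non-negative")

    @property
    def sle(self) -> D:
        return self.asset_value * self.exposure_factor
    @property
    def ale(self) -> D:
        return self.sle * self.aro


def safeguard_value(before: Risk, after: Risk, annual_cost: D) -> D:
    """(ALE before) - (ALE after) - (annual cost of safeguard)."""
    return before.ale - after.ale - annual_cost


def rank_safeguards(options):
    """Sort (label, before, after, annual_cost) tuples by net annual value, best first."""
    scored = [(label, safeguard_value(b, a, cost)) for label, b, a, cost in options]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample figures, for illustration only.
db = Risk("customer DB ransomware", D("500000"), D("0.40"), D("0.5"))
laptop = Risk("laptop theft", D("3000"), D("1.0"), D("12"))
OPTIONS = [
    # Offline backups lower the exposure factor; the frequency is unchanged.
    ("offline backups", db, Risk(db.name, db.asset_value, D("0.10"), db.aro), D("20000")),
    # Cable locks halve the frequency, but cost more per year than the loss avoided.
    ("cable locks", laptop, Risk(laptop.name, laptop.asset_value, D("1.0"), D("6")), D("25000")),
]

if __name__ == "__main__":
    for label, value in rank_safeguards(OPTIONS):
        print(f"{label:16} net annual value = {value:>10.2f}")
```

A negative result, as for the second option, means the safeguard costs more each year than the loss it is expected to prevent.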


Davis, Robert E. (2011). Assuring IT Governance. Available from and

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.
