
Six Steps to Using Risk Scenarios for Improved Risk Management

New ISACA guide provides 60 customizable scenarios for organizations

Rolling Meadows, IL, USA (23 September 2014)—To help executives understand IT-related risk, IT risk managers should develop and test risk scenarios. A new guide and tool kit from global IT association ISACA provide 60 risk scenario examples covering 20 categories of risk that organizations can customize for their own use.


Risk Scenarios Using COBIT 5 for Risk provides an understanding of risk assessment and risk management concepts in business terms, based on the principles of the globally recognized COBIT framework. It also outlines six key steps to effectively using risk scenarios to improve risk management:

  1. Use generic risk scenarios, such as those presented in this publication, to define a set that is tailored to your organization.
  2. Validate the risk scenarios against the business objectives of the organization, ensuring that the scenarios address business impacts.
  3. Refine the selected scenarios based on this validation and ensure their level of detail is in line with their criticality to the business.
  4. Reduce the number of scenarios to a manageable set.
  5. Keep all scenarios in a list so they can be reevaluated.
  6. Include in the scenarios an unspecified event (an incident not covered by other scenarios).


“The scenarios included in this guide help enterprises develop a tangible and assessable representation of risk to determine the business impact and the enterprise’s preparation levels,” said Steven Babb, chair of ISACA’s Knowledge Board and ISACA international vice president. “Well-developed risk scenarios that are linked to real business risk using these six steps help support risk management activities and make them realistic and relevant to the enterprise.”


Risk Scenarios provides scenario examples across categories such as IT investment decision making, staff operations, infrastructure, software, regulatory compliance, geopolitical, malware, acts of nature and innovation.


“Risk scenario analysis is a valuable technique that helps IT professionals understand and handle vulnerabilities, while helping businesses respond more effectively when implementing strategies that could affect IT-related risk,” said Robert E Stroud, CGEIT, CRISC, international president of ISACA. “The new Risk Scenarios publication provides key guidance based on the globally respected COBIT framework to help enterprises identify, analyze and respond to risk and understand its impact on the business.”


The publication also provides guidance on how to respond to risk that exceeds the organization’s tolerance level and how to use COBIT 5 to accomplish key risk management activities.


Risk Scenarios is available at More information on COBIT is available at



With more than 115,000 constituents in 180 countries, ISACA helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) credentials. The association has more than 200 chapters worldwide.