Risk IT Case Study: Risk IT Framework for IT Risk Management: A Case Study of National Stock Exchange of India Limited 


The criticality of business operations required NSE to focus on risk management as an integral element of its day-to-day business processes. Up until this new focus, the existing risk management process mainly focused on addressing business risk. The IT risk assessment method was complementary to the business risk processes, and the approach adopted was periodic assessment (once a year), which until now was considered adequate.

However, during the review of risk assessment, it was observed that the dynamic nature of the business environment had been prompting frequent changes in IT infrastructure. These changes constituted not only changes in hardware, but also included revamping applications and identifying new service delivery channels. This prompted the decision to revisit the IT risk management approach.

IT Risk Management Project

Figure 1

Choosing a Guiding Risk Management Framework

Figure 2

  • Risk IT provides granular guidance on risk management processes in the three major areas required—Risk Evaluation, Risk Response and Risk Governance—covering all traditional risk management processes, including risk identification, risk assessment, risk response, risk treatment and risk monitoring.
  • Risk IT focuses on linking IT risk with business objectives rather than IT assets.
  • It is the only framework that provides detailed processes for IT risk governance.
  • Risk IT is focused on building risk scenarios (and also provides a list of generic scenarios) that help directly link risk management with business processes.

NSE’s Risk Management Framework

Following this study, NSE’s risk management framework has been developed based upon Risk IT (figure 3).

Figure 3

NSE’s high-level objectives for each area of the framework are:

  1. Risk Governance:
    • Maintain a common view—Maintain standard risk register to provide a risk update in business terms.
    • Define the organization structure—Define roles and responsibilities across the organization to review and maintain IT risk profile.
    • Make risk-informed decisions—Provide IT risk dashboard to IT management to enable risk-informed strategic decisions.
  2. Risk Evaluation:
    • Collect data—Prepare risk scenarios, conduct risk-identification workshop, establish process touch points for risk updating and link the impact assessment with the business impact analysis (BIA).
    • Analyze risk—Use a standard table for defining likelihood and impact. Use the Delphi technique wherever required.
    • Maintain risk register—Update and maintain the risk register to develop the risk profile by aggregating departmental risk.
  3. Risk Response:
    • Articulate risk—Establish a process for defining risk response and communicating to stakeholders.
    • Manage risk—Maintain a control catalog with risk mapping, and define the review process.
    • React to risk events—Establish a link to incident management, change management and operations management to review risk.

NSE’s Business and IT Mapping

NSE provides IT-based services to members and brokers for trading in securities on behalf of their clients and investors. There are multiple market segments.

Each market segment has four major processes: trading (members place orders, which are matched by the matching engine and confirmed), risk management (online monitoring of activities), surveillance (online pattern matching to identify out-of-turn trades and restrict malpractice), and clearing and settlement (involving delivery of securities), in addition to various supporting processes.

Figure 4 depicts the mapping of risk management processes covering these high-level IT processes.

Figure 4

Implementation Approach

The implementation approach for the risk framework at NSE is described in figure 5.

Figure 5

The implementation of risk management was conducted at two levels:

  1. Develop risk register for business functions.
  2. Define aggregation process to arrive at an organization-level risk profile.

Business processes were categorized in the following areas:

  • Most critical (core production)
  • Critical (production)
  • Support functions

For each business function, the following activities were performed:

  • Conduct risk evaluation facilitated workshops.
  • Generate risk profile for inherent risk (risk without considering controls).
  • Determine response options.
  • Identify and assess controls from control catalog.
  • Identify positive (excess) and negative (missing) control gaps.
  • Define a plan for closing control gaps.
  • Finalize the risk register.
  • Obtain confirmation from risk owner (department heads).

For aggregation of the risk profile at the organization level, the following activities were performed:

  • Build a matrix for all identified risk.
  • Collect department-wide data, and build the matrix.
  • Add weightage of criticality for each department.
  • Arrive at organization-level risk profile.
  • Review and sanitize the risk profile by eliminating mathematically inappropriate impacts and likelihood.
  • Present risk profile to board and senior management.

Risk Management Processes

NSE concluded that changes in risk need to be tracked on an ongoing basis and identified the following triggers as having an impact on risk status: incidents, events, changes in IT and business environment, and procurement based on strategic IT decisions. Figure 6 shows the risk updating process based on these identified triggers.

Figure 6

A uniform scale for quantifying the likelihood and qualitative impact assessment was defined for use across the organization.
Use of the Risk IT framework helped NSE in building a uniform structure and view of IT risk across the organization. The Risk IT framework helped NSE in:

  • Presenting a uniform view of IT risk to stakeholders
  • Encouraging stakeholder participation through the use of scenarios and the avoidance of jargon
  • Defining a monitoring process for continuous updating of changes in the risk profile
  • Gaining acceptance by risk owners

An Excel-based tool that automatically updates the risk profile is being used to track and maintain risk changes. The risk profile is presented in three stages:

  • Inherent risk (total risk without controls)
  • Current risk (overview of current risk based on existing controls)
  • Residual risk (risk remaining after the identified control gaps are addressed)

The residual risk is arrived at after considering the impact of implemented controls over inherent risk. Considering the future road map and alignment of the Risk IT framework with COBIT, COBIT 4.1 control objectives were used to identify control gaps and to assess the impact of controls on the risk profile.
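To make the aggregation steps (build the matrix, add criticality weightage, sanitize, arrive at an organization-level profile) and the three-stage profile concrete, here is an added Python example; it is not NSE's Excel tool or part of the original article. The 1..5 scale, the criticality weights, the model in which controls reduce likelihood by a number of levels, and the sample register are all assumptions.

```python
from dataclasses import dataclass

LOW, HIGH = 1, 5  # assumed 1..5 likelihood and impact scale (the page gives no values)
WEIGHT = {"most critical": 3, "critical": 2, "support": 1}  # assumed criticality weightage

@dataclass
class Risk:
    dept: str
    category: str      # "most critical", "critical" or "support"
    scenario: str
    likelihood: int    # inherent likelihood on the scale
    impact: int        # inherent impact on the scale
    current_ctrl: int  # likelihood levels removed by controls already in place
    gap_ctrl: int      # further levels removed once identified control gaps are closed

def validate(r: Risk) -> None:
    """Sanitize step: reject mathematically inappropriate values before aggregation."""
    for name in ("likelihood", "impact"):
        v = getattr(r, name)
        if not LOW <= v <= HIGH:
            raise ValueError(f"{r.dept}/{r.scenario}: {name}={v} is outside {LOW}..{HIGH}")
    if r.current_ctrl < 0 or r.gap_ctrl < 0:
        raise ValueError(f"{r.dept}/{r.scenario}: control reductions must be non-negative")

def score(r: Risk, stage: str) -> int:
    """Inherent, current or residual score as likelihood x impact (assumed model)."""
    validate(r)
    reduction = {"inherent": 0, "current": r.current_ctrl,
                 "residual": r.current_ctrl + r.gap_ctrl}[stage]
    likelihood = max(LOW, r.likelihood - reduction)  # controls cannot go below the scale floor
    return likelihood * r.impact

def department_profile(register, stage):
    """Highest-scoring scenario per department at the given stage."""
    profile = {}
    for r in register:
        profile[r.dept] = max(profile.get(r.dept, 0), score(r, stage))
    return profile

def organization_profile(register, stage):
    """Department scores aggregated as a criticality-weighted average."""
    weights = {r.dept: WEIGHT[r.category] for r in register}
    dept = department_profile(register, stage)
    return round(sum(dept[d] * weights[d] for d in dept) / sum(weights.values()), 2)

REGISTER = [  # constructed sample register (not NSE data): one scenario per department
    Risk("Trading", "most critical", "matching engine outage", 4, 5, 2, 1),
    Risk("Surveillance", "critical", "pattern-matching feed delayed", 3, 4, 1, 2),
    Risk("HR", "support", "payroll application unavailable", 3, 2, 1, 0),
]
```

Running `organization_profile(REGISTER, stage)` for the three stages shows the profile falling from inherent to current to residual, with the most critical department dominating the weighted figure.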

Sunil Bakshi is a consultant and chief information security officer for NSETECH (NSE Infotech Services Limited). A gold member of ISACA, he is a member of the CRISC Test Enhancement Subcommittee. Bakshi has previously worked in various capacities with the State Bank of India, the Enterprise Risk Services Group of Deloitte Touche Tohmatsu, India Private Limited, and Wipro Consulting Services.