In a world increasingly subject to digitalisation and the use of technology, an ineffective IT strategy and failing IT are amongst the most significant risks facing the boards of most organisations. The purpose of this paper is to provide a practical guide to Chief Risk Officers (CROs) and senior risk professionals active in the insurance industry on the main threats and developments in the IT landscape in which they operate, and support them to effectively measure and manage these risks in their organisations.

The paper describes the process of setting and maintaining risk appetite for IT risks and the benefits thereof, the process for establishing KRIs (key risk indicators) and tools and techniques in use, and breaks down the sub-steps of the IT risk management process. The paper emphasises the importance of selecting the right (‘fit for purpose’) IT risk framework as it should be compatible with the enterprise ERM strategy and impacts other programs, e.g., resilience, regulatory compliance and internal and external sourcing. The paper studies different frameworks commonly used in IT, describes the main purpose and focus of each framework and the main advantages and disadvantages.