Are there any standards which can be used to help establish a corporate risk register specific to IT? I know most projects have risk logs, but I am talking more about the organisation on the whole, and risks specific to IT. I am keen to learn what standards/frameworks are out there, and how the risks are identified and fed into the register. And what the overall benefit of having such is. Most individual teams, I presume, know their risks, e.g. loss of service, security compromise, disgruntled customers, reputation, non-compliance, etc. I am just unsure how organisations pull this all together for a corporate risk register.