The document discusses IT governance and risk management. It defines governance as managing an organization through senior executive direction and control. Risk management is defined as identifying, assessing, and prioritizing risks, then applying resources to minimize threats and maximize opportunities. The document outlines various frameworks for classifying and evaluating IT risks, including how IT risk fits within enterprise risk management. It also provides examples of IT risk scenarios and discusses establishing risk tolerance and an ongoing process of planning, doing, checking, and acting to manage risks.