XYZ is one of the branch offices of banking subsidiaries in Indonesia that focuses on providing leasing facilities, investment and working capital. As a company, PT. XYZ is inseparable in the use of information technology which gives rise to various possible risks that exist. Therefore, it is necessary to have an analysis of information technology risk management in PT. XYZ. Through this research, it is hoped that it can help PT. XYZ in identifying possible risks that occur to the company, as well as actions that must be taken in the face of such risks. The framework used in this study is the ISO 31000 framework. Based on the results of this study, 13 possible risks that have low risk levels (R01, R02, R03, R04, R05, R07, R08, R12, R13, R15, R16, R20 and R21 ), 6 possible risks that have medium risk levels (R06, R09, R10, R11, R14 and R18), as well as 2 possible risks that have high risk levels (R17 and R19). In addition, a risk treatment proposal was produced that can be used as a reference by PT. XYZ to minimize losses caused by these risks.