Overview CRISC Part 1 The Big Picture 2011 PDF
CRISC Background Information
Exam Relevance
Ensure that the CRISC candidate has the practical knowledge required to perform the tasks described in the task and knowledge statements.
The percentages listed with the domains indicate the emphasis, or percentage of questions, that will appear on the exam from each domain. For a description of each domain's task and knowledge statements, visit www.isaca.org/criscjobpractice.
Note: The concepts introduced in this manual are considered a fundamental part of the CRISC job practice.
Exam domain weighting (chart): Domain 1, 31%; Domain 2, 17%; Domain 3, 17%; Domain 4, 17%
Manual Setup
The CRISC Review Manual 2011 is organized into three parts:
Part I – The Big Picture: How Risk Management Relates to Risk Governance
Part II – Risk Management and Information Systems Control Theory and Concepts
Part III – Risk Management and Information Systems Control in Practice
Additional Resources
Study Questions, Answers and Explanations
Glossary
Suggested Resources for Further Study
List of Exhibits
Part I – The Big Picture: How Risk Management Relates to Risk Governance
Section Overview
Exam Relevance
Discuss specific topics within the chapter
Case Study
Sample Questions
Key Terms (Definition and Acronyms)
Suggested Reading
Part 1
Learning Objectives
As a result of completing this chapter, the CRISC candidate should be able to:
Differentiate between risk management and risk governance
Identify the roles and responsibilities for risk management
Distinguish between various risk management methodologies
Apply and differentiate the standards, practices and principles of risk management
List the main tasks related to risk governance
Recognize relevant risk management standards, frameworks and practices
Explain the meaning of key risk management concepts, including risk appetite and risk tolerance
ISACA
Trust in, and value from,
information systems
Section Topic
Risk Management
Section Topics
Risk Management
Essentials of Risk Governance
Risk Appetite and Risk Tolerance
Risk Awareness and Communication
Risk Culture
Overview of Risk Management
Risk Management:
Is the process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives.
Holistically covers all concepts and processes affiliated with managing risk, including the systematic application of management policies, procedures and practices; the tasks of communicating, consulting and establishing the context; and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.
Risk
Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise.
Risk, the potential for events and their consequences, contains both:
Opportunities for benefit (upside)
Threats to success (downside)
Responsibility vs. Accountability
Responsibility belongs to those who must ensure that the activities are completed successfully.
Accountability applies to those who either own the required resources or have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.
Risk Management Roles and Responsibilities
The CRISC executes on:
Risk evaluation
Risk response activities
The CRISC functions within the risk governance framework established within the enterprise.
Section Topics
Relevance of Risk Management Frameworks, Standards and Practices
Risk management frameworks, standards and practices matter to the CRISC because they:
Provide a view of things to watch
Act as a guide to focus efforts
Help achieve business objectives
Provide credibility
Save time and cost
Frameworks
Framework: Generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes
The Risk IT Framework is an example
Standards
Standards: Established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.
Standards are usually intended for compliance purposes
IT Audit and Assurance Standards are an example
Practices
Practices are frequent or unusual actions performed as an application of knowledge.
Practices are issued by a recognized authority
Leading practices are actions that optimally apply knowledge in a particular area.
Practices are usually derived from, and supplement/support, standards and frameworks.
The Risk IT Practitioner Guide is an example
Section Topic
Essentials of Risk Governance
Relevance of Risk Governance
Risk is an integral part of business
Risk is a core factor related to the stability, growth and success of the organization
Risk represents the opportunity for growth and levels of profit
Risk poses the possibility of loss or damage to the business objectives
Risk governance addresses the oversight of the business risk strategy of the enterprise.
Overview of Risk Governance
Risk governance is the domain of the enterprise's senior management and shareholders.
This group is responsible for:
Establishing the organization's risk culture and acceptable levels of risk
Setting up the risk framework
Ensuring effectiveness of the risk management function
Objectives of Risk Governance
Risk governance has three main objectives:
1. Establishing and maintaining a common risk view
2. Integrating risk management into the enterprise
3. Making risk-aware business decisions
Foundation of Risk Governance
An effective risk governance foundation requires:
1. An understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
2. An awareness of risk and of the need for effective communication about risk throughout the enterprise
3. An understanding of the elements of risk culture
Objectives of Risk Governance (cont.): 1.
Objectives of Risk Governance (cont.): 2.
Objectives of Risk Governance (cont.): 3.
Key Concepts of Risk Governance
Elements of Effective Communication
Clear
Concise
Useful
Timely
Aimed at the correct target audience
Available on a need-to-know basis
Key Concepts of Risk Governance
Stakeholder Communication Inputs and Outputs
Risk Culture
Risk Culture (cont.)
Overview of a Risk-Aware Culture
Risk Culture
A risk-aware culture is a series of behaviors.
Case Study
Company XYZ has four offices located in the US, Canada, China and Egypt.
The company currently has four separate risk management plans and programs. While the offices all serve independent functions and have separate technology infrastructures, the plans are neither integrated nor have they ever been shared.
The company plans to IPO in the US later this year, and the company's CEO and board of directors have just directed the enterprise to build a centralized risk management and governance program.
You are the CRISC for your location's IT shop. Based on the topics discussed in this chapter, how would you participate?
Practice Question 1
X-1.
Thresholds
Consequences
Practice Question 2
X-2.
New technology
Practice Question 3
X-3.
Practice Question 4
X-4.
Practice Question 5
X-5.
CRISC
IT Management
Acronym Review
Review Guide Reference (Source/Page) | Acronym | Definition
I-D-1 | CRO |
I-D-1 | CIO |
I-F-2 | ERM |
Definition Review
Review Guide Reference (Source/Page) | Word | Definition
I-C-1 | Risk | Reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk means the potential for events and their consequences; contains both: opportunities for benefit (upside) and threats to success (downside)
I-D-1 | Responsibility | Belongs to those who must ensure that the activities are completed successfully
I-D-1 | Accountability | Applies to those who own the required resources or have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes
I-E-2 | Standards |
I-E-2 | Practices |
I-E-2 | Leading Practice |
I-F-3 | Risk Appetite |
I-F-3 | Risk Tolerance |
I-F-6 | Risk Awareness |
Supplemental Exercises
Correct Answer
COBIT 4.1
Framework
Practice
Standard
NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems
Practice
ISO 31000:2009 (at the time of this manual's publication, the newest for general purpose risk management)
Standard
Framework
Practice
Correct Answer
Executive management
and board
All Employees
Correct Answer
External Auditor
Executive management
and board
Business management
and business process
owners
IT management
(including security and
service management)
Insurer
All Employees
Correct Answer
External Auditor
Regulator
Investors
Insurer
Correct Answer
Business management
and business process
owners
Regulator
IT management
(including security and
service management)