
ISACA
The recognized global leader in IT governance, control, security and assurance

High-level session overview
1. CRISC background information
2. Part I - The Big Picture

CRISC Background Information

About the CRISC Exam
The content of the 2011 CRISC Review Manual is based on the CRISC job practice found at www.isaca.org/criscjobpractice
There are 5 domains in the CRISC job practice
The CRISC exam is a practice-based exam. Simply reading the material in this manual will not properly prepare candidates for the exam.
No representations or warranties are made by ISACA in regard to this or other ISACA publications assuring candidates passage of the CRISC exam.
This publication was produced independently of the CRISC Certification Committee, which has no responsibility for the content of this manual.

About the CRISC Exam
The CRISC certification is designed to meet the growing demand for professionals who can integrate enterprise risk management (ERM) with discrete IS control skills. The technical skills and practices the CRISC certification promotes and evaluates are the building blocks of success in this growing field, and the CRISC designation demonstrates proficiency in this role.

Exam Relevance
Ensure that the CRISC candidate has the practical knowledge required to perform the tasks described in the task and knowledge statements.
The percentages listed with the domains indicate the emphasis or percentage of questions that will appear on the exam from each domain. For a description of each domain's task and knowledge statements, visit www.isaca.org/criscjobpractice.
Note: The concepts introduced in this manual are considered a fundamental part of the CRISC job practice.

% of Total Exam Questions (by domain)
Domain 1: 31%
Domain 2: 17%
Domain 3: 17%
Domain 4: 17%
Domain 5: 18%

About the CRISC Exam
The exam consists of 200 multiple-choice questions.
CRISC exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.
All questions are designed with one best answer.
The candidate is asked to choose the correct or best answer from the options.
Good preparation for the CRISC exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA offers study aids and review courses to exam candidates. See www.isaca.org/criscbooks to view the ISACA study aids that can help prepare for the exam.

Manual Setup
The CRISC Review Manual 2011 is organized into three parts:
Part I - The Big Picture: How Risk Management Relates to Risk Governance
Part II - Risk Management and Information Systems Control Theory and Concepts
Part III - Risk Management and Information Systems Control in Practice

Additional Resources
Study Questions, Answers and Explanations
Glossary
Suggested Resources for Further Study
List of Exhibits

The CRISC candidate also may find it useful to study the CRISC Review, Questions, Answers & Explanations Manual 2011, which consists of 100 multiple-choice study questions.

CRISC Review Course

Part I - The Big Picture: How Risk Management Relates to Risk Governance

Section Overview
Exam Relevance
Discuss specific topics within the chapter
Case Study
Sample Questions
Key Terms (Definition and Acronyms)
Suggested Reading

Part 1
Learning Objectives
As a result of completing this chapter, the CRISC candidate should be able to:
Differentiate between risk management and risk governance
Identify the roles and responsibilities for risk management
Distinguish between various risk management methodologies
Apply and differentiate the standards, practices and principles of risk management
List the main tasks related to risk governance
Recognize relevant risk management standards, frameworks and practices
Explain the meaning of key risk management concepts, including risk appetite and risk tolerance

ISACA
Trust in, and value from,
information systems

Section Topic: Risk Management

Section Topics
Risk Management
Essentials of Risk Governance
Risk Appetite and Risk Tolerance
Risk Awareness and Communication
Risk Culture

Overview of Risk Management
Risk Management:
Is the process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives.
Holistically covers all concepts and processes affiliated with managing risk, including the systematic application of management policies, procedures and practices; the tasks of communicating, consulting, establishing the context; and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

Risk
Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise.
Risk, the potential for events and their consequences, contains both:
Opportunities for benefit (upside)
Threats to success (downside)

Risk and Opportunity Management
Guiding Principles for Effective Risk Management
1. Maintain Business Objective Focus
2. Integrate IT Risk Management Into Enterprise Risk Management (ERM)
3. Balance The Costs And Benefits Of Managing Risk
4. Promote Fair And Open Communication
5. Establish Tone At The Top And Assign Personal Accountability
6. Daily Process With Continuous Improvement

Responsibility vs. Accountability
Responsibility belongs to those who must ensure that the activities are completed successfully.
Accountability applies to those who either own the required resources or those who have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.

Risk Management
Roles and Responsibilities
The CRISC executes on:
Risk evaluation
Risk response activities
The CRISC functions within the risk governance framework established within
the enterprise

Section Topics
Risk Management Frameworks, Standards and Practices

Relevance of Risk Management Frameworks, Standards and Practices
Risk management frameworks, standards and practices matter to the CRISC because they:
Provide a view of things to watch
Act as a guide to focus efforts
Help achieve business objectives
Provide credibility
Save time and cost

Frameworks
Framework: Generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes
The Risk IT Framework is an example

Standards
Standards: Established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.
Standards are usually intended for compliance purposes
IT Audit and Assurance Standards are an example

Practices
Practices are frequent or usual actions performed as an application of knowledge.
Practices are issued by a recognized authority
Leading Practices are actions that optimally apply knowledge in a particular area.
Practices are usually derived from, and supplement/support, standards and frameworks
The Risk IT Practitioner Guide is an example

Section Topic: Essentials of Risk Governance

Relevance of Risk Governance
Risk is an integral part of business
Risk is a core factor related to the stability, growth and success of the organization
Risk represents the opportunity for growth and levels of profit
Risk poses the possibility of loss or damage to the business objectives
Risk governance addresses the oversight of the business risk strategy of the enterprise

Overview of Risk Governance
Risk governance is the domain of the enterprise's senior management and shareholders.
This group is responsible for:
Establishing the organization's risk culture and acceptable levels of risk
Setting up the risk framework
Ensuring effectiveness of the risk management function

Objectives of Risk Governance
Risk governance has three main objectives:
1. Establishing and maintaining a common risk view
2. Integrating risk management into the enterprise
3. Making risk-aware business decisions

Foundation of Risk Governance
An effective risk governance foundation requires:
1. An understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
2. An awareness of risk and of the need for effective communication about risk throughout the enterprise
3. An understanding of the elements of risk culture

Objectives of Risk Governance (cont.)
1. Establishing and maintaining a common risk view
Determines which controls are necessary to mitigate risk
Determines how risk-based controls are integrated into business processes and IS
The risk governance function oversees the operations of the risk management team

Objectives of Risk Governance (cont.)
2. Integrating risk management into the enterprise
Enforces a holistic ERM approach for the enterprise
Requires integration of RM into every department, function, system and geographical location

Objectives of Risk Governance (cont.)
3. Making risk-aware business decisions
Consider the full range of opportunities and consequences of each decision throughout the enterprise, society and the environment

Essentials of Risk Governance

Risk Appetite and Tolerance

Risk Appetite and Risk Tolerance
Definitions
Risk appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as it pursues its objectives

Risk Appetite and Risk Tolerance (cont.)
How risk appetite relates to risk scenarios with varying frequency and magnitude
Frequency: How often is the event expected to occur?
Magnitude: What is the impact to the enterprise when the event occurs?

Risk Appetite and Risk Tolerance (cont.)
Applicable Guidelines for Risk Appetite and Risk Tolerance
Connectivity of risk appetite and risk tolerance
Review and approval of exceptions to risk tolerance standards
Risk appetite and tolerance change over time
Cost of risk mitigation options can affect risk tolerance

Essentials of Risk Governance

Risk Awareness and Communication

Risk Awareness and Communication
Description
Risk awareness is about acknowledging that risk is an integral part of the business
Risk communication stresses that if risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout the enterprise

Risk Awareness and Communication (cont.)
Good vs. Poor Communication
Benefits of good communication include contributing to management's understanding of exposures, awareness, and transparency to external stakeholders
Consequences of poor communication include a false sense of confidence relating to exposure, incorrect perception by external stakeholders and the perception that the enterprise lacks transparency with external stakeholders

Risk Awareness and Communication (cont.)
Types of Risk Information To Be Communicated
Expectations from risk management (strategy, policies, procedures, awareness, training, etc.)
Current risk management capability (risk management, process maturity)
Status with regard to IT risk (risk profile, key risk indicators, loss data, etc.)

Key Concepts of Risk Governance
Elements of Effective Communication
Clear
Concise
Useful
Timely
Aimed at the correct target audience
Available on a need-to-know basis

Key Concepts of Risk Governance
Stakeholder Communication Inputs and Outputs
It is important for the CRISC to know what types of information should come from and go to various stakeholders

Essentials of Risk Governance

Risk culture

Risk Culture (cont.)
Overview of a Risk-Aware Culture
Allows for open discussions about risk components
Acceptable levels of risk are understood and maintained
Begins at the top (board and executive):
Set direction
Communicate risk-aware decision making
Reward effective risk management behaviors
Implies that all levels are aware of how and when to respond to adverse IT events

Risk Culture
A risk-aware culture is a series of behaviors:
Behaviors toward taking risk
Behavior toward negative outcomes
Behavior toward policy compliance
Symptoms of an inadequate or problematic risk culture include:
Misalignment between real risk appetite and its translation into policies
Existence of a blame culture

Case Study & Practice Questions

Case Study
Company XYZ has four offices located in the US, Canada, China, and Egypt.
The company currently has four separate risk management plans and programs, and while the offices all serve independent functions and have separate technology infrastructures, the plans are not integrated, nor have they ever been shared.
The company plans to IPO in the US later this year, and the company's CEO and board of directors have just directed the enterprise to build a centralized risk management and governance program.
You are the CRISC for your location's IT shop. Based on the topics discussed in this chapter, how would you participate?

Practice Question 1
X-1. Risk management should consider the following aspect(s) of risk:
A. Thresholds
B. Consequences
C. Both, opportunities and threats
D. Both, opportunities and thresholds

Practice Question 2
X-2. What factors change risk appetite and tolerance?
A. New technology
B. New organizational structures
C. New market conditions
D. All of the above

Practice Question 3
X-3. Which of the following statements is true?
A. Risk tolerance is the amount of risk the company is willing to accept
B. Risk appetite is the acceptable variance relative to objective achievement
C. Risk tolerance is the acceptable variance relative to objective achievement
D. Risk tolerance level is based on the enterprise's ability to absorb loss

Practice Question 4
X-4. What risk components should be communicated?
A. Expectations from process owners
B. Status with regard to IT risk
C. Future risk exposure
D. Status with regard to Operational Risk

Practice Question 5
X-5. The IT risk action plan is an output communication from?
A. CRISC
B. Chief Information Officer
C. IT Management
D. Chief Risk Officer and the Enterprise Risk Management Committee

Definitions and Acronyms

Acronym Review
Review Guide Reference (Source/Page) | Acronym | Definition
I-D-1 | CRO | Chief Risk Officer
I-D-1 | CIO | Chief Information Officer
I-F-2 | ERM | Enterprise Risk Management

Definition Review
Review Guide Reference (Source/Page) | Word | Definition
I-C-1 | Risk | Reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk means the potential for events and their consequences; it contains both: Opportunities for benefit (upside) and Threats to success (downside)
I-D-1 | Responsibility | Belongs to those who must ensure that the activities are completed successfully
I-D-1 | Accountability | Applies to those who own the required resources or have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes
I-E-2 | Standards | Establish mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or outputs of a process
I-E-2 | Practices | Are frequent or usual actions performed as an application of knowledge. They are issued by a recognized authority that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review. Note: Practices usually are derived from and supplement/support standards and frameworks and are the least formal of the three.

Definition Review
Review Guide Reference (Source/Page) | Word | Definition
I-E-2 | Leading Practice | An action that optimally applies knowledge in a particular area
I-F-3 | Risk Appetite | The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision)
I-F-3 | Risk Tolerance | The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective)
I-F-6 | Risk Awareness | Is about acknowledging that risk is an integral part of the business. This does not imply that all risk is to be avoided or eliminated, but rather that: risk is well understood and known; IT risk issues are identifiable; the enterprise recognizes and uses the means to manage risk.

Supplemental Exercises

Big Picture Exercise 1
For each item, identify whether it is considered a Framework, Standard or Practice (Your Answer / Correct Answer):
COBIT 4.1 -> Framework
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) -> Practice
PCI Data Security Standard (PCI DSS) -> Standard
NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems -> Practice
ISO 31000:2009 (at the time of this manual's publication, the newest for general purpose risk management) -> Standard
The Risk IT Framework -> Framework
The Risk IT Practitioner Guide -> Practice

Big Picture Exercise 2
Identify the stakeholder for each risk communication flow input and output (Your Answer / Correct Answer):
Input - Current IT risk exposure/profile -> Executive management and board
Output - Potential IT risk issues -> All Employees
Input - Audit findings -> Risk control functions
Output - Support on risk awareness initiatives -> Human resources (HR)
Input - Enterprise appetite for IT risk -> Chief information officer (CIO)
Output - Financial information with regard to IT and IT programmes/projects (budget, actual, trends, etc.) -> Chief financial officer (CFO)
Output - Audit findings -> Compliance and audit

Big Picture Exercise 2
Identify the stakeholder for each risk communication flow input and output (Your Answer / Correct Answer):
Input - Control and compliance monitoring
External Auditor
Output - Key performance objectives
Executive management and board
Business management and business process owners
IT management (including security and service management)
Insurer
Input - Ongoing changes to IT risk factors
Output - IT risk mitigation strategy and plan, including assignment of responsibility and development of metrics
Input - Summary IT risk reports, including residual risk, controls maturity levels and audit findings
Input - Risk awareness expectations
All Employees
Input - IT risk register
Chief risk officer (CRO) and enterprise risk committee

Big Picture Exercise 2
Identify the stakeholder for each risk communication flow input and output (Your Answer / Correct Answer):
Output - Audit findings -> External Auditor
Input - Key performance objectives -> Chief financial officer (CFO)
Output - IT risk reports -> Risk control functions
Input - In general, all communications intended for the board and executive management -> Regulator
Input - Executive summary risk reports -> Investors
Output - Insurance coverage (property, business interruption, directors and officers) -> Insurer
Output - Business impact of the IT risk and impacted business units -> Chief information officer (CIO)

Big Picture Exercise 2
Identify the stakeholder for each risk communication flow input and output (Your Answer / Correct Answer):
Input - Risk awareness expectations
Human resources (HR)
Output - Enterprise appetite for IT risk
Output - Risk tolerance levels for their portfolio of investments
Chief risk officer (CRO) and enterprise risk committee
Investor
Input - IT risk RACI charts
Compliance and audit
Output - Control and compliance monitoring
Business management and business process owners
Regulator
Output - Requirements for controls and reporting
Input - Key performance objectives
IT management (including security and service management)

Suggested Resources for Further Study
Risk IT Framework and Practitioner Guides
Val IT Framework 2.0
COBIT 4.1
See your CRISC Review Manual for more sources of information.
