CRISC ChapI PDF
Part I provides an overview of risk management and risk governance to ensure that the CRISC
candidate sufficiently understands the environment in which the CRISC functions.
While the CRISC may not personally perform the tasks related to risk governance, the concepts
that are addressed in Part I are important to effectively:
Part I Overview
[Exhibits referenced in Part I: IB1, IC1, IE1, IF1, IG1]
Risk management is the process of balancing the risk associated with business activities with an
adequate level of control that will enable the business to meet its objectives.
It holistically covers all concepts and processes affiliated with managing risk, including the
systematic application of management policies, procedures and practices; the tasks of establishing
the context, communicating and consulting; and identifying, analyzing, evaluating, treating,
monitoring and reviewing risk.
The CRISC must understand the principles and concepts of risk management and be able to apply
these principles to a unique enterprise. Risk is an integral part of all enterprises and must be
properly identified, managed and monitored to support the overall business objectives of the
enterprise.
While the CRISC is not expected to establish the risk tolerance or acceptance levels of the
enterprise (those are decisions to be made strategically by senior managers and shareholders of
the business), the CRISC is expected to provide accurate reporting on the levels of risk facing the
organization. This reporting is based on risk identification, assessment and analysis.
Other CRISC activities include recommending the use of mitigating IS controls to avoid or limit
adverse events and enabling the deployment of new business systems and initiatives to help
ensure that the enterprise can confidently leverage new opportunities without facing an
unacceptable level of risk.
Enterprises continuously plan, operate and deploy business activities and processes to achieve
business objectives. The CRISC is actively involved in ensuring that the operational risk of each
business activity is assessed; monitored; and, if necessary, addressed.
Each business activity carries both risk and opportunity, and the CRISC must be aware of the need
to balance business needs and productivity with IS controls.
Risk reflects the combination of the likelihood of events occurring and the impact those events
have on the enterprise.
Risk (the potential for events and their consequences) contains both:
Risk and opportunity go hand in hand. To provide business value to stakeholders, enterprises must
engage in various activities and initiatives, all of which carry degrees of uncertainty and,
therefore, risk.
Managing risk and opportunity is a key strategic activity for enterprise success.
The following are guiding principles for effective risk management:
Principle: Maintain business objective focus.
Description: Business objectives and the amount of risk that the enterprise is prepared to take are
clearly defined and documented. The entity's risk appetite reflects its risk management philosophy
and influences the culture and operating style (as stated in the Committee of Sponsoring
Organizations of the Treadway Commission [COSO] E...).
Principle: Integrate IT risk management into enterprise risk management (ERM).
Description: Risk issues are integrated for each business organization (i.e., the risk view is
consolidated across the overall enterprise). Attestation of/sign-off on control environment is
provided.
Principle: Promote continuous improvement as part of daily activities.
The framework defines a number of roles for risk management and indicates where these roles
carry responsibility or accountability for one or more activities within a process. In this context,
responsibility belongs to those who must ensure that the activities are completed successfully.
Note: Within this framework, the CRISC executes on risk evaluation and risk response activities
and functions within the risk governance framework established within the enterprise.
This section contains the following topics:
1. Differences Among Frameworks, Standards and Practices
2. Examples of Frameworks Related to Risk Management and IS Control
[Exhibits referenced in this section: IE1, IE2, IE3]
Frameworks, standards and practices matter to the CRISC because they:
Provide a systematic view of things to watch that could result in harm to customers or
an enterprise
Act as a guide to focus efforts of diverse teams
Save time and costs, such as training costs, operational costs and performance
improvement costs
Help achieve business objectives more quickly and easily
Provide credibility to engage functional (e.g., chief financial officer [CFO]) and C-suite
leadership
Examples of Frameworks, Standards and Practices
Frameworks
Organization: ISACA
Example: COBIT 4.1
Frameworks can be applied flexibly within an enterprise.
Standards
Organization: ISACA
Organization: International Organization for Standardization (ISO)
Example: ISO 31000:2009 (at the time of this manual's publication, the newest for general purpose
risk management). Note: Unlike other standards, this was not intended to be used for certification.
Organization: ISO/International Electrotechnical Commission (IEC)
Organization: British Standards Institution (BSI)
Standards (including corporate standards, which are not addressed here) ideally define measurable
objectives to enable compliance assessments. Standards are intended to be implemented in a rigid
way, with variations only as allowed in the standard.
The following table provides examples of leading practices related to risk management or control.
Practices
Organizations: ISACA; ISO/IEC; NIST
Topics
1. Risk Governance
5. Risk Culture
[Exhibits referenced in this section: IF1, IF2, IF3, IF10]
1. Risk Governance
Topic Overview
Risk governance is a strategic business function. Ultimately, it is the board of directors and
senior management's responsibility to set up the risk governance process, establish and
maintain a common risk view, make risk-aware business decisions, and set the enterprise's risk
culture.
This section discusses the elements of risk governance and how to put an effective risk
management structure in place. It is important to recognize that risk must be addressed from a
business perspective and not from a purely IT viewpoint. The principles of risk governance
must also be applied from an enterprisewide perspective and not solely on a department by
department or a system by system basis.
Note: While risk governance and the decisions made in the execution of risk governance
ultimately are not the responsibility of the CRISC, the practitioner must nevertheless
contribute to and enable sound risk management decisions through the execution of
many underlying tasks associated with the risk governance process.
2. Risk Governance Objectives
Risk Governance Objectives
Effective risk governance helps ensure that risk management practices are embedded in the
enterprise, enabling it to secure optimal risk-adjusted return. Risk governance has three main
objectives:
Establish and maintain a common risk view
Integrate risk management into the enterprise
Make risk-aware business decisions
Foundation for Effective Risk Governance
To effectively govern enterprise and IT risk, there must be an:
Understanding and consensus with respect to the risk appetite and risk tolerance of the
enterprise
Awareness of risk and the need for effective communication about risk throughout the
enterprise
Understanding of the elements of risk culture
Establish and Maintain a Common Risk View
Effective risk governance establishes the common view of risk for the enterprise. This
determines which controls are necessary to mitigate risk and how risk-based controls are
integrated into business processes and IS.
The risk governance function sets the tone of the business for determining an acceptable
level of risk tolerance. In the end, the senior management team is liable for the impact of the
risk faced by the enterprise and bears the responsibility to ensure that it is provided with ongoing
risk assessment results, monitors the risk environment and mandates corrective action where
risk levels are not within acceptable limits.
Risk governance is a continuous life cycle that requires regular reporting and ongoing review.
The risk governance function must oversee the operations of the risk management team.
Integrate Risk Management Into the Enterprise
Integrating risk management into the enterprise enforces a holistic enterprise risk
management (ERM) approach across the entire organization. It requires the integration of risk
management into every department, function, system and geographic location. Understanding
that risk in one department or system may pose an unacceptable risk to another department
or system requires that all business processes be compliant with at least a minimal or baseline
level of risk management.
The objective of ERM is to establish the authority to require all business processes to undergo
a risk analysis on a periodic basis or when there is a significant change to the internal or
external environment.
Make Risk-aware Business Decisions
To make risk-aware business decisions, the risk governance function must consider the full
range of opportunities and consequences of each such decision and its impact on the
enterprise, its place in society and the environment.
3. Risk Appetite and Tolerance
Definitions and Clarification of Risk Appetite and Risk Tolerance
Risk appetite and risk tolerance are concepts that are frequently used, but the potential
for misunderstanding is high. Some people use the concepts interchangeably; others see a
clear difference.
The following table provides definitions of each term.
Term: Risk appetite
Term: Risk tolerance
Definition: The acceptable variation relative to the achievement of an objective (and often is
best measured in the same units as those used to measure the related objective)
Risk Level: Really unacceptable
Description: Indicates really unacceptable risk. The enterprise estimates that this level of risk is
far beyond its normal risk appetite. Any risk found to be in this band may trigger an immediate
risk response.
Risk Level: Unacceptable
Description: Indicates elevated risk, i.e., also above acceptable risk appetite. The enterprise may,
as a matter of policy, require mitigation or another adequate response to be defined within
certain time boundaries.
Risk Level: Acceptable
Risk Level: Opportunity
[Table fragments: Description; Cost of risk mitigation options; Guideline]
Unbalanced communication to the external world on risk, especially in cases of high but
managed risk, which may lead to an incorrect perception of actual risk by third parties such as:
Clients
Investors
Regulators
The perception that the enterprise is trying to cover up known risk from stakeholders
Exhibit IF2: IT Risk Communication Components
Exhibit IF2 and the following table depict and describe the broad array of information flows
and the major types of IT risk information that should be communicated.
Current risk management capability
This information:
Allows for monitoring of the state of the risk management engine in the enterprise
Is a key indicator for good risk management
Has predictive value for how well the enterprise is managing risk and reducing exposure
Effective Communication
The following table lists the required elements for effective communication.
Communication Element: Clear
Communication Element: Concise
Communication Element: Useful
Communication Element: Timely
Description: For each risk, critical moments exist between its origination and its potential
business consequence.
Examples:
A risk may originate when an inadequate IT organization is set up; the business consequence is
inefficient IT operations and service delivery.
The origination point may be project failure; the business consequence is delayed business
initiatives.
Communication is timely when it allows action to be taken at the appropriate moments to
identify and treat the risk. It serves no useful purpose to communicate a project delay a week
before the deadline.
Communication Element: Aimed at the correct target audience
Description: Information must:
Be communicated at the right level of aggregation
Be adapted for the audience
Enable informed decisions
In this process, aggregation must not hide root causes of risk.
Example: A security officer needs technical IT data on intrusions and viruses to deploy
solutions. An IT steering committee may not need this level of detail, but it does need
aggregated information to decide on policy changes or additional budgets to treat the same risk.
Communication Element: Available on a need-to-know basis
Description: Information related to IT risk should be known and communicated to all parties with
a genuine need. A risk register with all documented risk is not public information and should be
properly protected against internal and external parties with no need for it. Communication does
not always need to be formal, through written reports or messages. Timely face-to-face meetings
between stakeholders are an important means of communication for information related to IT risk.
Exhibit IF3: Risk Communication Flows (Stakeholders)
Exhibit IF3 provides a quick overview of the most important communication channels for
effective and efficient risk management. The figure's intent is to provide a high-level overview
of the main communication flows on IT risk that should exist in one form or another in any
enterprise.
Note: This exhibit is focused on the most important information that each stakeholder needs to
process. The CRISC may hold one or more of the tactical or operational roles depicted.
Exhibit IF3: Risk Communication Flows (Stakeholders' Input)
5. Risk Culture
Importance of a Risk-aware Culture
Risk management is about helping enterprises take more risk in pursuit of return. A risk-aware
culture:
Characteristically offers a setting in which components of risk are discussed openly and
acceptable levels of risk are understood and maintained
Begins at the top, with board and business executives who:
Set direction.
Communicate risk-aware decision making.
Reward effective risk management behaviors.
Risk awareness also implies that all levels within an enterprise are aware of why a response is
needed and how to respond to adverse IT events.
Exhibit IF4: Elements of a Risk Culture
Risk culture is a concept that is not easy to describe. Exhibit IF4 and the following table
depict and describe the series of behaviors that are elements of a risk culture.
Description: How much risk does the enterprise feel it can absorb, and what specific risk is it
willing to take?
Behavior toward following policy
Behavior toward negative outcomes
Description: How does the enterprise deal with negative outcomes, i.e., loss events or missed
opportunities? Will it learn from them and try to adjust, or will blame be assigned without
treating the root cause?
Symptoms of an Inadequate or Problematic Risk Culture
Misalignment between real risk appetite and translation into policies
Existence of a blame culture