A: Part I Overview

Part I provides an overview of risk management and risk governance to ensure that the CRISC
candidate sufficiently understands the environment in which the CRISC functions.
  
While the CRISC may not personally perform the tasks related to risk governance, the concepts
that are addressed in Part I are important to effectively:

- Identify, assess and evaluate risk.
- Assist in selecting the appropriate risk response.
- Monitor risk.
- Design, implement, monitor and maintain information systems controls to mitigate such risk.

Note: The concepts introduced in Part I are considered a fundamental element of the CRISC
job practice.
 
  

As a result of completing this chapter, the CRISC candidate should be able to:

- Differentiate between risk management and risk governance.
- Identify the roles and responsibilities for risk management.
- Distinguish among various risk management methodologies.
- Apply and differentiate the standards, practices and principles of risk management.
- List the main tasks related to risk governance.
- Recognize relevant risk management standards, frameworks and practices.
- Explain the meaning of key risk management concepts, including risk appetite and risk
  tolerance.

Part I contains the following sections:

| Section | Starting Page | No. of Pages |
|---|---|---|
| A. Part I Overview | IA1 | |
| B. Overview of Risk Management | IB1 | |
| C. Risk and Opportunity Management | IC1 | |
| D. Roles and Responsibilities for IT-related Risk Management | ID1 | |
| E. Risk Management Frameworks, Standards and Practices | IE1 | |
| F. Essentials of Risk Governance | IF1 | 11 |
| G. Suggested Resources for Further Study | IG1 | |

B: Overview of Risk Management

Risk management is the process of balancing the risk associated with business activities with an
adequate level of control that will enable the business to meet its objectives.
It holistically covers all concepts and processes affiliated with managing risk, including the
systematic application of management policies, procedures and practices; the tasks of establishing
the context, communicating and consulting; and identifying, analyzing, evaluating, treating,
monitoring and reviewing risk.

The CRISC must understand the principles and concepts of risk management and be able to apply
these principles to a unique enterprise. Risk is an integral part of all enterprises and must be
properly identified, managed and monitored to support the overall business objectives of the
enterprise.
While the CRISC is not expected to establish the risk tolerance or acceptance levels of the
enterprise (those are decisions to be made strategically by senior managers and shareholders of
the business), the CRISC is expected to provide accurate reporting on the levels of risk facing the
organization. This reporting is based on risk identification, assessment and analysis.
Other CRISC activities include recommending the use of mitigating IS controls to avoid or limit
adverse events and enabling the deployment of new business systems and initiatives to help
ensure that the enterprise can confidently leverage new opportunities without facing an
unacceptable level of risk.

C: Risk and Opportunity Management

Enterprises continuously plan, operate and deploy business activities and processes to achieve
business objectives. The CRISC is actively involved in ensuring that the operational risk of each
business activity is assessed; monitored; and, if necessary, addressed.
Each business activity carries both risk and opportunity, and the CRISC must be aware of the need
to balance business needs and productivity with IS controls.
Risk reflects the combination of the likelihood of events occurring and the impact those events
have on the enterprise.
Risk, the potential for events and their consequences, contains both:

- Opportunities for benefit (upside)
- Threats to success (downside)


Risk and opportunity go hand in hand. To provide business value to stakeholders, enterprises must
engage in various activities and initiatives, all of which carry degrees of uncertainty and,
therefore, risk.
Managing risk and opportunity is a key strategic activity for enterprise success.


The following are guiding principles for effective risk management:

- Maintain business objective focus.
- Integrate IT risk management into enterprise risk management (ERM).
- Balance the costs and benefits of managing risk.
- Promote fair and open communication.
- Establish tone at the top and assign personal accountability.
- Promote continuous improvement as part of daily activities.

The following provides further detail on each principle.

Principle: Maintain business objective focus.
- All risk is treated as a business risk, and the risk management approach must be comprehensive
  and cross-functional.
- The focus is on business outcome. Each business function supports the achievement of business
  objectives; IT-related risk is expressed as the impact it can have on the achievement of business
  objectives or strategy.
- Every risk analysis considers business and IT-process resilience and contains a dependency
  analysis of how the business process depends on IT-related resources, such as people,
  information, applications and infrastructure.
- IT-related business risk is viewed from two angles: protection against value destruction, and
  enablement of value generation.

Principle: Integrate IT risk management into enterprise risk management (ERM).
- Business objectives and the amount of risk that the enterprise is prepared to take are clearly
  defined and documented.
- The entity's risk appetite reflects its risk management philosophy and influences the culture
  and operating style (as stated in the Committee of Sponsoring Organizations of the Treadway
  Commission [COSO] ERM framework).
- Risk issues are integrated for each business organization (i.e., the risk view is consolidated
  across the overall enterprise).
- Attestation of/sign-off on the control environment is provided.

Principle: Balance the costs and benefits of managing risk.
- Risk is prioritized and addressed in line with risk appetite and tolerance.
- Controls are implemented to address a risk and minimize impact and are based on a cost/benefit
  analysis. In other words, controls are not implemented simply for the sake of implementing
  controls.
- Existing controls are leveraged to address multiple risk factors or to address risk more
  efficiently.

Principle: Promote fair and open communication.
- Open, accurate, timely and transparent information on IT risk is exchanged and serves as the
  basis for all risk-related decisions.
- Risk issues, principles and risk management methods are integrated across the enterprise.
- Technical findings are translated into relevant and understandable business terms.

Principle: Establish tone at the top and assign personal accountability.
- Key personnel, i.e., influencers, business owners and the board of directors, are engaged in
  risk management.
- There is clear assignment and acceptance of risk ownership.
- Top management provides direction by means of policies, procedures and the right level of
  enforcement.
- Enterprise leadership actively promotes a risk-aware culture.
- Authorized individuals make risk decisions, including business-focused IT risk, e.g., for IT
  investment decisions, project funding, major IT environment changes, risk assessments, and the
  monitoring and testing of controls.

Principle: Promote continuous improvement as part of daily activities.
- Because of the dynamic nature of risk, risk management is an iterative, perpetual and ongoing
  process.
- The enterprise pays attention to consistent risk assessment methods, roles and responsibilities,
  tools, techniques, and criteria across the enterprise, noting especially: identification of key
  processes and associated risk; understanding of impacts on achieving business objectives; and
  identification of triggers that indicate when an update of the framework is required.
- Risk management practices are appropriately prioritized and embedded in enterprise
  decision-making processes that enable risk-return-aware business decisions.
- Risk management practices are straightforward and easy to use and contain practices to detect,
  prevent and mitigate threats and potential risk.

D: Roles and Responsibilities for IT-related Risk Management

The risk management framework defines a number of roles for risk management and indicates where
these roles carry responsibility or accountability for one or more activities within a process. In
this context:

- Responsibility belongs to those who must ensure that the activities are completed
  successfully.
- Accountability applies to those who:
  - Own the required resources
  - Have the authority to approve the execution and/or accept the outcome of an activity within
    specific risk management processes

Given that the roles in the figure are implemented differently in every enterprise and do not
necessarily correspond to organizational units or functions, each role has been briefly described.

Exhibit ID1: Responsibilities and Accountability for IT-related Risk Management

Note: Within this framework, the CRISC executes on risk evaluation and risk response activities
and functions within the risk governance framework established within the enterprise.
E: Risk Management Frameworks, Standards and Practices

This section contains the following topics:

| Topic | Starting Page |
|---|---|
| 1. Differences Among Frameworks, Standards and Practices | IE1 |
| 2. Examples of Frameworks Related to Risk Management and IS Control | IE2 |
| 3. Examples of Standards Related to Risk Management and IS Control | IE3 |
| 4. Examples of Leading Practices Related to Risk Management and IS Control | IE3 |

1. Differences Among Frameworks, Standards and Practices

Frameworks, standards and practices matter to the CRISC because they:

- Provide a systematic view of things to watch that could result in harm to customers or
  an enterprise
- Act as a guide to focus efforts of diverse teams
- Save time and costs, such as training costs, operational costs and performance
  improvement costs
- Help achieve business objectives more quickly and easily
- Provide credibility to engage functional (e.g., chief financial officer [CFO]) and C-suite
  leadership

The following table provides definitions for frameworks, standards and practices.

Frameworks: Are generally accepted, business-process-oriented structures that establish a common
language and enable repeatable business processes.
Note: This term may be defined differently in different disciplines. This definition suits the
purposes of this manual.

Standards: Establish mandatory rules, specifications and metrics used to measure compliance
against quality, value, etc. Standards are usually intended for compliance purposes and to provide
assurance to others who interact with a process or the outputs of a process (for example, food and
drug quality).

Practices: Are frequent or usual actions performed as an application of knowledge. A leading
practice would be defined as an action that optimally applies knowledge in a particular area.
They are issued by a recognized authority that is appropriate to the subject matter. Issuing bodies
may include professional associations and academic institutions or commercial entities such as
software vendors. They are generally based on a combination of research, expert insight and peer
review.
Note: Practices usually are derived from and supplement/support standards and frameworks and are
the least formal of the three.

2. Examples of Frameworks Related to Risk Management and IS Control

The following table provides examples of frameworks related to risk management.

| Source | Framework |
|---|---|
| ISACA | [title not legible in the source] |
| ISACA | [title not legible in the source] |
| ISACA | COBIT 4.1 |
| Committee of Sponsoring Organizations of the Treadway Commission (COSO) | [title not legible in the source] |
| US National Institute of Standards and Technology (NIST) | Risk Management Framework (RMF) |

Note: Frameworks can be applied flexibly within an enterprise.

3. Examples of Standards Related to Risk Management and IS Control

Standards related to risk management include, but are not limited to, those in the following table.

| Source | Standard |
|---|---|
| ISACA | IT Audit and Assurance Standards |
| International Organization for Standardization (ISO) | ISO 31000:2009 (at the time of this manual's publication, the newest for general purpose risk management). Note: Unlike other standards, this was not intended to be used for certification. |
| ISO/International Electrotechnical Commission (IEC) | ISO/IEC 2700x (for information security management systems [ISMSs]) |
| British Standards Institution (BSI) | BS 25999-x (for business continuity). BS 25999 comprises two parts. Part 1, the Code of Practice, provides business continuity management (BCM) best practice recommendations; please note that this is a guidance document only. Part 2, the Specification, provides the requirements for a BCM system (BCMS) based on BCM best practice; this is the part of the standard that can be used to demonstrate compliance via an auditing and certification process. |
| Payment Card Industry (PCI) Security Standards Council | PCI Data Security Standard (PCI DSS) |

Note: Standards, including corporate standards, which are not addressed here, ideally
define measurable objectives to enable compliance assessments. Standards are intended to be
implemented in a rigid way, with variations only as allowed in the standard.

4. Examples of Leading Practices Related to Risk Management and IS Control

The following table provides examples of leading practices related to risk management or control.

| Source | Practice |
|---|---|
| ISACA | [title not legible in the source] |
| ISO/IEC | ISO/IEC 2700x (for ISMSs) |
| NIST | NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems |
| Carnegie Mellon University (CMU) Software Engineering Institute (SEI) | Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) |
| Spanish Ministry for Public Administrations | Methodology for Information Systems Risk Analysis and Management (MAGERIT version 2) |

F: Essentials of Risk Governance


Section Overview
This section contains a brief introduction to risk governance to provide the CRISC candidate
with a baseline understanding of the holistic environment in which the CRISC functions.
Relevance
Risk is an integral part of business and a core factor related to the stability, growth and success
of the enterprise. Risk represents the opportunity for growth and levels of profit, but also
poses the possibility of loss or damage to the business objectives.
Risk governance addresses the oversight of the business risk strategy of the enterprise.
Risk governance is the domain of senior management and the shareholders of the enterprise.
They establish the organization's risk culture and the acceptable levels of risk; set up the
management framework; and ensure that the risk management function is operating
effectively to identify, manage, monitor and report on current and potential risk facing the
enterprise.
Contents
This section contains the following topics:

| Topic | Starting Page | No. of Pages |
|---|---|---|
| 1. Risk Governance | IF1 | |
| 2. Risk Governance Objectives | IF2 | |
| 3. Risk Appetite and Tolerance | IF3 | |
| 4. Risk Awareness and Communication | IF6 | |
| 5. Risk Culture | IF10 | |

1. Risk Governance
Topic Overview
Risk governance is a strategic business function. Ultimately, it is the board of directors' and
senior management's responsibility to set up the risk governance process, establish and
maintain a common risk view, make risk-aware business decisions, and set the enterprise's risk
culture.
This section discusses the elements of risk governance and how to put an effective risk
management structure in place. It is important to recognize that risk must be addressed from a
business perspective and not from a purely IT viewpoint. The principles of risk governance
must also be applied from an enterprise-wide perspective and not solely on a department-by-
department or a system-by-system basis.
Note: While risk governance and the decisions made in the execution of risk governance
ultimately are not the responsibility of the CRISC, the practitioner must nevertheless
contribute to and enable sound risk management decisions through the execution of
many underlying tasks associated with the risk governance process.
2. Risk Governance Objectives
Risk Governance Objectives
Effective risk governance helps ensure that risk management practices are embedded in the
enterprise, enabling it to secure optimal risk-adjusted return. Risk governance has three main
objectives:
- Establish and maintain a common risk view
- Integrate risk management into the enterprise
- Make risk-aware business decisions
Foundation for Effective Risk Governance
To effectively govern enterprise and IT risk, there must be an:
- Understanding and consensus with respect to the risk appetite and risk tolerance of the
  enterprise
- Awareness of risk and the need for effective communication about risk throughout the
  enterprise
- Understanding of the elements of risk culture
Establish and Maintain a Common Risk View
Effective risk governance establishes the common view of risk for the enterprise. This
determines which controls are necessary to mitigate risk and how risk-based controls are
integrated into business processes and IS.
The risk governance function sets the tone of the business in how to determine an acceptable
level of risk tolerance. In the end, the senior management team is liable for the impact of the
risk faced by the enterprise and bears the responsibility to ensure that it is provided ongoing
risk assessment results, monitors the risk environment and mandates corrective action where
the risk levels are not within acceptable limits.
Risk governance is a continuous life cycle that requires regular reporting and ongoing review.
The risk governance function must oversee the operations of the risk management team.
Integrate Risk Management Into the Enterprise
Integrating risk management into the enterprise enforces a holistic enterprise risk
management (ERM) approach across the entire organization. It requires the integration of risk
management into every department, function, system and geographic location. Understanding
that risk in one department or system may pose an unacceptable risk to another department
or system requires that all business processes be compliant with at least a minimal or baseline
level of risk management.
The objective of ERM is to establish the authority to require all business processes to undergo
a risk analysis on a periodic basis or when there is a significant change to the internal or
external environment.
Make Risk-aware Business Decisions
To make risk-aware business decisions, the risk governance function must consider the full
range of opportunities and consequences of each such decision and its impact on the
enterprise, its place in society and the environment.
3. Risk Appetite and Tolerance
Definitions and Clarification of Risk Appetite and Risk Tolerance
Risk appetite and risk tolerance are concepts that are frequently used, but the potential
for misunderstanding is high. Some people use the concepts interchangeably; others see a
clear difference.
The following table provides definitions of each term.

| Term | Definition |
|---|---|
| Risk appetite | The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision) |
| Risk tolerance | The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective) |

Note: These definitions are compatible with the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) ERM definitions, which are equivalent to the ISO 31000 definition in
Guide 73:2009, Risk Management Vocabulary.

Major Factors When Considering Risk Appetite Levels

Risk appetite is the broad-based amount of risk an enterprise is prepared to accept while
pursuing its business objectives. When considering the risk appetite levels for the enterprise,
the following two major factors are important:
- The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage
- The (management) culture or predisposition toward risk taking: cautious or aggressive. (What
  is the amount of loss the enterprise wants to accept to pursue a return?)
Risk appetite can and will be different among enterprises; there is no absolute norm or
standard of what constitutes acceptable and unacceptable risk. Every enterprise has to define
its own risk appetite levels and should:
- Ensure that such definitions/levels are:
  - In line with the overall risk culture that the enterprise wants to express (that is, ranging
    from very risk averse to risk taking/opportunity seeking)
  - Well defined, understood and communicated
- Review them on a regular basis
Note: Risk appetite and risk tolerance should be applied not only to risk assessments,
but also to all risk decision making.
In practice, risk appetite can be defined, in terms of combinations of frequency and
magnitude of a risk, using risk maps. Exhibit IF1 and the following table depict and describe
different bands of risk significance, based on frequency and magnitude of risk.
Exhibit IF1: Risk Map Indicating Risk Appetite Bands

| Risk Level | Description |
|---|---|
| Really Unacceptable | Indicates really unacceptable risk. The enterprise estimates that this level of risk is far beyond its normal risk appetite. Any risk found to be in this band may trigger an immediate risk response. |
| Unacceptable | Indicates elevated risk, i.e., also above acceptable risk appetite. The enterprise may, as a matter of policy, require mitigation or another adequate response to be defined within certain time boundaries. |
| Acceptable | Indicates a normal, acceptable level of risk, usually with no special action required, except for maintaining the current controls or other responses |
| Opportunity | Indicates very low risk, in which cost-saving opportunities may be found by decreasing the degree of control or in which opportunities for assuming more risk may arise |

Note: This risk appetite scheme is an example. Each enterprise has to define its own risk
appetite levels and review them regularly.

Risk Tolerance Example


Risk tolerance is the acceptable deviation from the level set by the risk appetite and business
objectives.
Example: Standards require projects to be completed within the estimated budgets and time,
but overruns of 10 percent of budget or 20 percent of time are tolerated.
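As an added example (not code from the manual or from ISACA), the following Python model puts the two ideas above into working form: a risk map that assigns a (frequency, magnitude) pair to one of the four appetite bands in the table, and a tolerance check for the project budget/time example. Only the four band names and the 10 percent / 20 percent tolerances come from the text; the ordinal scales, the band grid, the register entries and the project figures are assumptions constructed for illustration, and a real enterprise would substitute the appetite levels it has defined and approved.

```python
"""Risk map bands and tolerance checks (added example; all scales, cutoffs and sample
figures below are constructed for illustration, not taken from the manual)."""
from dataclasses import dataclass
from enum import Enum
from typing import Sequence


class Band(str, Enum):
    REALLY_UNACCEPTABLE = "Really Unacceptable"  # may trigger an immediate response
    UNACCEPTABLE = "Unacceptable"                # response to be defined within a set time
    ACCEPTABLE = "Acceptable"                    # maintain current controls
    OPPORTUNITY = "Opportunity"                  # control may be relaxed, or more risk taken


def _rate(value: float, cutoffs: Sequence[float]) -> int:
    """Ordinal rating: index of the first ascending cutoff the value falls below,
    or len(cutoffs) when it is at or above all of them."""
    if value < 0:
        raise ValueError("frequency and magnitude must be non-negative")
    return next((i for i, cut in enumerate(cutoffs) if value < cut), len(cutoffs))


@dataclass(frozen=True)
class RiskMap:
    """Ordinal frequency and magnitude scales plus a band for every (f, m) cell.
    The manual only says appetite 'can be defined in terms of combinations of
    frequency and magnitude'; the scales and grid below are an assumption."""
    frequency_cutoffs: Sequence[float]   # events per year
    magnitude_cutoffs: Sequence[float]   # loss per event, currency units
    grid: Sequence[Sequence[Band]]       # grid[f][m]

    def __post_init__(self) -> None:
        nf, nm = len(self.frequency_cutoffs) + 1, len(self.magnitude_cutoffs) + 1
        if len(self.grid) != nf or any(len(row) != nm for row in self.grid):
            raise ValueError(f"grid must be {nf}x{nm}")  # misconfiguration: fail early

    def band(self, frequency_per_year: float, magnitude: float) -> Band:
        f = _rate(frequency_per_year, self.frequency_cutoffs)
        m = _rate(magnitude, self.magnitude_cutoffs)
        return self.grid[f][m]


# Constructed 3x3 map: frequency rare (<0.1/yr), occasional (<1/yr), frequent;
# magnitude low (<10k), medium (<100k), high. Rows = frequency, columns = magnitude.
R, U, A, O = Band.REALLY_UNACCEPTABLE, Band.UNACCEPTABLE, Band.ACCEPTABLE, Band.OPPORTUNITY
EXAMPLE_MAP = RiskMap(frequency_cutoffs=(0.1, 1.0), magnitude_cutoffs=(10_000, 100_000),
                      grid=((O, A, U),    # rare
                            (A, U, R),    # occasional
                            (A, R, R)))   # frequent


def classify_register(risks: Sequence[dict], risk_map: RiskMap = EXAMPLE_MAP) -> dict:
    """Group register entries by band, so the two bands above appetite can drive
    response tracking and the Opportunity band can drive control-cost reviews."""
    grouped = {b: [] for b in Band}
    for r in risks:
        grouped[risk_map.band(r["frequency_per_year"], r["magnitude"])].append(r["name"])
    return grouped


# Risk tolerance, in the objective's own units (fraction of plan): the manual's example
# tolerates a 10 percent budget overrun and a 20 percent schedule overrun.
TOLERANCES = {"budget": 0.10, "time": 0.20}


def overrun(planned: float, actual: float) -> float:
    """Deviation as a fraction of plan; negative means under plan."""
    if planned <= 0:
        raise ValueError("planned value must be positive")
    return (actual - planned) / planned


def tolerance_breaches(project: dict, tolerances: dict = TOLERANCES) -> list:
    """Objectives whose deviation exceeds the tolerated variation, with the deviation."""
    breaches = []
    for obj, tol in tolerances.items():
        dev = overrun(project[f"planned_{obj}"], project[f"actual_{obj}"])
        if dev > tol:
            breaches.append((obj, round(dev, 3)))
    return breaches


if __name__ == "__main__":
    register = [  # constructed register entries
        {"name": "unpatched internet-facing server", "frequency_per_year": 2.0, "magnitude": 250_000},
        {"name": "laptop theft", "frequency_per_year": 0.5, "magnitude": 20_000},
        {"name": "printer outage", "frequency_per_year": 3.0, "magnitude": 500},
        {"name": "data centre flood", "frequency_per_year": 0.02, "magnitude": 5_000},
    ]
    for band, names in classify_register(register).items():
        print(f"{band.value}: {names}")
    project = {"planned_budget": 100.0, "actual_budget": 108.0,
               "planned_time": 30.0, "actual_time": 39.0}
    print("tolerance breaches:", tolerance_breaches(project))  # [('time', 0.3)]
```

The grid, rather than a single frequency-times-magnitude product, is what lets an enterprise express a non-linear appetite, for example treating a rare but very large loss as Unacceptable while a frequent trivial one stays Acceptable; the `__post_init__` check rejects a grid that does not match its scales so that a misconfigured map fails when it is defined, not when a risk is looked up.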

Risk Appetite and Risk Tolerance Guidelines

The guidelines listed below apply to risk appetite and risk tolerance.

Guideline: Risk appetite and risk tolerance must connect.
Risk appetite and risk tolerance go hand in hand. Risk tolerance is defined at the enterprise
level and is reflected in policies set by the executives. At lower (tactical) levels of the
enterprise, or in some entities of the enterprise, exceptions can be tolerated (or different
thresholds defined) as long as the overall exposure does not exceed the set risk appetite at the
enterprise level. Any business initiative includes a risk component, so management should have
the discretion to pursue new opportunities of risk.
Enterprises in which policies are cast in stone, rather than lines in the sand, could lack the
agility and innovation to exploit new business opportunities. Conversely, there are situations in
which policies are based on specific legal, regulatory or industry requirements in which it is
appropriate to have no risk tolerance for failure to comply.

Guideline: Exceptions to risk tolerance standards must be reviewed and approved.
Risk tolerance is defined at the enterprise level by the board and clearly communicated to all
stakeholders. A process should be in place to review and approve any exceptions to such
standards.

Guideline: Risk appetite and tolerance change over time.
Risk appetite and tolerance change due to:
- New technology
- New organizational structures
- New market conditions
- New business strategy
- Many other factors
Such factors require an enterprise to reassess its risk portfolio at regular intervals and also
require the enterprise to reconfirm its risk appetite at regular intervals, triggering risk policy
reviews.
In this respect, an enterprise also needs to understand that the better risk management it has in
place, the more risk can be taken in pursuit of return.

Guideline: Cost of risk mitigation options can affect risk tolerance.
There may be circumstances in which the cost/business impact of risk mitigation options exceeds
an enterprise's capabilities/resources, thus forcing higher tolerance for one or more risk
conditions.
Example: If a regulation states that sensitive data at rest must be encrypted, yet there is no
feasible encryption solution or the cost of implementing a solution would have a large negative
impact, the enterprise may choose to accept the risk associated with regulatory noncompliance,
which is a risk trade-off.

4. Risk Awareness and Communication


Defining Risk Awareness
Risk awareness is about acknowledging that risk is an integral part of the business. This does
not imply that all risk is to be avoided or eliminated, but rather that:
- Risk is well understood and known.
- IT risk issues are identifiable.
- The enterprise recognizes and uses the means to manage risk.
Importance of Risk Communication
Risk communication is a critical part of the risk management process. People are naturally
uncomfortable talking about risk and tend to put off admitting that risk is involved and
communicating about issues; incidents; and, eventually, even crises.
If risk is to be managed and mitigated, it must first be discussed and effectively communicated
throughout an enterprise.
Benefits of Effective Risk Communication
The benefits of open communication on risk include:
- Assistance in executive management's understanding of the actual exposure to IT risk,
  enabling the definition of appropriate and informed risk responses
- Awareness among all internal stakeholders of the importance of integrating risk and
  opportunity in their daily duties
- Transparency to external stakeholders regarding the actual level of risk and risk management
  processes in use
Consequences of Poor Risk Communication
The consequences of poor communication of risk include:
- A false sense of confidence at the top on the degree of actual exposure related to IT and lack
  of a well-understood direction for risk management from the top down
- Unbalanced communication to the external world on risk, especially in cases of high, but
  managed risk, which may lead to an incorrect perception on actual risk by third parties such as
  clients, investors and regulators
- The perception that the enterprise is trying to cover up known risk from stakeholders
Exhibit IF2 and the following table depict and describe the broad array of information flows
and the major types of IT risk information that should be communicated.
Exhibit IF2: IT Risk Communication Components

Risk component to be communicated: Expectations from risk management
This includes risk strategy, policies, procedures, awareness training, continuous reinforcement
of principles, etc. This is essential communication on the enterprise's overall strategy toward
IT risk and:
- Drives all subsequent efforts on risk management
- Sets the overall expectations from risk management

Risk component to be communicated: Current risk management capability
This information:
- Allows for monitoring of the state of the risk management engine in the enterprise
- Is a key indicator for good risk management
- Has predictive value for how well the enterprise is managing risk and reducing exposure

Risk component to be communicated: Status with regard to IT risk
This includes the actual status with regard to IT risk, including information such as:
- Risk profile of the enterprise, i.e., the overall portfolio of (identified) risk to which the
  enterprise is exposed
- Key risk indicators (KRIs) to support management reporting on risk
- Event/loss data
- Root cause of loss events
- Options to mitigate risk (including cost and benefits)

Effective Communication
The following table lists the required elements for effective communication.

Element: Clear
Risk information must be known and understood by all stakeholders.

Element: Concise
Information or communication should not inundate the recipients. All ground rules of good
communication apply to communication on risk. This includes the avoidance of jargon and technical
terms regarding risk because the intended audiences are generally not deeply technologically
skilled.

Element: Useful
Any communication on risk must be relevant. Technical information that is too detailed and/or is
sent to inappropriate parties will hinder, rather than enable, a clear view of risk.

Element: Timely
For each risk, critical moments exist between its origination and its potential business
consequence.
Examples:
- A risk may originate when an inadequate IT organization is set up; the business consequence is
  inefficient IT operations and service delivery.
- The origination point may be project failure; the business consequence is delayed business
  initiatives.
Communication is timely when it allows action to be taken at the appropriate moments to identify
and treat the risk. It serves no useful purpose to communicate a project delay a week before the
deadline

Element: Aimed at the correct target audience
Information must:
- Be communicated at the right level of aggregation
- Be adapted for the audience
- Enable informed decisions
In this process, aggregation must not hide root causes of risk.
Example: A security officer needs technical IT data on intrusions and viruses to deploy
solutions. An IT steering committee may not need this level of detail, but it does need
aggregated information to decide on policy changes or additional budgets to treat the same risk.

Element: Available on a need-to-know basis
Information related to IT risk should be known and communicated to all parties with a genuine
need. A risk register with all documented risk is not public information and should be properly
protected against internal and external parties with no need for it. Communication does not
always need to be formal, through written reports or messages. Timely face-to-face meetings
between stakeholders are an important means of communication for information related to IT risk.
Exhibit IF3 provides a quick overview of the most important communication channels for
effective and efficient risk management. The figure's intent is to provide a high-level overview
of the main communication flows on IT risk that should exist in one form or another in any
enterprise.
Note: This exhibit is focused on the most important information that each stakeholder needs to
process. The CRISC may hold one or more of the tactical or operational roles depicted.
Exhibit IF3: Risk Communication Flows: Stakeholders

5. Risk Culture
Importance of a Risk-aware Culture
Risk management is about helping enterprises take more risk in pursuit of return. A risk-aware
culture:
- Characteristically offers a setting in which components of risk are discussed openly and
  acceptable levels of risk are understood and maintained
- Begins at the top, with board and business executives who:
  - Set direction.
  - Communicate risk-aware decision making.
  - Reward effective risk management behaviors.
Risk awareness also implies that all levels within an enterprise are aware of why a response is
needed and how to respond to adverse IT events.
Risk culture is a concept that is not easy to describe. Exhibit IF4 and the following table
depict and describe the series of behaviors that are elements of a risk culture.

Exhibit IF4: Elements of a Risk Culture

Elements of a Risk Culture

Behavior toward taking risk: How much risk does the enterprise feel it can absorb, and what
specific risk is it willing to take?

Behavior toward following policy: To what extent will people embrace and/or comply with policy?

Behavior toward negative outcomes: How does the enterprise deal with negative outcomes, i.e.,
loss events or missed opportunities? Will it learn from them and try to adjust, or will blame be
assigned without treating the root cause?

Symptoms of an Inadequate or Problematic Risk Culture

Misalignment between real risk appetite and translation into policies: Management's real
position toward risk can be reasonably aggressive and risk taking, whereas the policies that are
created reflect a much stricter attitude.

Existence of a blame culture: This type of culture should, by all means, be avoided; it is the
most effective inhibitor of relevant and efficient communication. In a blame culture, business
units tend to point the finger at IT when projects are not delivered on time or do not meet
expectations. In doing so, they fail to realize how the business unit's involvement up front
affects project success. In extreme cases, the business unit may assign blame for a failure to
meet the expectations that the unit never clearly communicated. The blame game only detracts
from effective communication across units, further fuelling delays. Executive leadership must
identify and quickly control a blame culture if collaboration is to be fostered throughout the
enterprise.
