
Questions:

1. Do you have a Communications Flow defined, covering:

– risk strategy, policies, procedures, awareness training and continuous reinforcement of principles;
– information on current RM capability;
– information on actual risk status?

1. Have you undertaken a high-level Enterprise Risk Assessment of the risk universe to determine a high-level IT risk rating? The purpose of this assessment is to obtain an initial view of the overall IT risk the enterprise is confronted with. This can be achieved by a high-level assessment of the components of the risk universe, e.g., organisational entities. The enterprise IT risk assessment provides a perspective on the inherent risk of each entity.

2. Once the risk universe is constructed and an initial enterprise IT risk assessment is completed, how have you scoped RM activities? Scoping includes the activities needed to decide which entities will be subject to RM activities and the length and breadth of those activities.

3. Have you documented Risk categories?

Risk categories:

– IT benefit/value enablement risk—Associated with (missed) opportunities to use technology to improve the efficiency or effectiveness of business processes or as an enabler for new business initiatives.

– IT programme and project delivery risk—Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programmes. This ties to investment portfolio management (as described in the Val IT framework).

– IT operations and service delivery risk—Associated with the operational stability, availability, protection and recoverability of IT services, which can bring destruction or reduction of value to the enterprise.

4. Have you documented different IT risk scenarios, with their negative and positive risks?

5. Have you identified threat events (e.g., disclosure, interruption, modification, theft, destruction, inappropriate use), threat types (e.g., malicious, accidental, failure, natural) and threat actors (e.g., internal staff, contractor, external competitor, outsider, regulator, market)?

6. Have you identified risk factors, both internal and external, and the relevant capabilities?

7. Have you estimated risk using its two essential properties, i.e. frequency and impact? Frequency is the number of times in a given period that an event is likely to occur; impact is the business consequence of the event. Are the impact scales defined, using impact criteria such as market share, productivity (revenue), reputation and regulatory compliance?

8. Have you adopted risk analysis methods, qualitative or quantitative?

9. Do you have a Risk Register template? Have you documented detailed information on each identified risk, including risk owner, risk scenario, detailed scores, risk response and controls? Compare against the Risk Register template.

10. Have you demonstrated the aggregated impact of the risks, independent and shared, to the entire enterprise?

11. Have you captured the risk response options (avoid, reduce, transfer, accept)? Have you captured the approving authorities? Is the residual risk captured?

12. How do you perform risk response selection and prioritisation?

13. Have you classified controls (e.g., predictive, preventive, detective, corrective)? Have you developed tests for control design and tests for control operating effectiveness?

14. Have you documented an action plan for each risk response?

15. How do you perform reporting? Do you provide management with the results of the analysis to support decision-making?

16. Does reporting include control effectiveness and performance, issues and gaps, remediation status, events and incidents, and their impacts?

17. How do you report IT risk action plan progress?

18. Do you maintain incident response plans?

19. Do you monitor IT risks, categorise incidents (e.g., loss of business, policy violation, system failure, fraud, lawsuit), and compare actual exposures against acceptable thresholds?

20. Do you initiate incident response, i.e. take action to minimise the impact of an incident in progress?

21. How do you communicate lessons learned from risk events?
