Questions To T RIsk-temp
1. Have you undertaken a high-level enterprise risk assessment of the risk universe to
determine a high-level IT risk rating? The purpose of this assessment is to obtain an initial
view of the overall IT risk with which the enterprise is confronted. This can be achieved by a
high-level assessment of the components of the risk universe, e.g., organisational entities.
The enterprise IT risk assessment provides a perspective on the inherent risk of the entity.
2. Once the risk universe is constructed and an initial enterprise IT risk assessment is
completed, how have you scoped RM activities? Scoping includes the activities needed to
decide which entities will be subject to RM activities, and the length and breadth of those RM
activities.
Risk categories:
4. Have you documented the different IT risk scenarios with their negative and positive risks?
5. Have you identified threat events (e.g., disclosure, interruption, modification, theft,
destruction, inappropriate use) – currently not determined; threat types (e.g., malicious,
accidental, failure, natural) – currently not determined; and threat actors (e.g., internal staff,
contractor, external competitor, outsider, regulator, market)?
7. Have you estimated risk using its two essential properties, i.e., frequency and impact?
Risk is estimated from two essential properties: frequency, the number of times in a given
period that an event is likely to occur, and impact, the business consequence of the event. The
impact scales are likewise not yet defined. Impact criteria include market share, productivity
(revenue), reputation and regulatory compliance.
9. Do you have a risk register template? Have you documented detailed information on each
identified risk, including risk owner, risk scenario, detailed scores, risk response and controls?
Compare against the risk register template.
10. Have you demonstrated the aggregated impact of the risks, both independent and shared, to
the entire enterprise?
11. Have you captured the risk response options (avoid, reduce, transfer, accept)? Have you
captured the approving authorities? Have you captured the residual risk?
13. Have you classified controls (e.g., predictive, preventive, detective, corrective)? Develop
tests for control design and tests for control operating effectiveness.
14. Have you documented an action plan for each risk response?
15. How do you perform reporting? Provide management with the results of the analysis to
support decision-making.
16. Does reporting include control effectiveness and performance, issues and gaps, remediation
status, events and incidents, and their impacts?
19. Do you monitor IT risks, i.e., categorise incidents (e.g., loss of business, policy violation,
system failure, fraud, lawsuit) and compare actual exposures against acceptable thresholds?
20. Do you initiate incident response, i.e., take action to minimise the impact of an incident in
progress?