Crisc Chap PDF
Part I provides an overview of risk management and risk governance to ensure that the CRISC
candidate sufficiently understands the environment in which the CRISC functions.
While the CRISC may not personally perform the tasks related to risk governance, the concepts
that are addressed in Part I are important to effectively:
Note: The concepts introduced in Part I are considered a fundamental element of the CRISC
job practice.
As a result of completing this chapter, the CRISC candidate should be able to:

Contents
A. Part I Overview (I-A-1)
B. Overview of Risk Management (I-B-1)
C. Risk and Opportunity Management (I-C-1)
D. Roles and Responsibilities for IT-related Risk Management (I-D-1)
E. Risk Management Frameworks, Standards and Practices (I-E-1)
F. Essentials of Risk Governance (I-F-1)
G. Suggested Resources for Further Study (I-G-1)

B. Overview of Risk Management
Risk management is the process of balancing the risk associated with business activities with an
adequate level of control that will enable the business to meet its objectives.
It holistically covers all concepts and processes affiliated with managing risk, including the
systematic application of management policies, procedures and practices; the tasks of establishing
the context, communicating and consulting; and identifying, analyzing, evaluating, treating,
monitoring and reviewing risk.
The CRISC must understand the principles and concepts of risk management and be able to apply
these principles to a unique enterprise. Risk is an integral part of all enterprises and must be
properly identified, managed and monitored to support the overall business objectives of the
enterprise.
While the CRISC is not expected to establish the risk tolerance or acceptance levels of the
enterprise (those are decisions to be made strategically by senior managers and shareholders of
the business), the CRISC is expected to provide accurate reporting on the levels of risk facing the
organization. This reporting is based on risk identification, assessment and analysis.
Other CRISC activities include recommending the use of mitigating IS controls to avoid or limit
adverse events and enabling the deployment of new business systems and initiatives to help
ensure that the enterprise can confidently leverage new opportunities without facing an
unacceptable level of risk.
C. Risk and Opportunity Management
Enterprises continuously plan, operate and deploy business activities and processes to achieve
business objectives. The CRISC is actively involved in ensuring that the operational risk of each
business activity is assessed; monitored; and, if necessary, addressed.
Each business activity carries both risk and opportunity, and the CRISC must be aware of the need
to balance business needs and productivity with IS controls.

Risk reflects the combination of the likelihood of events occurring and the impact those events
have on the enterprise.
Risk and opportunity go hand in hand. To provide business value to stakeholders, enterprises must
engage in various activities and initiatives, all of which carry degrees of uncertainty and,
therefore, risk.
Managing risk and opportunity is a key strategic activity for enterprise success.
Maintain business objective focus: All risk is treated as a business risk, and the risk management
approach must be comprehensive and cross-functional.

• People
• Information
• Applications
• Infrastructure
D. Roles and Responsibilities for IT-related Risk Management

A number of roles are defined for risk management, with an indication of where each role
carries responsibility or accountability for one or more activities within a process. In this context:
Responsibility belongs to those who must ensure that the activities are completed
successfully.
Accountability applies to those who:
• Have the authority to approve the execution and/or accept the outcome of an activity within
specific risk management processes
Given that the roles in the figure are implemented differently in every enterprise and do not
necessarily correspond to organizational units or functions, each role has been briefly described.
E. Risk Management Frameworks, Standards and Practices

Contents
1. Differences Among Frameworks, Standards and Practices (I-E-1)
2. Examples of Frameworks Related to Risk Management and IS Control (I-E-2)
3. Examples of Standards Related to Risk Management and IS Control (I-E-3)
4. Examples of Leading Practices Related to Risk Management and IS Control (I-E-3)

Differences Among Frameworks, Standards and Practices
Frameworks, standards and practices:
• Provide a systematic view of "things to watch" that could result in harm to customers or
an enterprise
• Act as a guide to focus efforts of diverse teams
• Save time and costs, such as training costs, operational costs and performance
improvement costs
• Help achieve business objectives more quickly and easily
• Provide credibility to engage functional (e.g., chief financial officer [CFO]) and C-suite
leadership

Term | Definition
Frameworks | Are generally accepted, business-process-oriented structures that establish a
common language and enable repeatable business processes.
Note: This term may be defined differently in different disciplines. This definition
suits the purposes of this manual.
Standards | Establish mandatory rules, specifications and metrics used to measure compliance
against quality, value, etc.
Standards are usually intended for compliance purposes and to provide assurance
to others who interact with a process or outputs of a process (for example, food and
drug quality).
Practices | Are frequent or usual actions performed as an application of knowledge.
Note: Practices usually are derived from and supplement/support standards and
frameworks and are the least formal of the three.
Examples of Frameworks Related to Risk Management and IS Control

Source | Framework
ISACA | COBIT 4.1 (and other ISACA frameworks)
Committee of Sponsoring Organizations of the Treadway Commission (COSO) | Enterprise Risk Management framework
US National Institute of Standards and Technology (NIST) | Risk Management Framework (RMF)

Frameworks can be applied flexibly within an enterprise.
Examples of Standards Related to Risk Management and IS Control
Standards related to risk management include, but are not limited to, those in the following table.

Source | Standard
ISACA | IT Audit and Assurance Standards
International Organization for Standardization (ISO) | ISO 31000:2009 (at the time of this manual's publication, the newest
for general purpose risk management)
Note: Unlike other "standards," this was not intended to be used for certification.
ISO/International Electrotechnical Commission (IEC) | ISO/IEC 27001 (for information security management systems [ISMSs])
British Standards Institution (BSI) | BS 25999 (for business continuity)
BS 25999 comprises two parts: BS 25999-1 (code of practice) and BS 25999-2 (specification).

Standards, including corporate standards, which are not addressed here, ideally
define measurable objectives to enable compliance assessments. Standards are intended to be
implemented in a rigid way with variations only as allowed in the standard.
Examples of Leading Practices Related to Risk Management and IS Control
The following table provides examples of leading practices related to risk management or control.

Source | Leading practice
ISO/IEC | ISO/IEC 27002 (for ISMSs)
NIST | NIST Special Publication (SP) 800-37, Revision 1, Guide for
Applying the Risk Management Framework to Federal Information Systems
Carnegie Mellon University (CMU) Software Engineering Institute (SEI) | Operationally Critical Threat, Asset, and Vulnerability
Evaluation (OCTAVE)
Spanish Ministry for Public Administrations | Methodology for Information Systems Risk Analysis and
Management (MAGERIT version 2)
F. Essentials of Risk Governance

Section Overview
This section contains a brief introduction to risk governance to provide the CRISC candidate
with a baseline understanding of the holistic environment in which the CRISC functions.
Relevance
Risk is an integral part of business and a core factor related to the stability, growth and success
of the enterprise. Risk represents the opportunity for growth and levels of profit, but also
poses the possibility of loss or damage to the business objectives.
Risk governance addresses the oversight of the business risk strategy of the enterprise.
Risk governance is the domain of senior management and the shareholders of the enterprise.
They establish the organization's risk culture and the acceptable levels of risk; set up the
management framework; and ensure that the risk management function is operating
effectively to identify, manage, monitor and report on current and potential risk facing the
enterprise.
Contents
1. Risk Governance
Topic Overview
Risk governance is a strategic business function. Ultimately, it is the board of directors and
senior management's responsibility to set up the risk governance process, establish and
maintain a common risk view, make risk-aware business decisions, and set the enterprise's risk
culture.
This section discusses the elements of risk governance and how to put an effective risk
management structure in place. It is important to recognize that risk must be addressed from a
business perspective and not from a purely IT viewpoint. The principles of risk governance
must also be applied from an enterprisewide perspective and not solely on a department-by-
department or system-by-system basis.
Note: While risk governance and the decisions made in the execution of risk governance
ultimately are not the responsibility of the CRISC, the practitioner must nevertheless
contribute to and enable sound risk management decisions through the execution of
many underlying tasks associated with the risk governance process.
Effective risk governance helps ensure that risk management practices are embedded in the
enterprise, enabling it to secure optimal risk-adjusted return. Risk governance has three main
objectives:
• Understanding and consensus with respect to the risk appetite and risk tolerance of the
enterprise
• Awareness of risk and the need for effective communication about risk throughout the
enterprise
Effective risk governance establishes the common view of risk for the enterprise. This
determines which controls are necessary to mitigate risk and how risk-based controls are
integrated into business processes and IS.
The risk governance function sets the tone of the business in how to determine an acceptable
level of risk tolerance. In the end, the senior management team is liable for the impact of the
risk faced by the enterprise and bears the responsibility to ensure that it is provided ongoing
risk assessment results, monitors the risk environment and mandates corrective action where
the risk levels are not within acceptable limits.
Risk governance is a continuous life cycle that requires regular reporting and ongoing review.
The risk governance function must oversee the operations of the risk management team.
Integrating risk management into the enterprise enforces a holistic enterprise risk
management (ERM) approach across the entire organization. It requires the integration of risk
management into every department, function, system and geographic location. Understanding
that risk in one department or system may pose an unacceptable risk to another department
or system requires that all business processes be compliant with at least a minimal or baseline
level of risk management.
The objective of ERM is to establish the authority to require all business processes to undergo
a risk analysis on a periodic basis or when there is a significant change to the internal or
external environment.
To make risk-aware business decisions, the risk governance function must consider the full
range of opportunities and consequences of each such decision and its impact on the
enterprise, its place in society and the environment.
"Risk appetite" and "risk tolerance" are concepts that are frequently used, but the potential
for misunderstanding is high. Some people use the concepts interchangeably; others see a
clear difference.

Term | Definition
Risk appetite | The broad-based amount of risk a company or other entity is willing to accept in
pursuit of its mission (or vision)
Risk tolerance | The acceptable variation relative to the achievement of an objective (and often is
best measured in the same units as those used to measure the related objective)
Risk appetite is the broad-based amount of risk an enterprise is prepared to accept while
pursuing its business objectives. When considering the risk appetite levels for the enterprise,
the following two major factors are important:
• The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage
Risk appetite can and will be different among enterprises; there is no absolute norm or
standard of what constitutes acceptable and unacceptable risk. Every enterprise has to define
its own risk appetite levels and should:
• In line with the overall risk culture that the enterprise wants to express (that is, ranging from
very risk averse to risk taking/opportunity seeking)
Note: Risk appetite and risk tolerance should be applied not only to risk assessments,
but also to all risk decision making.
Risk level | Description
Really unacceptable | Indicates really unacceptable risk. The enterprise estimates that this level
of risk is far beyond its normal risk appetite. Any risk found to be in this band
may trigger an immediate risk response.
Unacceptable | Indicates elevated risk, i.e., also above acceptable risk appetite. The
enterprise may, as a matter of policy, require mitigation or another adequate
response to be defined within certain time boundaries.
Acceptable | Indicates a normal, acceptable level of risk, usually with no special action
required, except for maintaining the current controls or other responses.
Opportunity | Indicates very low risk, in which cost-saving opportunities may be found by
decreasing the degree of control or in which opportunities for assuming more
risk may arise.
Risk tolerance is the acceptable deviation from the level set by the risk appetite and business
objectives.
Example: Standards require projects to be completed within the estimated budgets and time,
but overruns of 10 percent of budget or 20 percent of time are tolerated.
Risk Appetite and Risk Tolerance Guidelines
The guidelines listed in the following table apply to risk appetite and risk tolerance.

Guideline | Description
Risk appetite and risk tolerance must connect. | Risk appetite and risk tolerance go hand in hand. Risk tolerance is
defined at the enterprise level and is reflected in policies set by the
executives. At lower (tactical) levels of the enterprise, or in some entities
of the enterprise, exceptions can be tolerated (or different thresholds
defined) as long as the overall exposure does not exceed the set risk
appetite at the enterprise level. Any business initiative includes a risk
component, so management should have the discretion to pursue new
opportunities that carry risk.
Enterprises in which policies are cast in stone, rather than "lines in the
sand," could lack the agility and innovation to exploit new business
opportunities. Conversely, there are situations in which policies are
based on specific legal, regulatory or industry requirements in which it is
appropriate to have no risk tolerance for failure to comply.
Exceptions to risk tolerance standards must be reviewed and approved. | Risk tolerance is defined at the enterprise level by the board and
clearly communicated to all stakeholders. A process should be in place to
review and approve any exceptions to such standards.
Risk appetite and tolerance change over time. | Risk appetite and tolerance change due to:
• New technology
Cost of risk mitigation options can affect risk tolerance. | There may be circumstances in which the cost/business impact of risk
mitigation options exceeds an enterprise's capabilities/resources, thus
forcing higher tolerance for one or more risk conditions.
Example: If a regulation states that sensitive data at rest must be
encrypted, yet there is no feasible encryption solution or the cost of
implementing a solution would have a large negative impact, the
enterprise may choose to accept the risk associated with regulatory
noncompliance, which is a risk trade-off. Such an acceptance is itself an
exception to a compliance requirement and should be documented and
approved through the exception review process described above.
Risk awareness is about acknowledging that risk is an integral part of the business. This does
not imply that all risk is to be avoided or eliminated, but rather that:
Risk communication is a critical part in the risk management process. People are naturally
uncomfortable talking about risk and tend to put off admitting that risk is involved and
communicating about issues, incidents and, eventually, even crises.
If risk is to be managed and mitigated, it must first be discussed and effectively communicated
throughout an enterprise.
• Awareness among all internal stakeholders of the importance of integrating risk and
opportunity in their daily duties
• Transparency to external stakeholders regarding the actual level of risk and risk management
processes in use
• A false sense of confidence at the top on the degree of actual exposure related to IT and lack
of a well-understood direction for risk management from the top down
• Unbalanced communication to the external world on risk, especially in cases of high, but
managed risk, which may lead to an incorrect perception on actual risk by third parties such as:
  Clients
  Investors
  Regulators
• The perception that the enterprise is trying to cover up known risk from stakeholders
Exhibit I-F-2 and the following table depict and describe the broad array of information flows
and the major types of IT risk information that should be communicated.

Risk Component to Be Communicated | Description
Expectations from risk management | This includes risk strategy, policies, procedures, awareness training,
continuous reinforcement of principles, etc. This is essential
communication on the enterprise's overall strategy toward IT risk and:
• Has predictive value for how well the enterprise is managing risk
and reducing exposure
Status with regard to IT risk | This includes the actual status with regard to IT risk including
information such as:
• Event/loss data
Effective Communication
The following table lists the required elements for effective communication.

Communication Element | Description
Timely | For each risk, critical moments exist between its origination and its
potential business consequence.
Examples:
Exhibit I-F-3 provides a quick overview of the most important communication channels for
effective and efficient risk management. The figure's intent is to provide a high-level overview
of the main communication flows on IT risk that should exist in one form or another in any
enterprise.
Note: This exhibit is focused on the most important information that each stakeholder needs to
process. The CRISC may hold one or more of the tactical or operational roles depicted.
Risk management is about helping enterprises take more risk in pursuit of return. A risk-aware
culture:
• Characteristically offers a setting in which components of risk are discussed openly and
acceptable levels of risk are understood and maintained
Risk awareness also implies that all levels within an enterprise are aware of why a response is
needed and how to respond to adverse IT events.
"Risk culture" is a concept that is not easy to describe. Exhibit I-F-4 and the following table
depict and describe the series of behaviors that are elements of a risk culture.

Exhibit I-F-4: Elements of a Risk Culture
Element | Description
Behavior toward taking risk | How much risk does the enterprise feel it can absorb, and what
specific risk is it willing to take?
Behavior toward following policy | To what extent will people embrace and/or comply with policy?
Behavior toward negative outcomes | How does the enterprise deal with negative outcomes, i.e., loss
events or missed opportunities? Will it learn from them and try to
adjust, or will blame be assigned without treating the root cause?
Existence of a "blame culture" | This type of culture should, by all means, be avoided; it is the most
effective inhibitor of relevant and efficient communication.
In extreme cases, the business unit may assign blame for a failure to
meet the expectations that the unit never clearly communicated. The
"blame game" only detracts from effective communication across
units, further fuelling delays. Executive leadership must identify and
quickly control a blame culture if collaboration is to be fostered
throughout the enterprise.