A: Part I Overview

Part Overview

Part I provides an overview of risk management and risk governance to ensure that the CRISC
candidate sufficiently understands the environment in which the CRISC functions.

Relevance

While the CRISC may not personally perform the tasks related to risk governance, the concepts
that are addressed in Part I are important to effectively:

• Identify, assess and evaluate risk.
• Assist in selecting the appropriate risk response.
• Monitor risk.
• Design, implement, monitor and maintain information systems controls to mitigate such risk.

Note: The concepts introduced in Part I are considered a fundamental element of the CRISC
job practice.

Learning Objectives

As a result of completing this chapter, the CRISC candidate should be able to:

• Differentiate between risk management and risk governance.
• Identify the roles and responsibilities for risk management.
• Distinguish among various risk management methodologies.
• Apply and differentiate the standards, practices and principles of risk management.
• List the main tasks related to risk governance.
• Recognize relevant risk management standards, frameworks and practices.
• Explain the meaning of key risk management concepts, including "risk appetite" and "risk
tolerance."

Contents

Part I contains the following sections:

Section Starting Page No. of Pages

A. Part I Overview I-A-1 1
B. Overview of Risk Management I-B-1 1
C. Risk and Opportunity Management I-C-1 2
D. Roles and Responsibilities for IT-related Risk Management I-D-1 1
E. Risk Management Frameworks, Standards and Practices I-E-1 3
F. Essentials of Risk Governance I-F-1 11
G. Suggested Resources for Further Study I-G-1 1

B: Overview of Risk Management

Section Overview

Risk management is the process of balancing the risk associated with business activities with an
adequate level of control that will enable the business to meet its objectives.

It holistically covers all concepts and processes affiliated with managing risk, including the
systematic application of management policies, procedures and practices; the tasks of establishing
the context, communicating and consulting; and identifying, analyzing, evaluating, treating,
monitoring and reviewing risk.

Relevance

The CRISC must understand the principles and concepts of risk management and be able to apply
these principles to a unique enterprise. Risk is an integral part of all enterprises and must be
properly identified, managed and monitored to support the overall business objectives of the
enterprise.

While the CRISC is not expected to establish the risk tolerance or acceptance levels of the
enterprise (those are decisions to be made strategically by senior managers and shareholders of
the business), the CRISC is expected to provide accurate reporting on the levels of risk facing the
organization. This reporting is based on risk identification, assessment and analysis.

Other CRISC activities include recommending the use of mitigating IS controls to avoid or limit
adverse events and enabling the deployment of new business systems and initiatives to help
ensure that the enterprise can confidently leverage new opportunities without facing an
unacceptable level of risk.

C: Risk and Opportunity Management

Section Overview

Enterprises continuously plan, operate and deploy business activities and processes to achieve
business objectives. The CRISC is actively involved in ensuring that the operational risk of each
business activity is assessed; monitored; and, if necessary, addressed.

Each business activity carries both risk and opportunity, and the CRISC must be aware of the need
to balance business needs and productivity with IS controls.

Definition of Risk

Risk reflects the combination of the likelihood of events occurring and the impact those events
have on the enterprise.

Risk (the potential for events and their consequences) contains both:

• Opportunities for benefit (upside)
• Threats to success (downside)

Risk and Opportunity

Risk and opportunity go hand in hand. To provide business value to stakeholders, enterprises must
engage in various activities and initiatives, all of which carry degrees of uncertainty and,
therefore, risk.

Managing risk and opportunity is a key strategic activity for enterprise success.

Guiding Principles for Effective Risk Management

The following are guiding principles for effective risk management:

• Maintain business objective focus.
• Integrate IT risk management into enterprise risk management (ERM).
• Balance the costs and benefits of managing risk.
• Promote fair and open communication.
• Establish tone at the top and assign personal accountability.
• Promote continuous improvement as part of daily activities.

The following table provides further detail.

Principle Description

Maintain business objective focus.
• All risk is treated as a business risk, and the risk management approach must be
comprehensive and cross-functional.
• The focus is on business outcome. Each business function supports the achievement of
business objectives; IT-related risk is expressed as the impact it can have on the achievement
of business objectives or strategy.
• Every risk analysis considers business and IT-process resilience and contains a dependency
analysis of how the business process depends on IT-related resources, such as:
  – People
  – Information
  – Applications
  – Infrastructure
• IT-related business risk is viewed from two angles:
  – Protection against value destruction
  – Enablement of value generation

Integrate IT risk management into enterprise risk management (ERM).
• Business objectives and the amount of risk that the enterprise is prepared to take are clearly
defined and documented.
• The entity's risk appetite reflects its risk management philosophy and influences the culture
and operating style (as stated in the Committee of Sponsoring Organizations of the Treadway
Commission [COSO] Enterprise Risk Management – Integrated Framework).
• Risk issues are integrated for each business organization (i.e., the risk view is consolidated
across the overall enterprise).
• Attestation of/sign-off on control environment is provided.

Balance the costs and benefits of managing risk.
• Risk is prioritized and addressed in line with risk appetite and tolerance.
• Controls are implemented to address a risk and minimize impact and are based on a
cost/benefit analysis. In other words, controls are not implemented simply for the sake of
implementing controls.
• Existing controls are leveraged to address multiple risk factors or to address risk more
efficiently.

Promote fair and open communication.
• Open, accurate, timely and transparent information on IT risk is exchanged and serves as the
basis for all risk-related decisions.
• Risk issues, principles and risk management methods are integrated across the enterprise.
• Technical findings are translated into relevant and understandable business terms.

Establish tone at the top, and assign personal accountability.
• Key personnel, i.e., influencers, business owners and the board of directors, are engaged in
risk management.
• There is clear assignment and acceptance of risk ownership.
• Top management provides direction by means of policies, procedures and the right level of
enforcement.
• Enterprise leadership actively promotes a risk-aware culture.
• Authorized individuals make risk decisions, including business-focused IT risk, e.g., for IT
investment decisions, project funding, major IT environment changes, risk assessments, and the
monitoring and testing of controls.

Promote continuous improvement as part of daily activities.
• Because of the dynamic nature of risk, risk management is an iterative, perpetual and ongoing
process.
• The enterprise pays attention to consistent risk assessment methods, roles and
responsibilities, tools, techniques, and criteria across the enterprise, noting especially:
  – Identification of key processes and associated risk
  – Understanding of impacts on achieving business objectives
  – Identification of triggers that indicate when an update of the framework is required
• Risk management practices are appropriately prioritized and embedded in enterprise
decision-making processes that enable risk-return aware business decisions.
• Risk management practices are straightforward and easy to use and contain practices to
detect, prevent and mitigate threat and potential risk.

D: Roles and Responsibilities for IT-related Risk Management

Section Overview

The risk management framework depicted in exhibit I-D-1 defines a number of roles for risk
management and indicates where these roles carry responsibility or accountability for one or
more activities within a process. In this context:

• Responsibility belongs to those who must ensure that the activities are completed
successfully.
• Accountability applies to those who:
  – Own the required resources
  – Have the authority to approve the execution and/or accept the outcome of an activity
within specific risk management processes

Given that the roles in the figure are implemented differently in every enterprise and do not
necessarily correspond to organizational units or functions, each role has been briefly described.

Exhibit I-D-1: Responsibilities and Accountability for IT-related Risk Management

Note: Within this framework, the CRISC executes on risk evaluation and risk response activities
and functions within the risk governance framework established within the enterprise.

E: Risk Management Frameworks, Standards and Practices

Contents

This section contains the following topics:

Topic Starting Page No. of Pages

1. Differences Among Frameworks, Standards and Practices I-E-1 1
2. Examples of Frameworks Related to Risk Management and IS Control I-E-2 1
3. Examples of Standards Related to Risk Management and IS Control I-E-3 1
4. Examples of Leading Practices Related to Risk Management and IS Control I-E-3 1

1. Differences Among Frameworks, Standards and Practices

Relevance

Frameworks, standards and practices matter to the CRISC because they:

• Provide a systematic view of "things to watch" that could result in harm to customers or
an enterprise
• Act as a guide to focus efforts of diverse teams
• Save time and costs, such as training costs, operational costs and performance
improvement costs
• Help achieve business objectives more quickly and easily
• Provide credibility to engage functional (e.g., chief financial officer [CFO]) and C-suite
leadership

Definitions

The following table provides definitions for:

• Frameworks
• Standards
• Practices

Term Definition

Frameworks
Are generally accepted, business-process-oriented structures that establish a common language
and enable repeatable business processes

Note: This term may be defined differently in different disciplines. This definition suits the
purposes of this manual.

Standards
Establish mandatory rules, specifications and metrics used to measure compliance against
quality, value, etc.

Standards are usually intended for compliance purposes and to provide assurance to others who
interact with a process or outputs of a process (for example, food and drug quality).

Practices
Are frequent or usual actions performed as an application of knowledge

A leading practice would be defined as an action that optimally applies knowledge in a
particular area.

They are issued by a "recognized authority" that is appropriate to the subject matter. Issuing
bodies may include professional associations and academic institutions or commercial entities
such as software vendors. They are generally based on a combination of research, expert insight
and peer review.

Note: Practices usually are derived from and supplement/support standards and frameworks and
are the least formal of the three.

2. Examples of Frameworks Related to Risk Management and IS Control

The following table provides examples of frameworks related to risk management.

Issuer Framework

ISACA (framework title not legible in the source)
ISACA (framework title not legible in the source)
ISACA COBIT® 4.1
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk
Management – Integrated Framework
US National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)

Note: Frameworks can be applied flexibly within an enterprise.

3. Examples of Standards Related to Risk Management and IS Control

Standards related to risk management include, but are not limited to, those in the following table.

Issuer Standard

ISACA IT Audit and Assurance Standards

International Organization for Standardization (ISO) ISO 31000:2009 (at the time of this
manual's publication, the newest for general purpose risk management)

Note: Unlike other "standards," this was not intended to be used for certification.

ISO/International Electrotechnical Commission (IEC) ISO/IEC 27001 (for information security
management systems [ISMSs])

British Standards Institution (BSI) BS 25999 (for business continuity)

BS 25999 comprises two parts:
• Part 1, the Code of Practice, provides business continuity management (BCM) best practice
recommendations. Please note that this is a guidance document only.
• Part 2, the Specification, provides the requirements for a BCM system (BCMS) based on BCM
best practice. This is the part of the standard that can be used to demonstrate compliance via
an auditing and certification process.

Payment Card Industry (PCI) Security Standards Council PCI Data Security Standard (PCI DSS)

Note: Standards (including corporate standards, which are not addressed here) ideally define
measurable objectives to enable compliance assessments. Standards are intended to be
implemented in a rigid way with variations only as allowed in the standard.

4. Examples of Leading Practices Related to Risk Management and IS Control

The following table provides examples of leading practices related to risk management or control.

Issuer Practice

ISACA (practice title not legible in the source)
ISO/IEC ISO/IEC 27002 (for ISMSs)
NIST NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management
Framework to Federal Information Systems
Carnegie Mellon University (CMU) Software Engineering Institute (SEI) Operationally Critical
Threat, Asset, and Vulnerability Evaluation (OCTAVE®)
Spanish Ministry for Public Administrations Methodology for Information Systems Risk Analysis
and Management (MAGERIT version 2)

F: Essentials of Risk Governance

Section Overview

This section contains a brief introduction to risk governance to provide the CRISC candidate
with a baseline understanding of the holistic environment in which the CRISC functions.

Relevance

Risk is an integral part of business and a core factor related to the stability, growth and success
of the enterprise. Risk represents the opportunity for growth and levels of profit, but also
poses the possibility of loss or damage to the business objectives.

Risk governance addresses the oversight of the business risk strategy of the enterprise.

Risk governance is the domain of senior management and the shareholders of the enterprise.
They establish the organization's risk culture and the acceptable levels of risk; set up the
management framework; and ensure that the risk management function is operating
effectively to identify, manage, monitor and report on current and potential risk facing the
enterprise.

Contents

This section contains the following topics:

Topic Starting Page No. of Pages

1. Risk Governance I-F-1 1
2. Risk Governance Objectives I-F-2 1
3. Risk Appetite and Tolerance I-F-3 3
4. Risk Awareness and Communication I-F-6 5
5. Risk Culture I-F-10 1

1. Risk Governance

Topic Overview

Risk governance is a strategic business function. Ultimately, it is the board of directors and
senior management's responsibility to set up the risk governance process, establish and
maintain a common risk view, make risk-aware business decisions, and set the enterprise's risk
culture.

This section discusses the elements of risk governance and how to put an effective risk
management structure in place. It is important to recognize that risk must be addressed from a
business perspective and not from a purely IT viewpoint. The principles of risk governance
must also be applied from an enterprisewide perspective and not solely on a department by
department or a system by system basis.

Note: While risk governance and the decisions made in the execution of risk governance
ultimately are not the responsibility of the CRISC, the practitioner must nevertheless
contribute to and enable sound risk management decisions through the execution of
many underlying tasks associated with the risk governance process.

2. Risk Governance Objectives

Risk Governance Objectives

Effective risk governance helps ensure that risk management practices are embedded in the
enterprise, enabling it to secure optimal risk-adjusted return. Risk governance has three main
objectives:

• Establish and maintain a common risk view
• Integrate risk management into the enterprise
• Make risk-aware business decisions

Foundation for Effective Risk Governance

To effectively govern enterprise and IT risk, there must be an:

• Understanding and consensus with respect to the risk appetite and risk tolerance of the
enterprise
• Awareness of risk and the need for effective communication about risk throughout the
enterprise
• Understanding of the elements of risk culture

Establish and Maintain a Common Risk View

Effective risk governance establishes the common view of risk for the enterprise. This
determines which controls are necessary to mitigate risk and how risk-based controls are
integrated into business processes and IS.

The risk governance function sets the tone of the business in how to determine an acceptable
level of risk tolerance. In the end, the senior management team is liable for the impact of the
risk faced by the enterprise and bears the responsibility to ensure that it is provided ongoing
risk assessment results, monitors the risk environment and mandates corrective action where
the risk levels are not within acceptable limits.

Risk governance is a continuous life cycle that requires regular reporting and ongoing review.
The risk governance function must oversee the operations of the risk management team.

Integrate Risk Management Into the Enterprise

Integrating risk management into the enterprise enforces a holistic enterprise risk
management (ERM) approach across the entire organization. It requires the integration of risk
management into every department, function, system and geographic location. Understanding
that risk in one department or system may pose an unacceptable risk to another department
or system requires that all business processes be compliant with at least a minimal or baseline
level of risk management.

The objective of ERM is to establish the authority to require all business processes to undergo
a risk analysis on a periodic basis or when there is a significant change to the internal or
external environment.

Make Risk-aware Business Decisions

To make risk-aware business decisions, the risk governance function must consider the full
range of opportunities and consequences of each such decision and its impact on the
enterprise, its place in society and the environment.

3. Risk Appetite and Tolerance

Definitions and Clarification of Risk Appetite and Risk Tolerance

"Risk appetite" and "risk tolerance" are concepts that are frequently used, but the potential
for misunderstanding is high. Some people use the concepts interchangeably; others see a
clear difference.

The following table provides definitions of each term.


Term Definition

Risk appetite
The broad-based amount of risk a company or other entity is willing to accept in pursuit of its
mission (or vision)

Risk tolerance
The acceptable variation relative to the achievement of an objective (and often is best measured
in the same units as those used to measure the related objective)

Note: These definitions are compatible with the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) ERM definitions, which are equivalent to the ISO 31000 definition in
Guide 73:2009, Risk Management Vocabulary.

Major Factors When Considering Risk Appetite Levels

Risk appetite is the broad-based amount of risk an enterprise is prepared to accept while
pursuing its business objectives. When considering the risk appetite levels for the enterprise,
the following two major factors are important:

• The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage
• The (management) culture or predisposition toward risk taking (cautious or aggressive). What
is the amount of loss the enterprise wants to accept to pursue a return?

Risk appetite can and will be different among enterprises; there is no absolute norm or
standard of what constitutes acceptable and unacceptable risk. Every enterprise has to define
its own risk appetite levels and should:

• Ensure that such definitions/levels are:
  – In line with the overall risk culture that the enterprise wants to express (that is, ranging
from very risk averse to risk taking/opportunity seeking)
  – Well defined, understood and communicated
• Review them on a regular basis

Note: Risk appetite and risk tolerance should be applied not only to risk assessments,
but also to all risk decision making.

In practice, "risk appetite" can be defined, in terms of combinations of frequency and
magnitude of a risk, using risk maps. Exhibit I-F-1 and the following table depict and describe
different bands of risk significance, based on frequency and magnitude of risk.

Exhibit I-F-1: Risk Map Indicating Risk Appetite Bands

Risk Level Description

Really Unacceptable
Indicates really unacceptable risk. The enterprise estimates that this level of risk is far beyond
its normal risk appetite. Any risk found to be in this band may trigger an immediate risk response.

Unacceptable
Indicates elevated risk, i.e., also above acceptable risk appetite. The enterprise may, as a matter
of policy, require mitigation or another adequate response to be defined within certain time
boundaries.

Acceptable
Indicates a normal, acceptable level of risk, usually with no special action required, except for
maintaining the current controls or other responses

Opportunity
Indicates very low risk, in which cost-saving opportunities may be found by decreasing the degree
of control or in which opportunities for assuming more risk may arise

Note: This risk appetite scheme is an example. Each enterprise has to define its own risk
appetite levels and review them regularly.

Risk Tolerance Example

Risk tolerance is the acceptable deviation from the level set by the risk appetite and business
objectives.

Example: Standards require projects to be completed within the estimated budgets and time,
but overruns of 10 percent of budget or 20 percent of time are tolerated.
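The risk map bands and the budget/time tolerance example above are exactly the kind of rules a risk register or project-reporting tool can evaluate mechanically. The following Python example is added here and is not from the CRISC manual or from ISACA. It assumes a register in which each entry records an expected frequency per year and an expected loss per occurrence, collapses the two axes of the risk map into an annualised exposure (frequency multiplied by magnitude), assigns the band using threshold values that are an assumption of this example (the manual states only that each enterprise must define its own levels), and applies the 10 percent budget and 20 percent time tolerances from the example to a project's actual figures.

```python
"""Added example, not part of the CRISC manual: band a risk register against an
example risk appetite scheme and check project overruns against a stated tolerance."""
from dataclasses import dataclass

# Appetite bands named in the manual's example risk map, lowest significance first.
# The numeric thresholds (annualised loss in currency units) are an ASSUMPTION made
# for this example; every enterprise defines its own levels and reviews them regularly.
BANDS = (
    ("Opportunity", 0.0, 1_000.0),
    ("Acceptable", 1_000.0, 50_000.0),
    ("Unacceptable", 50_000.0, 500_000.0),
    ("Really Unacceptable", 500_000.0, float("inf")),
)

# Bands that lie above the risk appetite and therefore require a defined response.
ABOVE_APPETITE = {"Unacceptable", "Really Unacceptable"}


@dataclass(frozen=True)
class RiskEntry:
    """One register line: how often the event is expected and how much it costs when it occurs."""
    name: str
    frequency_per_year: float  # expected occurrences per year
    magnitude: float           # expected loss per occurrence, in currency units

    def annualised_exposure(self) -> float:
        # Collapsing the two risk-map axes into a product is an assumption of this example;
        # a real map may draw its band boundaries as arbitrary regions of the grid.
        return self.frequency_per_year * self.magnitude


def classify(entry: RiskEntry) -> str:
    """Return the appetite band that the entry's annualised exposure falls into."""
    exposure = entry.annualised_exposure()
    for band, low, high in BANDS:
        if low <= exposure < high:
            return band
    # Only reachable for negative inputs, which are a data-entry error, not a band.
    raise ValueError(f"exposure {exposure} lies outside every band")


def entries_requiring_response(register) -> list:
    """Names of entries above the appetite, highest exposure first (a KRI-style report)."""
    flagged = [e for e in register if classify(e) in ABOVE_APPETITE]
    flagged.sort(key=RiskEntry.annualised_exposure, reverse=True)
    return [e.name for e in flagged]


def overrun_within_tolerance(estimate: float, actual: float, tolerance: float) -> bool:
    """True when the overrun fraction (actual - estimate) / estimate does not exceed tolerance."""
    if estimate <= 0:
        raise ValueError("estimate must be positive")
    return (actual - estimate) / estimate <= tolerance


def project_tolerance_report(budget_est: float, budget_act: float,
                             days_est: float, days_act: float,
                             budget_tol: float = 0.10, time_tol: float = 0.20) -> dict:
    """Apply the manual's tolerance example: 10% budget and 20% time overruns are tolerated."""
    return {
        "budget_within_tolerance": overrun_within_tolerance(budget_est, budget_act, budget_tol),
        "time_within_tolerance": overrun_within_tolerance(days_est, days_act, time_tol),
    }


# Constructed sample register for illustration; these are not real figures.
SAMPLE_REGISTER = [
    RiskEntry("Ransomware on file servers", 0.5, 400_000.0),  # 200,000 per year
    RiskEntry("Laptop theft, encrypted disk", 4.0, 2_000.0),   # 8,000 per year
    RiskEntry("Core ERP outage > 1 day", 1.0, 900_000.0),      # 900,000 per year
    RiskEntry("Misrouted internal memo", 12.0, 50.0),          # 600 per year
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(f"{entry.name}: {classify(entry)}")
    print("Requires response:", entries_requiring_response(SAMPLE_REGISTER))
    # Constructed project: 8% over budget (tolerated), 25% over time (not tolerated).
    print(project_tolerance_report(100_000, 108_000, 200, 250))
```

Running the file bands each constructed entry and lists the two that sit above appetite, which is the content a management report would carry; the tolerance report shows a project that is inside the budget tolerance but outside the time tolerance, which is the trigger for the kind of exception review that tolerance guidelines require. Changing the thresholds in `BANDS` is how an enterprise would express a more cautious or more aggressive appetite.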

Risk Appetite and Risk Tolerance Guidelines

The guidelines listed in the following table apply to risk appetite and risk tolerance.

Guideline Description

Risk appetite and risk tolerance must connect.
Risk appetite and risk tolerance go hand in hand. Risk tolerance is defined at the enterprise
level and is reflected in policies set by the executives. At lower (tactical) levels of the
enterprise, or in some entities of the enterprise, exceptions can be tolerated (or different
thresholds defined) as long as the overall exposure does not exceed the set risk appetite at the
enterprise level. Any business initiative includes a risk component, so management should have
the discretion to pursue new opportunities of risk.

Enterprises in which policies are cast in stone, rather than "lines in the sand," could lack the
agility and innovation to exploit new business opportunities. Conversely, there are situations in
which policies are based on specific legal, regulatory or industry requirements in which it is
appropriate to have no risk tolerance for failure to comply.

Exceptions to risk tolerance standards must be reviewed and approved.
Risk tolerance is defined at the enterprise level by the board and clearly communicated to all
stakeholders. A process should be in place to review and approve any exceptions to such
standards.

Risk appetite and tolerance change over time.
Risk appetite and tolerance change due to:
• New technology
• New organizational structures
• New market conditions
• New business strategy
• Many other factors

Such factors require an enterprise to reassess its risk portfolio at regular intervals and also
require the enterprise to reconfirm its risk appetite at regular intervals, triggering risk policy
reviews.

In this respect, an enterprise also needs to understand that the better risk management it has
in place, the more risk can be taken in pursuit of return.

Cost of risk mitigation options can affect risk tolerance.
There may be circumstances in which the cost/business impact of risk mitigation options exceeds
an enterprise's capabilities/resources, thus forcing higher tolerance for one or more risk
conditions.

Example: If a regulation states that sensitive data at rest must be encrypted, yet there is no
feasible encryption solution or the cost of implementing a solution would have a large negative
impact, the enterprise may choose to accept the risk associated with regulatory noncompliance,
which is a risk trade-off.

4. Risk Awareness and Communication

Defining Risk Awareness

Risk awareness is about acknowledging that risk is an integral part of the business. This does
not imply that all risk is to be avoided or eliminated, but rather that:

• Risk is well understood and known.
• IT risk issues are identifiable.
• The enterprise recognizes and uses the means to manage risk.

Importance of Risk Communication

Risk communication is a critical part of the risk management process. People are naturally
uncomfortable talking about risk and tend to put off admitting that risk is involved and
communicating about issues, incidents and, eventually, even crises.

If risk is to be managed and mitigated, it must first be discussed and effectively communicated
throughout an enterprise.

Benefits of Effective Risk Communication

The benefits of open communication on risk include:

• Assistance in executive management's understanding of the actual exposure to IT risk,
enabling the definition of appropriate and informed risk responses
• Awareness among all internal stakeholders of the importance of integrating risk and
opportunity in their daily duties
• Transparency to external stakeholders regarding the actual level of risk and risk management
processes in use

Consequences of Poor Risk Communication

The consequences of poor communication of risk include:

• A false sense of confidence at the top on the degree of actual exposure related to IT and lack
of a well-understood direction for risk management from the top down
• Unbalanced communication to the external world on risk, especially in cases of high, but
managed risk, which may lead to an incorrect perception on actual risk by third parties such as:
  – Clients
  – Investors
  – Regulators
• The perception that the enterprise is trying to cover up known risk from stakeholders

Exhibit I-F-2 and the following table depict and describe the broad array of information flows
and the major types of IT risk information that should be communicated.

Exhibit I-F-2: IT Risk Communication Components

Risk Component to Be Communicated Description

Expectations from risk management
This includes risk strategy, policies, procedures, awareness training, continuous reinforcement
of principles, etc. This is essential communication on the enterprise's overall strategy toward
IT risk and:
• Drives all subsequent efforts on risk management
• Sets the overall expectations from risk management

Current risk management capability
This information:
• Allows for monitoring of the state of the "risk management engine" in the enterprise
• Is a key indicator for good risk management
• Has predictive value for how well the enterprise is managing risk and reducing exposure

Status with regard to IT risk
This includes the actual status with regard to IT risk including information such as:
• Risk profile of the enterprise, i.e., the overall portfolio of (identified) risk to which the
enterprise is exposed
• Key risk indicators (KRIs) to support management reporting on risk
• Event/loss data
• Root cause of loss events
• Options to mitigate risk (including cost and benefits)

Effective Communication

The following table lists the required elements for effective communication.

Communication Element Description

Clear
Risk information must be known and understood by all stakeholders.

Concise
Information or communication should not inundate the recipients. All ground rules of good
communication apply to communication on risk. This includes the avoidance of jargon and
technical terms regarding risk because the intended audiences are generally not deeply
technologically skilled.

Useful
Any communication on risk must be relevant. Technical information that is too detailed and/or
is sent to inappropriate parties will hinder, rather than enable, a clear view of risk.

Timely
For each risk, critical moments exist between its origination and its potential business
consequence.

Examples:
• A risk may originate when an inadequate IT organization is set up; the business consequence
is inefficient IT operations and service delivery.
• The origination point may be project failure; the business consequence is delayed business
initiatives.

Communication is timely when it allows action to be taken at the appropriate moments to
identify and treat the risk. It serves no useful purpose to communicate a project delay a week
before the deadline.

Aimed at the correct target audience
Information must:
• Be communicated at the right level of aggregation
• Be adapted for the audience
• Enable informed decisions

In this process, aggregation must not hide root causes of risk.

Example: A security officer needs technical IT data on intrusions and viruses to deploy
solutions. An IT steering committee may not need this level of detail, but it does need
aggregated information to decide on policy changes or additional budgets to treat the same risk.

Available on a need-to-know basis
Information related to IT risk should be known and communicated to all parties with a genuine
need. A risk register with all documented risk is not public information and should be properly
protected against internal and external parties with no need for it. Communication does not
always need to be formal, through written reports or messages. Timely face-to-face meetings
between stakeholders are an important means of communication for information related to IT risk.

Exhibit I-F-3: Risk Communication Flows: Stakeholders

Exhibit I-F-3 provides a quick overview of the most important communication channels for
effective and efficient risk management. The figure's intent is to provide a high-level overview
of the main communication flows on IT risk that should exist in one form or another in any
enterprise.

Note: This exhibit is focused on the most important information that each stakeholder needs to
process. The CRISC may hold one or more of the tactical or operational roles depicted.


5. Risk Culture

Importance of a Risk-aware Culture

Risk management is about helping enterprises take more risk in pursuit of return. A risk-aware
culture:

• Characteristically offers a setting in which components of risk are discussed openly and
acceptable levels of risk are understood and maintained
• Begins at the top, with board and business executives who:
  – Set direction.
  – Communicate risk-aware decision making.
  – Reward effective risk management behaviors.

Risk awareness also implies that all levels within an enterprise are aware of why a response is
needed and how to respond to adverse IT events.

Exhibit I-F-4: Elements of a Risk Culture

"Risk culture" is a concept that is not easy to describe. Exhibit I-F-4 and the following table
depict and describe the series of behaviors that are elements of a risk culture.

Elements of a Risk Culture

Behavior toward taking risk
How much risk does the enterprise feel it can absorb, and what specific risk is it willing to take?

Behavior toward following policy
To what extent will people embrace and/or comply with policy?

Behavior toward negative outcomes
How does the enterprise deal with negative outcomes, i.e., loss events or missed opportunities?
Will it learn from them and try to adjust, or will blame be assigned without treating the root
cause?

Symptoms of an Inadequate or Problematic Risk Culture

Misalignment between real risk appetite and translation into policies
Management's real position toward risk can be reasonably aggressive and risk taking, whereas
the policies that are created reflect a much stricter attitude.

Existence of a "blame culture"
This type of culture should, by all means, be avoided; it is the most effective inhibitor of
relevant and efficient communication.

In a blame culture, business units tend to point the finger at IT when projects are not
delivered on time or do not meet expectations. In doing so, they fail to realize how the
business unit's involvement up front affects project success.

In extreme cases, the business unit may assign blame for a failure to meet the expectations
that the unit never clearly communicated. The "blame game" only detracts from effective
communication across units, further fuelling delays. Executive leadership must identify and
quickly control a blame culture if collaboration is to be fostered throughout the enterprise.
