
CRISC (Certified in Risk and Information Systems Control)

Agenda

- Introduction
- Overview of the CRISC
- Risk Management and Information Systems Control Theory and Concepts
  - Risk Identification, Assessment and Evaluation
  - Risk Response
  - Risk Monitoring
  - Information Systems Control Design and Implementation
  - Information Systems Control Monitoring and Maintenance
- Risk Management and Information Systems Control in Practice

Introduction

CRISC Domain Structure

About the CRISC Exam

The content of the 2013 CRISC Review Manual is based on the CRISC job practice found at www.isaca.org/criscjobpractice

There are 5 domains in the CRISC job practice. The CRISC exam is a practice-based exam: it tests the ability to apply knowledge and experience.

About the CRISC Exam

The CRISC certification is designed to meet the growing demand for professionals who can integrate enterprise risk management (ERM) with discrete IS control skills. The technical skills and practices the CRISC certification promotes and evaluates are the building blocks of success in this growing field, and the CRISC designation demonstrates proficiency in this role.

Exam Relevance

About the CRISC Exam

The exam is 200 multiple-choice questions.

CRISC exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.
All questions are designed with one best answer. The candidate is asked to choose the correct or best answer from the options.

CRISC Review Course

Domain One: Risk Identification, Assessment and Evaluation

Overview

Identify, assess and evaluate risk to enable the execution of the enterprise risk management strategy.

This domain is the input to the next domain, Risk Response.
This domain is affected by, and restarts as a result of, the third domain, Risk Monitoring.

Domain-1
Learning Objective

As a result of completing this chapter, the CRISC candidate should be able to:
-Differentiate between risk management and risk governance
-Identify the roles and responsibilities for risk management
-Distinguish between various risk management methodologies
-Apply and differentiate the standards, practices and principles of risk management
-List the main tasks related to risk governance
-Recognize relevant risk management standards, frameworks and practices
-Explain the meaning of key risk management concepts, including risk appetite and risk tolerance

Risk Management
Essentials of Risk Governance

-Risk Appetite and Risk Tolerance
-Risk Awareness and Communication
-Risk Culture

Definitions - Governance

Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

Definition - Risk

Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise.
Risk, the potential for events and their consequences, contains both:
-Opportunities for benefit (upside)
-Threats to success (downside)

Definitions - Risk Management

Risk Management:
1. The coordinated activities to direct and control an enterprise with regard to risk.
2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise's risk appetite.

Definition - Risk Assessment

A process used to identify and evaluate risk and its potential effects.

Scope Notes: Includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce enterprise exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Definition - Risk Analysis

1. A process by which frequency and magnitude of IT risk scenarios are estimated.
2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats.

Scope Notes: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.

Risk and Opportunity Management

Guiding Principles for Effective Risk Management

-Maintain Business Objective Focus
-Integrate IT Risk Management Into Enterprise Risk Management (ERM)
-Balance The Costs And Benefits Of Managing Risk
-Promote Fair And Open Communication
-Establish Tone At The Top And Assign Personal Accountability
-Daily Process With Continuous Improvement

Responsibility vs. Accountability

Responsibility belongs to those who must ensure that the activities are completed successfully.
Accountability applies to those who either own the required resources or those who have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.

Risk Management
Risk Management frameworks, standards and practices matter to the CRISC because they:
-Provide a view of things to watch
-Act as a guide to focus risk efforts
-Help achieve business objectives
-Provide credibility
-Save time and cost

Frameworks
Framework: Generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes.

ISACA's Risk IT Framework is an example.

Standards
Standards: Established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.

Standards are usually intended for compliance purposes.
IT Audit and Assurance Standards are an example.

Practices
Practices are frequent or usual actions performed as an application of knowledge.
Practices are issued by a recognized authority.
Leading Practices are actions that optimally apply knowledge in a particular area.
Practices are usually derived from, and supplement or support, standards and frameworks.

ISACA's Risk IT Practitioner Guide is an example.

ESSENTIALS OF RISK GOVERNANCE

Risk Governance

Risk is an integral part of business.
Risk is a core factor related to the stability, growth and success of the organization.
Risk represents the opportunity for growth and levels of profit.
Risk poses the possibility of loss or damage to the business objectives.
Risk Governance addresses the oversight of the business risk strategy of the enterprise.

Overview of Risk Governance

Risk governance is the domain of the enterprise's senior management and shareholders.
This group is responsible for:
-Establishing the organization's risk culture and acceptable levels of risk
-Setting up the risk framework
-Ensuring effectiveness of the risk management function

Objectives of Risk Governance
Risk governance has three main objectives:
-Establishing and maintaining a common risk view
-Integrating risk management into the enterprise
-Making risk-aware business decisions

Foundation of Risk Governance

An effective risk governance foundation requires:
-An understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
-An awareness of risk and of the need for effective communication about risk throughout the enterprise
-An understanding of the elements of risk culture

Objectives of Risk Governance cont.

1. Establishing and maintaining a common risk view
-Determines which controls are necessary to mitigate risk
-Determines how risk-based controls are integrated into business processes and IS
-The Risk Governance function oversees the operations of the risk management team

Objectives of Risk Governance cont.

2. Integrating risk management into the enterprise
-Enforces a holistic ERM approach for the enterprise
-Requires integration of RM into every department, function, system and geographical location

Objectives of Risk Governance cont.

3. Making risk-aware business decisions
-Consider the full range of opportunities and consequences of each statement throughout the enterprise, society and the environment

Risk Appetite and Risk Tolerance

Definitions
Risk appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission.
Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as it pursues its objectives.

Risk Appetite
Guidelines for Risk Appetite
-Risk appetite changes over time
-Cost of risk mitigation options can affect acceptable levels of risk tolerance

Frequency and Magnitude

Risk Management relates to the frequency and magnitude of risk events.
-Frequency: How often is the event expected to occur?
-Magnitude: What is the impact to the enterprise when the event occurs?

Risk Management and Communication
Risk communication stresses that if risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout the enterprise.

Communicating Risk
Good vs. Poor Communication
Benefits of good communication include contributing to management's understanding of exposures, awareness, and transparency to external stakeholders.
Consequences of poor communication include a false sense of confidence relating to exposure, incorrect perception by external stakeholders and a perception that the enterprise lacks transparency with external stakeholders.

Communicating Risk

Types of Risk Information To Be Communicated
-Expectations of risk management (strategy, policies, procedures, awareness, training, etc.)
-Current risk management capability (risk management, process maturity)
-Status with regard to IT risk (risk profile, key risk indicators, loss data, etc.)

Effective Communication
Elements of Effective Communication:
-Clear
-Concise
-Useful
-Timely
-Aimed at the correct target audience
-Available on a need-to-know basis

Key Concepts of Risk Governance

Stakeholder Communication Inputs and Outputs
-It is important for the CRISC to know what types of information should come from and go to various stakeholders

Risk Culture cont.
Overview of a Risk-Aware Culture
-Allows for open discussions about risk components
-Acceptable levels of risk are understood and maintained
-Begins at the top (board and executive):
  -Set direction
  -Communicate risk-aware decision making
  -Reward effective risk management behaviors
-Implies that all levels are aware of how and when to respond to adverse IT events

Risk Culture
A Risk-Aware Culture is a series of behaviors:
-Behavior toward taking risk
-Behavior toward negative outcomes
-Behavior toward policy compliance
Symptoms of an inadequate or problematic risk culture include:
-Misalignment between real risk appetite and its translation into policies
-Existence of a blame culture

Summary
1. Risk must be governed and managed; these are not the same thing.
-Governance is direction and oversight
-Management is planning and operations
2. The organization must determine and communicate its risk culture.
3. Risk is a balance between opportunity and loss.
