Agenda
-Introduction
-Overview of the CRISC
-Risk Management and Information Systems Control Theory and Concepts
-Risk Identification, Assessment and Evaluation
-Risk Response
-Risk Monitoring
Introduction
CRISC Domain Structure
Exam Relevance
Domain One: Risk Identification, Assessment, and Evaluation
Overview
Domain 1 Learning Objective
As a result of completing this chapter, the CRISC candidate should be able to:
-Differentiate between risk management and risk governance
Risk Management
Essentials of Risk Governance
Definitions - Governance
Definition - Risk
Risk Management:
1. The coordinated activities to direct and control an enterprise with regard to risk.
2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise's risk appetite.
Responsibility vs. Accountability
Risk Management
Risk management frameworks, standards and practices matter to the CRISC because they:
-Provide a view of things to watch
-Act as a guide to focus risk efforts
-Help achieve business objectives
-Provide credibility
-Save time and cost
Frameworks
Framework: Generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes.
Standards
Standards: Established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.
Practices
Practices are frequent or usual actions performed as an application of knowledge. Practices are issued by a recognized authority.
Leading practices are actions that optimally apply knowledge in a particular area.
Practices are usually derived from, and supplement or support, standards and frameworks.
ESSENTIALS OF RISK GOVERNANCE
Risk Governance
Overview of Risk Governance
Objectives of Risk Governance
Risk governance has three main objectives:
-Establishing and maintaining a common risk view
-Integrating risk management into the enterprise
Risk Appetite
Guidelines for Risk Appetite
-Risk appetite changes over time
-The cost of risk mitigation options can affect acceptable levels of risk tolerance
Communicating Risk
Good vs. Poor Communication
Benefits of good communication include contributing to management's understanding of exposures, awareness, and transparency to external stakeholders.
Consequences of poor communication include a false sense of confidence relating to exposure, incorrect perception by external stakeholders, and the perception that the enterprise lacks transparency with external stakeholders.
Communicating Risk
Effective Communication
Elements of effective communication:
-Clear
-Concise
-Useful
-Timely
-Aimed at the correct target audience
-Available on a need-to-know basis
Risk Culture (cont.)
Overview of a Risk-Aware Culture
-Allows for open discussions about risk components
-Acceptable levels of risk are understood and maintained
-Begins at the top (board and executive):
-Set direction
-Communicate risk-aware decision making
-Reward effective risk management behaviors
-Implies that all levels are aware of how and when to respond to adverse IT events
Risk Culture
A risk-aware culture is a series of behaviors:
-Behavior toward taking risk
-Behavior toward negative outcomes
-Behavior toward policy compliance
Symptoms of an inadequate or problematic risk culture include:
-Misalignment between real risk appetite and its translation into policies
-Existence of a blame culture
Summary
1. Risk must be governed and managed; these are not the same thing:
-Governance is direction and oversight
-Management is planning and operations
2. The organization must determine and communicate its risk culture
3. Risk is a balance between opportunity and loss