ISACA® The recognized global leader in IT governance, control, security and assurance

0verview-Crisc Part 1 the Big Picture 2011

Page 1: 0verview-Crisc Part 1 the Big Picture 2011



High-level session overview

1. CRISC background information

2. Part I—The Big Picture


CRISC Background information

About the CRISC Exam

• The content of the 2011 CRISC Review Manual is based on the CRISC job practice found at www.isaca.org/criscjobpractice
• There are 5 domains in the CRISC job practice
• The CRISC exam is a practice-based exam. Simply reading the material in this manual will not properly prepare candidates for the exam.
• No representations or warranties are made by ISACA in regard to this or other ISACA publications assuring candidates' passage of the CRISC exam. This publication was produced independently of the CRISC Certification Committee, which has no responsibility for the content of this manual.


About the CRISC Exam

The CRISC certification is designed to meet the growing demand for professionals who can integrate enterprise risk management (ERM) with discrete IS control skills. The technical skills and practices the CRISC certification promotes and evaluates are the building blocks of success in this growing field, and the CRISC designation demonstrates proficiency in this role.

Exam Relevance

Ensure that the CRISC candidate has the practical knowledge required to perform the tasks described in the task and knowledge statements.

The percentages listed with the domains indicate the emphasis, or percentage of questions, that will appear on the exam from each domain. For a description of each domain's task and knowledge statements, visit www.isaca.org/criscjobpractice.

Note: The concepts introduced in this manual are considered a fundamental part of the CRISC job practice.

Percentage of total exam questions by domain:

• Domain 1: 31%
• Domain 2: 17%
• Domain 3: 17%
• Domain 4: 17%
• Domain 5: 18%

About the CRISC Exam

The exam consists of 200 multiple-choice questions. CRISC exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All questions are designed with one best answer. The candidate is asked to choose the correct or best answer from the options.

Good preparation for the CRISC exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA offers study aids and review courses to exam candidates. See www.isaca.org/criscbooks to view the ISACA study aids that can help prepare for the exam.

Manual Setup

The CRISC Review Manual 2011 is organized into three parts:

• Part I—The Big Picture: How Risk Management Relates to Risk Governance
• Part II—Risk Management and Information Systems Control Theory and Concepts
• Part III—Risk Management and Information Systems Control in Practice

Additional Resources

• Study Questions, Answers and Explanations
• Glossary
• Suggested Resources for Further Study
• List of Exhibits

The CRISC candidate also may find it useful to study the CRISC™ Review, Questions, Answers & Explanations Manual 2011, which consists of 100 multiple-choice study questions.


Part I

The Big Picture: How Risk Management

Relates to Risk Governance

CRISC Review Course

Section Overview

• Exam Relevance
• Discuss specific topics within the chapter
• Case Study
• Sample Questions
• Key Terms (Definitions and Acronyms)
• Suggested Reading

Part 1: Learning Objectives

As a result of completing this chapter, the CRISC candidate should be able to:

• Differentiate between risk management and risk governance
• Identify the roles and responsibilities for risk management
• Distinguish between various risk management methodologies
• Apply and differentiate the standards, practices and principles of risk management
• List the main tasks related to risk governance
• Recognize relevant risk management standards, frameworks and practices
• Explain the meaning of key risk management concepts, including risk appetite and risk tolerance


Trust in, and value from, information systems

ISACA®

Section Topic: Risk Management

Section Topics

• Risk Management
• Essentials of Risk Governance
• Risk Appetite and Risk Tolerance
• Risk Awareness and Communication
• Risk Culture

Overview of Risk Management

Risk management:

• Is the process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives.
• Holistically covers all concepts and processes affiliated with managing risk, including the systematic application of management policies, procedures and practices; the tasks of communicating, consulting and establishing the context; and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

Risk

Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk—the potential for events and their consequences—contains both:

• Opportunities for benefit (upside)
• Threats to success (downside)

Risk and Opportunity Management

Guiding Principles for Effective Risk Management

1. Maintain Business Objective Focus
2. Integrate IT Risk Management Into Enterprise Risk Management (ERM)
3. Balance The Costs And Benefits Of Managing Risk
4. Promote Fair And Open Communication
5. Establish Tone At The Top And Assign Personal Accountability
6. Daily Process With Continuous Improvement


Responsibility vs. Accountability

Responsibility—belongs to those who must ensure that the activities are completed successfully.

Accountability—applies to those who either own the required resources or those who have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.


Risk Management: Roles and Responsibilities

The CRISC executes on:

Risk evaluation

Risk response activities

The CRISC functions within the risk governance framework established within the enterprise

Section Topic: Risk Management Frameworks, Standards and Practices

Relevance of Risk Management Frameworks, Standards and Practices

Risk management frameworks, standards and practices matter to the CRISC because they:

• Provide a view of "things to watch"
• Act as a guide to focus efforts
• Help achieve business objectives
• Provide credibility
• Save time and cost

Frameworks

• Framework – Generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes
• The Risk IT Framework is an example

Standards

• Standards – Established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes
• IT Audit and Assurance Standards are an example

Practices

• Practices are frequent or usual actions performed as an application of knowledge
• Practices are issued by a "recognized authority"
• Leading practices are actions that optimally apply knowledge in a particular area
• Practices are usually derived from, and supplement/support, standards and frameworks
• The Risk IT Practitioner Guide is an example

Section Topic: Essentials of Risk Governance

Relevance of Risk Governance

• Risk is an integral part of business
• Risk is a core factor related to the stability, growth and success of the organization
• Risk represents the opportunity for growth and levels of profit
• Risk poses the possibility of loss or damage to the business objectives
• Risk governance addresses the oversight of the business risk strategy of the enterprise

Overview of Risk Governance

Risk governance is the domain of the enterprise's senior management and shareholders. This group is responsible for:

• Establishing the organization's risk culture and acceptable levels of risk
• Setting up the risk framework
• Ensuring the effectiveness of the risk management function

Objectives of Risk Governance

Risk governance has three main objectives:

1. Establishing and maintaining a common risk view
2. Integrating risk management into the enterprise
3. Making risk-aware business decisions

Foundation of Risk Governance

An effective risk governance foundation requires:

1. An understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
2. An awareness of risk and of the need for effective communication about risk throughout the enterprise
3. An understanding of the elements of risk culture

Objectives of Risk Governance—cont.

1. Establishing and maintaining a common risk view

• Determines which controls are necessary to mitigate risk
• Determines how risk-based controls are integrated into business processes and IS
• The risk governance function oversees the operations of the risk management team

Objectives of Risk Governance—cont.

2. Integrating risk management into the enterprise

• Enforces a holistic ERM approach for the enterprise
• Requires integration of risk management into every department, function, system and geographical location

Objectives of Risk Governance—cont.

3. Making risk-aware business decisions

• Consider the full range of opportunities and consequences of each statement throughout the enterprise, society and the environment

Risk Appetite and Tolerance
Essentials of Risk Governance

Risk Appetite and Risk Tolerance

Definitions

Risk appetite—The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission

Risk tolerance—The acceptable level of variation that management is willing to allow for any particular risk as it pursues its objectives


Risk Appetite and Risk Tolerance—cont.

How Risk Appetite relates to risk scenarios with varying Frequency and Magnitude

Frequency—How often is the event expected to occur?

Magnitude—What is the impact to the enterprise when the event occurs?

Risk Appetite and Risk Tolerance—cont.

Applicable Guidelines for Risk Appetite and Risk Tolerance

• Connectivity of risk appetite and risk tolerance
• Review and approval of exceptions to risk tolerance standards
• Risk appetite and tolerance change over time
• Cost of risk mitigation options can affect risk tolerance


Risk Awareness and Communication

Essentials of Risk Governance

Risk Awareness and Communication

Description

Risk awareness—is about acknowledging that risk is an integral part of the business

Risk communication—stresses that if risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout the enterprise

Risk Awareness and Communication—cont.

Good vs. Poor Communication

Benefits of good communication include contributing to management's understanding of exposures, awareness, and transparency to external stakeholders.

Consequences of poor communication include a false sense of confidence relating to exposure, incorrect perception by external stakeholders, and a perception that the enterprise lacks transparency with external stakeholders.

Risk Awareness and Communication—cont.

Types of Risk Information To Be Communicated

• Expectations from risk management (strategy, policies, procedures, awareness, training, etc.)
• Current risk management capability (risk management, process maturity)
• Status with regard to IT risk (risk profile, key risk indicators, loss data, etc.)

Key Concepts of Risk Governance

Elements of Effective Communication

• Clear
• Concise
• Useful
• Timely
• Aimed at the correct target audience
• Available on a need-to-know basis

Key Concepts of Risk Governance

Stakeholder Communication Inputs and Outputs

It is important for the CRISC to know what types of information should come from and go to various stakeholders

Risk Culture
Essentials of Risk Governance

Risk Culture—cont.

Overview of a Risk-Aware Culture

• Allows for open discussions about risk components
• Acceptable levels of risk are understood and maintained
• Begins at the top (board and executive)
  - Set direction
  - Communicate risk-aware decision making
  - Reward effective risk management behaviors
• Implies that all levels are aware of how and when to respond to adverse IT events


Risk Culture

Risk-Aware Culture is a series of behaviors

Behaviors toward taking risk

Behavior toward negative outcomes

Behavior toward policy compliance

Symptoms of inadequate or problematic risk culture include:

Misalignment between real risk appetite and translation into policies

Existence of a “blame culture”

Case Study & Practice Questions

Case Study

Company XYZ has four offices located in the US, Canada, China and Egypt. The company currently has four separate risk management plans and programs, and while the offices all serve independent functions and have separate technology infrastructures, the plans are not integrated and have never been shared. The company plans to IPO in the US later this year, and the company's CEO and board of directors have just directed the enterprise to build a centralized risk management and governance program.

You are the CRISC for your location’s IT shop. Based on the topics discussed in this chapter, how would you participate?

Practice Question 1

X-1. Risk management should consider the following aspect(s) of risk:

– Thresholds
– Consequences
– Both, opportunities and threats
– Both, opportunities and thresholds

Practice Question 2

X-2. What factors change risk appetite and tolerance?

– New technology
– New organizational structures
– New market conditions
– All of the above

Practice Question 3

X-3. Which of the following statements is true?

● Risk tolerance is the amount of risk the company is willing to accept

● Risk appetite is the acceptable variance relative to objective achievement

● Risk tolerance is the acceptable variance relative to objective achievement

● Risk tolerance level is based on the enterprise’s ability to absorb loss

Practice Question 4

X-4. What risk components should be communicated?

● Expectations from process owners
● Status with regard to IT risk
● Future risk exposure
● Status with regard to Operational Risk

Practice Question 5

X-5. The IT risk action plan is an output communication from?

– CRISC
– Chief Information Officer
– IT Management
– Chief Risk Officer and the Enterprise Risk Management Committee


Definitions and acronyms

Acronym Review

Review Guide Reference (Source/Page) | Acronym | Definition
I-D-1 | CRO | Chief Risk Officer
I-D-1 | CIO | Chief Information Officer
I-F-2 | ERM | Enterprise Risk Management

Definition Review

Review Guide Reference (Source/Page) | Word | Definition
I-C-1 | Risk | Reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk means the potential for events and their consequences—contains both: opportunities for benefit (upside) and threats to success (downside)
I-D-1 | Responsibility | Belongs to those who must ensure that the activities are completed successfully
I-D-1 | Accountability | Applies to those who own the required resources; has the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes
I-E-2 | Standards | Establish mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or outputs of a process
I-E-2 | Practices | Are frequent or usual actions performed as an application of knowledge. They are issued by a "recognized authority" that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review. Note: Practices usually are derived from and supplement/support standards and frameworks and are the least formal of the three.

Definition Review

Review Guide Reference (Source/Page) | Word | Definition
I-E-2 | Leading Practice | An action that optimally applies knowledge in a particular area
I-F-3 | Risk Appetite | The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision)
I-F-3 | Risk Tolerance | The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective)
I-F-6 | Risk Awareness | Is about acknowledging that risk is an integral part of the business. This does not imply that all risk is to be avoided or eliminated, but rather that: risk is well understood and known; IT risk issues are identifiable; the enterprise recognizes and uses the means to manage risk.


Supplemental Exercises

Big Picture – Exercise 1

For each item, identify whether it is considered a Framework, Standard or Practice (record Your Answer, then compare with the Correct Answer):

Item | Correct Answer
COBIT® 4.1 | Framework
Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVE) | Practice
PCI Data Security Standard (PCI DSS) | Standard
NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems | Practice
ISO 31000:2009 (at the time of this manual's publication, the newest for general purpose risk management) | Standard
The Risk IT Framework | Framework
The Risk IT Practitioner Guide | Practice

Big Picture – Exercise 2

Identify the stakeholder for each risk communication flow input and output (record Your Answer, then compare with the Correct Answer):

Risk communication flow | Stakeholder (Correct Answer)
Input - Current IT risk exposure/profile | Executive management and board
Output - Potential IT risk issues | All Employees
Input - Audit findings | Risk control functions
Output - Support on risk awareness initiatives | Human resources (HR)
Input - Enterprise appetite for IT risk | Chief information officer (CIO)
Output - Financial information with regard to IT and IT programmes/projects (budget, actual, trends, etc.) | Chief financial officer (CFO)
Output - Audit findings | Compliance and audit

Big Picture – Exercise 2—cont.

Risk communication flow | Stakeholder (Correct Answer)
Input - Control and compliance monitoring | External Auditor
Output - Key performance objectives | Executive management and board
Input - Ongoing changes to IT risk factors | Business management and business process owners
Output - IT risk mitigation strategy and plan, including assignment of responsibility and development of metrics | IT management (including security and service management)
Input - Summary IT risk reports, including residual risk, controls maturity levels and audit findings | Insurer
Input - Risk awareness expectations | All Employees
Input - IT risk register | Chief risk officer (CRO) and enterprise risk committee

Big Picture – Exercise 2—cont.

Risk communication flow | Stakeholder (Correct Answer)
Output - Audit findings | External Auditor
Input - Key performance objectives | Chief financial officer (CFO)
Output - IT risk reports | Risk control functions
Input - In general, all communications intended for the board and executive management | Regulator
Input - Executive summary risk reports | Investors
Output - Insurance coverage (property, business interruption, directors and officers) | Insurer
Output - Business impact of the IT risk and impacted business units | Chief information officer (CIO)

Big Picture – Exercise 2—cont.

Risk communication flow | Stakeholder (Correct Answer)
Input - Risk awareness expectations | Human resources (HR)
Output - Enterprise appetite for IT risk | Chief risk officer (CRO) and enterprise risk committee
Output - Risk tolerance levels for their portfolio of investments | Investor
Input - IT risk RACI charts | Compliance and audit
Output - Control and compliance monitoring | Business management and business process owners
Output - Requirements for controls and reporting | Regulator
Input - Key performance objectives | IT management (including security and service management)


Suggested resources for further study

Suggested Resources for Further Study

• Risk IT Framework and Practitioner Guides
• Val IT Framework 2.0
• COBIT 4.1

See your CRISC Review Manual for more sources of information.