ISACA. The recognized global leader in IT governance, control, security and assurance

High-level session overview
1. CRISC background information
2. Part I: The Big Picture

CRISC Background information

About the CRISC Exam
The content of the 2011 CRISC Review Manual is based on the CRISC job practice found at www.isaca.org/criscjobpractice. There are 5 domains in the CRISC job practice. The CRISC exam is a practice-based exam; simply reading the material in this manual will not properly prepare candidates for the exam. No representations or warranties are made by ISACA in regard to this or other ISACA publications assuring candidates passage of the CRISC exam. This publication was produced independently of the CRISC Certification Committee, which has no responsibility for the content of this manual.

About the CRISC Exam
The CRISC certification is designed to meet the growing demand for professionals who can integrate enterprise risk management (ERM) with discrete IS control skills. The technical skills and practices the CRISC certification promotes and evaluates are the building blocks of success in this growing field, and the CRISC designation demonstrates proficiency in this role.

Exam Relevance
Ensure that the CRISC candidate has the practical knowledge required to perform the tasks described in the task and knowledge statements. The percentages listed with the domains indicate the emphasis, i.e. the percentage of questions that will appear on the exam from each domain. For a description of each domain's task and knowledge statements, visit www.isaca.org/criscjobpractice. Note: The concepts introduced in this manual are considered a fundamental part of the CRISC job practice.
Percentage of total exam questions by domain:
- Domain 1: 31%
- Domain 2: 17%
- Domain 3: 17%
- Domain 4: 17%
- Domain 5: 18%

About the CRISC Exam
The exam consists of 200 multiple-choice questions. CRISC exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All questions are designed with one best answer; the candidate is asked to choose the correct or best answer from the options. Good preparation for the CRISC exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA offers study aids and review courses to exam candidates. See www.isaca.org/criscbooks to view the ISACA study aids that can help prepare for the exam.

Manual Setup
The CRISC Review Manual 2011 is organized into three parts:
- Part I: The Big Picture: How Risk Management Relates to Risk Governance
- Part II: Risk Management and Information Systems Control Theory and Concepts
- Part III: Risk Management and Information Systems Control in Practice

Additional Resources
- Study Questions, Answers and Explanations
- Glossary
- Suggested Resources for Further Study
- List of Exhibits
The CRISC candidate also may find it useful to study the CRISC Review, Questions, Answers & Explanations Manual 2011, which consists of 100 multiple-choice study questions.

CRISC Review Course
Part I: The Big Picture: How Risk Management Relates to Risk Governance

Section Overview
- Exam Relevance
- Discuss specific topics within the chapter
- Case Study
- Sample Questions
- Key Terms (Definitions and Acronyms)
- Suggested Reading

Part 1 Learning Objectives
As a result of completing this chapter, the CRISC candidate should be able to:
- Differentiate between risk management and risk governance
- Identify the roles and responsibilities for risk management
- Distinguish between various risk management methodologies
- Apply and differentiate the standards, practices and principles of risk management
- List the main tasks related to risk governance
- Recognize relevant risk management standards, frameworks and practices
- Explain the meaning of key risk management concepts, including risk appetite and risk tolerance

Section Topic: Risk Management

Section Topics
- Risk Management
- Essentials of Risk Governance
- Risk Appetite and Risk Tolerance
- Risk Awareness and Communication
- Risk Culture

Overview of Risk Management
Risk Management:
- Is the process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives.
- Holistically covers all concepts and processes affiliated with managing risk, including the systematic application of management policies, procedures and practices; the tasks of communicating, consulting and establishing the context; and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

Risk
Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk, the potential for events and their consequences, contains both:
- Opportunities for benefit (upside)
- Threats to success (downside)

Risk and Opportunity Management
Guiding Principles for Effective Risk Management:
1. Maintain business objective focus
2. Integrate IT risk management into enterprise risk management (ERM)
3. Balance the costs and benefits of managing risk
4. Promote fair and open communication
5. Establish tone at the top and assign personal accountability
6. Daily process with continuous improvement

Responsibility vs. Accountability
- Responsibility belongs to those who must ensure that the activities are completed successfully.
- Accountability applies to those who either own the required resources or have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.

Responsibility vs. Accountability

Risk Management Roles and Responsibilities
The CRISC functions within the risk governance framework established within the enterprise. The CRISC executes on:
- Risk evaluation
- Risk response activities

Section Topics: Risk Management Frameworks, Standards and Practices

Relevance of Risk Management Frameworks, Standards and Practices
Risk management frameworks, standards and practices matter to the CRISC because they:
- Provide a view of things to watch
- Act as a guide to focus efforts
- Help achieve business objectives
- Provide credibility
- Save time and cost

Frameworks
Framework: Generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes. The Risk IT Framework is an example.

Standards
Standards: Established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes. The IT Audit and Assurance Standards are an example.

Practices
Practices are frequent or usual actions performed as an application of knowledge. Practices are issued by a recognized authority. Leading practices are actions that optimally apply knowledge in a particular area. Practices are usually derived from, and supplement/support, standards and frameworks. The Risk IT Practitioner Guide is an example.

Section Topic: Essentials of Risk Governance

Relevance of Risk Governance
- Risk is an integral part of business
- Risk is a core factor related to the stability, growth and success of the organization
- Risk represents the opportunity for growth and levels of profit
- Risk poses the possibility of loss or damage to the business objectives
- Risk governance addresses the oversight of the business risk strategy of the enterprise

Overview of Risk Governance
Risk governance is the domain of the enterprise's senior management and shareholders. This group is responsible for:
- Establishing the organization's risk culture and acceptable levels of risk
- Setting up the risk framework
- Ensuring effectiveness of the risk management function

Objectives of Risk Governance
Risk governance has three main objectives:
1. Establishing and maintaining a common risk view
2. Integrating risk management into the enterprise
3. Making risk-aware business decisions

Foundation of Risk Governance
An effective risk governance foundation requires:
1. An understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
2. An awareness of risk and of the need for effective communication about risk throughout the enterprise
3. An understanding of the elements of risk culture

Objectives of Risk Governance cont.
1. Establishing and maintaining a common risk view
- Determines which controls are necessary to mitigate risk
- Determines how risk-based controls are integrated into business processes and IS
- The risk governance function oversees the operations of the risk management team

Objectives of Risk Governance cont.
2. Integrating risk management into the enterprise
- Enforces a holistic ERM approach for the enterprise
- Requires integration of RM into every department, function, system and geographical location

Objectives of Risk Governance cont.
3. Making risk-aware business decisions
- Consider the full range of opportunities and consequences throughout the enterprise, society and the environment

Essentials of Risk Governance: Risk Appetite and Tolerance

Risk Appetite and Risk Tolerance
Definitions:
- Risk appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
- Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as it pursues its objectives

Risk Appetite and Risk Tolerance cont.
How risk appetite relates to risk scenarios with varying frequency and magnitude:
- Frequency: How often is the event expected to occur?
- Magnitude: What is the impact to the enterprise when the event occurs?

Risk Appetite and Risk Tolerance cont.
Applicable guidelines for risk appetite and risk tolerance:
- Connectivity of risk appetite and risk tolerance
- Review and approval of exceptions to risk tolerance standards
- Risk appetite and tolerance change over time
- Cost of risk mitigation options can affect risk tolerance

Essentials of Risk Governance: Risk Awareness and Communication

Risk Awareness and Communication
Description:
- Risk awareness is about acknowledging that risk is an integral part of the business.
- Risk communication stresses that if risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout the enterprise.

Risk Awareness and Communication cont.
Good vs. Poor Communication
- Benefits of good communication include contributing to management's understanding of exposures, awareness, and transparency to external stakeholders.
- Consequences of poor communication include a false sense of confidence relating to exposure, incorrect perception by external stakeholders, and the perception that the enterprise lacks transparency with external stakeholders.

Risk Awareness and Communication cont.
Types of risk information to be communicated:
- Expectations from risk management (strategy, policies, procedures, awareness, training, etc.)
- Current risk management capability (risk management, process maturity)
- Status with regard to IT risk (risk profile, key risk indicators, loss data, etc.)

Key Concepts of Risk Governance
Elements of effective communication:
- Clear
- Concise
- Useful
- Timely
- Aimed at the correct target audience
- Available on a need-to-know basis

Key Concepts of Risk Governance
Stakeholder Communication Inputs and Outputs
It is important for the CRISC to know what types of information should come from and go to various stakeholders.

Essentials of Risk Governance: Risk Culture

Risk Culture cont.
Overview of a Risk-Aware Culture
- Allows for open discussions about risk components
- Acceptable levels of risk are understood and maintained
- Begins at the top (board and executive): set direction, communicate risk-aware decision making, reward effective risk management behaviors
- Implies that all levels are aware of how and when to respond to adverse IT events

Risk Culture
A risk-aware culture is a series of behaviors:
- Behavior toward taking risk
- Behavior toward negative outcomes
- Behavior toward policy compliance
Symptoms of an inadequate or problematic risk culture include:
- Misalignment between real risk appetite and its translation into policies
- Existence of a blame culture

Case Study & Practice questions

Case Study
Company XYZ has four offices located in the US, Canada, China, and Egypt. The company currently has four separate risk management plans and programs; while the offices all serve independent functions and have separate technology infrastructures, the plans are not integrated, nor have they ever been shared. The company plans to IPO in the US later this year, and the company's CEO and board of directors have just directed the enterprise to build a centralized risk management and governance program. You are the CRISC for your location's IT shop. Based on the topics discussed in this chapter, how would you participate?

Practice Question 1
X-1. Risk management should consider the following aspect(s) of risk:
- Thresholds
- Consequences
- Both opportunities and threats
- Both opportunities and thresholds

Practice Question 2
X-2. What factors change risk appetite and tolerance?
- New technology
- New organizational structures
- New market conditions
- All of the above

Practice Question 3
X-3. Which of the following statements is true?
- Risk tolerance is the amount of risk the company is willing to accept
- Risk appetite is the acceptable variance relative to objective achievement
- Risk tolerance is the acceptable variance relative to objective achievement
- Risk tolerance level is based on the enterprise's ability to absorb loss

Practice Question 4
X-4. What risk components should be communicated?
- Expectations from process owners
- Status with regard to IT risk
- Future risk exposure
- Status with regard to operational risk

Practice Question 5
X-5. The IT risk action plan is an output communication from?
- CRISC
- Chief Information Officer
- IT Management
- Chief Risk Officer and the Enterprise Risk Management Committee

Definitions and acronyms

Acronym Review (Review Guide reference / source page in parentheses)
- CRO: Chief Risk Officer (I-D-1)
- CIO: Chief Information Officer (I-D-1)
- ERM: Enterprise Risk Management (I-F-2)

Definition Review (Review Guide reference / source page in parentheses)
- Risk (I-C-1): Reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk means the potential for events and their consequences, and contains both opportunities for benefit (upside) and threats to success (downside).
- Responsibility (I-D-1): Belongs to those who must ensure that the activities are completed successfully.
- Accountability (I-D-1): Applies to those who own the required resources or have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.
- Standards (I-E-2): Establish mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or the outputs of a process.
- Practices (I-E-2): Are frequent or usual actions performed as an application of knowledge. They are issued by a recognized authority that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review. Note: Practices usually are derived from and supplement/support standards and frameworks, and are the least formal of the three.

Definition Review cont. (Review Guide reference / source page in parentheses)
- Leading Practice (I-E-2): An action that optimally applies knowledge in a particular area.
- Risk Appetite (I-F-3): The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision).
- Risk Tolerance (I-F-3): The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective).
- Risk Awareness (I-F-6): Is about acknowledging that risk is an integral part of the business. This does not imply that all risk is to be avoided or eliminated, but rather that: risk is well understood and known; IT risk issues are identifiable; the enterprise recognizes and uses the means to manage risk.

Supplemental Exercises

Big Picture Exercise 1
For each of the following, identify whether it is considered a Framework, Standard or Practice. Correct answers:
- COBIT 4.1: Framework
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE): Practice
- PCI Data Security Standard (PCI DSS): Standard
- NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: Practice
- ISO 31000:2009 (at the time of this manual's publication, the newest for general purpose risk management): Standard
- The Risk IT Framework: Framework
- The Risk IT Practitioner Guide: Practice

Big Picture Exercise 2
Identify the stakeholder for each risk communication flow input and output. Correct answer items, as they appear on the four answer slides:

Slide 1
- Input: Current IT risk exposure/profile
- Output: Potential IT risk issues
- Input: Audit findings
- Executive management and board
- All employees
- Risk control functions
- Output: Support on risk awareness initiatives
- Human resources (HR)
- Input: Enterprise appetite for IT risk
- Output: Financial information with regard to IT and IT programmes/projects (budget, actual, trends, etc.)
- Chief information officer (CIO)
- Chief financial officer (CFO)
- Output: Audit findings
- Compliance and audit

Slide 2
- Input: Control and compliance monitoring
- External auditor
- Output: Key performance objectives
- Input: Ongoing changes to IT risk factors
- Output: IT risk mitigation strategy and plan, including assignment of responsibility and development of metrics
- Input: Summary IT risk reports, including residual risk, controls maturity levels and audit findings
- Input: Risk awareness expectations
- Executive management and board
- Business management and business process owners
- IT management (including security and service management)
- Insurer
- All employees
- Input: IT risk register
- Chief risk officer (CRO) and enterprise risk committee

Slide 3
- Output: Audit findings
- External auditor
- Input: Key performance objectives
- Output: IT risk reports
- Chief financial officer (CFO)
- Risk control functions
- Input: In general, all communications intended for the board and executive management
- Input: Executive summary risk reports
- Regulator
- Investors
- Output: Insurance coverage (property, business interruption, directors and officers)
- Insurer
- Output: Business impact of the IT risk and impacted business units
- Chief information officer (CIO)

Slide 4
- Input: Risk awareness expectations
- Human resources (HR)
- Output: Enterprise appetite for IT risk
- Output: Risk tolerance levels for their portfolio of investments
- Chief risk officer (CRO) and enterprise risk committee
- Investor
- Input: IT risk RACI charts
- Compliance and audit
- Output: Control and compliance monitoring
- Output: Requirements for controls and reporting
- Business management and business process owners
- Regulator
- Input: Key performance objectives
- IT management (including security and service management)

Suggested resources for further study

Suggested Resources for Further Study
- Risk IT Framework and Practitioner Guides
- Val IT Framework 2.0
- COBIT 4.1
See your CRISC Review Manual for more sources of information.