ISACA The recognized global leader in IT governance, control, security and assurance
High-level session overview
1. CRISC background information
2. Part I The Big Picture
CRISC Background information
About the CRISC Exam
The content of the 2011 CRISC Review Manual is based on the CRISC job practice found at www.isaca.org/criscjobpractice. There are 5 domains in the CRISC job practice. The CRISC exam is a practice-based exam. Simply reading the material in this manual will not properly prepare candidates for the exam. No representations or warranties are made by ISACA in regard to this or other ISACA publications assuring candidates passage of the CRISC exam. This publication was produced independently of the CRISC Certification Committee, which has no responsibility for the content of this manual.
About the CRISC Exam The CRISC certification is designed to meet the growing demand for professionals who can integrate enterprise risk management (ERM) with discrete IS control skills. The technical skills and practices the CRISC certification promotes and evaluates are the building blocks of success in this growing field, and the CRISC designation demonstrates proficiency in this role.
Exam Relevance
Ensure that the CRISC candidate has the practical knowledge required to perform the tasks described in the task and knowledge statements. The percentages listed with the domains indicate the emphasis, or percentage of questions, that will appear on the exam from each domain. For a description of each domain's task and knowledge statements, visit www.isaca.org/criscjobpractice. Note: The concepts introduced in this manual are considered a fundamental part of the CRISC job practice.
Percentage of total exam questions by domain: Domain 1, 31%; Domain 2, 17%; Domain 3, 17%; Domain 4, 17%; Domain 5, 18%.
About the CRISC Exam
The exam consists of 200 multiple-choice questions. CRISC exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All questions are designed with one best answer. The candidate is asked to choose the correct or best answer from the options. Good preparation for the CRISC exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA offers study aids and review courses to exam candidates. See www.isaca.org/criscbooks to view the ISACA study aids that can help prepare for the exam.
Manual Setup
The CRISC Review Manual 2011 is organized into three parts:
Part I The Big Picture: How Risk Management Relates to Risk Governance
Part II Risk Management and Information Systems Control Theory and Concepts
Part III Risk Management and Information Systems Control in Practice
Additional Resources
Study Questions, Answers and Explanations
Glossary
Suggested Resources for Further Study
List of Exhibits
The CRISC candidate also may find it useful to study the CRISC Review Questions, Answers & Explanations Manual 2011, which consists of 100 multiple-choice study questions.
CRISC Review Course Part I The Big Picture: How Risk Management Relates to Risk Governance
Section Overview
Exam Relevance
Discuss specific topics within the chapter
Case Study
Sample Questions
Key Terms (Definitions and Acronyms)
Suggested Reading
Part 1 Learning Objectives
As a result of completing this chapter, the CRISC candidate should be able to:
Differentiate between risk management and risk governance
Identify the roles and responsibilities for risk management
Distinguish between various risk management methodologies
Apply and differentiate the standards, practices and principles of risk management
List the main tasks related to risk governance
Recognize relevant risk management standards, frameworks and practices
Explain the meaning of key risk management concepts, including risk appetite and risk tolerance
ISACA Trust in, and value from, information systems
Section Topic Risk Management
Section Topics
Risk Management
Essentials of Risk Governance
Risk Appetite and Risk Tolerance
Risk Awareness and Communication
Risk Culture
Overview of Risk Management
Risk Management:
Is the process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives.
Holistically covers all concepts and processes affiliated with managing risk, including the systematic application of management policies, procedures and practices; the tasks of communicating, consulting and establishing the context; and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.
Risk
Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk, the potential for events and their consequences, contains both:
Opportunities for benefit (upside)
Threats to success (downside)
Risk and Opportunity Management
Guiding Principles for Effective Risk Management
1. Maintain business objective focus
2. Integrate IT risk management into enterprise risk management (ERM)
3. Balance the costs and benefits of managing risk
4. Promote fair and open communication
5. Establish tone at the top and assign personal accountability
6. Daily process with continuous improvement
Responsibility vs. Accountability Responsibility belongs to those who must ensure that the activities are completed successfully. Accountability applies to those who either own the required resources or those who have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.
Responsibility vs. Accountability
Risk Management Roles and Responsibilities
The CRISC functions within the risk governance framework established within the enterprise.
The CRISC executes on:
Risk evaluation
Risk response activities
Section Topics Risk Management Frameworks, Standards and practices
Relevance of Risk Management Frameworks, Standards and Practices
Risk management frameworks, standards and practices matter to the CRISC because they:
Provide a view of things to watch
Act as a guide to focus efforts
Help achieve business objectives
Provide credibility
Save time and cost
Frameworks Framework Generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes The Risk IT Framework is an example
Standards Standards Established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes IT Audit and Assurance Standards are an example
Practices
Practices are frequent or usual actions performed as an application of knowledge. Practices are issued by a recognized authority. Leading practices are actions that optimally apply knowledge in a particular area. Practices are usually derived from, and supplement/support, standards and frameworks. The Risk IT Practitioner Guide is an example.
Section Topic Essentials of Risk Governance
Relevance of Risk Governance
Risk is an integral part of business
Risk is a core factor related to the stability, growth and success of the organization
Risk represents the opportunity for growth and levels of profit
Risk poses the possibility of loss or damage to the business objectives
Risk governance addresses the oversight of the business risk strategy of the enterprise
Overview of Risk Governance
Risk governance is the domain of the enterprise's senior management and shareholders. This group is responsible for:
Establishing the organization's risk culture and acceptable levels of risk
Setting up the risk framework
Ensuring effectiveness of the risk management function
Objectives of Risk Governance
Risk governance has three main objectives:
1. Establishing and maintaining a common risk view
2. Integrating risk management into the enterprise
3. Making risk-aware business decisions
Foundation of Risk Governance
An effective risk governance foundation requires:
1. An understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
2. An awareness of risk and of the need for effective communication about risk throughout the enterprise
3. An understanding of the elements of risk culture
Objectives of Risk Governance cont.
1. Establishing and maintaining a common risk view
Determines which controls are necessary to mitigate risk
Determines how risk-based controls are integrated into business processes and IS
The risk governance function oversees the operations of the risk management team
Objectives of Risk Governance cont.
2. Integrating risk management into the enterprise
Enforces a holistic ERM approach for the enterprise
Requires integration of RM into every department, function, system and geographical location
Objectives of Risk Governance cont.
3. Making risk-aware business decisions
Consider the full range of opportunities and consequences of each decision throughout the enterprise, society and the environment
Essentials of Risk Governance Risk Appetite and Tolerance
Risk Appetite and Risk Tolerance Definitions
Risk appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as it pursues its objectives
Risk Appetite and Risk Tolerance cont.
How risk appetite relates to risk scenarios with varying frequency and magnitude:
Frequency: How often is the event expected to occur?
Magnitude: What is the impact to the enterprise when the event occurs?
Risk Appetite and Risk Tolerance cont.
Applicable Guidelines for Risk Appetite and Risk Tolerance
Connectivity of risk appetite and risk tolerance
Review and approval of exceptions to risk tolerance standards
Risk appetite and tolerance change over time
Cost of risk mitigation options can affect risk tolerance
Essentials of Risk Governance Risk Awareness and Communication
Risk Awareness and Communication Description
Risk awareness is about acknowledging that risk is an integral part of the business.
Risk communication stresses that if risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout the enterprise.
Risk Awareness and Communication cont.
Good vs. Poor Communication
Benefits of good communication include contributing to management's understanding of exposures, awareness, and transparency to external stakeholders.
Consequences of poor communication include a false sense of confidence relating to exposure, incorrect perception by external stakeholders, and the perception that the enterprise lacks transparency with external stakeholders.
Risk Awareness and Communication cont.
Types of Risk Information To Be Communicated
Expectations from risk management (strategy, policies, procedures, awareness, training, etc.)
Current risk management capability (risk management, process maturity)
Status with regard to IT risk (risk profile, key risk indicators, loss data, etc.)
Key Concepts of Risk Governance
Elements of Effective Communication
Clear
Concise
Useful
Timely
Aimed at the correct target audience
Available on a need-to-know basis
Key Concepts of Risk Governance
Stakeholder Communication Inputs and Outputs
It is important for the CRISC to know what types of information should come from and go to various stakeholders.
Essentials of Risk Governance Risk culture
Risk Culture cont.
Overview of a Risk-Aware Culture
Allows for open discussions about risk components
Acceptable levels of risk are understood and maintained
Begins at the top (board and executive): set direction, communicate risk-aware decision making, reward effective risk management behaviors
Implies that all levels are aware of how and when to respond to adverse IT events
Risk Culture
A risk-aware culture is a series of behaviors:
Behavior toward taking risk
Behavior toward negative outcomes
Behavior toward policy compliance
Symptoms of an inadequate or problematic risk culture include:
Misalignment between real risk appetite and its translation into policies
Existence of a blame culture
Case Study & Practice questions
Case Study
Company XYZ has four offices located in the US, Canada, China and Egypt. The company currently has four separate risk management plans and programs, and while the offices all serve independent functions and have separate technology infrastructures, the plans are not integrated, nor have they ever been shared. The company plans to IPO in the US later this year, and the company's CEO and board of directors have just directed the enterprise to build a centralized risk management and governance program. You are the CRISC for your location's IT shop. Based on the topics discussed in this chapter, how would you participate?
Practice Question 1
X-1. Risk management should consider the following aspect(s) of risk:
Thresholds
Consequences
Both opportunities and threats
Both opportunities and thresholds
Practice Question 2
X-2. What factors change risk appetite and tolerance?
New technology
New organizational structures
New market conditions
All of the above
Practice Question 3
X-3. Which of the following statements is true?
Risk tolerance is the amount of risk the company is willing to accept
Risk appetite is the acceptable variance relative to objective achievement
Risk tolerance is the acceptable variance relative to objective achievement
Risk tolerance level is based on the enterprise's ability to absorb loss
Practice Question 4
X-4. What risk components should be communicated?
Expectations from process owners
Status with regard to IT risk
Future risk exposure
Status with regard to operational risk
Practice Question 5
X-5. The IT risk action plan is an output communication from?
CRISC
Chief Information Officer
IT Management
Chief Risk Officer and the Enterprise Risk Management Committee
Definitions and acronyms
Acronym Review
Review Guide Reference Source/Page | Acronym | Definition
I-D-1 | CRO | Chief Risk Officer
I-D-1 | CIO | Chief Information Officer
I-F-2 | ERM | Enterprise Risk Management
Definition Review
Review Guide Reference Source/Page | Word | Definition
I-C-1 | Risk | Reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk means the potential for events and their consequences and contains both: opportunities for benefit (upside) and threats to success (downside).
I-D-1 | Responsibility | Belongs to those who must ensure that the activities are completed successfully.
I-D-1 | Accountability | Applies to those who own the required resources or have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.
I-E-2 | Standards | Establish mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or outputs of a process.
I-E-2 | Practices | Are frequent or usual actions performed as an application of knowledge. They are issued by a recognized authority that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review. Note: Practices usually are derived from and supplement/support standards and frameworks and are the least formal of the three.
Definition Review
Review Guide Reference Source/Page | Word | Definition
I-E-2 | Leading Practice | An action that optimally applies knowledge in a particular area.
I-F-3 | Risk Appetite | The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision).
I-F-3 | Risk Tolerance | The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective).
I-F-6 | Risk Awareness | Is about acknowledging that risk is an integral part of the business. This does not imply that all risk is to be avoided or eliminated, but rather that: risk is well understood and known; IT risk issues are identifiable; the enterprise recognizes and uses the means to manage risk.
Supplemental Exercises
Big Picture Exercise 1
For each item, identify whether it is considered a Framework, Standard or Practice (Your Answer / Correct Answer):
COBIT 4.1 | Framework
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) | Practice
PCI Data Security Standard (PCI DSS) | Standard
NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems | Practice
ISO 31000:2009 (at the time of this manual's publication, the newest for general purpose risk management) | Standard
The Risk IT Framework | Framework
The Risk IT Practitioner Guide | Practice
Big Picture Exercise 2 Your Answer Identify the stakeholder for risk communication flow input and output Correct Answer Input - Current IT risk exposure/profile Output - Potential IT risk issues Input - Audit findings Executive management and board All Employees Risk control functions Output - Support on risk awareness initiatives Human resources (HR) Input - Enterprise appetite for IT risk Output - Financial information with regard to IT and IT programmes/projects (budget, actual, trends, etc.) Chief information officer (CIO) Chief financial officer (CFO) Output - Audit findings Compliance and audit
Big Picture Exercise 2 Your Answer Identify the stakeholder for risk communication flow input and output Correct Answer Input - Control and compliance monitoring External Auditor Output - Key performance objectives Input - Ongoing changes to IT risk factors Output - IT risk mitigation strategy and plan, including assignment of responsibility and development of metrics Input - Summary IT risk reports, including residual risk, controls maturity levels and audit findings Input - Risk awareness expectations Executive management and board Business management and business process owners IT management (including security and service management) Insurer All Employees Input - IT risk register Chief risk officer (CRO) and enterprise risk committee
Big Picture Exercise 2 Your Answer Identify the stakeholder for risk communication flow input and output Correct Answer Output - Audit findings External Auditor Input - Key performance objectives Output - IT risk reports Chief financial officer (CFO) Risk control functions Input - In general, all communications intended for the board and executive management Input - Executive summary risk reports Regulator Investors Output - Insurance coverage (property, business interruption, directors and officers) Insurer Output - Business impact of the IT risk and impacted business units Chief information officer (CIO)
Big Picture Exercise 2 Your Answer Identify the stakeholder for risk communication flow input and output Correct Answer Input - Risk awareness expectations Human resources (HR) Output - Enterprise appetite for IT risk Output - Risk tolerance levels for their portfolio of investments Chief risk officer (CRO) and enterprise risk committee Investor Input - IT risk RACI charts Compliance and audit Output - Control and compliance monitoring Output - Requirements for controls and reporting Business management and business process owners Regulator Input - Key performance objectives IT management (including security and service management)
Suggested resources for further study
Suggested Resources for Further Study
Risk IT Framework and Practitioner Guides
Val IT Framework 2.0
COBIT 4.1
See your CRISC Review Manual for more sources of information.