By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
The definition of risk has changed over time, and several definitions are currently in use. They ultimately convey the same meaning: risk is the combination of the probability of an event and its consequence. This definition is intentionally broad because risk is a business factor that has the potential to influence both positive and negative outcomes. In the context of IT, risk is often seen as an adverse factor that can threaten an organization’s assets or otherwise cause harm. Several factors are considered when evaluating risk, including the mission of the organization, its assets, threat and vulnerability, likelihood, and consequences (also called impact). These terms will be further explored in each of the chapters in this review manual.
Governance And Risk Management
Governance is the accountability for protection of the assets of an organization. In a corporate structure, the directors of an organization (frequently organized as a board) are accountable for governance and entrust the senior management team with the responsibility to manage the day-to-day operations of the organization in alignment with the strategic mandates that the directors approve. Similar arrangements exist within cooperative and partnership-style organizations, although the names may differ.
Governance is applicable to all departments of the organization. It may take the form of financial accountability and oversight, operational effectiveness, legal and regulatory compliance, adoption of fair labor practices, social responsibility and governance of IT investment, operations, and control. Risk management is an important part of governance. Managers require accurate information to be able to correctly understand risk and address the circumstances that would indicate the need for risk mitigation.
Over the past decade, the term “governance” has moved to the forefront of business thinking in response to examples demonstrating the importance of good governance on one end of the spectrum and the global business mishaps derived from poor governance on the other. Corporate governance is the system by which organizations are evaluated, directed and controlled. By implication, the corporate governance of IT is the system by which the current and future use of IT is evaluated, directed and controlled. The objective of any governance system is to enable organizations to create value for their stakeholders or to promote value creation. Value creation, in turn, comprises benefits realization, risk optimization and resource optimization. Risk optimization is an essential part of any governance system and cannot be seen in isolation from benefits realization or resource optimization.
Governance answers four questions:
1. Are we doing the right things?
2. Are we doing them the right way?
3. Are we getting them done well?
4. Are we getting the benefits?
There is a clear distinction between governance and management. Management focuses on planning, building, running and monitoring activities in alignment with the direction set by the governance body to create value by achieving objectives. A well-managed organization subject to poor governance will create and execute clear, effective plans to attain objectives that do not create value. Similarly, risk management foresees the challenges to achieving objectives and attempts to lower the probabilities of negative outcomes occurring and/or their impacts if they do occur, but the effectiveness of risk management depends in large part on decisions made by managers responsible for risk governance.
Effective risk governance helps ensure that risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.
The Context Of IT Risk Management
Risk management is defined as the coordinated activities to direct and control an enterprise with regard to risk. In simple terms, risk can be viewed as a challenge to achieving objectives, and risk management as the activity undertaken to predict challenges and lower their chances of occurring and/or their impact.
Effective risk management can also assist in maximizing opportunities, and the risk practitioner should keep this upside/downside duality of risk in mind. For example, a risk decision might take the form of potential benefits that may accrue if opportunities are taken versus missed benefits if those same opportunities are foregone.
The dual nature of risk is a result of its use in different contexts by business and IT, and it is not always easy to draw the distinction. International Organization for Standardization (ISO) 31000:2009 – Risk Management Principles and Guidelines calls risk “the effect of uncertainty on objectives. An effect is a deviation from the expected—positive and/or negative.” However, ISO/International Electrotechnical Commission (IEC) 27005:2011 – Information technology – Security techniques – Information security risk management regards risk solely from a negative angle, stating “information security risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.” Risk practitioners who are able to effectively view risk from both perspectives are likely to find that they can more easily discuss risk with business and IT professionals without causing confusion.
Risk management starts with understanding the organization, but the risk practitioner should bear in mind that the organization is heavily influenced by the environment, or context, in which it operates. Assessing an organization’s context includes evaluating the intent and capability of threats; the relative value of assets or resources and the trust that must be placed in them; and the presence and extent of vulnerabilities that might be exploited to intercept, interrupt, modify or fabricate data in information assets. Other factors that must be considered include:
- Dependency of the organization on a supply chain, especially one based in another geographic region of the world or reliant upon just-in-time delivery
- The influences of financing, debt and partners or substantial stakeholders
- Vulnerability to changes in economic or political conditions
- Changes to market trends and patterns
- Emergence of new competition
- Impact of new legislation
- Existence of potential natural disaster
- Constraints caused by legacy systems and antiquated technology
- Strained labor relations and inflexible management
The strategy of the organization will drive the individual lines of business that make up the organization, and each line of business will develop information systems that support its business function. Source: ISACA, The Risk IT Framework, USA, 2009
Examples of category-wise specific risk include the following:
- Strategic: Changes in customer preference or stakeholder preference, executive turnover
- Environmental: Pollution or disturbance of protected areas
- Market: Foreign-exchange rates, availability of commodities and raw materials
- Credit: Interest rates, callable loans, damage to assets for which the organization is an insurer
- Operational: Employee errors, fraud, theft
- Compliance: Failure to meet regulatory requirements, inaccurate documentation
- IT benefit/value enablement: Delivered projects do not create expected value
- IT program and project delivery: Projects are not delivered in a manner consistent with plans
- IT operations and service delivery: Delivered services fall short of service level agreements (SLAs)
Risk is an influencing factor and must be evaluated at all levels of the organization—the strategic level, the business unit level and the information systems level. A properly managed risk framework addresses the impact of risk at all levels and describes how risk at one level may affect the other levels as well.
There are several key parts of an IT risk management program. Different risk management methodologies use slightly different terms to describe the components of IT risk management. The CRISC candidate is not expected to be familiar with the details of each methodology, but should be familiar with the general concepts and process flows related to IT risk management.
IT risk management is the implementation of a risk strategy that reflects the culture, appetite and tolerance levels of organizational management; considers technology and budgets; and addresses the requirements of regulation and compliance. An effective IT risk management strategy is critical to an organization’s ability to effectively and efficiently execute its overall business strategy.
IT risk management is a cyclical process.
The first step in the IT risk management process is the identification of IT risk, which includes determining the risk context and risk framework, and the process of identifying and documenting risk. The risk identification effort should result in the listing and documentation of risk, which serves as the input for the next phase of the process, IT risk assessment. The effort to assess and prioritize risk provides management with the data needed for risk response and mitigation, the third phase of the cycle, which seeks and implements cost-effective ways to address the risk that has been identified and assessed. The final phase is risk and control monitoring and reporting, in which controls, risk management efforts and the current risk state are monitored and the results reported back to senior management. The process repeats as the risk environment changes, which may occur as a result of internal or external factors.
The IT risk management process is based on the complete cycle of all the elements. A failure to perform any one of the phases in a complete and thorough manner may result in deficiencies being carried forward that cause the overall process to be ineffective. As with all life cycles, the process continues with refinement, adaptation and a focus on continuous improvement and maturity. The more often the risk management life cycle is repeated, the more effective the IT risk management effort will be and the more consistency the organization will see in the results that it obtains.
Importance of IT Risk Management
IT risk management is important to the organization because of the tangible benefits that it delivers, including the following:
- Better oversight of organizational assets
- Reduced or minimized loss
- Identification of threats, vulnerabilities and consequences on a proactive basis
- Prioritization of risk response efforts to match organizational goals and priorities
- A more holistic basis for and approach to legal and regulatory compliance
- Increased likelihood of project success
- Improved performance, leading to greater stakeholder confidence
- Creation of a risk-aware culture with less reliance on specialists
- Better incident and business continuity management
- Improved controls with better monitoring and reporting
- Improved decision making as a result of expanded access to accurate, timely information
- An increased ability to meet business objectives and create value
Key Concepts Of Risk
Risk can be discussed in quantitative or qualitative terms, and the specific definitions of risk vary from source to source. However, the fundamental nature of risk is that it addresses the odds that some event will happen (probability or likelihood) and what it would mean for the organization if that event did happen (consequences). Early attempts to define risk observed that the probability of something happening was a combination of two things: whether something was attempted (threat) and whether the target of the attempt was susceptible to what was tried (vulnerability). As the study of risk matured, risk practitioners began to distinguish between delineation of the consequences and the extent to which those consequences affected the value-creation activities of the organization (impact). It is now common to distinguish between different types of threats, to evaluate them on the basis of specific organizational assets against which they may be directed and to assess those assets in terms of their individual weaknesses (vulnerabilities) that might be exploited to create consequences for the assets. When viewed from the perspective of how these assets are used within the organization, it becomes possible to quantify impact in terms of lost productivity and other specific measures of value, which is useful for two reasons:
1. It is easier for managers to set a dollar value of total losses that they are willing to incur (risk appetite) than it is to define what consequences are or are not acceptable in a dozen or more different areas of operations.
2. Knowing the potential losses associated with risk provides a basis for deciding how to respond to risk that is beyond acceptable levels because it does not make sense to spend more to respond to a risk than the risk itself presents in terms of the cost of impact.
Example of Risk: Consider a house in a dry, wooded area; fire is a threat regardless of the building material used to construct the house (i.e., wood or brick). The probability of a fire starting in the wooded area is distinct from the probability of the house burning down. For the second probability, we take into consideration the building material. A wooden house is highly vulnerable to fire; a brick house is far less so. For the same threat (a fire starting), the likelihood of impact is, therefore, different depending on the vulnerability.
Next, the destruction of the house is a potential consequence. If the house is occupied, the impact is temporary homelessness for those who live there, which imposes the immediate costs of temporary lodging and a replacement wardrobe. Under those circumstances, it makes sense to take precautions sufficient to address this impact, such as insuring the home against fire or putting in a fire-suppression system, but it is not reasonable to hire a full-time fire crew to watch the house on a daily basis because the cost of the fire crew would exceed the cost of the impact. However, if the house were uninhabited and condemned, the consequences would have no negative impact, and no precautions may be necessary. The key concepts of risk are discussed in various contexts throughout this review manual. It is common for people who lack strong understanding of these terms to use them interchangeably, but doing so can create confusion, impede successful risk management and cast doubt on competence. The risk practitioner should ensure that he/she spends enough time studying them to gain a basic, reliable understanding of the different terms and how they relate to one another.
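The house scenario above, worked through numerically, as an added example that is not part of the review manual: it separates the probability of the threat (a fire starting) from the probability that the vulnerability is exploited (the house burns, given a fire), multiplies the resulting likelihood by the consequence in money to obtain risk as probability × consequence, and then applies the two decision rules from the numbered points (compare total expected loss with a stated appetite; never spend more on a response than the risk presents). Every probability, cost and control effect below is a constructed assumption chosen so the insurance/sprinkler/fire-crew outcomes match the text, not data from ISACA or the manual.

```python
"""Worked risk example: likelihood, impact and cost-justified responses.

All figures here are constructed for illustration; none come from the
CRISC review manual or any ISACA publication."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """A threat acting on an asset, in the manual's own terms."""
    name: str
    p_threat: float   # annual probability the threat event occurs (a fire starts in the woods)
    p_exploit: float  # probability the vulnerability is exploited given the threat (house burns, given a fire)
    impact: float     # consequence in money if it does (lodging + wardrobe); assumed figure

    def likelihood(self) -> float:
        """Likelihood of impact = P(threat) x P(vulnerability exploited | threat)."""
        return self.p_threat * self.p_exploit

    def expected_loss(self) -> float:
        """Risk as probability x consequence (the manual's definition), per year."""
        return self.likelihood() * self.impact


@dataclass(frozen=True)
class Control:
    """A candidate response; a factor below 1.0 shrinks the term it applies to."""
    name: str
    annual_cost: float
    exploit_factor: float = 1.0  # lowers vulnerability (preventive, e.g. a suppression system)
    impact_factor: float = 1.0   # lowers consequence (transfer/corrective, e.g. insurance)


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Residual scenario once the control operates as designed."""
    return replace(s, p_exploit=s.p_exploit * c.exploit_factor,
                   impact=s.impact * c.impact_factor)


def evaluate(s: Scenario, c: Control) -> dict:
    """Compare the expected-loss reduction a control buys with what it costs."""
    reduction = s.expected_loss() - apply_control(s, c).expected_loss()
    net = reduction - c.annual_cost
    return {"control": c.name, "reduction": reduction, "cost": c.annual_cost,
            "net": net, "justified": net >= 0}  # never spend more than the risk presents


def exceeds_appetite(s: Scenario, appetite: float) -> bool:
    """Appetite stated as the annual loss management is willing to incur (point 1)."""
    return s.expected_loss() > appetite


def recommend(s: Scenario, controls: list) -> list:
    """Names of the cost-justified controls, best net benefit first (point 2)."""
    results = [evaluate(s, c) for c in controls]
    return [r["control"] for r in sorted(results, key=lambda r: -r["net"]) if r["justified"]]


# Constructed inputs (assumptions, not data from the manual)
FIRE_IN_AREA = 0.05  # 1-in-20 chance per year that a fire starts nearby
WOODEN = Scenario("wooden house", FIRE_IN_AREA, 0.8, 20_000.0)
BRICK = Scenario("brick house", FIRE_IN_AREA, 0.1, 20_000.0)
CONDEMNED = Scenario("condemned house", FIRE_IN_AREA, 0.8, 0.0)  # uninhabited: no impact

CONTROLS = [
    Control("fire insurance", annual_cost=600.0, impact_factor=0.1),
    Control("sprinkler system", annual_cost=400.0, exploit_factor=0.25),
    Control("full-time fire crew", annual_cost=150_000.0, exploit_factor=0.05),
]

if __name__ == "__main__":
    for s in (WOODEN, BRICK, CONDEMNED):
        print(f"{s.name}: likelihood {s.likelihood():.3f}/yr, "
              f"expected loss {s.expected_loss():,.0f}/yr")
        for c in CONTROLS:
            r = evaluate(s, c)
            print(f"  {r['control']:<20} reduction {r['reduction']:>8,.0f}"
                  f"  cost {r['cost']:>9,.0f}  justified={r['justified']}")
        print("  recommended:", recommend(s, CONTROLS) or "none")
```

With these inputs the wooden house carries an expected loss of 800 per year, the brick house 100, and the condemned house 0; the sprinkler system and insurance are justified for the wooden house, the fire crew never is (its cost dwarfs the 800 it could at most remove), and for the condemned house no response is justified because there is no impact to reduce. The same structure carries over to an IT asset: substitute the threat rate, the exploitability of the specific vulnerability and a business-level impact figure, not the cost to IT alone.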
Risk In Relation To Other Business Functions
Risk is a critical part of business. Unless a business is willing to take a risk, it will not be able to realize the benefits associated with risk. However, taking too much risk may lead to increased likelihood of failure of the business and loss of investment. Senior management is responsible for setting the risk appetite for the organization—a clear statement of how much risk to take and what opportunities to forego. The risk practitioner is primarily concerned with IT risk, which is a subset of business risk. This requires the risk practitioner to understand the risk culture of an organization and use it to drive or inform the IT risk strategy. The business does not exist so that the organization can have an IT department; the IT department exists to help the business meet its mission and goals. When calculating IT risk, the risk practitioner must be careful not to calculate risk solely from the perspective of the impact of the risk on IT and to ensure that both the technical and nontechnical elements of risk have been considered. An IT system failure has an impact on the IT department, but it may have a much greater impact on the business supported by the IT system than on IT alone. In addition to the relationship between business risk and IT risk, the risk practitioner should also be familiar with risk-related business functions such as business continuity, audit, information security, controls, projects and change management.
Risk and Business Continuity
IT risk management is closely linked with business continuity. The business continuity function is concerned with the preservation of critical business functions and the ability of the organization to survive an adverse event that may impact the ability of the organization to meet its mission and goals. Through risk management, the organization attempts to reduce all IT risk to an acceptable level. Although the controls and efforts of IT risk management may not prevent a failure, the risk practitioner works with the incident management and business continuity teams to identify possible threats and put in place the mechanisms to detect, contain and recover from an adverse event if it should happen. If the business continuity plan (BCP) is inadequate or inaccurate, the organization may not meet its goals for recovery after an incident.
Risk and Audit
The audit function is an important part of corporate governance that provides management with assurance regarding the effectiveness of the control framework, IT risk management program and compliance. In a world of increasing legislation, government oversight and media scrutiny, organizations must diligently demonstrate an adequate control environment and risk management. For that reason, audits of information systems (IS) should be conducted by objective, skilled and independent personnel able to assess risk, identify vulnerabilities, document findings and provide recommendations on how to address audit issues. An audit is a methodical and structured review that requires competence and knowledge in the subject matter of the area being audited. If the IS auditor is not familiar with the technology being used, the significance of operating conditions or the requirements of the organization, the audit may be inaccurate and provide limited value. IS audits must also be independent. Senior management is often involved in the creation of the IS audit plan, and in a situation where a particular manager is involved in inappropriate activity, he/she may restrict the ability of IS audit to perform their duties effectively. Even when there is no wrongdoing, the appearance of partiality may cast doubt on the results of an audit, creating less value than expected. The risk practitioner should review the relationship between the IS auditor and the area being audited to ensure that there is no conflict of interests.
Risk and Information Security
IT risk management drives the selection of controls and justifies their initial and continued operation. If the IT risk management activity is not conducted properly, information security controls are almost certain to be incorrectly designed, poorly implemented and improperly operated. Every control should be traceable back to a specific IT risk that the control is designed to mitigate, and the risk practitioner should be able to demonstrate the purpose of each control and explain the reasoning behind its selection.
Control Risk
A control is chosen to mitigate a risk, but if the control is not operating correctly then the control may not prevent a failure or compromise. The selection of the wrong control, the incorrect configuration of the control, the improper operation of the control, the failure to monitor and review the control, or the inadequacy of the control to address new threats may each introduce the risk of control failure.
Project Risk
Many projects fail; in fact, numerous studies of IT projects have indicated that a majority of IT projects could be considered failures. Failure of a particular project may be defined by it going over its allotted budget or the allotted time scheduled or if it does not deliver what it promised. A project may also be deemed a failure if it delivered what it promised but the deliverables did not meet customer needs and expectations. The failure of an IT project may pose a significant risk to an organization, manifesting as lost market share, failure to seize new opportunities or other adverse impacts on customers, shareholders and staff. Identifying the risk associated with a project and successfully managing that risk is very likely to result in higher levels of project success and stakeholder satisfaction.
Change Risk
Risk is not static. Changes in technology, regulations, business processes, functionality, architecture, users and other variables that affect the business and technical environments of the organization may affect the levels of risk associated with systems in operation. The risk level of a particular system may also change because of intentional changes to its configuration or architecture that result in the controls that were originally effective as designed becoming ineffective. The risk practitioner is tasked with managing risk on a continuous basis, which means that he or she must stay aware of emerging risk that may be associated with new threats, new technologies, changes in culture, and alterations in legislation and/or regulation. All of these changes may affect the risk posture of the organization and result in a new level of risk not adequately addressed in earlier risk identification efforts.