8/6/2019 CRISC-ChapI
1/22
Part I: The Big Picture: How Risk Management Relates to Risk Governance
A. Part I Overview
Introduction
Part I provides an overview of risk management and risk governance to ensure that the CRISC
candidate sufficiently understands the environment in which the CRISC functions.
Relevance
While the CRISC may not personally perform the tasks related to risk governance, the concepts
that are addressed in Part I are important to effectively:
- Identify, assess and evaluate risk.
- Assist in selecting the appropriate risk response.
- Monitor risk.
- Design, implement, monitor and maintain information systems controls to mitigate such risk.
Note: The concepts introduced in Part I are considered a fundamental element of the CRISC job practice.
Learning Objectives
As a result of completing this chapter, the CRISC candidate should be able to:
- Differentiate between risk management and risk governance.
- Identify the roles and responsibilities for risk management.
- Distinguish among various risk management methodologies.
- Apply and differentiate the standards, practices and principles of risk management.
- List the main tasks related to risk governance.
- Recognize relevant risk management standards, frameworks and practices.
- Explain the meaning of key risk management concepts, including risk appetite and risk tolerance.
Contents
Part I contains the following sections:
Section                                                        Starting Page   No. of Pages
A. Part I Overview                                             IA1             1
B. Overview of Risk Management                                 IB1             1
C. Risk and Opportunity Management                             IC1             2
D. Roles and Responsibilities for IT-related Risk Management   ID1             1
E. Risk Management Frameworks, Standards and Practices         IE1             3
F. Essentials of Risk Governance                               IF1             11
G. Suggested Resources for Further Study                       IG1             1
B. Overview of Risk Management
Introduction
Risk management is the process of balancing the risk associated with business activities with an
adequate level of control that will enable the business to meet its objectives.
It holistically covers all concepts and processes affiliated with managing risk, including the
systematic application of management policies, procedures and practices; the tasks of establishing
the context, communicating and consulting; and identifying, analyzing, evaluating, treating,
monitoring and reviewing risk.
Relevance
The CRISC must understand the principles and concepts of risk management and be able to apply
these principles to a unique enterprise. Risk is an integral part of all enterprises and must be
properly identified, managed and monitored to support the overall business objectives of the
enterprise.
While the CRISC is not expected to establish the risk tolerance or acceptance levels of the
enterprise (those are decisions to be made strategically by senior managers and shareholders of
the business), the CRISC is expected to provide accurate reporting on the levels of risk facing the
organization. This reporting is based on risk identification, assessment and analysis.
Other CRISC activities include recommending the use of mitigating IS controls to avoid or limit
adverse events and enabling the deployment of new business systems and initiatives to help
ensure that the enterprise can confidently leverage new opportunities without facing an
unacceptable level of risk.
C. Risk and Opportunity Management
Introduction
Enterprises continuously plan, operate and deploy business activities and processes to achieve
business objectives. The CRISC is actively involved in ensuring that the operational risk of each
business activity is assessed; monitored; and, if necessary, addressed.
Each business activity carries both risk and opportunity, and the CRISC must be aware of the need
to balance business needs and productivity with IS controls.
Definition of Risk
Risk reflects the combination of the likelihood of events occurring and the impact those events
have on the enterprise.
Risk (the potential for events and their consequences) contains both:
- Opportunities for benefit (upside)
- Threats to success (downside)
Risk Management Is Key to Enterprise Success
Risk and opportunity go hand in hand. To provide business value to stakeholders, enterprises must
engage in various activities and initiatives, all of which carry degrees of uncertainty and,
therefore, risk.
Managing risk and opportunity is a key strategic activity for enterprise success.
Guiding Principles for Effective Risk Management
The following are guiding principles for effective risk management:
- Maintain business objective focus.
- Integrate IT risk management into enterprise risk management (ERM).
- Balance the costs and benefits of managing risk.
- Promote fair and open communication.
- Establish tone at the top and assign personal accountability.
- Promote continuous improvement as part of daily activities.
The following table provides further detail.

Principle: Maintain business objective focus.
Description: All risk is treated as a business risk, and the risk management approach must be comprehensive and cross-functional.
The focus is on business outcome. Each business function supports the achievement of business objectives; IT-related risk is expressed as the impact it can have on the achievement of business objectives or strategy.
Every risk analysis considers business and IT-process resilience and contains a dependency analysis of how the business process depends on IT-related resources, such as:
- People
- Information
- Applications
- Infrastructure
IT-related business risk is viewed from two angles:
- Protection against value destruction
- Enablement of value generation

Principle: Integrate IT risk management into enterprise risk management (ERM).
Description: Business objectives and the amount of risk that the enterprise is prepared to take are clearly defined and documented.
The entity's risk appetite reflects its risk management philosophy and influences the culture and operating style (as stated in the Committee of Sponsoring Organizations of the Treadway Commission [COSO] Enterprise Risk Management - Integrated Framework).
Risk issues are integrated for each business organization (i.e.,
D. Roles and Responsibilities for IT-related Risk Management
Exhibit ID1: Responsibilities and Accountability for IT-related Risk Management
Exhibit ID1 defines a number of roles for risk management and indicates where these roles carry responsibility or accountability for one or more activities within a process. In this context:
- Responsibility belongs to those who must ensure that the activities are completed successfully.
- Accountability applies to those who:
  - Own the required resources
  - Have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes
Given that the roles in the figure are implemented differently in every enterprise and do not necessarily correspond to organizational units or functions, each role has been briefly described.
Exhibit ID1: Responsibilities and Accountability for IT-related Risk Management (figure not reproduced in this extraction)
Note: Within this framework, the CRISC executes on risk evaluation and risk response activities and functions within the risk governance framework established within the enterprise.
E: Risk Management Frameworks, Standards and Practices
Contents
This section contains the following topics:
Topic                                                                        Starting Page   No. of Pages
1. Differences Among Frameworks, Standards and Practices                     IE1             1
2. Examples of Frameworks Related to Risk Management and IS Control          IE2             1
3. Examples of Standards Related to Risk Management and IS Control           IE3             1
4. Examples of Leading Practices Related to Risk Management and IS Control   IE3             1
1. Differences Among Frameworks, Standards and Practices
Importance of Risk Management Frameworks, Standards and Practices
Frameworks, standards and practices matter to the CRISC because they:
- Provide a systematic view of things to watch that could result in harm to customers or an enterprise
- Act as a guide to focus efforts of diverse teams
- Save time and costs, such as training costs, operational costs and performance improvement costs
- Help achieve business objectives more quickly and easily
- Provide credibility to engage functional (e.g., chief financial officer [CFO]) and C-suite leadership
Frameworks, Standards and Practices Definitions
The following table provides definitions for:
- Frameworks
- Standards
- Practices
Term: Frameworks
Definition: Generally accepted, business-process-oriented structures that establish a common language and enable repeatable business processes.
Note: This term may be defined differently in different disciplines. This definition suits the purposes of this manual.

Term: Standards
Definition: Establish mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.
Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or outputs of a process (for example, food and drug quality).

Term: Practices
Definition: Frequent or usual actions performed as an application of knowledge.
A leading practice would be defined as an action that optimally applies knowledge in a particular area.
They are issued by a recognized authority that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review.
Note: Practices usually are derived from and supplement/support standards and frameworks and are the least formal of the three.
2. Examples of Frameworks Related to Risk Management and IS
Control
Examples of Risk Management Frameworks
The following table provides examples of frameworks related to risk management.
(Issuing body: publication)
- ISACA: The Risk IT Framework
- ISACA: Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0
- ISACA: COBIT 4.1
- Committee of Sponsoring Organizations of the Treadway Commission (COSO): Enterprise Risk Management - Integrated Framework
- US National Institute of Standards and Technology (NIST): Risk Management Framework (RMF)
Reminder: Frameworks can be applied flexibly within an enterprise.
3. Examples of Standards Related to Risk Management and IS Control
Examples of Risk Management Standards
Standards related to risk management include, but are not limited to, those in the following table.
(Issuing body: publication)
- ISACA: IT Audit and Assurance Standards
- International Organization for Standardization (ISO): ISO 31000:2009 (at the time of this manual's publication, the newest for general purpose risk management)
  Note: Unlike other standards, this was not intended to be used for certification.
- ISO/International Electrotechnical Commission (IEC): ISO/IEC 2700x (for information security management systems [ISMSs])
- British Standards Institution (BSI): BS 25999-x (for business continuity)
  BS 25999 comprises two parts:
  - Part 1, the Code of Practice, provides business continuity management (BCM) best practice recommendations. Please note that this is a guidance document only.
  - Part 2, the Specification, provides the requirements for a BCM system (BCMS) based on BCM best practice. This is the part of the standard that can be used to demonstrate compliance via an auditing and certification process.
- Payment Card Industry (PCI) Security Standards Council: PCI Data Security Standard (PCI DSS)
Reminder: Standards (including corporate standards, which are not addressed here) ideally
define measurable objectives to enable compliance assessments. Standards are intended to be
implemented in a rigid way with variations only as allowed in the standard.
4. Examples of Leading Practices Related to Risk Management and IS Control
Examples of Risk Management or Control Leading Practices
The following table provides examples of leading practices related to risk management or control.
(Issuing body: publication)
- ISACA: The Risk IT Practitioner Guide
- ISO/IEC: ISO/IEC 2700x (for ISMSs)
- NIST: NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems
- Carnegie Mellon University (CMU) Software Engineering Institute (SEI): Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- Spanish Ministry for Public Administrations: Methodology for Information Systems Risk Analysis and Management (MAGERIT version 2)
F: Essentials of Risk Governance
Section Overview
This section contains a brief introduction to risk governance to provide the CRISC candidate
with a baseline understanding of the holistic environment in which the CRISC functions.
Relevance
Risk is an integral part of business and a core factor related to the stability, growth and success
of the enterprise. Risk represents the opportunity for growth and levels of profit, but also
poses the possibility of loss or damage to the business objectives.
Risk governance addresses the oversight of the business risk strategy of the enterprise.
Risk governance is the domain of senior management and the shareholders of the enterprise.
They establish the organization's risk culture and the acceptable levels of risk; set up the
management framework; and ensure that the risk management function is operating
effectively to identify, manage, monitor and report on current and potential risk facing the
enterprise.
Contents
This section contains the following topics:
Topic                                   Starting Page   No. of Pages
1. Risk Governance                      IF1             1
2. Risk Governance Objectives           IF2             1
3. Risk Appetite and Tolerance          IF3             3
4. Risk Awareness and Communication     IF6             5
5. Risk Culture                         IF10            1
1. Risk Governance
Topic Overview
Risk governance is a strategic business function. Ultimately, it is the board of directors and
senior management's responsibility to set up the risk governance process, establish and
maintain a common risk view, make risk-aware business decisions, and set the enterprise's risk
culture.
This section discusses the elements of risk governance and how to put an effective risk
management structure in place. It is important to recognize that risk must be addressed from a
business perspective and not from a purely IT viewpoint. The principles of risk governance
must also be applied from an enterprisewide perspective and not solely on a department-by-
department or system-by-system basis.
Note: While risk governance and the decisions made in the execution of risk governance
ultimately are not the responsibility of the CRISC, the practitioner must nevertheless
contribute to and enable sound risk management decisions through the execution of
many underlying tasks associated with the risk governance process.
2. Risk Governance Objectives
Risk Governance Objectives
Effective risk governance helps ensure that risk management practices are embedded in the
enterprise, enabling it to secure optimal risk-adjusted return. Risk governance has three main
objectives:
- Establish and maintain a common risk view
- Integrate risk management into the enterprise
- Make risk-aware business decisions
Foundation for Effective Risk Governance
To effectively govern enterprise and IT risk, there must be an:
- Understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
- Awareness of risk and the need for effective communication about risk throughout the enterprise
- Understanding of the elements of risk culture
Establish and Maintain a Common Risk View
Effective risk governance establishes the common view of risk for the enterprise. This
determines which controls are necessary to mitigate risk and how risk-based controls are
integrated into business processes and IS.
The risk governance function sets the tone of the business in how to determine an acceptable
level of risk tolerance. In the end, the senior management team is liable for the impact of the
risk faced by the enterprise and bears the responsibility to ensure that it is provided ongoing
risk assessment results, monitors the risk environment and mandates corrective action where
the risk levels are not within acceptable limits.
Risk governance is a continuous life cycle that requires regular reporting and ongoing review.
The risk governance function must oversee the operations of the risk management team.
Integrate Risk Management Into the Enterprise
Integrating risk management into the enterprise enforces a holistic enterprise risk
management (ERM) approach across the entire organization. It requires the integration of risk
management into every department, function, system and geographic location. Understanding
that risk in one department or system may pose an unacceptable risk to another department
or system requires that all business processes be compliant with at least a minimal or baseline
level of risk management.
The objective of ERM is to establish the authority to require all business processes to undergo
a risk analysis on a periodic basis or when there is a significant change to the internal or
external environment.
Make Risk-aware Business Decisions
To make risk-aware business decisions, the risk governance function must consider the full
range of opportunities and consequences of each such decision and its impact on the
enterprise, its place in society and the environment.
3. Risk Appetite and Tolerance
Definitions and Clarification of Risk Appetite and Risk Tolerance
Risk appetite and risk tolerance are concepts that are frequently used, but the potential
for misunderstanding is high. Some people use the concepts interchangeably; others see a
clear difference.
The following table provides definitions of each term.
Term: Risk appetite
Definition: The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision)

Term: Risk tolerance
Definition: The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective)

Note: These definitions are compatible with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM definitions, which are equivalent to the ISO 31000 definition in Guide 73:2009, Risk Management Vocabulary.
Major Factors When Considering Risk Appetite Levels
Risk appetite is the broad-based amount of risk an enterprise is prepared to accept while
pursuing its business objectives. When considering the risk appetite levels for the enterprise,
the following two major factors are important:
- The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage
- The (management) culture or predisposition toward risk taking, cautious or aggressive. (What is the amount of loss the enterprise wants to accept to pursue a return?)
Risk appetite can and will be different among enterprises; there is no absolute norm or
standard of what constitutes acceptable and unacceptable risk. Every enterprise has to define
its own risk appetite levels and should:
- Ensure that such definitions/levels are:
  - In line with the overall risk culture that the enterprise wants to express (that is, ranging from very risk averse to risk taking/opportunity seeking)
  - Well defined, understood and communicated
- Review them on a regular basis
Note: Risk appetite and risk tolerance should be applied not only to risk assessments,
but also to all risk decision making.
Exhibit IF1: Risk Map Indicating Risk Appetite Bands
In practice, risk appetite can be defined, in terms of combinations of frequency and
magnitude of a risk, using risk maps. Exhibit IF1 and the following table depict and describe
different bands of risk significance, based on frequency and magnitude of risk.
Exhibit IF1: Risk Map Indicating Risk Appetite Bands (figure not reproduced in this extraction)
Risk Level: Really Unacceptable
Description: Indicates really unacceptable risk. The enterprise estimates that this level of risk is far beyond its normal risk appetite. Any risk found to be in this band may trigger an immediate risk response.

Risk Level: Unacceptable
Description: Indicates elevated risk, i.e., also above acceptable risk appetite. The enterprise may, as a matter of policy, require mitigation or another adequate response to be defined within certain time boundaries.

Risk Level: Acceptable
Description: Indicates a normal, acceptable level of risk, usually with no special action required, except for maintaining the current controls or other responses.

Risk Level: Opportunity
Description: Indicates very low risk, in which cost-saving opportunities may be found by decreasing the degree of control or in which opportunities for assuming more risk may arise.

Note: This risk appetite scheme is an example. Each enterprise has to define its own risk appetite levels and review them regularly.
Risk Tolerance Example
Risk tolerance is the acceptable deviation from the level set by the risk appetite and business
objectives.
Example: Standards require projects to be completed within the estimated budgets and time,
but overruns of 10 percent of budget or 20 percent of time are tolerated.
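The following Python is an added illustration for this chapter and is not code from the ISACA manual. It places entries from a constructed risk register into the four appetite bands of Exhibit IF1 and applies the budget and time tolerances from the example above. It assumes the bands are drawn as thresholds on the product of frequency and magnitude (expected annual loss), which is one common way to cut a risk map; the threshold values, the register entries and all function names are constructed for the example, and a real enterprise substitutes its own appetite levels.

```python
"""Risk-map banding and risk-tolerance checks (added illustration, not ISACA's code).

The four bands follow the Exhibit IF1 table; placing a scenario in a band by
comparing frequency x magnitude (expected annual loss) against thresholds is an
assumption of this example. All numbers below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Band(Enum):
    OPPORTUNITY = "Opportunity"
    ACCEPTABLE = "Acceptable"
    UNACCEPTABLE = "Unacceptable"
    REALLY_UNACCEPTABLE = "Really Unacceptable"


# Response expectation for each band, paraphrased from the table above.
RESPONSE = {
    Band.REALLY_UNACCEPTABLE: "immediate risk response",
    Band.UNACCEPTABLE: "mitigation or other response within policy time limit",
    Band.ACCEPTABLE: "maintain current controls",
    Band.OPPORTUNITY: "consider reducing control cost or taking more risk",
}

# Constructed appetite thresholds: the lowest expected annual loss that puts a
# scenario in each band. Anything below the Acceptable floor is Opportunity.
APPETITE_THRESHOLDS = {
    Band.REALLY_UNACCEPTABLE: 1_000_000,
    Band.UNACCEPTABLE: 250_000,
    Band.ACCEPTABLE: 25_000,
}


@dataclass(frozen=True)
class RiskScenario:
    name: str
    frequency: float  # expected occurrences per year
    magnitude: float  # loss per occurrence, in monetary units


def expected_annual_loss(scenario: RiskScenario) -> float:
    """Frequency combined with magnitude, the two axes of the risk map."""
    return scenario.frequency * scenario.magnitude


def band_for(scenario: RiskScenario, thresholds=APPETITE_THRESHOLDS) -> Band:
    """Return the highest band whose floor the scenario's expected loss reaches."""
    loss = expected_annual_loss(scenario)
    for band in (Band.REALLY_UNACCEPTABLE, Band.UNACCEPTABLE, Band.ACCEPTABLE):
        if loss >= thresholds[band]:
            return band
    return Band.OPPORTUNITY


def within_tolerance(planned: float, actual: float, tolerance: float) -> bool:
    """Tolerance is the acceptable deviation above plan, as a fraction of plan.

    Measured in the same units as the objective, as the definition advises:
    a 10 percent budget tolerance compares money with money."""
    if planned <= 0:
        raise ValueError("planned value must be positive")
    return (actual - planned) / planned <= tolerance


def project_status(budget_planned, budget_actual, days_planned, days_actual,
                   budget_tol=0.10, time_tol=0.20) -> dict:
    """The chapter's example: 10 percent budget and 20 percent time overruns are tolerated."""
    return {
        "budget_ok": within_tolerance(budget_planned, budget_actual, budget_tol),
        "time_ok": within_tolerance(days_planned, days_actual, time_tol),
    }


def triage(register, thresholds=APPETITE_THRESHOLDS) -> list:
    """Band every register entry and order them worst band first."""
    order = [Band.REALLY_UNACCEPTABLE, Band.UNACCEPTABLE, Band.ACCEPTABLE, Band.OPPORTUNITY]
    banded = [(band_for(s, thresholds), s) for s in register]
    banded.sort(key=lambda pair: order.index(pair[0]))
    return [(s.name, band.value, RESPONSE[band]) for band, s in banded]


# Constructed sample risk register (not real data).
SAMPLE_REGISTER = [
    RiskScenario("Ransomware on file servers", frequency=0.5, magnitude=3_000_000),
    RiskScenario("Lost unencrypted laptop", frequency=4.0, magnitude=100_000),
    RiskScenario("Short web outage", frequency=12.0, magnitude=5_000),
    RiskScenario("Printer toner shortage", frequency=10.0, magnitude=200),
]

if __name__ == "__main__":
    for name, band, action in triage(SAMPLE_REGISTER):
        print(f"{name:30} {band:20} {action}")
    print(project_status(100_000, 108_000, 90, 120))
```

Running the block lists the ransomware scenario first (expected loss 1.5 million, Really Unacceptable) and the toner shortage last (Opportunity); the project check reports the 8 percent budget overrun as tolerated and the 33 percent schedule overrun as outside tolerance, which is the kind of exception the guidelines later in this section say must be reviewed and approved rather than silently absorbed.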
Risk Appetite and Risk Tolerance Guidelines
The guidelines listed in the following table apply to risk appetite and risk tolerance.
Guideline: Risk appetite and risk tolerance must connect.
Description: Risk appetite and risk tolerance go hand in hand. Risk tolerance is defined at the enterprise level and is reflected in policies set by the executives. At lower (tactical) levels of the enterprise, or in some entities of the enterprise, exceptions can be tolerated (or different thresholds defined) as long as the overall exposure does not exceed the set risk appetite at the enterprise level. Any business initiative includes a risk component, so management should have the discretion to pursue new opportunities of risk.
Enterprises in which policies are cast in stone, rather than lines in the sand, could lack the agility and innovation to exploit new business opportunities. Conversely, there are situations in which policies are based on specific legal, regulatory or industry requirements in which it is appropriate to have no risk tolerance for failure to comply.

Guideline: Exceptions to risk tolerance standards must be reviewed and approved.
Description: Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders. A process should be in place to review and approve any exceptions to such standards.

Guideline: Risk appetite and tolerance change over time.
Description: Risk appetite and tolerance change due to:
- New technology
- New organizational structures
- New market conditions
- New business strategy
- Many other factors
Such factors require an enterprise to reassess its risk portfolio at regular intervals and also require the enterprise to reconfirm its risk appetite at regular intervals, triggering risk policy reviews.
In this respect, an enterprise also needs to understand that the better risk management it has in place, the more risk can be taken in pursuit of return.

Guideline: Cost of risk mitigation options can affect risk tolerance.
Description: There may be circumstances in which the cost/business impact of risk mitigation options exceeds an enterprise's capabilities/resources, thus forcing higher tolerance for one or more risk conditions.
Example: If a regulation states that sensitive data at rest must be encrypted, yet there is no feasible encryption solution or the cost of implementing a solution would have a large negative impact, the enterprise may choose to accept the risk associated with regulatory noncompliance, which is a risk trade-off.
4. Risk Awareness and Communication
Defining Risk Awareness
Risk awareness is about acknowledging that risk is an integral part of the business. This does
not imply that all risk is to be avoided or eliminated, but rather that:
- Risk is well understood and known.
- IT risk issues are identifiable.
- The enterprise recognizes and uses the means to manage risk.
Importance of Risk Communication
Risk communication is a critical part of the risk management process. People are naturally
uncomfortable talking about risk and tend to put off admitting that risk is involved and
communicating about issues; incidents; and, eventually, even crises.
If risk is to be managed and mitigated, it must first be discussed and effectively communicated
throughout an enterprise.
Benefits of Effective Risk Communication
The benefits of open communication on risk include:
- Assistance in executive management's understanding of the actual exposure to IT risk, enabling the definition of appropriate and informed risk responses
- Awareness among all internal stakeholders of the importance of integrating risk and opportunity in their daily duties
- Transparency to external stakeholders regarding the actual level of risk and risk management processes in use
Consequences of Poor Risk Communication
The consequences of poor communication of risk include:
- A false sense of confidence at the top on the degree of actual exposure related to IT and lack of a well-understood direction for risk management from the top down
- Unbalanced communication to the external world on risk, especially in cases of high, but managed risk, which may lead to an incorrect perception on actual risk by third parties such as:
  - Clients
  - Investors
  - Regulators
- The perception that the enterprise is trying to cover up known risk from stakeholders
Exhibit IF2: IT Risk Communication Components
Exhibit IF2 and the following table depict and describe the broad array of information flows
and the major types of IT risk information that should be communicated.
Exhibit IF2: IT Risk Communication Components (figure not reproduced in this extraction)
Risk Component to Be Communicated: Expectations from risk management
Description: This includes risk strategy, policies, procedures, awareness training, continuous reinforcement of principles, etc. This is essential communication on the enterprise's overall strategy toward IT risk and:
- Drives all subsequent efforts on risk management
- Sets the overall expectations from risk management

Risk Component to Be Communicated: Current risk management capability
Description: This information:
- Allows for monitoring of the state of the risk management engine in the enterprise
- Is a key indicator for good risk management
- Has predictive value for how well the enterprise is managing risk and reducing exposure

Risk Component to Be Communicated: Status with regard to IT risk
Description: This includes the actual status with regard to IT risk including information such as:
- Risk profile of the enterprise, i.e., the overall portfolio of (identified) risk to which the enterprise is exposed
- Key risk indicators (KRIs) to support management reporting on risk
- Event/loss data
- Root cause of loss events
- Options to mitigate risk (including cost and benefits)
Effective Communication
The following table lists the required elements for effective communication.
Communication Element: Clear
Description: Risk information must be known and understood by all stakeholders.

Communication Element: Concise
Description: Information or communication should not inundate the recipients. All ground rules of good communication apply to communication on risk. This includes the avoidance of jargon and technical terms regarding risk because the intended audiences are generally not deeply technologically skilled.

Communication Element: Useful
Description: Any communication on risk must be relevant. Technical information that is too detailed and/or is sent to inappropriate parties will hinder, rather than enable, a clear view of risk.

Communication Element: Timely
Description: For each risk, critical moments exist between its origination and its potential business consequence.
Examples:
- A risk may originate when an inadequate IT organization is set up; the business consequence is inefficient IT operations and service delivery.
- The origination point may be project failure; the business consequence is delayed business initiatives.
Communication is timely when it allows action to be taken at the appropriate moments to identify and treat the risk. It serves no useful purpose to communicate a project delay a week before the deadline.

Communication Element: Aimed at the correct target audience
Description: Information must:
- Be communicated at the right level of aggregation
- Be adapted for the audience
- Enable informed decisions
In this process, aggregation must not hide root causes of risk.
Example: A security officer needs technical IT data on intrusions and viruses to deploy solutions. An IT steering committee may not need this level of detail, but it does need aggregated information to decide on policy changes or additional budgets to treat the same risk.

Communication Element: Available on a need-to-know basis
Description: Information related to IT risk should be known and communicated to all parties with a genuine need. A risk register with all documented risk is not public information and should be properly protected against internal and external parties with no need for it. Communication does not always need to be formal, through written reports or messages. Timely face-to-face meetings between stakeholders are an important means of communication for information related to IT risk.
Exhibit IF3: Risk Communication Flows - Stakeholders
Exhibit IF3 provides a quick overview of the most important communication channels for
effective and efficient risk management. The figure's intent is to provide a high-level overview
of the main communication flows on IT risk that should exist in one form or another in any
enterprise.
Note: This exhibit is focused on the most important information that each stakeholder needs to
process. The CRISC may hold one or more of the tactical or operational roles depicted.
Exhibit IF3: Risk Communication Flows - Stakeholders Input (figure not reproduced in this extraction)
5. Risk Culture
Importance of a Risk-aware Culture
Risk management is about helping enterprises take more risk in pursuit of return. A risk-aware culture:
- Characteristically offers a setting in which components of risk are discussed openly and acceptable levels of risk are understood and maintained
- Begins at the top, with board and business executives who:
  - Set direction.
  - Communicate risk-aware decision making.
  - Reward effective risk management behaviors.
Risk awareness also implies that all levels within an enterprise are aware of why a response is
needed and how to respond to adverse IT events.
Exhibit IF4: Elements of a Risk Culture
Risk culture is a concept that is not easy to describe. Exhibit IF4 and the following table
depict and describe the series of behaviors that are elements of a risk culture.
Exhibit IF4: Elements of a Risk Culture (figure not reproduced in this extraction)
Elements of a Risk Culture

Behavior toward taking risk: How much risk does the enterprise feel it can absorb, and what specific risk is it willing to take?
Behavior toward following policy: To what extent will people embrace and/or comply with policy?
Behavior toward negative outcomes: How does the enterprise deal with negative outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to adjust, or will blame be assigned without treating the root cause?

Symptoms of an Inadequate or Problematic Risk Culture

Misalignment between real risk appetite and translation into policies: Management's real position toward risk can be reasonably aggressive and risk taking, whereas the policies that are created reflect a much stricter attitude.
Existence of a blame culture: This type of culture should, by all means, be avoided; it is the most effective inhibitor of relevant and efficient communication.
In a blame culture, business units tend to point the finger at IT when projects are not delivered on time or do not meet expectations. In doing so, they fail to realize how the business unit's involvement up front affects project success.
In extreme cases, the business unit may assign blame for a failure to meet the expectations that the unit never clearly communicated. The blame game only detracts from effective communication across units, further fuelling delays. Executive leadership must identify and quickly control a blame culture if collaboration is to be fostered throughout the enterprise.