CRISC-ChapI
Apr 07, 2018
Leonardo Santos

8/6/2019 CRISC-ChapI 1/22

Part I: The Big Picture: How Risk Management Relates to Risk Governance

A. Part I Overview

Introduction

Part I provides an overview of risk management and risk governance to ensure that the CRISC candidate sufficiently understands the environment in which the CRISC functions.

Relevance

While the CRISC may not personally perform the tasks related to risk governance, the concepts that are addressed in Part I are important to effectively:

- Identify, assess and evaluate risk.
- Assist in selecting the appropriate risk response.
- Monitor risk.
- Design, implement, monitor and maintain information systems controls to mitigate such risk.

Note: The concepts introduced in Part I are considered a fundamental element of the CRISC job practice.

Learning Objectives

As a result of completing this chapter, the CRISC candidate should be able to:

- Differentiate between risk management and risk governance.
- Identify the roles and responsibilities for risk management.
- Distinguish among various risk management methodologies.
- Apply and differentiate the standards, practices and principles of risk management.
- List the main tasks related to risk governance.
- Recognize relevant risk management standards, frameworks and practices.
- Explain the meaning of key risk management concepts, including risk appetite and risk tolerance.

Contents

Part I contains the following sections:

Section | Starting Page | No. of Pages
--- | --- | ---
A. Part I Overview | IA1 | 1
B. Overview of Risk Management | IB1 | 1
C. Risk and Opportunity Management | IC1 | 2
D. Roles and Responsibilities for IT-related Risk Management | ID1 | 1
E. Risk Management Frameworks, Standards and Practices | IE1 | 3
F. Essentials of Risk Governance | IF1 | 11
G. Suggested Resources for Further Study | IG1 | 1

B. Overview of Risk Management

Introduction

Risk management is the process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives.

It holistically covers all concepts and processes affiliated with managing risk, including the systematic application of management policies, procedures and practices; the tasks of establishing the context, communicating and consulting; and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

Relevance

The CRISC must understand the principles and concepts of risk management and be able to apply these principles to a unique enterprise. Risk is an integral part of all enterprises and must be properly identified, managed and monitored to support the overall business objectives of the enterprise.

While the CRISC is not expected to establish the risk tolerance or acceptance levels of the enterprise (those are decisions to be made strategically by senior managers and shareholders of the business), the CRISC is expected to provide accurate reporting on the levels of risk facing the organization. This reporting is based on risk identification, assessment and analysis.

Other CRISC activities include recommending the use of mitigating IS controls to avoid or limit adverse events and enabling the deployment of new business systems and initiatives to help ensure that the enterprise can confidently leverage new opportunities without facing an unacceptable level of risk.

C. Risk and Opportunity Management

Introduction

Enterprises continuously plan, operate and deploy business activities and processes to achieve business objectives. The CRISC is actively involved in ensuring that the operational risk of each business activity is assessed; monitored; and, if necessary, addressed.

Each business activity carries both risk and opportunity, and the CRISC must be aware of the need to balance business needs and productivity with IS controls.

Definition of Risk

Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise.

Risk (the potential for events and their consequences) contains both:

- Opportunities for benefit (upside)
- Threats to success (downside)

Risk Management Is Key to Enterprise Success

Risk and opportunity go hand in hand. To provide business value to stakeholders, enterprises must engage in various activities and initiatives, all of which carry degrees of uncertainty and, therefore, risk.

Managing risk and opportunity is a key strategic activity for enterprise success.

Guiding Principles for Effective Risk Management

The following are guiding principles for effective risk management:

- Maintain business objective focus.
- Integrate IT risk management into enterprise risk management (ERM).
- Balance the costs and benefits of managing risk.
- Promote fair and open communication.
- Establish tone at the top and assign personal accountability.
- Promote continuous improvement as part of daily activities.

The following table provides further detail.

Principle: Maintain business objective focus.

Description: All risk is treated as a business risk, and the risk management approach must be comprehensive and cross-functional.

The focus is on business outcome. Each business function supports the achievement of business objectives; IT-related risk is expressed as the impact it can have on the achievement of business objectives or strategy.

Every risk analysis considers business and IT-process resilience and contains a dependency analysis of how the business process depends on IT-related resources, such as:

- People
- Information
- Applications
- Infrastructure

IT-related business risk is viewed from two angles:

- Protection against value destruction
- Enablement of value generation

Principle: Integrate IT risk management into enterprise risk management (ERM).

Description: Business objectives and the amount of risk that the enterprise is prepared to take are clearly defined and documented.

The entity's risk appetite reflects its risk management philosophy and influences the culture and operating style (as stated in the Committee of Sponsoring Organizations of the Treadway Commission [COSO] Enterprise Risk Management - Integrated Framework).

Risk issues are integrated for each business organization (i.e.,

D. Roles and Responsibilities for IT-related Risk Management

Exhibit ID1: Responsibilities and Accountability for IT-related Risk Management

Exhibit ID1 defines a number of roles for risk management and indicates where these roles carry responsibility or accountability for one or more activities within a process. In this context:

- Responsibility belongs to those who must ensure that the activities are completed successfully.
- Accountability applies to those who:
  - Own the required resources
  - Have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes

Given that the roles in the figure are implemented differently in every enterprise and do not necessarily correspond to organizational units or functions, each role has been briefly described.

Exhibit ID1: Responsibilities and Accountability for IT-related Risk Management (figure not reproduced)

Note: Within this framework, the CRISC executes on risk evaluation and risk response activities and functions within the risk governance framework established within the enterprise.

E. Risk Management Frameworks, Standards and Practices

Contents

This section contains the following topics:

Topic | Starting Page | No. of Pages
--- | --- | ---
1. Differences Among Frameworks, Standards and Practices | IE1 | 1
2. Examples of Frameworks Related to Risk Management and IS Control | IE2 | 1
3. Examples of Standards Related to Risk Management and IS Control | IE3 | 1
4. Examples of Leading Practices Related to Risk Management and IS Control | IE3 | 1

1. Differences Among Frameworks, Standards and Practices

Importance of Risk Management Frameworks, Standards and Practices

Frameworks, standards and practices matter to the CRISC because they:

- Provide a systematic view of things to watch that could result in harm to customers or an enterprise
- Act as a guide to focus efforts of diverse teams
- Save time and costs, such as training costs, operational costs and performance improvement costs
- Help achieve business objectives more quickly and easily
- Provide credibility to engage functional (e.g., chief financial officer [CFO]) and C-suite leadership

Frameworks, Standards and Practices Definitions

The following table provides definitions for:

- Frameworks
- Standards
- Practices

Term: Frameworks

Definition: Frameworks are generally accepted, business-process-oriented structures that establish a common language and enable repeatable business processes.

Note: This term may be defined differently in different disciplines. This definition suits the purposes of this manual.

Term: Standards

Definition: Standards establish mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.

Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or outputs of a process (for example, food and drug quality).

Term: Practices

Definition: Practices are frequent or usual actions performed as an application of knowledge.

A leading practice would be defined as an action that optimally applies knowledge in a particular area.

They are issued by a recognized authority that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review.

Note: Practices usually are derived from and supplement/support standards and frameworks and are the least formal of the three.

2. Examples of Frameworks Related to Risk Management and IS Control

Examples of Risk Management Frameworks

The following table provides examples of frameworks related to risk management.

Issuing Body | Publication
--- | ---
ISACA | The Risk IT Framework
ISACA | Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0
ISACA | COBIT 4.1
Committee of Sponsoring Organizations of the Treadway Commission (COSO) | Enterprise Risk Management - Integrated Framework
US National Institute of Standards and Technology (NIST) | Risk Management Framework (RMF)

Reminder: Frameworks can be applied flexibly within an enterprise.

3. Examples of Standards Related to Risk Management and IS Control

Examples of Risk Management Standards

Standards related to risk management include, but are not limited to, those in the following table.

Issuing Body | Publication
--- | ---
ISACA | IT Audit and Assurance Standards
International Organization for Standardization (ISO) | ISO 31000:2009 (at the time of this manual's publication, the newest for general purpose risk management). Note: Unlike other standards, this was not intended to be used for certification.
ISO/International Electrotechnical Commission (IEC) | ISO/IEC 2700x (for information security management systems [ISMSs])
British Standards Institution (BSI) | BS 25999-x (for business continuity); see the note on its two parts below
Payment Card Industry (PCI) Security Standards Council | PCI Data Security Standard (PCI DSS)

BS 25999 comprises two parts:

- Part 1, the Code of Practice, provides business continuity management (BCM) best practice recommendations. Please note that this is a guidance document only.
- Part 2, the Specification, provides the requirements for a BCM system (BCMS) based on BCM best practice. This is the part of the standard that can be used to demonstrate compliance via an auditing and certification process.

Reminder: Standards (including corporate standards, which are not addressed here) ideally define measurable objectives to enable compliance assessments. Standards are intended to be implemented in a rigid way with variations only as allowed in the standard.

4. Examples of Leading Practices Related to Risk Management and IS Control

Examples of Risk Management or Control Leading Practices

The following table provides examples of leading practices related to risk management or control.

Issuing Body | Publication
--- | ---
ISACA | The Risk IT Practitioner Guide
ISO/IEC | ISO/IEC 2700x (for ISMSs)
NIST | NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems
Carnegie Mellon University (CMU) Software Engineering Institute (SEI) | Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Spanish Ministry for Public Administrations | Methodology for Information Systems Risk Analysis and Management (MAGERIT version 2)

F. Essentials of Risk Governance

Section Overview

This section contains a brief introduction to risk governance to provide the CRISC candidate with a baseline understanding of the holistic environment in which the CRISC functions.

Relevance

Risk is an integral part of business and a core factor related to the stability, growth and success of the enterprise. Risk represents the opportunity for growth and levels of profit, but also poses the possibility of loss or damage to the business objectives.

Risk governance addresses the oversight of the business risk strategy of the enterprise.

Risk governance is the domain of senior management and the shareholders of the enterprise. They establish the organization's risk culture and the acceptable levels of risk; set up the management framework; and ensure that the risk management function is operating effectively to identify, manage, monitor and report on current and potential risk facing the enterprise.

Contents

This section contains the following topics:

Topic | Starting Page | No. of Pages
--- | --- | ---
1. Risk Governance | IF1 | 1
2. Risk Governance Objectives | IF2 | 1
3. Risk Appetite and Tolerance | IF3 | 3
4. Risk Awareness and Communication | IF6 | 5
5. Risk Culture | IF10 | 1

1. Risk Governance

Topic Overview

Risk governance is a strategic business function. Ultimately, it is the board of directors and senior management's responsibility to set up the risk governance process, establish and maintain a common risk view, make risk-aware business decisions, and set the enterprise's risk culture.

This section discusses the elements of risk governance and how to put an effective risk management structure in place. It is important to recognize that risk must be addressed from a business perspective and not from a purely IT viewpoint. The principles of risk governance must also be applied from an enterprisewide perspective and not solely on a department by department or a system by system basis.

Note: While risk governance and the decisions made in the execution of risk governance ultimately are not the responsibility of the CRISC, the practitioner must nevertheless contribute to and enable sound risk management decisions through the execution of many underlying tasks associated with the risk governance process.

2. Risk Governance Objectives

Risk Governance Objectives

Effective risk governance helps ensure that risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. Risk governance has three main objectives:

- Establish and maintain a common risk view
- Integrate risk management into the enterprise
- Make risk-aware business decisions

Foundation for Effective Risk Governance

To effectively govern enterprise and IT risk, there must be an:

- Understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
- Awareness of risk and the need for effective communication about risk throughout the enterprise
- Understanding of the elements of risk culture

Establish and Maintain a Common Risk View

Effective risk governance establishes the common view of risk for the enterprise. This determines which controls are necessary to mitigate risk and how risk-based controls are integrated into business processes and IS.

The risk governance function sets the tone of the business in how to determine an acceptable level of risk tolerance. In the end, the senior management team is liable for the impact of the risk faced by the enterprise and bears the responsibility to ensure that it is provided ongoing risk assessment results, monitors the risk environment and mandates corrective action where the risk levels are not within acceptable limits.

Risk governance is a continuous life cycle that requires regular reporting and ongoing review. The risk governance function must oversee the operations of the risk management team.

Integrate Risk Management Into the Enterprise

Integrating risk management into the enterprise enforces a holistic enterprise risk management (ERM) approach across the entire organization. It requires the integration of risk management into every department, function, system and geographic location. Understanding that risk in one department or system may pose an unacceptable risk to another department or system requires that all business processes be compliant with at least a minimal or baseline level of risk management.

The objective of ERM is to establish the authority to require all business processes to undergo a risk analysis on a periodic basis or when there is a significant change to the internal or external environment.

Make Risk-aware Business Decisions

To make risk-aware business decisions, the risk governance function must consider the full range of opportunities and consequences of each such decision and its impact on the enterprise, its place in society and the environment.

3. Risk Appetite and Tolerance

Definitions and Clarification of Risk Appetite and Risk Tolerance

Risk appetite and risk tolerance are concepts that are frequently used, but the potential for misunderstanding is high. Some people use the concepts interchangeably; others see a clear difference.

The following table provides definitions of each term.

Term | Definition
--- | ---
Risk appetite | The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision)
Risk tolerance | The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective)

Note: These definitions are compatible with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM definitions, which are equivalent to the ISO 31000 definition in Guide 73:2009, Risk Management Vocabulary.

Major Factors When Considering Risk Appetite Levels

Risk appetite is the broad-based amount of risk an enterprise is prepared to accept while pursuing its business objectives. When considering the risk appetite levels for the enterprise, the following two major factors are important:

- The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage
- The (management) culture or predisposition toward risk taking: cautious or aggressive. (What is the amount of loss the enterprise wants to accept to pursue a return?)

Risk appetite can and will be different among enterprises; there is no absolute norm or standard of what constitutes acceptable and unacceptable risk. Every enterprise has to define its own risk appetite levels and should:

- Ensure that such definitions/levels are:
  - In line with the overall risk culture that the enterprise wants to express (that is, ranging from very risk averse to risk taking/opportunity seeking)
  - Well defined, understood and communicated
- Review them on a regular basis

Note: Risk appetite and risk tolerance should be applied not only to risk assessments, but also to all risk decision making.

Exhibit IF1: Risk Map Indicating Risk Appetite Bands

In practice, risk appetite can be defined, in terms of combinations of frequency and magnitude of a risk, using risk maps. Exhibit IF1 and the following table depict and describe different bands of risk significance, based on frequency and magnitude of risk.

Exhibit IF1: Risk Map Indicating Risk Appetite Bands (figure not reproduced)

Risk Level | Description
--- | ---
Really Unacceptable | Indicates really unacceptable risk. The enterprise estimates that this level of risk is far beyond its normal risk appetite. Any risk found to be in this band may trigger an immediate risk response.
Unacceptable | Indicates elevated risk, i.e., also above acceptable risk appetite. The enterprise may, as a matter of policy, require mitigation or another adequate response to be defined within certain time boundaries.
Acceptable | Indicates a normal, acceptable level of risk, usually with no special action required, except for maintaining the current controls or other responses
Opportunity | Indicates very low risk, in which cost-saving opportunities may be found by decreasing the degree of control or in which opportunities for assuming more risk may arise

Note: This risk appetite scheme is an example. Each enterprise has to define its own risk appetite levels and review them regularly.

Risk Tolerance Example

Risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives.

Example: Standards require projects to be completed within the estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated.
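To make the risk map of Exhibit IF1 and the tolerance example above concrete, here is an added Python example (not code from the CRISC manual or from ISACA). It places constructed risk scenarios into the four appetite bands by their position on a frequency/magnitude grid, orders a small register for management reporting, and checks a project against the 10 percent budget / 20 percent time tolerance. The scale boundaries, the band grid, the response deadline and the register entries are all assumptions made for illustration; the manual publishes none of them and says each enterprise defines its own.

```python
"""Risk map banding and a tolerance check for a small risk register.

Added example; not code from the CRISC manual or from ISACA. The manual
describes the four appetite bands of Exhibit IF1 qualitatively and gives a
tolerance example (overruns of 10 percent of budget or 20 percent of time are
tolerated). The numeric scale boundaries, the band grid, the response
deadline and the register entries below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Band(Enum):
    OPPORTUNITY = "Opportunity"
    ACCEPTABLE = "Acceptable"
    UNACCEPTABLE = "Unacceptable"
    REALLY_UNACCEPTABLE = "Really Unacceptable"


# Assumed scale boundaries; a value at or above a boundary moves up one level (1..4).
FREQUENCY_BOUNDS = (0.1, 1.0, 10.0)              # expected occurrences per year
MAGNITUDE_BOUNDS = (10_000, 100_000, 1_000_000)  # expected loss per occurrence, currency units


def _level(value: float, bounds: tuple) -> int:
    """Map a numeric value onto an ordinal level 1..len(bounds)+1."""
    return 1 + sum(value >= b for b in bounds)


# Constructed risk map, read as RISK_MAP[frequency_level - 1][magnitude_level - 1].
# Keeping both axes (rather than multiplying them into one number) lets a rare
# but huge loss and a frequent moderate loss both sit above appetite.
O, A, U, R = Band.OPPORTUNITY, Band.ACCEPTABLE, Band.UNACCEPTABLE, Band.REALLY_UNACCEPTABLE
RISK_MAP = (
    (O, O, A, U),  # frequency level 1: rare
    (O, A, U, U),  # level 2: occasional
    (A, U, U, R),  # level 3: frequent
    (A, U, R, R),  # level 4: very frequent
)

# Response per band, following the manual's band descriptions; the 30-day
# window for the Unacceptable band is a constructed policy parameter.
RESPONSE_POLICY = {
    R: "immediate risk response",
    U: "mitigation or other response to be defined within 30 days",
    A: "maintain current controls",
    O: "review whether the degree of control can be reduced",
}

SEVERITY = {O: 0, A: 1, U: 2, R: 3}


@dataclass(frozen=True)
class RiskScenario:
    name: str
    frequency_per_year: float
    magnitude: float


def classify(scenario: RiskScenario) -> Band:
    """Place a scenario in an appetite band by its position on the risk map."""
    f = _level(scenario.frequency_per_year, FREQUENCY_BOUNDS)
    m = _level(scenario.magnitude, MAGNITUDE_BOUNDS)
    return RISK_MAP[f - 1][m - 1]


def required_response(scenario: RiskScenario) -> str:
    return RESPONSE_POLICY[classify(scenario)]


def prioritise(register: list) -> list:
    """Order a register worst-first: by band, then by annualised loss expectancy."""
    return sorted(
        register,
        key=lambda s: (SEVERITY[classify(s)], s.frequency_per_year * s.magnitude),
        reverse=True,
    )


def within_tolerance(planned_budget: float, actual_budget: float,
                     planned_days: float, actual_days: float,
                     budget_tolerance: float = 0.10, time_tolerance: float = 0.20) -> bool:
    """The manual's example: overruns beyond 10% of budget or 20% of time breach tolerance.
    Underruns are never a breach; a zero plan cannot be measured as a ratio."""
    if planned_budget <= 0 or planned_days <= 0:
        raise ValueError("planned budget and duration must be positive")
    budget_overrun = (actual_budget - planned_budget) / planned_budget
    time_overrun = (actual_days - planned_days) / planned_days
    return budget_overrun <= budget_tolerance and time_overrun <= time_tolerance


# Constructed register; the figures are illustrative, not from any real assessment.
REGISTER = [
    RiskScenario("Phishing-led credential theft", 12.0, 50_000),
    RiskScenario("Data centre fire", 0.02, 5_000_000),
    RiskScenario("Loss of an encrypted laptop", 5.0, 2_000),
    RiskScenario("Ransomware outage", 2.0, 2_000_000),
    RiskScenario("Typo in internal newsletter", 0.5, 100),
]

if __name__ == "__main__":
    for s in prioritise(REGISTER):
        print(f"{classify(s).value:20} {s.name:32} -> {required_response(s)}")
    print("8% over budget and 18% late, within tolerance:",
          within_tolerance(100_000, 108_000, 100, 118))
```

The ordering in `prioritise` uses the band first and annualised loss only as a tie-breaker, which matches how the table above is meant to be read: a rare data centre fire and a frequent phishing loss both land in the Unacceptable band and both need a response within the policy window, even though their annualised figures differ by an order of magnitude.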

Risk Appetite and Risk Tolerance Guidelines

The guidelines listed in the following table apply to risk appetite and risk tolerance.

Guideline: Risk appetite and risk tolerance must connect.

Description: Risk appetite and risk tolerance go hand in hand. Risk tolerance is defined at the enterprise level and is reflected in policies set by the executives. At lower (tactical) levels of the enterprise, or in some entities of the enterprise, exceptions can be tolerated (or different thresholds defined) as long as the overall exposure does not exceed the set risk appetite at the enterprise level. Any business initiative includes a risk component, so management should have the discretion to pursue new opportunities of risk.

Enterprises in which policies are cast in stone, rather than lines in the sand, could lack the agility and innovation to exploit new business opportunities. Conversely, there are situations in which policies are based on specific legal, regulatory or industry requirements in which it is appropriate to have no risk tolerance for failure to comply.

Guideline: Exceptions to risk tolerance standards must be reviewed and approved.

Description: Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders. A process should be in place to review and approve any exceptions to such standards.

Guideline: Risk appetite and tolerance change over time.

Description: Risk appetite and tolerance change due to:

- New technology
- New organizational structures
- New market conditions
- New business strategy
- Many other factors

Such factors require an enterprise to reassess its risk portfolio at regular intervals and also require the enterprise to reconfirm its risk appetite at regular intervals, triggering risk policy reviews.

In this respect, an enterprise also needs to understand that the better risk management it has in place, the more risk can be taken in pursuit of return.

Guideline: Cost of risk mitigation options can affect risk tolerance.

Description: There may be circumstances in which the cost/business impact of risk mitigation options exceeds an enterprise's capabilities/resources, thus forcing higher tolerance for one or more risk conditions.

Example: If a regulation states that sensitive data at rest must be encrypted, yet there is no feasible encryption solution or the cost of implementing a solution would have a large negative impact, the enterprise may choose to accept the risk associated with regulatory noncompliance, which is a risk trade-off.

4. Risk Awareness and Communication

Defining Risk Awareness

Risk awareness is about acknowledging that risk is an integral part of the business. This does not imply that all risk is to be avoided or eliminated, but rather that:

- Risk is well understood and known.
- IT risk issues are identifiable.
- The enterprise recognizes and uses the means to manage risk.

Importance of Risk Communication

Risk communication is a critical part in the risk management process. People are naturally uncomfortable talking about risk and tend to put off admitting that risk is involved and communicating about issues; incidents; and, eventually, even crises.

If risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout an enterprise.

Benefits of Effective Risk Communication

The benefits of open communication on risk include:

- Assistance in executive management's understanding of the actual exposure to IT risk, enabling the definition of appropriate and informed risk responses
- Awareness among all internal stakeholders of the importance of integrating risk and opportunity in their daily duties
- Transparency to external stakeholders regarding the actual level of risk and risk management processes in use

Consequences of Poor Risk Communication

The consequences of poor communication of risk include:

- A false sense of confidence at the top on the degree of actual exposure related to IT and lack of a well-understood direction for risk management from the top down
- Unbalanced communication to the external world on risk, especially in cases of high, but managed risk, which may lead to an incorrect perception on actual risk by third parties such as:
  - Clients
  - Investors
  - Regulators
- The perception that the enterprise is trying to cover up known risk from stakeholders

Exhibit IF2: IT Risk Communication Components

Exhibit IF2 and the following table depict and describe the broad array of information flows and the major types of IT risk information that should be communicated.

Exhibit IF2: IT Risk Communication Components (figure not reproduced)

Risk Component to Be Communicated: Expectations from risk management

Description: This includes risk strategy, policies, procedures, awareness training, continuous reinforcement of principles, etc. This is essential communication on the enterprise's overall strategy toward IT risk and:

- Drives all subsequent efforts on risk management
- Sets the overall expectations from risk management

Risk Component to Be Communicated: Current risk management capability

Description: This information:

- Allows for monitoring of the state of the risk management engine in the enterprise
- Is a key indicator for good risk management
- Has predictive value for how well the enterprise is managing risk and reducing exposure

Risk Component to Be Communicated: Status with regard to IT risk

Description: This includes the actual status with regard to IT risk including information such as:

- Risk profile of the enterprise, i.e., the overall portfolio of (identified) risk to which the enterprise is exposed
- Key risk indicators (KRIs) to support management reporting on risk
- Event/loss data
- Root cause of loss events
- Options to mitigate risk (including cost and benefits)

Effective Communication

The following table lists the required elements for effective communication.

Communication Element: Clear

Description: Risk information must be known and understood by all stakeholders.

Communication Element: Concise

Description: Information or communication should not inundate the recipients. All ground rules of good communication apply to communication on risk. This includes the avoidance of jargon and technical terms regarding risk because the intended audiences are generally not deeply technologically skilled.

Communication Element: Useful

Description: Any communication on risk must be relevant. Technical information that is too detailed and/or is sent to inappropriate parties will hinder, rather than enable, a clear view of risk.

Communication Element: Timely

Description: For each risk, critical moments exist between its origination and its potential business consequence.

Examples:

- A risk may originate when an inadequate IT organization is set up; the business consequence is inefficient IT operations and service delivery.
- The origination point may be project failure; the business consequence is delayed business initiatives.

Communication is timely when it allows action to be taken at the appropriate moments to identify and treat the risk. It serves no useful purpose to communicate a project delay a week before the deadline.

Communication Element: Aimed at the correct target audience

Description: Information must:

- Be communicated at the right level of aggregation
- Be adapted for the audience
- Enable informed decisions

In this process, aggregation must not hide root causes of risk.

Example: A security officer needs technical IT data on intrusions and viruses to deploy solutions. An IT steering committee may not need this level of detail, but it does need aggregated information to decide on policy changes or additional budgets to treat the same risk.

Communication Element: Available on a need-to-know basis

Description: Information related to IT risk should be known and communicated to all parties with a genuine need. A risk register with all documented risk is not public information and should be properly protected against internal and external parties with no need for it. Communication does not always need to be formal, through written reports or messages. Timely face-to-face meetings between stakeholders are an important means of communication for information related to IT risk.

Exhibit IF3: Risk Communication Flows - Stakeholders

Exhibit IF3 provides a quick overview of the most important communication channels for effective and efficient risk management. The figure's intent is to provide a high-level overview of the main communication flows on IT risk that should exist in one form or another in any enterprise.

Note: This exhibit is focused on the most important information that each stakeholder needs to process. The CRISC may hold one or more of the tactical or operational roles depicted.

Exhibit IF3: Risk Communication Flows - Stakeholders Input (figure not reproduced)

5. Risk Culture

Importance of a Risk-aware Culture

Risk management is about helping enterprises take more risk in pursuit of return. A risk-aware culture:

- Characteristically offers a setting in which components of risk are discussed openly and acceptable levels of risk are understood and maintained
- Begins at the top, with board and business executives who:
  - Set direction.
  - Communicate risk-aware decision making.
  - Reward effective risk management behaviors.

Risk awareness also implies that all levels within an enterprise are aware of why a response is needed and how to respond to adverse IT events.

Exhibit IF4: Elements of a Risk Culture

Risk culture is a concept that is not easy to describe. Exhibit IF4 and the following table depict and describe the series of behaviors that are elements of a risk culture.

Exhibit IF4: Elements of a Risk Culture (figure not reproduced)

Elements of a Risk Culture

Behavior toward taking risk: How much risk does the enterprise feel it can absorb, and what specific risk is it willing to take?

Behavior toward following policy: To what extent will people embrace and/or comply with policy?

Behavior toward negative outcomes: How does the enterprise deal with negative outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to adjust, or will blame be assigned without treating the root cause?

Symptoms of an Inadequate or Problematic Risk Culture

Misalignment between real risk appetite and translation into policies: Management's real position toward risk can be reasonably aggressive and risk taking, whereas the policies that are created reflect a much stricter attitude.

Existence of a blame culture: This type of culture should, by all means, be avoided; it is the most effective inhibitor of relevant and efficient communication.

In a blame culture, business units tend to point the finger at IT when projects are not delivered on time or do not meet expectations. In doing so, they fail to realize how the business unit's involvement up front affects project success.

In extreme cases, the business unit may assign blame for a failure to meet the expectations that the unit never clearly communicated. The blame game only detracts from effective communication across units, further fuelling delays. Executive leadership must identify and quickly control a blame culture if collaboration is to be fostered throughout the enterprise.