CRISC REVIEW MANUAL 2015

Page 1: Intro to CRISC and Skills Assessment

Page 2: Intro to CRISC and Skills Assessment

Introduction to IT Risk Management

Page 3: Intro to CRISC and Skills Assessment

Risk is defined as the combination of the probability of an event and its consequence.

Often, risk is seen as an adverse event that can threaten an organization’s assets or exploit vulnerabilities and cause harm.

Several factors are considered when evaluating risk, such as:
the mission of the organization
assets
threat
vulnerability
likelihood and impact.

Page 4: Intro to CRISC and Skills Assessment

Governance and Risk Management

Governance is the accountability for protection of the assets of an organization.

Over the past decade, the term “governance” has moved to the forefront of business thinking in response to examples demonstrating the importance of good governance and, on the other end of the scale, global business mishaps.

The corporate governance of IT is the system by which the current and future use of IT is evaluated, directed and controlled.

Page 5: Intro to CRISC and Skills Assessment

Governance and Risk Management

Value creation comprises benefits realization, risk optimization and resource optimization.

Risk optimization is, therefore, an essential part of any governance system and cannot be seen in isolation from benefits realization or resource optimization.

Governance answers four questions:
Are we doing the right things?
Are we doing them the right way?
Are we getting them done well?
Are we getting the benefits?

Page 6: Intro to CRISC and Skills Assessment

Governance and Risk Management

There is a clear distinction between governance and management.

Management focuses on planning, building, running and monitoring within the directions set by the governance system to create value by achieving objectives.

Risk management foresees the challenges to achieving these objectives and attempts to lower the chances and impacts of them occurring.

Page 7: Intro to CRISC and Skills Assessment

Governance and Risk Management

Exhibit 0.1 provides an overview of the risk governance structure.

Page 8: Intro to CRISC and Skills Assessment

Governance and Risk Management

Effective risk governance helps ensure that risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.

Risk governance has four main objectives:

1. Establish and maintain a common risk view.
2. Integrate risk management into the enterprise.
3. Make risk-aware business decisions.
4. Ensure that risk management controls are implemented and operating correctly.

Page 9: Intro to CRISC and Skills Assessment

The Context of IT Risk Management

Risk management is defined as the coordinated activities to direct and control an enterprise with regard to risk.

In simple terms, risk can be considered as a challenge to achieving objectives.

Therefore, risk management can be considered as the activity undertaken to foresee challenges and lower the chances of those challenges occurring and their impact.

Effective risk management can also assist in maximizing opportunities.

Page 10: Intro to CRISC and Skills Assessment

The Context of IT Risk Management

Risk management starts with understanding the organization, but the organization is mostly a servant of the environment, or context, in which it operates.

Assessing the organization’s context includes evaluating the intent and capability of threats; the relative value of, and trust required in, assets; and the respective relationship of vulnerabilities that threats could exploit to intercept, modify or fabricate data in information assets.

Page 11: Intro to CRISC and Skills Assessment

The Context of IT Risk Management

The strategy of the organization will drive the individual lines of business that make up the organization, and each line of business will develop information systems that support its business function.

Exhibit 0.3 illustrates how IT risk relates to the overall risk of the organization.

Page 12: Intro to CRISC and Skills Assessment

The Context of IT Risk Management

IT risk management is a cyclical process, as shown in exhibit 0.4.

Page 13: Intro to CRISC and Skills Assessment

The Context of IT Risk Management

The first step in the IT risk management process is the identification of IT risk, which includes determining the risk context and risk framework, and the process of identifying and documenting risk.

The risk identification effort should result in the listing and documentation of risk.

This step aligns with the next phase of the IT risk management process: IT risk assessment.

The effort to assess risk, including the prioritization of risk, will provide management with the data required for consideration as a key factor in the next phase, risk response and mitigation.

Risk response and mitigation addresses the risk appetite and tolerance of the organization and the need to find cost-effective ways to address risk.

Page 14: Intro to CRISC and Skills Assessment

The Context of IT Risk Management

The final phase of IT risk management is risk and control monitoring and reporting.

In this phase, controls and risk management efforts, as well as the current risk state, are monitored and results are reported back to senior management, who will determine the need to return to any of the previous phases of the process.

Page 15: Intro to CRISC and Skills Assessment

The Context of IT Risk Management

The IT risk management process is based on the complete cycle of all the elements.

A failure to perform any one of the phases in a complete and thorough manner will result in an ineffective risk management process.

A failure in any step of the cycle may cause a deficiency that will affect the other phases.

As with all life cycles, the more the process management life cycle is repeated and continuously improved, the more effective the IT risk management effort will be, and the more consistent the results that will be obtained.

Page 16: Intro to CRISC and Skills Assessment

Importance of IT Risk Management

The benefits of IT risk management include:
Better oversight of organizational assets
Minimized loss
Identification of threats, vulnerabilities and risk
Prioritization of risk response efforts
Legal and regulatory compliance
Increased likelihood of project success
Improved performance and the ability to attain business goals
Increased confidence of stakeholders
Creation of a risk-aware culture
Better incident and business continuity management
Improved controls
Better monitoring and reporting
Improved decision making
Ability to meet business objectives

Page 17: Intro to CRISC and Skills Assessment

Business Risk Versus IT Risk

Risk is a critical part of business.

Unless a business is willing to take a risk, it will not be able to realize the benefits associated with that risk.

However, taking too much risk may lead to an increased likelihood of failure of the business and loss of investment.

Every business faces the decision of how much risk to take and what opportunities to forego.

This is a decision that reflects the risk acceptance level of senior management.

Page 18: Intro to CRISC and Skills Assessment

Business Risk Versus IT Risk

Risk and Business Continuity

IT risk management is closely linked with business continuity, and IT risk assessment is often a precursor to a business impact analysis (BIA).

In many ways, business continuity starts where risk management ends.

Through IT risk management, the organization attempts to reduce all IT risk to an acceptable level.

The risk is that the business continuity plan (BCP) may not be adequate or accurate, thereby leading to a failure to recover effectively from an incident.

Page 19: Intro to CRISC and Skills Assessment

Business Risk Versus IT Risk

IT Risk and Information Security

Information security is usually based on risk.

The National Institute of Standards and Technology (NIST) states that an organization must provide risk-based, cost-effective controls.

The risk practitioner should be able to demonstrate the purpose of each control and explain the reasoning behind the selection and enforcement of the control.

Control Risk

Project Risk

Change Risk

Page 20: Intro to CRISC and Skills Assessment

Summary

This section provided an overview of the areas of IT risk that will be addressed by the risk practitioner.

There are many variables that a risk practitioner must consider and many decisions that a risk practitioner must make, but the success of the IT risk management effort is usually based on having an organization-wide perspective of risk management, following a structured methodology and gathering the correct information.

It is through the success of the IT risk management effort that a risk practitioner will be able to add value, recommend appropriate controls, and report the status of the risk profile to management and all relevant stakeholders.

Page 21: Intro to CRISC and Skills Assessment

Now that you have learned a little bit about CRISC, test yourself with this 16-question multiple choice skills assessment to see what areas you need more help with. All you need to do to start is click the quiz button below.

If you would rather skip the quiz and dive into more detailed material, you can sign up now for our next CRISC class here!