
CRISC

REVIEW MANUAL 2015

Introduction to IT Risk Management

Risk is defined as the combination of the probability of an event and its consequence.

Often, risk is seen as an adverse event that can threaten an organization's assets or exploit vulnerabilities and cause harm.

Several factors are considered when evaluating risk, such as:
- the mission of the organization
- assets
- threat
- vulnerability
- likelihood and impact.


Governance and Risk Management

Governance is the accountability for protection of the assets of an organization.

Over the past decade, the term governance has moved to the forefront of
business thinking in response to examples demonstrating the importance of
good governance and, on the other end of the scale, global business
mishaps.

The corporate governance of IT is the system by which the current and future
use of IT is evaluated, directed and controlled.


Value creation comprises benefits realization, risk optimization and resource optimization.

Risk optimization is, therefore, an essential part of any governance system and cannot be seen in isolation from benefits realization or resource optimization.

Governance answers four questions:
- Are we doing the right things?
- Are we doing them the right way?
- Are we getting them done well?
- Are we getting the benefits?


There is a clear distinction between governance and management.

Management focuses on planning, building, running and monitoring within the directions set by the governance system to create value by achieving objectives.

Risk management foresees the challenges to achieving these objectives and attempts to lower the chances and impacts of them occurring.


Exhibit 0.1 provides an overview of the risk governance structure.


Effective risk governance helps ensure that risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.

Risk governance has four main objectives:

1. Establish and maintain a common risk view.
2. Integrate risk management into the enterprise.
3. Make risk-aware business decisions.
4. Ensure that risk management controls are implemented and operating correctly.


The Context of IT Risk Management

Risk management is defined as the coordinated activities to direct and control an enterprise with regard to risk.

In simple terms, risk can be considered as a challenge to achieving objectives.

Therefore, risk management can be considered as the activity undertaken to foresee challenges and lower the chances of those challenges occurring and their impact.

Effective risk management can also assist in maximizing opportunities.


Risk management starts with understanding the organization, but the organization is mostly a servant of the environment, or context, in which it operates.

Assessing the organization's context includes evaluating the intent and capability of threats; the relative value of, and trust required in, assets; and the respective relationship of vulnerabilities that threats could exploit to intercept, modify or fabricate data in information assets.


The strategy of the organization will drive the individual lines of business that make up the organization, and each line of business will develop information systems that support its business function.

Exhibit 0.3 illustrates how IT risk relates to the overall risk of the organization.


IT risk management is a cyclical process, as shown in exhibit 0.4.


The first step in the IT risk management process is the identification of IT risk, which includes determining the risk context and risk framework, and the process of identifying and documenting risk.

The risk identification effort should result in the listing and documentation of risk.

This step aligns with the next phase of the IT risk management process: IT risk assessment. The effort to assess risk, including the prioritization of risk, will provide management with the data required for consideration as a key factor in the next phase, risk response and mitigation.

Risk response and mitigation addresses the risk appetite and tolerance of the organization and the need to find cost-effective ways to address risk.


The final phase of IT risk management is risk and control monitoring and reporting.

In this phase, controls and risk management efforts, as well as the current risk state, are monitored and results are reported back to senior management, who will determine the need to return to any of the previous phases of the process.


The IT risk management process is based on the complete cycle of all the elements.

A failure to perform any one of the phases in a complete and thorough manner will result in an ineffective risk management process.

A failure in any step of the cycle may cause a deficiency that will affect the other phases.

As with all life cycles, the more the risk management life cycle is repeated and continuously improved, the more effective the IT risk management effort will be, and the more consistent the results obtained.


Importance of IT Risk Management

The benefits of IT risk management include:
- Better oversight of organizational assets
- Minimized loss
- Identification of threats, vulnerabilities and risk
- Prioritization of risk response efforts
- Legal and regulatory compliance
- Increased likelihood of project success
- Improved performance and the ability to attain business goals
- Increased confidence of stakeholders
- Creation of a risk-aware culture
- Better incident and business continuity management
- Improved controls
- Better monitoring and reporting
- Improved decision making
- Ability to meet business objectives


Business Risk Versus IT Risk

Risk is a critical part of business.

Unless a business is willing to take a risk, it will not be able to realize the benefits associated with risk.

However, taking too much risk may lead to an increased likelihood of failure of the business and loss of investment.

Every business faces the decision of how much risk to take and what opportunities to forego.

This is a decision that reflects the risk acceptance level of senior management.

Risk and Business Continuity

IT risk management is closely linked with business continuity, and IT risk assessment is often a precursor to a business impact analysis (BIA).

In many ways, business continuity starts where risk management ends.

Through IT risk management, the organization attempts to reduce all IT risk to an acceptable level.

The risk is that the business continuity plan (BCP) may not be adequate or accurate, thereby leading to a failure to recover effectively from an incident.

IT Risk and Information Security

Information security is usually based on risk.

The National Institute of Standards and Technology (NIST) states that an organization must provide risk-based, cost-effective controls.

The risk practitioner should be able to demonstrate the purpose of each control and explain the reasoning behind the selection and enforcement of the control.

Control Risk

Project Risk

Change Risk

Summary

This section provided an overview of the areas of IT risk that will be addressed by the risk practitioner.

There are many variables that a risk practitioner must consider and many decisions that a risk practitioner must make, but the success of the IT risk management effort is usually based on having an organization-wide perspective of risk management, following a structured methodology and gathering the correct information.

It is through the success of the IT risk management effort that a risk practitioner will be able to add value, recommend appropriate controls, and report the status of the risk profile to management and all relevant stakeholders.
