CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Certified in Risk and

Information Systems
Control (CRISC)
COURSE OVERVIEW

Course Topics

Domain 1: Domain 3:
Governance Risk Response
Domain 2: and Reporting Domain 4:
IT Risk Information
Assessment Technology and
Security

©2021. ISACA. All Rights Reserved

1
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

CRISC Job Practice and Questions

22 26 • CRISC exam contains 150 questions total

• Percentage based on domain weight
• Multiple choice questions based on practical
knowledge

32 20

Domain 1 Domain 2
Domain 3 Domain 4

Governance
MODULE 1

©2021. ISACA. All Rights Reserved

2
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Exam Relevance
The domain represents approximately
26% of the CRISC examination 22
(approximately 39 questions). 26

32 20

Domain 1 Domain 2
Domain 3 Domain 4

Session Topics
Key Risk Concepts

Organizational Strategy, Goals and Objectives

Organizational Structure, Roles and Responsibilities

Organizational Culture and Assets

Policies, Standards and Business Process Review

Risk Governance Overview

Enterprise Risk Management, Risk Management

Frameworks and Three Lines of Defense

Risk Profile, Risk Appetite and Risk Tolerance

Professional Ethics, Laws, Regulations and Contracts

©2021. ISACA. All Rights Reserved

3
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Learning Objectives
Outline how the key concepts of risk impact the enterprise.

Distinguish between governance and management functions.

Describe the relationship between enterprise risk and IT risk.

Define roles and responsibilities within the organizational structure and explain
how they relate to risk management.

Outline the impact of organizational culture on risk management.

Identify organizational assets and how they are valued.

Explain how policies and standards provide direction to the enterprise.

Describe how the business process reviews help improve enterprise

effectiveness.

Learning Objectives

Describe the concepts of enterprise risk management.

Assess risk frameworks and their role enterprise risk management.

Explain role of the risk practitioner in the three lines of defense.

Define the types of risk profiles.

Describe the relationship between risk appetite and risk tolerance.

Describe the impact of legal, regulatory, and contractual obligations

regarding risk management.

Explain the importance of professional ethics in risk management.

©2021. ISACA. All Rights Reserved

4
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Key Risk Concepts

Setting Context for Risk in the Enterprise

Setting Context
Communication
Key Risk
Terminology
Risk Reporting and Risk Identification and
Communication • Likelihood Assessment
• Event
• Impact
• Threat Risk Analysis and Business
Risk Response
Impact Evaluation
• Vulnerability

10

©2021. ISACA. All Rights Reserved

5
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Quantifying Risk
Productivity
Damaged Reputation
Response Costs
Impaired Growth
Legal and Regulatory
Health, safety, environment
Competitive Advantage

Setting a monetary value of total losses an Awareness of potential losses associated

enterprise is willing to incur is easier than with risk helps with deciding how to
outlining possible negative outcomes. respond to risk beyond acceptable levels

11

11

Review Question
IT risk is measured by its:

A. level of damage to IT systems.

B. impact on business operations.

C. cost of countermeasures.

D. annual loss expectancy.

12

©2021. ISACA. All Rights Reserved

6
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Organizational Strategy, Goals and

Objectives

13

13

Organizational Governance Overview

Accountability

Conformance Governance Performance

Responsibility

14

14

©2021. ISACA. All Rights Reserved

7
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Governance of Enterprise IT
Governance is applicable to all Board of Directors
departments within an enterprise
Enterprise Strategy
Provides accurate information to
understand threats, subsequent risk Senior Management
and response tactics
Strategic Plans
System to evaluate, direct, monitor and
ultimately control the current and future Risk
Business Units
use of IT Management
Reporting Risk Guidance Reporting
Enables enterprises to create value
for stakeholders, leading to better
Business
planning and optimization
Operations and Risk Monitoring
Processes

15

15

Governance Answers Four Questions

Are we doing the Are we doing them

right things? 1 2 the right way?

Are we seeing
expected benefits? 4 3 Are we getting
them done well?

16

16

©2021. ISACA. All Rights Reserved

8
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Enterprise Strategy
An enterprise exists for the sole purpose of achieving the defined strategic vision.
Enterprise strategy is the focus of its efforts; these are the primary drivers behind how investments
and decisions are being made and which actions are taken.

17

17

Context of IT Risk Management

Risk management is the coordinated activities to direct and control (measure) an enterprise
regarding risk.

Inform Direct Influence

18

18

©2021. ISACA. All Rights Reserved

9
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Delivering a Successful Risk Management

Capability
Consider available methods,
1. models and frameworks that
best align with the enterprise
2. Define the risk taxonomy

Integrate risk efforts into

3. Define the risk ontology 4. the enterprise

Determine process to make

5. Manage risk within the enterprise 6. risk-based business decisions

Report on status of risk managed

7. Track and trend outcomes of
risk efforts 8. by the enterprise

Allocate the necessary resources

9. to implement IT risk management
19

19

Review Question
Which of the following is MOST important to determine when defining
risk management strategies?

A. Risk assessment criteria

B. IT architecture complexity

C. Enterprise disaster recovery plan

D. Business objectives and operations

20

20

©2021. ISACA. All Rights Reserved

10
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Risk Practitioner Goals

To ensure the enterprise can deliver on its goals,

clearly defined objectives are necessary.

At a high level, risk practitioners’ goals are to:

• Provide accurate, complete and timely
information required for informed decisions
made by senior management
• Identify and assess risk, and its likelihood of
occurrence and impact to enterprise
• Allow for the ability to balance performance and
conformance requirements to best suit the
enterprise

21

21

Assessing Enterprise Context

Enterprise

Environment Context

22 Threats Value Vulnerabilities

22

©2021. ISACA. All Rights Reserved

11
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

I&T Related Risk Relative to

Other Major Categories of Risk

23

23

IT Risk Management Life Cycle

• Monitor controls, risk • Determine risk context and risk

management efforts and framework and enterprise risk
Risk and Control appetite and tolerance levels
current risk state IT Risk
Monitoring and • Identify and document risk
• Report results back to Identification
Reporting • Results in listing and
senior management
documentation of threats posed

• Seek and implement • Analyze and evaluate threats

cost-effective ways to Risk Response IT Risk • Assess and prioritize risk
address identified and and Mitigation Assessment • Provide details needed for
assessed risk response and mitigation

24

24

©2021. ISACA. All Rights Reserved

12
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Engaging Senior Management

• Vitally important throughout the

risk management process

• Much more likely to have the • Senior management support

budget, authority, access to should be visible and active
personnel and information, and
Senior
legitimacy that will provide a Management
• Executives should be willing to
successful result Support intervene when necessary to:
• Communicate the
importance of risk
identification efforts
• Encourage everyone to
actively contribute to the
success of the program

25

25

Alignment With Business Goals and Objectives

Risk Overall Risk

Universe Strategy

Business
Goals

Overall Enterprise
Business Vision and
Risk Strategy

26

26

©2021. ISACA. All Rights Reserved

13
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Risk Practitioner’s Role

To avoid being seen as obstructionist, the risk practitioner should seek to:

Understand the business in its

proper context Build relationships that promote
communication
Listen to and understand the
defined strategy
Be aware of changes to ensure the
ability to respond accordingly
Create a culture that encourages open
and informed discussions of risk
Advise on the various aspects of risk,
not make decisions on behalf of the
Secure appropriate technologies business
and business processes
27

27

Types of IT-related Business Risk

Cyber and Emerging

Access Risk Availability Risk
Information Risk Technology Risk

Infrastructure Investment or Program/Project

Integrity Risk
Risk Expense Risk Risk

Relevance Risk Schedule Risk Talent Risk Third-Party Risk

28

28

©2021. ISACA. All Rights Reserved

14
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Organizational Structure, Roles and

Responsibilities

29

29

Risk Management Effectiveness

Support Positioning Integration

Risk management should be a function with enterprise scope, able to reach into all the
parts of the organization and provide leadership, advice and direction.

30

30

©2021. ISACA. All Rights Reserved

15
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

RACI
Responsible Accountable

Accountable for
Responsible for managing risk
the risk management effort

Consulted and provide support and Informed of the achievements

assistance to the risk management and/or deliverables of
effort the practice

Consulted Informed

Demonstrates the relationships and interactions between various roles

31

31

Applying the RACI Model

1
Risk management may be applied to an entire enterprise under a
singular, centralized formal risk management team or may be
practiced separately in each level of the enterprise

2 Enterprise size and diversity of the enterprise also influence risk

management. Cultural differences between departments can create
counterintuitive perspectives

3 Risk management may be too large a task for a single department

or team in larger enterprises. Arrange the risk management effort
by department, products, services or geographic region, following
the same standards and model.

32

32

©2021. ISACA. All Rights Reserved

16
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Review Question
Who is responsible for explaining the ramifications of a new zero-day
exploit to the enterprise to senior management?

A. Chief operating officer

B. Chief risk officer

C. Chief information security officer

D. Chief information officer

33

Key Roles

Risk Manager

Control Owner
Risk Analyst

Control Stewards
Risk Owner

Subject Matter Experts

34

34

©2021. ISACA. All Rights Reserved

17
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Example Organizational Structure

Governing Senior
Body Management

Risk Business Information

Assurance
Management Units Technology

Human Lead
Manager Finance Operations Stewards
Resources Auditor

General HRIS
Analysts Applications Systems Analysts
Ledger Owner

Risk Owner Risk Owner Network Control

Control Control
Systems
Owner Owner

Security
35 Operations

35

Review Question
The risk to an information system that supports a critical business
process is owned by:

A. the IT director.

B. senior management.

C. the risk management department.

D. the system users.

36

36

©2021. ISACA. All Rights Reserved

18
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Organizational Structure and Culture

The structure and culture of the organization directly influence and inform staff
decisions relating to risk prevention, risk detection and risk response efforts.

Identify Assess Respond

Lessons learned may be applicable in protecting other departments, systems or

applications from the same problems. Collaboration and sharing of information is an
important part of using risk scenarios.

37

37

Organizational Culture and Assets

38

38

©2021. ISACA. All Rights Reserved

19
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Risk Management and Organizational Culture

Organizational
Culture

39

39

Organizational Culture Relating to Risk

Vulnerable Reactive Compliant Proactive Resilient

(Don’t Care Culture) (Blame Culture) (Compliance Culture) (Ownership Culture) (Way of Life)

Apathy Resistance to caring Responsibilities Clear lines of Lines of accountability

assigned accountability and and responsibility
Near misses not Some near-miss responsibility defined communicated and
considered reporting Reporting limited to understood
compliance areas Processes defined to
Negligence Some window enhance long-term Active monitoring and
dressing As-required process sustainability and reporting
Hiding of incidents definition operationalization
Ad hoc/inconsistent Advanced
No or little training training Limited instrumentation Appropriate instrumentation and
and investments instrumentation and investments made
Poor or no Communication on a investments are made
communication need-to-know basis Minimal required Training is encouraged
training Training defined and
required Active communication
Compartmentalized
communications Open communication
40

40

©2021. ISACA. All Rights Reserved

20
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Applying Organizational Culture

Determine the risk appetite of senior management Enterprise decisions:

• Invest
Culture and ethics help determine risk-appetite variances • Take on a new line of business
• Develop a new product
Risk appetite can change or vary based on risk type and • Open a new office
should be reviewed periodically • Hire a new employee
• Invest in new hardware or
Extent of risk-appetite change depends on market software
conditions, confidence, past successes or failures, global • Upgrade existing applications
economics, reports in the media, availability of resources, • Implement new controls
new regulations or long-term strategy

41

41

Comparing Risk Cultures

Misalignment of actual risk appetite,

Begins at the top stated tolerances and risk policies

Promotes an open discussion of risk Failure to align risk policy with

management direction and/or enterprise
Ensures acceptable levels of risk are norms regarding compliance with policy
understood and maintained
Existence of a blame culture

Risk-Aware Problematic
42

42

©2021. ISACA. All Rights Reserved

21
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Risk Culture Elements

Aggressive:
Risk Taking Behavior
towards Informed
Conservative: risk taking
Risk Averse

Behavior Risk Behavior Compliant

Learning Culture towards towards
negative Culture policy
Blaming Culture outcomes compliance Noncompliant

43

43

Review Question
Which of the following is MOST important when selecting an
appropriate risk management methodology?

A. Risk culture

B. Countermeasure analysis

C. Cost-benefit analysis

D. Risk transfer strategy

44

44

©2021. ISACA. All Rights Reserved

22
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Risk Awareness Program

Topics include:
Tailor to the needs of the individual
• Required procedures
groups within an enterprise.
• Policy compliance
• Identifying enterprise risk
Can help mitigate some types of • Potential impacts of risk
organizational risk • Addressed vulnerabilities
• Past attacks and compromises

Most cost-effective improvement in Management:

risk and security • Supervisory role in protecting systems
and applications from attack
• Overseeing staff action
Reinforce the need for diligence and • Directing compliance with enterprise
caution when addressing risk policies and practices

45

45

Measuring Risk Awareness Programs

Use a standardized approach to

gauge awareness levels across Provides metrics for awareness
the enterprise (paper or computer- trends and training effectiveness
based quizzes)

Use skills assessment or testing Derive additional training

approach to determine further requirements from tracking help
training needs desk activity, operational errors,
security events and audits

46

46

©2021. ISACA. All Rights Reserved

23
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Risk-Driven Business Approach

Mitigation - Reduce Risk
START N

Technical Controls

Risk falls Organizational Measures

Analyze & within
Identify
Assess defined
limits? Transfer Risk - Insure

Y
Avoid Risk – Stop

Accept Residual N
Monitor Risk risk
Y acceptable?

Y
Re-assess
47

47

Risk Communication
Plays a key role in defining and understanding
the risk culture of an enterprise

Removes the uncertainty and doubts

concerning risk management

Discuss and communicate risk to stakeholders

and personnel throughout the enterprise,
appropriate to their respective roles.

Include threats, incidents, existing vulnerabilities

and value of assets

Be open and transparent about issues or failures

for better decision-making

48

48

©2021. ISACA. All Rights Reserved

24
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Risk Communication Benefits

More
Greater informed
awareness Greater awareness Transparency to
risk decisions
among stakeholders among stakeholders external stakeholders

Gain Trust

49

49

Risk Components to Communicate

Expectations Capability Status

• Risk strategy, policies, • Allows for monitoring the Actual status of IT risk:
procedures, awareness state of a risk management • Enterprise risk profile
training and continuous engine in the enterprise • Key risk indicators to
reinforcement of principles • Key indicator for good risk support management
• Drives all subsequent management reporting on risk
efforts on risk management • Event/loss data
• Sets the overall • Has predictive value for • Root cause of loss events
expectations about the risk how well the enterprise is • Options to mitigate risk
management program managing risk and reducing
exposure
50

50

©2021. ISACA. All Rights Reserved

25
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Organizational Assets

The identification of risk Service and Business

People
depends on the successful Processes
identification of assets,
threats to those assets and
the vulnerabilities that the Data, Information
assets contain. Reputation and Brand
and Knowledge

Facilities and
Assets Cash and Investments
Equipment

Customer Lists Research

51

51

Impact on Organizational Assets

Technology Intellectual
People Data
Property
Enterprises are Customer lists, financial Outdated technology is Trademarks, copyrights,
vulnerable to loss of data, marketing plans, often overlooked patents, trade secrets
key employees HR data or research or research
Extended support can
Identify and support Must ensure protection lengthen availability but Represents future
through cross-training of data in all forms and increase costs earning potential of
locations at all times the enterprise
Provide sufficient Apply patches and
Identify business regular maintenance
documentation of key
value and define Protect and handle IP
processes Securely dispose of
security classifications properly and
technology containing responsibly
data

52

52

©2021. ISACA. All Rights Reserved

26
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Intellectual Property Terms

Trademark Copyright Patent Trade Secret

A formula, process,
Protection of research
A sound, color, logo, design, practice or
Protection of any work and ideas that led to
saying or other other form of secret
that is captured in a the development of a
distinctive symbol that business information
tangible form (e.g., new, unique and
is closely associated that provides a
written works, useful product to
with a certain product competitive
recordings, images, prevent the
or company. Some advantage to the
software, music, unauthorized
trademarks are organization that
sculpture, dance, etc.) duplication of the
eligible for registration possesses the
patented item
information

53

53

Asset Inventory and Documentation

Update to reflect items currently in use Common requirement in regulations, standards
when implementing changes or updates and agreements relating to privacy

Data/information assets Hardware Assets

• System(s) • Equipment
• Source • Supplier
• Acquisition method • Acquisition date
• Business use • Original cost
• Business criticality • Actual cost
• Availability • Location
• Completeness • Equipment owner
• Processing • Maintenance details
• Storage • Insurance and warranty data
• Transmission
• Sensitivity
• Classification
54 • Business owner

54

©2021. ISACA. All Rights Reserved

27
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Asset Inventory

Record Build
Record all relevant assets owned by Common methods to build the
the enterprise: inventory include reviewing purchasing
• Financial or nonfinancial systems, contracts and current
• Required to deliver services software installations.
• Owned or controlled by the
enterprise for a future benefit Determine assets importance in
• Differs between enterprises context of enterprise activities:

• Not all assets are equal

• Prioritize most valuable assets

55

55

Asset Valuation

Determine the importance of assets in the context of organizational activities giving priority to
protecting the most important assets first and less significant assets as time and budget allow.

An asset may be valued according to what another person would pay for it or by its measure of
value to the enterprise.

• Completed by assigning a quantitative (monetary) value

• Calculating the value an asset provides to an enterprise is not as straightforward as it may appear

• Consider impact and consequences of data breaches (sanctions or lawsuits)

• Base valuation on the total range of potential losses and other impacts

• Protects the enterprise from paying more for protection than the net worth

• Calculate based on impact of confidentiality, integrity or availability loss

56

56

©2021. ISACA. All Rights Reserved

28
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Review Question
Which of the following is MOST useful when computing annual loss
exposure?

A. The cost of existing controls

B. The number of vulnerabilities

C. The net present value of the asset

D. The business value of the asset

57

57

Policies, Standards and Business Process

Review

58

58

©2021. ISACA. All Rights Reserved

29
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Risk Management Policies

The risk practitioner should identify the presence or lack of policies
and work to determine whether the policies are enforced.

Information Risk Appetite/

Enterprise Risk Privacy
Security Tolerance

59

59

Procedures Risk Management Procedures

• Risk Identification
Detailed description of steps necessary to perform specific
operations in conformance with applicable standards: • Risk Analysis
• Defined as part of processes • Risk Evaluation
• Created to define how processes should be completed
• Risk Assessment
• Implementing the intent of policy by outlining tasks
A lack of standards and procedures makes it difficult to carry out • Risk Response
activities in a systematic manner and may result in undependable,
• Control Selection
inconsistent operations and elevated risk
• Distinguish between the existence of published procedures • Control Monitoring
and their actual use
• Establish KPIs, KCIs, and KRIs
• Ensure continued use of procedures long term, especially
when precision is important • Risk Monitoring

• Risk Reporting

60

60

©2021. ISACA. All Rights Reserved

30
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Review Question
Which of the following provides the GREATEST support to a risk
practitioner recommending encryption of corporate laptops and
removable media as a risk mitigation measure?

A. Benchmarking with peers

B. Evaluating public reports on encryption algorithms in the public

domain

C. Developing a business case

D. Scanning unencrypted systems for vulnerabilities

61

61

Exception Management

1 2 3 4

If exceptions are May result in an Exceptions should only Ensure that exceptions
undocumented and undesired level of risk be allowed through a are removed when no
uncontrolled, the level or overconfidence in documented, formal and longer needed
of risk is unknown effectiveness of time-bound process.
established controls
62

62

©2021. ISACA. All Rights Reserved

31
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Business Process Review Purpose

Identify problems or issues Gather information toward

with the current process improving processes

Prepare a road map to Assign responsibility and

implement required changes accountability for projects

Schedule individual projects Monitor project progress for

according to priority milestones and deliverables

Obtain and review feedback Verify compliance to

on project results standards and policies

63

63

Business Process Review Steps

1. Document and
2. Identify 3. Schedule and 4. Feedback and
evaluate current
potential changes implement changes Evaluation
business processes

• List critical processes • Use focus groups • Measure

• Design changes
• Document current business and workshops to operational
• Identify dependencies
processes and risk determine process efficiencies
• Communicate change
• Document identified issues improvements schedule
and problems • Validate proposed
• Baseline other changes with
organizations management and
• Discover potential solutions obtain approval to
and improvements proceed

64

64

©2021. ISACA. All Rights Reserved

32
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Processes and Controls

Consider how controls will integrate into the existing environment:

Communicate Be transparent with Implementing

benefits and value end-users when controls can
with appropriate implementing/ reduce
stakeholders modifying processes workarounds
and controls

Design risk Compliant

responses with a companies may
focus on derive competitive
compliance advantages

65

65

Risk Management Principles

Connect to
enterprise
objectives
Use a consistent
approach aligned Align with ERM
with strategy

Risk
Management
Principles

Establish tone at Balance

the top and cost/benefit of
accountability I&T-related risk
Promote ethical
and open
communication
66

66

©2021. ISACA. All Rights Reserved

33
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

IT Risk in Relation to Other Business Functions

Business Audit Information

Continuity Security

• Preservation of critical business • Formal inspection and • Drives selection of controls and
functions verification of compliance and justifies operation.
• Ability to survive an adverse accuracy • Traceable back to a specific I&T-
event • Provides management with related risk
• Attempts to reduce all I&T- assurance of frameworks, • Prevents poor control design and
related risk to acceptable levels programs and compliance efforts implementation

67

67

Review Question
Which of the following should be of MOST concern to a risk
practitioner?

A. Failure to notify the public of an intrusion

B. Failure to notify the police of an attempted intrusion

C. Failure to internally report a successful attack

D. Failure to examine access rights periodically

68

68

©2021. ISACA. All Rights Reserved

34
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Break

69

Risk Governance Overview

70

70

©2021. ISACA. All Rights Reserved

35
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Risk Governance Overview

Risk
Management
Functions

Processes Activities

Practices
71

71

Risk Governance Objectives

The four core objectives of risk governance:

1 3

Ensure that risk

Establish and maintain Integrate risk Make risk-aware management controls
a common risk view. management into the business decisions. are implemented and
enterprise. operating correctly

2 4

72

72

©2021. ISACA. All Rights Reserved

36
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Enterprise Risk Management, Risk Management

Frameworks and Three Lines of Defense

73

73

Enterprise Risk Management

Risk management is defined as the coordinated activities to
direct and control (measure) an enterprise regarding risk.

Challenge Opportunity

74

74

©2021. ISACA. All Rights Reserved

37
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Establishing an Enterprise Approach to Risk

Management
Risk management is an enterprise activity that benefits from a standardized
and structured approach, enterprise awareness, and executive sponsorship

Identifying risk by Risk may be measured No single approach is

1. system or by project 2. differently, creating 3. best for all types of
can create new risk of gaps between projects enterprises
false assurance. or systems.

Be sensitive to local Apply approach to

4. departmental cultures,
5. entire enterprise without
priorities, regulations, substantial modification
goals and restraints or customization

75

75

Review Question
Which of the following choices provides the BEST view of risk
management?

A. An interdisciplinary team within the enterprise

B. A third-party risk assessment service provider

C. The enterprise’s IT department

D. The enterprise’s internal compliance department

76

76

©2021. ISACA. All Rights Reserved

38
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Risk Management Standards and Frameworks

The common privacy standards include:

COBIT Focus Area Information Risk

International Organization for Standardization (ISO)/

International Electrotechnical Commission (IEC)

NIST Privacy Standards and Guidelines

77

77

NIST Risk Guidance

NIST SP 800-30 NIST SP 800-39

Guide for Conducting Risk Managing Information

Assessments Security Risk

Risk assessments are a key part Provide guidance for an

of effective risk management integrated, organization-wide
and facilitate decision making in program for managing information
the risk management hierarchy security risk on an ongoing basis

78

78

©2021. ISACA. All Rights Reserved

39
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Three Lines of Defense

Enhance enterprise risk management capabilities across the organization’s
various lines of business, establishing a more robust ERM program.

First Line Second Line Third Line

Owns and manages risk Oversees risk Provides independent
Establishes control Monitors controls testing and assurance
functions

79

79

Visualizing the Three Lines of Defense

Governing Body/Audit Committee
Senior Management

1st Line 2nd Line 3rd Line External Audit

Regulators

Financial Controls
Security
Management Internal Risk Management
Control Internal Audit
Controls Quality
Measures
Inspection
Compliance

Risk Management

• Data/system/risk ownership • Risk Framework and Policy • Independent assurance to

• Business operation • Compliance and oversight Board, Senior Management and
• Process & procedure information • Check and challenge Audit Committee

80 Assurance

80

©2021. ISACA. All Rights Reserved

40
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Review Question
Which of the following is one of the MAIN purposes of the first line of
defense in the three lines of defense model?

A. Ensure that financial controls are in place

B. Ensure control deficiencies are addressed

C. Ensure risk management practices are effective

D. Ensure compliance with rules and regulations

81

81

Risk Profile, Risk Appetite and Risk Tolerance

82

82

©2021. ISACA. All Rights Reserved

41
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Risk Profile

Changes in the risk profile can be caused by:

Based on the overall risk posture  New technologies
of the enterprise and its:  Changes to business procedures
• Attentiveness to monitoring  Mergers or acquisitions
control effectiveness  New or revised regulations
• Proactivity in identifying and  Changes in customer expectations
addressing or preventing risk  Actions of competitors
 Effectiveness of risk awareness programs
• Development of a risk culture

83

83

Determining the Risk Profile

Assets Business Events

• New assets • Changes to the scope of risk • New threats (internal and
• Total cost of ownership assessment external)
(TCO) of assets • Changes in business • Newly discovered
• People and the morale of priorities, assets, services, vulnerabilities
the organization products and operations • Possibility of increased risk
• Regulations and legal • Risk acceptance levels due to aggregation of threats
changes • Actions of competitors and vulnerabilities
• Availability of • Changes in the supply chain • Incidents
staff/resources • Changes in financial markets • Logs and other data sources
• Impact from external events

84

84

©2021. ISACA. All Rights Reserved

42
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

IT Risk Management Objectives and Goals

Review
Awareness
IT risk management objectives and goals
on a regular basis (annually) to ensure
continued alignment with goals and
The risk practitioner has a key role ensuring
objectives of senior management
that management is aware of the current IT
Review program in terms of increasing risk profile and that risk is being managed to
maturity (risk response/mitigation activities, meet objectives.
training, improved response time, and better
alignment and communication Work with stakeholders to monitor risk and
evaluate the control framework effectiveness
Criteria for monitoring, thresholds used for and efficiency
KPIs and KRIs, policies and strategies of
risk, reporting schedule and list of key Apply lessons learned to improve the risk
stakeholders to be notified when KPIs or management process
KRIs exceed their thresholds
85

85

Risk Capacity, Appetite and Tolerance

Risk Capacity Risk Appetite Risk Tolerance

Objective amount of loss an Broad-level amount of risk an Acceptable level of deviation

enterprise can accept to entity is willing to accept in allowed by management to
ensure continued existence pursuit of its mission pursue enterprise objectives

Defined by enterprise owners

Defined and approved by senior management
or board of directors

Communicated to all stakeholders

Informs risk appetite
Reassess and reconfirm over time

86

86

©2021. ISACA. All Rights Reserved

43
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Illustrating Risk Appetite, Tolerance and Capacity

Risk Capacity
Risk Tolerance
Risk Appetite
Risk Appetite
Tolerance Criteria Risk Capacity
(Amount & Duration)

Drastic and extreme measures would be A realized risk that

This to
required is ensure
the correct way to survival.
organization’s properly exceeds the risk
manage risk within the enterprise. capacity threatens an
enterprise’s ability to
continue operations

87

87

Review Question
Senior management has defined the enterprise risk appetite as
moderate. A business-critical application has been determined to
pose a high risk. What is the NEXT action the risk practitioner should
take?

A. Remove the high-risk application and replace it with another

system.

B. Recommend that management increase its acceptable risk level

for the application.

C. Assess the impact of planned controls to the application.

D. Restrict access to the application only to trusted users.

88

88

©2021. ISACA. All Rights Reserved

44
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Benefits of Enterprise-Level Definitions

Show impact of
Support
different Support the
Support and understanding
resource prioritization and
provide of how each Identify specific
allocation approval
evidence of risk- component of areas where a
strategies by process of risk
based decision- the enterprise risk response
simulating response
making contributes to should be made
different risk actions through
processes the overall risk
response risk budgets
profile
options

89

89

Creating Risk Aware Culture

Used by senior management to
Important aspect of monitoring risk
revisit and reinforce risk appetite

Consistent Consistent
implementation understanding

Effective monitoring Consistency between

and communication relevant systems

90

90

©2021. ISACA. All Rights Reserved

45
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Professional Ethics, Laws, Regulations and

Contracts

91

91

Professional Ethics of Risk Management

Risk is often impacted by professional ethics.

Certain industries
incorporate ethics into
expectations, which can
Well-treated employees then result in establishing
can be an example or ally. reporting and conformance
Poorly treated employees requirements for
Enterprises with poor may seek revenge causing professionals
management processes serious consequences.
in place may not identify
errors, misuse or fraud.

92

92

©2021. ISACA. All Rights Reserved

46
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Legal, Regulatory and Contractual Requirements

Enterprises are required to comply with the laws and regulations of the
jurisdictions where they operate and face penalties for failing to do so.

Identify which laws apply to the enterprise and understand their

requirements including issues like interpretation and compliance.

Operation across regions or nations may build global and specialized

programs to handle regulations more effectively.

GDPR PCI-DSS

93

93

Review Question
A key objective when monitoring information systems control
effectiveness against the enterprise’s external requirements is to:

A. design the applicable information security controls for external

audits.

B. create the enterprise’s information security policy provisions for

third parties.

C. ensure that the enterprise’s legal obligations have been satisfied.

D. identify those legal obligations that apply to the enterprise’s

security practices.

94

94

©2021. ISACA. All Rights Reserved

47
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Review Question
Shortly after performing the annual review and revision of corporate
policies, a risk practitioner becomes aware that a new law may affect
security requirements for the human resources system. The risk
practitioner should:

A. analyze in detail how the law may affect the enterprise.

B. ensure that necessary adjustments are made during the next

review cycle.

C. initiate an ad hoc revision of the corporate policy.

D. notify the system custodian to implement changes.

95

95

Review Question
It is MOST important that risk appetite is aligned with business
objectives to ensure that:

A. resources are directed toward areas of low risk tolerance.

B. major risk is identified and eliminated.

C. IT and business goals are aligned.

D. the risk strategy is adequately communicated.

96

96

©2021. ISACA. All Rights Reserved

48
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Summary and Q/A

Key Risk Concepts

Organizational Strategy, Goals and Objectives

Organizational Structure, Roles and Responsibilities

Organizational Culture and Assets

Policies, Standards and Business Process Review

Risk Governance Overview

Enterprise Risk Management, Risk Management

Frameworks and Three Lines of Defense

Risk Profile, Risk Appetite and Risk Tolerance

Professional Ethics, Laws, Regulations and Contracts

97

97

Preparing for Session Two

• Complete session one activities

• Review session two pre-work

• Study and answer session two questions

98

98

©2021. ISACA. All Rights Reserved

49