Intro to CRISC and Skills Assessment
Introduction to IT Risk Management
Risk is defined as the combination of the probability of an event and
its consequence.
Often, risk is seen as an adverse event that can threaten an
organization’s assets or exploit vulnerabilities and cause harm.
Several factors are considered when evaluating risk, such as:
the mission of the organization
assets
threat
vulnerability
likelihood and impact.
Governance and Risk Management
Governance is the accountability for protection of the assets of an
organization.
Over the past decade, the term “governance” has moved to the forefront of
business thinking in response to examples demonstrating the importance of
good governance and, on the other end of the scale, global business
mishaps.
The corporate governance of IT is the system by which the current and future
use of IT is evaluated, directed and controlled.
Value creation consists of benefits realization, risk optimization
and resource optimization.
Risk optimization is, therefore, an essential part of any governance system and cannot be seen in isolation from benefits realization or resource optimization.
Governance answers four questions:
Are we doing the right things?
Are we doing them the right way?
Are we getting them done well?
Are we getting the benefits?
There is a clear distinction between governance and management.
Management focuses on planning, building, running and monitoring within the directions set by the governance system to create value
by achieving objectives.
Risk management foresees the challenges to achieving these
objectives and attempts to lower the chances and impacts of them
occurring.
Exhibit 0.1 provides an overview of the risk governance structure.
Effective risk governance helps ensure that risk management
practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.
Risk governance has four main objectives:
1. Establish and maintain a common risk view.
2. Integrate risk management into the enterprise.
3. Make risk-aware business decisions.
4. Ensure that risk management controls are implemented and operating
correctly.
The Context of IT Risk Management
Risk management is defined as the coordinated activities to direct
and control an enterprise with regard to risk.
In simple terms, risk can be considered as a challenge to achieving
objectives.
Therefore, risk management can be considered as the activity
undertaken to foresee challenges and lower the chances of those
challenges occurring and their impact.
Effective risk management can also assist in maximizing opportunities.
Risk management starts with understanding the organization, but
the organization is mostly a servant of the environment, or context, in which it operates.
Assessing the organization’s context includes evaluating the intent
and capability of threats; the relative value of, and trust required in,
assets; and the respective relationship of vulnerabilities that threats
could exploit to intercept, modify or fabricate data in information
assets.
The strategy of the organization will drive the individual lines of
business that make up the organization, and each line of business will develop information systems that support its business function.
Exhibit 0.3 illustrates how IT risk relates to overall risk of the
organization.
IT risk management is a cyclical process, as shown in exhibit 0.4.
The first step in the IT risk management process is the identification of IT
risk, which includes determining risk context and risk framework, and the process of identifying and documenting risk.
The risk identification effort should result in the listing and documentation of risk.
This step aligns with the next phase of the IT risk management process: IT risk assessment.
The effort to assess risk, including the prioritization of risk, will provide management with data required for consideration as a key factor in the next phase, risk response and mitigation.
Risk response and mitigation addresses the risk appetite and tolerance of the organization and the need to find cost-effective ways to address risk.
The final phase of IT risk management is risk and control monitoring
and reporting.
In this phase, controls and risk management efforts, as well as the
current risk state, are monitored and results are reported back to
senior management, who will determine the need to return to any
of the previous phases of the process.
The IT risk management process is based on the complete cycle of
all the elements.
A failure to perform any one of the phases in a complete and
thorough manner will result in an ineffective risk management
process.
A failure in any step of the cycle may cause a deficiency that will
affect the other phases.
As with all life cycles, the more the risk management life cycle is repeated and continuously improved, the more effective the IT risk
management effort will be, and the more consistent its results.
Importance of IT Risk Management
The benefits of IT risk management include:
Better oversight of organizational assets
Minimized loss
Identification of threats, vulnerabilities and risk
Prioritization of risk response efforts
Legal and regulatory compliance
Increased likelihood of project success
Improved performance and the ability to attain business goals
Increased confidence of stakeholders
Creation of a risk-aware culture
Better incident and business continuity management
Improved controls
Better monitoring and reporting
Improved decision making
Ability to meet business objectives
Business Risk Versus IT Risk
Risk is a critical part of business.
Unless a business is willing to take a risk, it will not be able to realize the benefits associated with risk.
However, taking too much risk may lead to increased likelihood of
failure of the business and loss of investment.
Every business faces the decision of how much risk to take and what
opportunities to forego.
This is a decision that reflects the risk acceptance level of the senior management.
Risk and Business Continuity
IT risk management is closely linked with business continuity, and IT risk assessment is often a precursor to a business impact analysis (BIA).
In many ways, business continuity starts where risk management ends.
Through IT risk management, the organization attempts to reduce all IT risk to an acceptable level.
The risk is that the business continuity plan (BCP) may not be adequate or accurate, thereby leading to a failure to recover effectively from an incident.
IT Risk and Information Security
Information security is usually based on risk.
The National Institute of Standards and Technology (NIST) states that an organization must provide risk-based, cost-effective controls.
The risk practitioner should be able to demonstrate the purpose of each control and explain the reasoning behind the selection and enforcement of the control.
Control Risk
Project Risk
Change Risk
Summary
This section provided an overview of the areas of IT risk that will be
addressed by the risk practitioner.
There are many variables that a risk practitioner must consider and many decisions that a risk practitioner must make, but the success of the IT risk management effort is usually based on having an organization-wide perspective of risk management, following a structured methodology and gathering the correct information.
It is through the success of the IT risk management effort that a risk practitioner will be able to add value, recommend appropriate controls, and report status of the risk profile to management and all relevant stakeholders.
Now that you have learned a little bit about CRISC, test yourself with this 16-question multiple choice skills assessment to see what areas you need more help with. All you need to do to start is click the quiz button below.
If you would rather skip the quiz and dive into more detailed material, you can sign up now for our next CRISC class here!