Chapter 4 Flashcards
4.1: Should every organisation implement an identical risk-management framework?
The short answer to this question is no. Organisations differ in terms of the nature, scale and complexity of their activities. Even organisations of a similar size or from the same sector may implement risk-management frameworks that are designed differently. Many factors will influence the design of a framework. These might include:
- the structure and reporting lines of the organisation;
- its culture;
- the human and financial resources it has available; or
- the regulations with which it is expected to comply.
That said, most organisations should make use of elements such as the risk-management process and should generally have a risk-management policy and risk-reporting arrangements.
4.3: What type of organisation is the Orange Book aimed at?
The Orange Book is aimed at government organisations and departments, but it contains much that is of use to other
types of organisation. The Orange Book’s approach to risk management is relatively simple, so it is less useful for large, complex organisations. Small to medium-sized organisations may find much that is of use.
4.4: Explain how exposure to risk may prevent an organisation from achieving its objectives
All organisations have objectives. They might be business objectives such as increasing profit or market share, or they
may be social and environmental objectives, such as delivering a local public service or protecting the environment.
Risk events that occur may have a variety of adverse consequences. There may be financial losses, due to the damage or destruction of assets, or people may have been killed or injured. In addition, an organisation may find that its normal operations are disrupted, or that it suffers bad publicity and reputation damage.
All of these adverse consequences may affect an organisation’s ability to meet its objectives. The replacement of lost or damaged assets will hit organisational cash flows and profitability, reputation damage might lead to a loss in demand for the organisation’s products, or business disruption may prevent the organisation from producing sufficient quantities of its goods and services.
4.5: Why are governance processes included as part of the COBIT 2019 IT risk-management framework?
Any risk-management framework needs governance processes to be effective. These processes ensure that the framework is implemented fully and consistently by the organisation’s managers and employees. They also ensure that the framework considers the needs of the organisation’s stakeholders.
In addition, governance processes help to ensure that a risk-management framework remains up to date through regular effectiveness reviews, audits and the identification and implementation of framework enhancements.