CRISC Domain 1 - A through H Flashcards

Domain 1 - Risk Identification, Assessment and Evaluation

1
Q

Definition of Risk

A

Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise

2
Q

Risk contains

A
  • Opportunities for benefit (upside)
  • Threats to success (downside)

3
Q

What are the guiding principles for effective risk management

A
  • Maintain focus on the business mission, goals and objectives
  • Integrate IT risk mgmt into enterprise risk mgmt (ERM)
  • Balance the costs and benefits of managing risk
  • Promote fair and open communication
  • Establish tone at the top and assign personal accountability
  • Promote continuous improvement as part of daily activities
4
Q

Definition of Management

A
  • Mgmt entails the judicious use of means (resources, people, processes, practices, etc) to achieve an identified end
  • Often differentiated from governance as the distinction between being “committed” (governance) and “involved” (management)
5
Q

Explain Management

A
  • Mgmt is responsible for execution within the direction set by the guiding body or unit
  • Mgmt is about planning, building, organizing and controlling operational activities to align with the direction set by the governance body
  • Mgmt is a means or instrument by which the governance body achieves a result or objective
6
Q

Definition of Risk Mgmt

A

Risk Mgmt is the identification, assessment and prioritization of risk followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of adverse events or to maximize the realization of opportunities

7
Q

Explain Responsibilities and Accountability for Risk Mgmt

A
  • Responsibility belongs to those who must ensure that the activities are completed successfully
  • Accountability applies to those individuals, groups, or entities that are ultimately responsible for the subject matter, process or scope
8
Q

Explain Risk Governance

A
  • Risk governance addresses the oversight of the business risk mgmt strategy of the enterprise
  • Risk governance is the domain of senior mgmt and the shareholders of the enterprise
9
Q

Who establishes and is responsible for risk governance? Explain

A
  • Senior mgmt and shareholders
  • They establish the enterprise’s risk culture and the acceptable levels of risk
  • They set up the mgmt framework
  • They ensure that the risk mgmt function is operating effectively to identify, manage, monitor, and report on current and potential risk facing the enterprise
10
Q

Define Governance

A
  • Governance is a system referring to all the means and mechanisms that enable multiple stakeholders in an enterprise to have an organized say in:
      - Evaluating conditions and options
      - Setting direction
      - Monitoring compliance, performance and progress against plans to satisfy specific enterprise objectives
11
Q

Definition of Risk Governance

A
  • Risk governance is a strategic business function that ensures that risk mgmt activities align with the enterprise’s loss capacity
12
Q

What are the objectives of risk governance

A
  1. Establish and maintain a common risk view
  2. Integrate risk management into the enterprise
  3. Make risk-aware business decisions
13
Q

To effectively govern enterprise and IT risk there must be an:

A
  • Understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
  • Awareness of risk and the need for effective communication about risk throughout the enterprise
  • Understanding of the elements of risk culture
14
Q

What’s the definition of risk appetite

A

The broad-based amount of risk that a company or entity is willing to accept in pursuit of its mission (or vision)

15
Q

What’s the definition of risk tolerance

A

The acceptable variation relative to the achievement of an objective (often best measured in the same units as those used to measure the related objective)

16
Q

What are the major factors influencing risk appetite

A
  • The enterprise’s objective capacity to absorb loss, e.g., financial loss, reputation damage
  • The (management) culture or predisposition toward risk taking - cautious or aggressive
17
Q

What are the risk appetite bands and definitions

A

  • Really unacceptable - indicates a level of risk that the enterprise considers far beyond its normal risk appetite. Any risk in this band may trigger an immediate risk response
  • Unacceptable - indicates elevated risk, also above the acceptable risk appetite. The enterprise may, as a matter of policy, require mitigation or another adequate response to be defined within certain time boundaries
  • Acceptable - indicates a normal, acceptable level of risk, usually with no special action required except maintaining the current controls or other responses
  • Opportunity - indicates very low risk, in which cost-saving opportunities may be found by decreasing the degree of control or in which opportunities for assuming more risk may arise
18
Q

Define Risk Tolerance

A

The acceptable deviation from the level set by the risk appetite and business objectives

19
Q

What are the guidelines for risk appetite and risk tolerance

A
  • Risk appetite and risk tolerance must connect
  • Exceptions to risk tolerance standards must be reviewed and approved
  • Risk appetite and tolerance change over time
  • Cost of risk mitigation options can affect risk tolerance
20
Q

Definition of risk culture

A

The shared values and beliefs that govern attitudes and behaviors toward risk taking, care and integrity, and that determine how openly risk and losses are reported and discussed

21
Q

Definition of Framework

A

A framework is a generally accepted, business-process-oriented structure that establishes a common language and enables repeatable business processes

22
Q

Definition of Standard

A

A standard establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.

23
Q

What are standards intended for

A
  • Compliance purposes and to provide assurance to others who interact with a process or the outputs of a process (e.g., food and drug quality)
  • To be implemented in a rigid way and to minimize the number of deviations, based on a cost-benefit analysis
24
Q

When should deviations from the standard be granted

A

Should only be granted on an “exception” basis and should follow a defined approval process

25
Q

Definition of a Practice and Leading Practices

A
  • Practice is a frequent or usual action performed as an application of knowledge
  • Leading practice is defined as an action that optimally applies knowledge in a particular area
26
Q

Who issues practices, and what may the issuing bodies include?

A
  • A recognized authority that is appropriate to the subject matter
  • Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors
27
Q

Why do frameworks, standards, and practices matter

A
  • Provide a systematic view of “things to watch” that could result in harm to customers or an enterprise
  • Act as a guide to focus efforts of diverse teams
  • Save time and costs, such as training costs, operational costs and performance improvement costs
  • Help achieve business objectives more quickly and easily
  • Provide credibility to engage functional (e.g., CFO) leadership
28
Q

What is risk identification

A

The process of determining and documenting the risk that an enterprise faces

29
Q

What is the identification of risk based on

A

The recognition of threats, vulnerabilities, assets and controls in the enterprise’s operational environment

30
Q

What is risk assessment

A

A process used to identify and evaluate risk and its potential effects

31
Q

What is risk evaluation

A

The process of comparing the estimated risk against given risk criteria to determine the significance of this risk

32
Q

Definition of Frequency

A

A measure of the rate by which events occur over a certain period of time

33
Q

Definition of Magnitude

A

A measure of the potential severity of loss or the potential gain from a realized IT event/scenario

34
Q

Definition of Risk Aggregation

A

The process of integrating risk assessments at a corporate level to obtain a complete view of the overall risk for the enterprise

35
Q

Definition of Risk Analysis

A

A process by which frequency and magnitude of IT risk scenarios are estimated

36
Q

Definition of IT Risk

A

The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

37
Q

Effective risk identification, assessment and evaluation involves

A
  • Collecting data on:
      - The enterprise’s operating environment (internal/external)
      - Risk events
  • Identifying risk factors (internal/external)
  • Analyzing and estimating risk
  • Identifying the business process resilience level, including the related IT services and supporting assets
38
Q

What are the three IT Risk Categories

A
  • IT benefit/value enablement risk
  • IT program and project delivery risk
  • IT operations and service delivery risk
39
Q

Define IT benefit/value enablement risk

A

Associated with (missed) opportunities to use technology to improve the efficiency or effectiveness of business processes or as an enabler for new business initiatives

40
Q

Define IT program and project delivery risk

A

Associated with the contribution of IT to new or improved business solutions, usually in the form of projects or programs

41
Q

Define IT operations and service delivery risk

A

Associated with the performance of IT systems and services, which can bring destruction or reduction of value to the enterprise

42
Q

What are the high-level phases of risk identification, assessment and evaluation

A
  1. Collect data
  2. Analyze Risk
  3. Maintain Risk Profile
43
Q

What are some methods used to collect risk data

A
  • Interviews
  • Questionnaires and surveys
  • Facilitated workshops
  • Observations
  • Testing
44
Q

Definition of Risk Scenario

A

A description of an event that can lead to a business impact, when and if it should occur

45
Q

Risk scenario analysis is a technique used to

A
  • Describe risk in a more concrete and tangible manner
  • Allow for proper risk assessment and analysis

46
Q

What are the approaches to Risk Scenario Development? Explain each

A
  • Top-down approach: From the overall business objectives, an analysis of the most relevant and probable IT risk scenarios impacting the business objectives is performed
  • Bottom-up approach: A list of generic scenarios is used to define a set of more concrete and customized scenarios, which are then applied to the individual enterprise situation
47
Q

What drives the top-down risk scenario development approach and when is it most beneficial

A

  • Business objectives drive the approach; thus, the approach is unique to each enterprise
  • The approach is most beneficial in ensuring that the risk scenarios remain relevant and linked to real business risk

48
Q

What benefit is it to use generic risk scenarios in Risk Scenario Development

A
  • Helps ensure that no risk is overlooked
  • Provides a comprehensive and complete view of IT risk

49
Q

What are the steps in the bottom-up risk scenario development

A
  1. Using a list of generic risk scenarios, define a set of concrete risk scenarios for the enterprise
  2. Perform a validation against the business objectives of the entity
  3. Refine the selected scenarios based on this validation, and detail them to a level in line with the criticality of the entity
  4. Reduce the number of scenarios to a manageable set
  5. Keep all risk factors in a register so that they can be reevaluated in the next iteration and included for detailed analysis if they have become relevant at that time
  6. Include in the scenarios an unspecified event - how to address an incident not covered by other scenarios
50
Q

What are the Risk Scenario Components

A
  1. Actor
  2. Threat type
  3. Event
  4. Asset (tangible and intangible)
  5. Timing dimension
51
Q

When should a Risk Assessment be performed

A

At least on an annual basis or when important internal or external changes occur

52
Q

What is a Risk Register and what does it record?

A
  • Also known as a risk log, it is a listing of all risks identified for the enterprise
  • It records:
      - All known risk
      - Priorities of risk
      - Likelihood of risk
      - Potential risk impact
      - Status of the risk mitigation plans
      - Contingency plans
      - Ownership of risk
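The cards on the risk scenario components, on risk analysis (estimating frequency and magnitude), on the risk appetite bands and on the register fields describe one pipeline: scenario, score, band, register row, priority. The following is an added example written for this page, not CRISC/ISACA material, that ties those pieces together. The 1-5 ordinal scales, the band thresholds and the three sample scenarios are assumptions chosen for illustration; the "needs review" flag implements the guideline that exceptions to risk tolerance must be reviewed and approved.

```python
"""Risk scenarios rolled into a risk register with appetite bands.

Added example written for this page, not CRISC/ISACA material. The 1-5
ordinal scales, the band thresholds and the sample scenarios are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed ordinal scales: frequency 1 (rare) .. 5 (frequent) and
# magnitude 1 (negligible) .. 5 (severe). Score = frequency * magnitude (1..25).
# Each entry is the inclusive upper bound of an appetite band (assumed thresholds).
BANDS = [
    (4, "opportunity"),           # very low risk; controls might be relaxed
    (9, "acceptable"),            # normal risk; keep current controls
    (15, "unacceptable"),         # a response must be defined within a set time
    (25, "really unacceptable"),  # far beyond appetite; immediate response
]
ABOVE_APPETITE = {"unacceptable", "really unacceptable"}


def score(frequency: int, magnitude: int) -> int:
    """Risk analysis step: combine the estimated frequency and magnitude."""
    if not (1 <= frequency <= 5 and 1 <= magnitude <= 5):
        raise ValueError("frequency and magnitude must be on the 1..5 scale")
    return frequency * magnitude


def band(risk_score: int) -> str:
    """Risk evaluation step: compare the score against the appetite bands."""
    for upper, name in BANDS:
        if risk_score <= upper:
            return name
    raise ValueError(f"score {risk_score} is outside 1..25")


@dataclass
class RiskScenario:
    """The five scenario components plus the analysis fields the register needs."""
    ident: str
    actor: str
    threat_type: str
    event: str
    asset: str
    timing: str
    frequency: int                              # inherent likelihood (1..5)
    magnitude: int                              # inherent impact (1..5)
    owner: str
    response_status: str = "none"               # status of the mitigation plan
    residual_frequency: Optional[int] = None    # estimate after the response, if any
    residual_magnitude: Optional[int] = None
    exception_approved: bool = False            # tolerance exception reviewed and approved

    def inherent_score(self) -> int:
        return score(self.frequency, self.magnitude)

    def residual_score(self) -> int:
        f = self.frequency if self.residual_frequency is None else self.residual_frequency
        m = self.magnitude if self.residual_magnitude is None else self.residual_magnitude
        return score(f, m)


def build_register(scenarios: List[RiskScenario]) -> List[Dict]:
    """Produce register rows, prioritised by residual score (highest first)."""
    rows = []
    for s in scenarios:
        inherent, residual = s.inherent_score(), s.residual_score()
        residual_band = band(residual)
        rows.append({
            "id": s.ident, "event": s.event, "asset": s.asset, "owner": s.owner,
            "likelihood": s.frequency, "impact": s.magnitude,
            "inherent_score": inherent, "inherent_band": band(inherent),
            "residual_score": residual, "residual_band": residual_band,
            "status": s.response_status,
            # Residual risk still above appetite is a tolerance exception and
            # must have been reviewed and approved; otherwise flag it for review.
            "needs_review": residual_band in ABOVE_APPETITE and not s.exception_approved,
        })
    rows.sort(key=lambda r: r["residual_score"], reverse=True)
    for priority, row in enumerate(rows, start=1):
        row["priority"] = priority
    return rows


# Constructed sample scenarios (assumptions, not real assessment data).
SAMPLE_SCENARIOS = [
    RiskScenario("R1", "external", "malicious", "ransomware encrypts the file server",
                 "file server", "any time", 3, 5, "IT operations",
                 response_status="implemented", residual_frequency=2, residual_magnitude=3),
    RiskScenario("R2", "internal", "accidental", "misconfigured cloud bucket exposes customer records",
                 "customer data", "month end", 4, 5, "Cloud platform lead",
                 response_status="in progress", residual_frequency=2, residual_magnitude=5),
    RiskScenario("R3", "internal", "accidental", "test data set deleted",
                 "test data", "any time", 1, 2, "QA lead"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_SCENARIOS):
        print(f'{row["priority"]}. {row["id"]} {row["residual_band"]:<20} '
              f'inherent={row["inherent_score"]:>2} residual={row["residual_score"]:>2} '
              f'review={"yes" if row["needs_review"] else "no"}  {row["event"]}')
```

Running the block prints R2 first: its inherent score of 20 sits in the "really unacceptable" band and its residual score of 10 is still "unacceptable" with no approved exception, so it is the one row flagged for review. R1 drops from "unacceptable" to "acceptable" once the implemented response is counted, and R3 lands in the "opportunity" band, where the cost of the existing control is worth questioning.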
53
Q

What are the prerequisites for developing a manageable set of risk scenarios

A
  • Organizational buy-in or support from enterprise entities and business lines, risk management, IT, finance, compliance and other parties
  • Expertise and experience to not overlook relevant scenarios and not be drawn into highly unrealistic or irrelevant scenarios
  • A thorough understanding of the environment
  • The involvement of all stakeholders
54
Q

What is Systemic Risk

A

Something that happens with an important business partner that affects a large group of enterprises within an area or industry

55
Q

What is Contagious Risk

A

Events that happen at several of the enterprise’s business partners within a very short time frame

56
Q

What capabilities are required to deal with obscure or non-historical events?

A
  • Visibility: Be in a position to observe anything going wrong
  • Recognition: Have the capability to recognize an observed event as something that is going wrong
57
Q

Definition of Risk Factors

A

Those features that influence the likelihood and/or business impact of risk scenarios

58
Q

Name the threat types

A
  • Internal or external
  • Intentional or accidental
  • Skilled or amateur
  • Motivated or curious
  • Natural or man-made
  • Physical or related to equipment or utility failures
59
Q

Define External Risk factor

A

Those circumstances that can increase the likelihood or impact of an event and that are not always directly controllable by the enterprise

60
Q

Name the External Factors

A
  • Market/economy
  • Rate of change in the market
  • Competition
  • Geopolitical situation
  • Regulatory environment
  • Technology innovation and evolution
61
Q

Risk Assessment involves what two specific requirements

A
  • Risk identification
  • Risk analysis

62
Q

What is Risk Monitoring

A

The process that systematically tracks and evaluates the performance of risk mitigation actions

63
Q

The Risk Management structure involves

A
  • Planning,
  • Assessment (identification-analysis),
  • Handling,
  • Monitoring and
  • Mitigation
64
Q

Threats are characterized as:

A

Those that are Imminent; those that are Emerging; those that are Consistent and those that are Persistent.

65
Q

What is Delphi

A

A security risk assessment and information-gathering technique that uses the consensus of subject matter experts to determine mission risk

66
Q

Quantitative Risk Assessment is

A

A process used to analyze numerically the probability of each risk and its consequence on mission objectives.

67
Q

What techniques are used in Quantitative Risk Assessment

A

interviewing, sensitivity analysis, decision tree analysis, and simulation

68
Q

Qualitative Risk Analysis is

A

The process of assessing the impact and likelihood of identified risks: what is the probability that the risk will occur, and what is the consequence to mission objectives

69
Q

What are the NIST (SP 800-30) recommended steps for the Risk Assessment Methodology

A
  1. System characterization
  2. Threat Identification
  3. Vulnerability Identification
  4. Control Analysis
  5. Likelihood Determination
  6. Impact Analysis
  7. Risk Determination
  8. Control Recommendations
  9. Results Documentation
70
Q

What are the challenges of Qualitative Risk Analysis

A
  • Subjectivity or bias in data collected
  • Overemphasis on minor events
  • Does not provide good data for cost-benefit analysis
  • Ranking levels may not be meaningful to data providers
71
Q

What are typical Qualitative RA Methods

A
  • Risk Control Self-assessment (RCSA)
  • Scorecards
  • Key risk indicators (KRI)
  • Likelihood/impact matrix
  • Attribute analysis
  • Delphi forecasting
72
Q

Benefits of Quantitative Analysis

A
  • Allows for:
      - Data to be classified and counted
      - Statistical models to be constructed to explain what is being observed
      - Findings to be generalized to a larger population, and direct comparison between two different data sets
  • Produces statistically reliable results
  • Allows discovery of phenomena likely to be genuine vs. merely chance occurrences
73
Q

Quantitative Analysis is

A

The use of numerical and statistical techniques to calculate the likelihood and impact of risk

74
Q

Challenges of Quantitative Analysis

A
  • It is not always easy to collect data on each and every process
  • Data may not be in the desired format or may not meet the needs of quantitative analysis
  • Reliable historical data are not always available for analysis
  • Past data do not necessarily help predict future events (black swan phenomenon)
  • It is difficult to apply statistical models to events that happen infrequently
  • The cost is generally significantly higher than the cost of qualitative analysis
75
Q

What are typical Quantitative RA Methods

A
  • Internal Loss Data
  • External Data
  • Business Process Modeling (BPM) and simulation
  • Statistical process control (SPC)
76
Q

Methods for Uncovering Less Obvious Risk Factors

A
  • Cause-and-Effect analysis
  • Fault tree analysis
  • Sensitivity analysis
77
Q

What is a key business continuity planning (BCP) activity that focuses on determining the impact of an event over time

A
  • Business Impact Analysis
78
Q

Definition of Business Impact Analysis

A

A specialized process to determine the impact of losing the support of any resource

79
Q

A BIA discovery process is meant to

A
  • Reveal the importance of a process and the potential impact that any disruption to that process would have on the enterprise
  • Establish the escalation of loss over time
  • Answer questions about actual procedures, shortcuts, workarounds and the types of failures that may occur
80
Q

In a BIA, what do the questions about actual procedures, shortcuts, workarounds and the types of failures that may occur involve?

A
  • What the process does
  • Who performs the process
  • What the output is
  • The value of the process output to the enterprise
  • How the impact of the loss would escalate over time and at which point failure of the process might threaten the viability of the enterprise
81
Q

Proper execution of the BIA process entails what? What does it include?

A
  • A series of discovery exercises, which include:
      - Asking questions that focus on identifying trigger events
      - Interviewing key personnel
      - Reviewing existing documentation
      - Collecting data by observing business processes and personnel performing actual processes
      - Looking for existing workarounds and alternate procedures
82
Q

Using surveys in the BIA process can do what?

A

Raise issues of accuracy and consistency

83
Q

True or False: The data gathered during the BIA can be used later to guide the formulation of the risk response strategy

A

True

84
Q

What process verifies critical success factors (CSFs)

A

BIA

85
Q

The strategic importance of IT to the modern enterprise is seen through:

A
  • High investment
  • Pervasiveness of IT
  • Reliance on IT’s continuing operation
  • Impact caused when IT does not perform as expected
  • IT’s critical role in realizing efficiencies
  • Ways in which IT enables business to take strategic action
86
Q

Why is monitoring and reporting on risk made difficult?

A

There is no shared language between those estimating the risk and those making risk response decisions

87
Q

What is critical for understanding where there are threats and vulnerabilities and where there are opportunities?

A

Clarity in defining the business impact (both positive and negative) of IT-related risk

88
Q

Definition of Risk as a derived value

A
  • Refers to the likelihood (or frequency) and magnitude of loss that exists from a combination of assets, threats and control conditions
89
Q

Define Threat

A

An action or actor that/who may act in a manner that can result in loss or harm

90
Q

Define Vulnerability

A

A weakness in design, implementation, operation or internal control

91
Q

The adverse impact of a risk event can be described in terms of loss or degradation of any one or a combination of the following three basic IT risk goals:

A
  • Integrity
  • Availability
  • Confidentiality
92
Q

Define Integrity

A

Relates to the accuracy and completeness of information and its validity in accordance with business values

93
Q

What IT risk goal refers to the requirement that information be protected from improper modification

A

System and data integrity

94
Q

What is Loss of Integrity

A
  • Unauthorized changes are made to the data or information system by either intentional or accidental acts
95
Q

What’s the impact of Loss of Integrity

A
  • Continued use of the contaminated system or corrupted data may result in inaccuracy, fraud or erroneous decisions
  • Violation of integrity may be the first step in a successful attack against system availability and confidentiality
96
Q

Define Availability

A

Relates to the information being accessible when required by the business process, and also concerns the safeguarding of necessary resources and associated capabilities

97
Q

What is Loss of Availability

A

A mission-critical IT system is unavailable to its end users and the enterprise’s objectives may be affected

98
Q

What is the impact of Loss of Availability

A

Loss of system functionality and operational effectiveness may result in loss of productive time, thus impeding the end user’s performance of their functions in supporting the enterprise’s objectives

99
Q

Define Confidentiality

A

Relates to the protection of information from unauthorized disclosure

100
Q

Data must be protected from improper disclosure depending on

A

The sensitivity of the data and associated legal requirements

101
Q

What is Loss of Confidentiality

A

Unauthorized disclosure of confidential or sensitive information

102
Q

What is the Impact of Loss of Confidentiality

A
  • Ranges from jeopardizing national security to the disclosure of data covered under local privacy law
  • Unauthorized, unanticipated or unintentional disclosure of such information can result in loss of public confidence, loss of competitive advantage, embarrassment or legal action against the enterprise
103
Q

Some tangible impacts of IT risk can be measured quantitatively as in:

A
  • Lost revenue
  • Cost of repairing the system
  • The level of effort required to correct problems caused by a successful threat action
104
Q

Business impact of IT-related risk in terms of High, Med, Low include:

A
  • Loss of public confidence
  • Loss of credibility
  • Damage to an enterprise’s interest
  • Impact on morale in the enterprise
105
Q

What is the key task related to risk assessment during the functional requirements definition phase? What will the level of risk associated with a system depend on?

A
  • To ensure that the risk associated with the system is identified
  • The criticality of the system (how important it is to supporting business operations) as well as the sensitivity (privacy) needs and criticality needs of the data being processed on the system
106
Q

What are the risks associated with Outsourcing? What is one risk the enterprise must be aware of? How can it protect itself?

A
  • Enterprise becomes reliant on another enterprise for its support
  • Risk related to privacy laws that may affect where data are stored and the need to protect sensitive data in transit, storage and processing from inadvertent or unauthorized disclosure
  • In many jurisdictions the responsibility for protection of data remains with the original enterprise, not the outsourcing firm
  • Ensure the security requirements and the proper audits are included in contracts
107
Q

IT projects are subject to risk of failure due to what factors?

A
  • Unrealistic delivery schedules or budget
  • Lack of skilled resources
  • Unclear or changing business requirements
  • Challenges with technology
  • Poor project mgmt
  • Resistance from users
108
Q

IT project failure may have business impacts such as?

A
  • Loss of opportunity or market share
  • Inability to meet customer or regulatory demand
  • Lost revenue
  • Other tangible or intangible consequences
109
Q

What are the three broad risk factors to consider when planning a BPR project

A
  • Design risk
  • Implementation risk
  • Operation or rollout risk
110
Q

What are the risk types under BPR project Design Risk Area?

A
  • Sponsorship risk
  • Scope risk
  • Skill risk
  • Political risk
111
Q

What are the risk types under BPR project Implementation Risk Area?

A
  • Leadership risk
  • Technical risk
  • Transition risk
  • Personnel risk
  • Scope risk
112
Q

What are the risk types under BPR project Operation or Rollout Risk Area?

A
  • Management risk
  • Technical risk
  • Cultural risk
113
Q

What is the most effective way to achieve the highest return on investment (ROI)?

A

Thinking big

114
Q

It is a design failure if what is excluded from the scope of change?

A
  • Politically sensitive processes and existing jobs are excluded
115
Q

What are the Risk Components

A
  • Inherent risk
  • Residual risk
  • Control risk
  • Detection risk
116
Q

What are the control types in Inherent Risk

A
  • Pervasive IT controls
  • Specific IT controls

117
Q

Define Inherent Risk and provide an example. Is this risk ordinarily high, medium or low?

A
  • The risk level/exposure without taking controls or other management actions into account
  • Example: The inherent risk associated with OS security is high, because changes to, or even disclosure of, data or programs through OS security weaknesses could result in system failure, security breach or regulatory penalties
  • Ordinarily high
118
Q

Define Residual Risk?

A

Risk that remains after management has implemented a risk response

119
Q

Define Control Risk and provide an example. Is this risk ordinarily high, medium or low?

A
  • Risk of failure of the internal control systems to prevent, detect or correct an incident in a timely manner
  • Example: Control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed due to the volume of logged information
  • Ordinarily low
120
Q

Define Detection Risk and provide an example?

A
  • Risk that the prescribed controls, substantive testing procedures, or monitoring will not detect an error that could be material, individually or in combination with other errors
  • Example: An IDS, an AV system, or FW is unable to detect or notice adverse conditions and trigger an adequate response
121
Q

What is it called when an IDS, AV system or FW is unable to detect or notice an adverse condition and trigger an adequate response?

A

A false-negative: An indication that everything is fine when there actually is a problem

122
Q

The calculation of risk for IT system is directly affected by?

A

The type of architecture the enterprise is using

123
Q

True/False: IT has the task of assisting in the management of business risk?

A

True

124
Q

What is IT relied on and specifically for what domain?

A
  • Relied on for advanced risk analytics and reporting in the domain of Risk Mgmt Information Systems (RMIS)
125
Q

An Enterprise Risk Management model must address the enterprise’s objectives with control objectives for risk in what categories of business?

A
  • Planning, Operational, Financial reporting and Compliance
126
Q

Separation of Duties (SOD) is also called what?

A

Segregation of duties

127
Q

What is a key component to maintaining a strong internal control environment? Why?

A
  • Separation of Duties
  • It reduces the risk of errors and fraudulent transactions

128
Q

What is the result when the duties for a process or transaction are segregated? Why?

A

  • It forces the involvement of more than one person to accomplish a task, so it becomes more difficult for fraudulent activity to occur
  • It would require collusion among several employees

129
Q

Automated SOD tools contain what three elements?

A
  • Access control
  • Process control
  • Continuous monitoring
130
Q

In SOD, explain Access Controls?

A
  • Restrict access to the business system and data to ensure only authorized individuals have access and the user is granted the minimal level of access required to perform their duties
131
Q

In SOD, explain Process Controls? What are some of the techniques employed?

A

Restrict the activities performed by authorized users.

  • Dual control - requiring two people to take action simultaneously to perform a task
  • Mutual exclusivity - once one person has executed a task, they are prohibited from executing subsequent tasks
132
Q

In SOD, explain Continuous monitoring?

A

- Employs automation to detect system transactions, setup or data changes that contravene corporate policy

133
Q

What are two specific contribution areas for IT in managing business risk?

A
  • Locked-down operating

- Decision support, risk analytics and reporting

134
Q

What is Locked-down operating? Give an example?

A
  • IT can be used to build in business process controls through automation. Automation forces routine aspects of business to be locked down to a predictable and repeatable pattern
  • Example: Using templates
135
Q

What is the goal of risk management for information systems?

A

To achieve compatible and efficient IT monitoring and reporting processes for capturing, analyzing and ultimately reporting risk factors of all types across the enterprise

136
Q

What does Risk Awareness acknowledge?

A
  • Risk is well understood and known
  • IT risk issues are identifiable
  • The enterprise recognizes and uses the means to manage risk
137
Q

If risk is to be managed and mitigated what must first be done?

A

- Discussed and effectively communicated at an appropriate level to the various stakeholders and personnel

138
Q

What are the benefits of open communication on risk?

A
  • Assistance in executive management’s understanding of the actual exposure to IT risk
  • Awareness among all internal stakeholders of the importance of integrating risk management into their daily duties
  • Transparency to external stakeholders regarding the actual level of risk and risk management processes in use
139
Q

What are the consequences of poor risk communication?

A
  • A false sense of confidence at all levels of the enterprise and higher risk of a breach or incident that could have been prevented
  • Lack of direction or strategic planning to mandate risk management efforts
  • Unbalanced communication to the external world on risk, especially in cases of high, but managed, risk, which may lead to an incorrect perception on actual risk by third parties
  • Perception that the enterprise is trying to cover up known risk from stakeholders
140
Q

What is an unacceptable risk management strategy?

A

- Risk ignorance

141
Q

What are the risk components to be communicated?

A
  • Expectations from risk management
  • Current risk management capability
  • Status
142
Q

Why is Expectations from Risk Management an essential communication component?

A
  • Communicates the risk strategy, policies, procedures, awareness training and continuous reinforcement of principles
  • Drives all subsequent efforts on risk management
  • Sets the overall expectations about the risk management program
143
Q

What information comes from Current Risk Management Capability communication?

A
  • Allows for monitoring of the state of the “risk management engine” in the enterprise
  • Is a key indicator for good risk management
  • Has predictive value for how well the enterprise is managing risk and reducing exposure
144
Q

Status communication consists of?

A
  • Risk profile of the enterprise; the overall portfolio of (identified) risk to which the enterprise is exposed
  • Key risk indicators (KRI) to support management reporting on risk
  • Event/loss data
  • Root cause of loss events
  • Options to mitigate risk (incl cost and benefits)
145
Q

What are the required elements of effective communication?

A
  • Clear
  • Concise
  • Useful
  • Timely
  • Correct target audience
  • Available on a need-to-know basis