Domain 1 - Part A Flashcards

1
Q

What does governance establish?

A

Governance establishes requirements for how to achieve the proper balance and conformance within an enterprise in order to meet stakeholder needs and deliver value.

It also establishes the accountability for protection of organizational assets.

  • How to achieve proper balance and conformance to meet stakeholder needs and deliver value
  • Establishes accountability for protection of organizational assets
2
Q

Who, in a corporate structure, is accountable for governance?

A

In a corporate structure, the directors of an enterprise (frequently organized as a board) are accountable for governance and entrust the senior management team with the responsibility to manage the day-to-day operations in alignment with the strategic mandates that the directors approve.

3
Q

Describe the risk governance structure.

A
4
Q

Governance may take the form of: … ? (name 6)

A

It may take the form of:
- financial accountability and oversight,
- operational effectiveness,
- legal and regulatory compliance,
- adoption of fair labor practices,
- social responsibility,
- and governance of IT investment, operations and control.

5
Q

What is the keystone of governance?

A

Risk management is the keystone of governance.

Accurate information is required to be able to correctly understand the various threats and subsequent risk being faced and influences how the enterprise chooses to respond.

6
Q

Corporate governance is the system by which organizations… do what? (name 4)

A

Corporate governance is the system by which organizations:
- evaluate,
- direct,
- monitor,
- and ultimately control
an enterprise.

7
Q

By extension, the governance of enterprise IT is the system by which the current and future use of IT are… ? (name 4)

A

By extension, the governance of enterprise IT is the system by which the current and future use of IT are:
- evaluated,
- directed,
- monitored
- and ultimately controlled.

8
Q

What is the objective of any governance system?

A

The objective of any governance system is to enable enterprises to create value for their stakeholders or to promote the creation of value.

Value creation, in turn, consists of:
- benefit realization,
- risk optimization
- and resource optimization.

9
Q

What 4 questions does governance answer?

A

Governance answers four questions:
- Are we doing the right things?
- Are we doing them the right way?
- Are we getting them done well?
- Are we seeing expected benefits?

10
Q

What happens in a well-managed enterprise that lacks proper governance?

There is a distinction between the governance and management functions:

Management activities focus on:
- planning,
- building,
- running
- and monitoring
to ensure proper and continued alignment with the defined goals and objectives established by the governing body.

A

A well-managed enterprise that lacks proper governance often develops and executes defined plans to meet objectives; however, because those objectives are not aligned with the enterprise’s strategic vision and goals, they do not create any value.

11
Q

As with enterprise governance, those who are responsible for governance over risk management must evaluate, direct and monitor risk management efforts.

Senior management needs to: … ? (name 3)

A

Senior management needs to:
- identify,
- define
- and communicate
the goals and objectives of risk management capabilities.

This communication ensures that risk-management processes, practices and activities are properly aligned and become part of business processes and are embedded within the normal routine and operations of the enterprise.

12
Q

Why does an enterprise exist?

A

An enterprise exists for the sole purpose of achieving the defined strategic vision.

13
Q

What is the enterprise’s strategy?

A

An enterprise’s strategy is the focus of its efforts; these are the primary drivers behind how investments and decisions are made and which actions are taken.

14
Q

What are according to COBIT four strategic archetypes that help describe strategies?

A
  • Growth/Acquisition
  • Innovation/Differentiation
  • Cost Leadership
  • Client Service/Stability
15
Q

Please describe the COBIT strategic archetype: Growth/Acquisition.

A

The enterprise has a focus on growing (revenues).

16
Q

Please describe the COBIT strategic archetype: Innovation/Differentiation.

A

The enterprise has a focus on offering different and/or innovative products and services to their clients.

17
Q

Please describe the COBIT strategic archetype: Cost Leadership.

A

The enterprise has a focus on short-term cost minimization.

18
Q

Please describe the COBIT strategic archetype: Client Service/Stability.

A

The enterprise has a focus on providing stable and client-oriented service.

19
Q

What does understanding the strategy archetype allow the enterprise to do?

A

Understanding the strategy archetype allows the enterprise to align risk governance processes and ensure that risk efforts are:
- evaluated,
- directed,
- and monitored
in the proper context.

20
Q

At a high level, what are the goals of risk practitioners?

A
  • Provide the accurate, complete and timely information that senior management requires to make the best and most well-informed decisions possible.
  • Identify and assess the risk that has the highest likelihood of occurrence and/or the greatest ability to impact the enterprise’s ability to achieve its goals and objectives, and advise on the appropriate response.
  • Through the activities above, allow the enterprise to balance performance and conformance requirements in the way that best suits it.
21
Q

What are the four core objectives of risk governance?

A
  1. Establish and maintain a common risk view.
  2. Integrate risk management into the enterprise.
  3. Make risk-aware business decisions.
  4. Ensure that risk management controls are implemented and operating correctly.
22
Q

Four core objectives of risk governance: Describe Establish and maintain a common risk view.

A

Effective risk governance establishes the common view of risk for the enterprise.

The risk governance function sets the tone of the business regarding how to determine an acceptable level of risk tolerance.

Risk governance is a continuous life cycle that requires regular reporting and ongoing review.

The risk governance function must oversee the operations of the risk management team.

23
Q

Four core objectives of risk governance: Describe Integrate risk management into the enterprise.

A

Integrating risk management into the enterprise enforces a holistic enterprise risk management (ERM) approach across the entire enterprise. It requires the integration of risk management into every department, function, system and geographic location.

Understanding that risk in one department or system may pose an unacceptable risk to another department or system requires that all business processes be compliant with a baseline level of risk management.

Therefore, it is important to provide both top-down and bottom-up approaches to enterprise risk.

The objective of ERM is to establish the authority to require all business processes to undergo a risk analysis on a periodic basis or when there is a significant change to the internal or external environment.

24
Q

Four core objectives of risk governance: Describe Make risk-aware business decisions.

A

To make risk-aware business decisions, the risk governance function must consider the full range of opportunities and consequences of each decision and its impact on the enterprise, society and the environment.

25
Q

Four core objectives of risk governance: Describe Ensure that risk management controls are implemented and operating correctly.

A

Governance requires oversight and due diligence to ensure that the enterprise is following up on the implementation and monitoring of controls, so that the controls are effective in mitigating risk and protecting organizational assets.

26
Q

What should enterprises do to deliver and provide a successful risk management capability? (9 answers)

A

In order to deliver and provide a successful risk management capability, enterprises should:

  • Consider the available methods, models and frameworks that best align with the enterprise’s culture, maturity and industry
  • Define the risk taxonomy (i.e., how risk is classified)
  • Define the risk ontology (i.e., the set of concepts, categories and their properties and the relations of the various risk elements)
  • Integrate risk efforts into the enterprise
  • Manage risk within the enterprise
  • Determine the process for making risk-based business decisions
  • Track and trend the outcomes of risk efforts
  • Report on the status of risk being managed by the enterprise
  • Allocate the necessary resources to implement IT risk management (e.g., staff with the right experience and skills)
27
Q

How is Risk Management defined?

A

Risk management is defined as the coordinated:
- activities,
- practices
- and processes
that are used in an attempt to inform, direct and influence an enterprise with regard to risk.

28
Q

What is the International Organization for Standardization (ISO) 31000:2018 - Risk management - Guidelines definition of risk?

A

International Organization for Standardization (ISO) 31000:2018 - Risk management - Guidelines defines risk as:
the effect of uncertainty on objectives. An effect is a deviation from the expected - positive and/or negative.

29
Q

What is the ISO/International Electrotechnical Commission (IEC) 27005:2018 - Information technology - Security techniques - Information security risk management definition of risk?

A

In contrast, ISO/International Electrotechnical Commission (IEC) 27005:2018 - Information technology - Security techniques - Information security risk management regards risk solely from a negative angle, stating that “information security risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.”

30
Q

What are other environmental factors that should be considered in risk management? (10 factors)

A

Other factors to consider include:
- Dependency of the enterprise on third parties, such as a supply chain - especially when based in another geographic region or reliant upon just-in-time delivery
- Influence of financing, debt and partners or substantial stakeholders
- Vulnerability to changes in economic or political conditions
- Changes to market trends and patterns
- Emergence of new competition
- Emergence of new, disruptive technologies
- Impact of new legislation
- Existence of potential natural disaster
- Constraints caused by legacy systems and antiquated technology
- Strained labor relations and inflexible management.

31
Q

Scope of IT-related Risk relative to other Major Categories of Risk - Explain figure 1.4

32
Q

Name examples of strategic risk.

A
  • Changes in customer preference or stakeholder preference, executive turnover
33
Q

Name examples of Environmental risk.

A

Pollution or disturbance of protected areas

34
Q

Name examples of Market risk.

A

Foreign-exchange rates, availability of commodities and raw materials, interest rates

35
Q

Name examples of Credit risk.

A

Callable loans, damage to assets for which the organization is an insurer

36
Q

Name examples of Operational risk.

A

Employee errors, fraud, theft

37
Q

Name examples of Compliance risk.

A

Failure to meet regulatory requirements, inaccurate documentation

38
Q

Name examples of IT benefit/value enablement risk.

A

Delivered projects do not create expected value

39
Q

Name examples of IT program and project delivery risk.

A

Projects are not delivered in a manner consistent with plans

40
Q

Name examples of IT operations and service delivery risk.

A

Delivered services fall short of service level agreements (SLAs)

41
Q

Name examples of Cyber and information security risk.

A

Data breach

42
Q

Risk is an influencing factor and must be evaluated … (continue this sentence)

A

Risk is an influencing factor and must be evaluated at all levels of the enterprise - the strategic level, the business unit level and the information systems level.

43
Q

What does a properly-managed risk program do?

A

A properly-managed risk program addresses the impact of risk at all levels and describes how risk at one level may affect the other levels.

44
Q

Finish the sentence:
IT risk management is the implementation of a risk strategy that reflects the…

A

IT risk management is the implementation of a risk strategy that reflects the:
- culture,
- appetite,
- and tolerance levels of risk
from organizational management; considers:
- resources,
- maturity,
- technology
- and budgets;
and addresses business requirements stemming from regulatory, statutory and contractual compliance drivers.

An effective IT risk management strategy is critical to an enterprise’s ability to execute its overall business strategy effectively and efficiently.

45
Q

Describe the IT Risk Management Life Cycle:

A
  1. IT Risk identification
  2. IT Risk Assessment
  3. Risk Response and Mitigation
  4. Risk and Control Monitoring and Reporting
46
Q

What is the first step in the IT risk management process?

A

IT Risk Identification

IT risk management is a cyclical process.
The first step in the IT risk-management process is the identification of IT risk, which includes determining the:
- the risk context and risk framework,
- the enterprise’s risk appetite and tolerance levels,
- and the process of identifying and documenting risk.

47
Q

What should the first step of the IT Risk Management Process - IT Risk Identification result in?

A

The risk identification effort should result in the listing and documentation of the threats posed to:
- organizational assets,
- the efficacy of existing controls,
- and any personnel, processes and technology
that may be vulnerable or have a perceived weakness, together with the potential harm introduced should the threat be realized. This serves as the input for the next phase of the process, IT risk assessment.

48
Q

What is the second step in the IT risk management process?

A

IT Risk Assessment

An assessment effort requires the analysis and evaluation of threats in order to then assess and prioritize risk in context of the enterprise’s defined risk appetite and criteria for deviations where risk tolerances would be increased.

49
Q

What is the third step in the IT risk management process?

A

Risk Response and Mitigation

The second step (IT Risk Assessment) provides management with the information needed for risk response and mitigation, the third phase of the cycle, which seeks and implements cost-effective ways to address the risk that has been identified and assessed.

50
Q

What is the fourth and final step in the IT risk management process?

A

Risk and Control Monitoring and Reporting

The final phase is risk and control monitoring and reporting, in which controls, risk management efforts and the current risk state are monitored, and the results reported back to senior management.

51
Q

What are the consequences of failing to perform any one of the phases in a complete and thorough manner?

A

A failure to perform any one of the phases in a complete and thorough manner may result in deficiencies being carried forward that cause the overall process to be ineffective.

52
Q

What should happen the more the IT risk management life cycle is repeated?

A

As with all life cycles, the process continues with refinement, adaptation and a focus on continuous improvement and maturity. The more often the risk management life cycle is repeated, the more effective the IT risk management effort will be and the more consistency the organization will see.

53
Q

What must be formally:
- defined,
- approved,
- accepted,
- established,
- and communicated
to all parties before discussing risk?

A

Taxonomies and ontologies for risk must be formally defined, approved, accepted, established and communicated to all parties, ensuring that there is no miscommunication or misunderstanding when discussing risk.

54
Q

What is the fundamental nature of risk?

A

The fundamental nature of risk is that it addresses the odds that some event will happen (likelihood) and what it would mean for the enterprise if that event did happen (impact/consequence).

55
Q

When viewed from the perspective of how assets are used within the enterprise, it becomes possible to quantify impact in terms of: … (name 7)

A

When viewed from the perspective of how assets are used within the enterprise, it becomes possible to quantify impact in terms of:
- productivity
- Response costs
- Legal (fines/penalties/summary judgements)
- Competitive advantage
- Damaged reputation/brand impact
- Impaired growth
- Health, safety, security and environment concerns.

56
Q

Knowing the potential losses associated with risk provides a basis for what… ?

A

Knowing the potential losses associated with risk provides a basis for deciding how to respond to risk that is beyond acceptable levels because it does not make sense to spend more to respond to a risk than the cost the risk itself presents.

57
Q

IT Risk Management is important to the organization because of the benefits that the program delivers, such as the following: … (name at least 6)

A
  • Better oversight and understanding of organizational assets
  • Reduced or minimized losses
  • Identification of threats, vulnerabilities and consequences on a proactive basis
  • Prioritization of risk response efforts that align with organizational goals and priorities
  • A more holistic basis for and approach to legal and regulatory compliance
  • Increased likelihood of project success
  • Improved performance
  • Greater stakeholder confidence
  • Creation of a risk-aware culture with less reliance on specialists
  • Better incident management, business continuity management and overall organizational resiliency
  • Improved control selection and implementation
  • Monitoring and reporting that is meaningful to the organization
  • Improved decision making as a result of expanded access to accurate, timely information
  • An increased ability to meet business objectives and create value
  • Transparency of operations and transactions processing for added value to the enterprise’s image