Domain 1 - Part B Flashcards
What is IT risk? (6 points)
IT risk is the business risk associated with the:
- use,
- ownership,
- operation,
- involvement,
- influence
- and adoption
of IT within an enterprise.
All IT risk must be considered by both its impact on ____ and its impact on ____. (Complete)
All IT risk must be considered both by its impact on IT services and its impact on enterprise operations.
It is the ability to see these dual perspectives which provides the practitioner the appropriate context when: … (4 points)
It is this ability to see these dual perspectives which provides the practitioner the appropriate context when:
- analyzing,
- evaluating,
- assessing
- and recommending
potential response options.
Name 12 types of IT-related Business risks.
- Access Risk
- Availability risk
- Cyber and information risk
- Emerging technology risk
- Infrastructure risk
- Integrity risk
- Investment or expense risk
- Program/Project risk
- Relevance risk
- Schedule risk
- Talent risk
- Third-party risk
Explain the IT-related Business Risk: - Third-party risk?
Third-party risk.
Threats introduced by an external entity (vendor, provider, regulatory body) which impact the enterprise.
Explain the IT-related Business Risk: - Access Risk?
Access Risk.
The risk that information may be divulged or made available to recipients without authorized access by the information owner, reflecting a loss of Confidentiality and Integrity.
Explain the IT-related Business Risk: - Availability risk?
Availability risk.
The risk that service may be lost, or data are not accessible when needed.
Explain the IT-related Business Risk: - Cyber and information risk?
Cyber and information risk.
Failure to ensure the proper safeguarding of:
- [[Privacy]]
- [[Confidentiality]]
- [[Integrity]]
- [[Availability]]
of information, regardless of medium.
Explain the IT-related Business Risk: - Emerging technology risk?
Emerging technology risk.
Threats associated with the use and implementation of new technology, which have not yet been fully adopted, evaluated or tested for operational:
- resiliency,
- suitability,
- sustainability,
- or security.
Explain the IT-related Business Risk: - Infrastructure risk?
Infrastructure risk.
The risk that the IT infrastructure and system may be unable to effectively support the current and future needs of the business in an:
- efficient,
- cost-effective,
- and well-controlled fashion
(includes hardware, networks, software, people and processes).
Explain the IT-related Business Risk: - Integrity risk?
Integrity risk.
The risk that data may be unreliable due to incompleteness or inaccuracy.
Explain the IT-related Business Risk: - Investment or expense risk?
Investment or expense risk.
The risk that the IT investment fails to provide value commensurate with its cost or is otherwise excessive or wasteful, including the overall IT investment portfolio.
Explain the IT-related Business Risk: - Program/Project risk?
Program/Project risk.
The risk of IT projects failing to meet objectives through lack of accountability and commitment.
Explain the IT-related Business Risk: - Relevance risk?
Relevance risk.
The risk that the right information may not get to the right recipients at the right time to allow the right action to be taken or the right decisions to be made.
Explain the IT-related Business Risk: - Schedule risk?
Schedule risk.
The risk of IT projects taking longer than expected.
Explain the IT-related Business Risk: - Talent risk?
Talent risk.
The failure to source and the inability to retain the qualified talent needed to achieve the enterprise’s strategy.
IT risk is only one component of the overall risk universe of an enterprise, which also includes risk associated with: … (name 5 points)
In addition, the risk practitioner should be aware that IT risk is only one component of the overall risk universe of an enterprise, which also includes risk associated with:
- credit,
- regulatory compliance,
- environmental
- and labor considerations,
plus other factors substantially independent of IT.
Senior management support is vitally important throughout the risk-management process.
With it, the risk-management process is much more likely to have what? (4 points)
Senior management support is vitally important throughout the risk-management process. With it, the risk-management process is much more likely to have the:
- budget,
- authority,
- access to personnel and information,
- and legitimacy
that will provide a successful result.
What does effective risk management depend on?
Effective risk management depends on knowing the enterprise’s goals and objectives.
What is the best way to understand the goals and objectives of the enterprise?
The best way to understand the goals and objectives of the enterprise is to maintain an active dialogue and regular communication with senior management.
Risk considers both the potential gains and possible losses of pursuing new ventures, which may include:
Name 4 points.
Risk considers both the potential gains and possible losses of pursuing new ventures, which may include:
- financial loss,
- reputational damage,
- changes in employment agreements
- and entry into new markets which introduce new regulatory environments.
What should the risk practitioner seek to do to avoid being seen as obstructionist? (7 points)
To avoid being seen as obstructionist, the risk practitioner should seek to:
- Understand the business in its proper context
- Listen to and understand the defined strategy
- Proactively seek out ways to secure appropriate technologies and business processes
- Build relationships that promote communication, allowing risk management functions to be incorporated into business processes and new projects.
- Be aware of changes to ensure the ability to respond accordingly
- Work to create a culture that encourages open and informed discussions of risk
- Advise on the various aspects of risk, but do not make decisions on behalf of the business.
What is the RACI Model?
The use of a RACI model can assist in outlining the roles and responsibilities of the various stakeholders. The purpose of a RACI model is to clearly show the relationships between the various stakeholders, the interaction between the stakeholders and the roles that each stakeholder plays in the successful completion of the risk management effort.
What does RACI mean?
There are four main types of roles that are involved in the risk management process:
- Responsible
- Accountable
- Consulted
- Informed
RACI Model: Explain R
Responsible.
These individuals, often the risk practitioner, are responsible for carrying out risk management efforts. Management can be responsible if risk includes the decisions made by the enterprise.
RACI Model: Explain A
Accountable.
These individuals, often senior management, are accountable for ensuring that risk management efforts are properly staffed, budgeted and are being carried out as planned.
RACI Model: Explain C
Consulted.
These individuals, often business process owners or executive leadership, provide required support and assistance in ensuring that risk management efforts are able to be carried out, in accordance with the direction of senior management.