GRC - governance, risk and compliance

Question 1

Governance

Answer 1

set of rules principles, policies that an organization must achieve in order to align with its business goals

Question 2

Risk management

Answer 2

Identifying, evaluating and monitoring the risk (legal, financial, security)
=> creates value and contribute to achievement of objectives + improvement of performance

Question 3

Risk management system

Answer 3

Technologies + people + processes => enforce risk mitigation

Question 4

Framework for Risk

Answer 4

ISO 31 000: guidelines for managing risks

Question 5

Framework for Governance

Answer 5

ISO/IEC 38500:2015: Governance is part of corporate governance

Question 6

IT management

Answer 6

internal + present oriented focus

Question 7

IT governance

Answer 7

external + future oriented focus

Question 8

Compliance

Answer 8

ORG adhering to government regulation, industrial standards and internal policies (failure: financial penalties + legal issues)

Question 9

Success of compliance

Answer 9

ORG should track and control internal + external compliance requirements and provide training to employees

Question 10

Digital trust

Answer 10

confidence in the integrity of the interactions among providers and consumers within a digital ecosystem

Question 11

Digital trust relevance

Answer 11

brand reputation + operational resilience

Question 12

Key factors of DT

Answer 12

quality, availability, security, privacy, ethics, transparency, honesty, resiliency

Question 13

GRC capability model 3.5 (OCEG)

Answer 13

integrates risk governance and audit, ethics/culture, IT and compliance

Question 14

OCEG

Answer 14

open compliance and ethics group
=> help solve problems using interdisciplinary approach

Question 15

4 components of GRC capability model

Answer 15

Learn
Align
Perform
Review

Question 16

Dimensions to assess total performance

Answer 16

Effectiveness
Efficiency
Agility
Resilience

Question 17

Structure of GRC Capability model 3.5

Answer 17

GRC concepts
GRC capabilities
GRC glossary

Question 18

Principled performance

Answer 18

Reliability
Achieving objectives
Address uncertainty
Act with integrity

Question 19

Assurance

Answer 19

provides reliability and confidence to management

Question 20

Assurance quality

Answer 20

1. Competence/rigor
2. Objectivity

Question 21

Maturity model

Answer 21

1. Siloed
2. Transition
3. Managed
4. Transform
5. Advantaged

Question 22

Success of maturity journey

Answer 22

Top management commitment
Budget and resources
Performance and acceptable risk
stakeholder involvement

Question 23

GRC tools

Answer 23

Audit & assessment
Control library (ICS)
Policies and instructions
Risk management
Templates and checklist
Dashboard and reporting
Action item management

Question 24

All under 1 roof approach (Control library)

Answer 24

Control standard
Assets category
Functional scope

Question 25

ISACA

Answer 25

• Information system audit and control association
• provider of GRC tools, trainings and certifications in the context of digital ecosystem

Question 26

COBIT

Answer 26

Control objectives for information and related technology
=> provides guideline for directors on the effective use of IT within ORG

Question 27

Process Reference model of governance and management objectives (ISACA)

Answer 27

Governance + management view

Question 28

APO01: Management view

Answer 28

Managed information & Technology mgmt framework
Domain: Align, plan, organize

Question 29

Director should govern through 3 tasks:

Answer 29

1. Evaluate (current and future use of IT)
2. Direct (implementation of plan and policies to meet business goals)
3. Monitor (conformance to policies + performance)

Question 30

Governance perspective

Answer 30

board level (EDM)
=> ensure objectives met by evaluating stakeholders needs
=> set prioritization and decision making
=> monitor performance against agreed direction and objectives

Question 31

Management perspective

Answer 31

executive level (PBRM)
=> plan, build, run, monitor activities (business processes) aligned with governance body to achieve ORG goals

Question 32

IT refers to

Answer 32

department responsible for technology

Question 33

I & T refers to

Answer 33

all information a company generates

Question 34

key concepts
Internal stakeholders

Answer 34

executives, board members, business managers, IT managers, Assurance providers, risk managers

Question 35

key concepts
External stakeholders

Answer 35

regulators, IT vendors, business partners

Question 36

6 principle for governance system

Answer 36

1. Stakeholder value
2. Holistic approach
3. Dynamic governance system
4. Distinction between MNGT and GOV
5. Tailored to enterprise’s needs
6. E2E GOV system

Question 37

5 domains - Core components

Answer 37

GOV
EDM: evaluate direct monitor

MGMT
APO: align plan organize
BAI: build acquire implement
DSS: deliver service support
MEA: monitor evaluate assess

Question 38

Components of a GOV system

Answer 38

1. Processes
2. ORG structure
3. Policies/principles
4. Information
5. Culture/ ethics
6. People/skills
7. service infrastructure and APP

Question 39

3 types of design factors

Answer 39

Enterprises strategy
Threat landscape
Role of IT

Question 40

When should be the design factors considered ?

Answer 40

When designing and implementing Enterprise governance of information and technology (EGIT)

Question 41

Process EDM01

Answer 41

Ensured governance framework setting and maintenance

Question 42

APO12

Answer 42

Managed risk

Question 43

COBIT 19 tools

Answer 43

• Management awareness diagnostic
• RACI by role
• GOV mgmt objectives - practices- activities