
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Certified in Risk and Information Systems Control (CRISC)
COURSE OVERVIEW

Course Topics

Domain 1: Governance
Domain 2: IT Risk Assessment
Domain 3: Risk Response and Reporting
Domain 4: Information Technology and Security

©2021. ISACA. All Rights Reserved



CRISC Job Practice and Questions

• CRISC exam contains 150 questions total
• Percentage based on domain weight
• Multiple choice questions based on practical knowledge

[Pie chart of exam weight by domain: Domain 1 Governance 26%, Domain 2 IT Risk Assessment 20%, Domain 3 Risk Response and Reporting 32%, Domain 4 Information Technology and Security 22%]

MODULE 1: Governance


Exam Relevance
The domain represents approximately 26% of the CRISC examination (approximately 39 questions).

[Pie chart of exam weight by domain: Domain 1 26%, Domain 2 20%, Domain 3 32%, Domain 4 22%]

Session Topics
Key Risk Concepts
Organizational Strategy, Goals and Objectives
Organizational Structure, Roles and Responsibilities
Organizational Culture and Assets
Policies, Standards and Business Process Review
Risk Governance Overview
Enterprise Risk Management, Risk Management Frameworks and Three Lines of Defense
Risk Profile, Risk Appetite and Risk Tolerance
Professional Ethics, Laws, Regulations and Contracts


Learning Objectives
Outline how the key concepts of risk impact the enterprise.

Distinguish between governance and management functions.

Describe the relationship between enterprise risk and IT risk.

Define roles and responsibilities within the organizational structure and explain
how they relate to risk management.

Outline the impact of organizational culture on risk management.

Identify organizational assets and how they are valued.

Explain how policies and standards provide direction to the enterprise.

Describe how business process reviews help improve enterprise effectiveness.

Learning Objectives

Describe the concepts of enterprise risk management.

Assess risk frameworks and their role in enterprise risk management.

Explain the role of the risk practitioner in the three lines of defense.

Define the types of risk profiles.

Describe the relationship between risk appetite and risk tolerance.

Describe the impact of legal, regulatory, and contractual obligations regarding risk management.

Explain the importance of professional ethics in risk management.


Key Risk Concepts

Setting Context for Risk in the Enterprise

[Diagram: a cycle of Setting Context, Risk Identification and Assessment, Risk Analysis and Business Impact Evaluation, Risk Response, and Risk Reporting and Communication, with Communication at the center]

Key Risk Terminology
• Likelihood
• Event
• Impact
• Threat
• Vulnerability


Quantifying Risk
Productivity
Damaged Reputation
Response Costs
Impaired Growth
Legal and Regulatory
Health, safety, environment
Competitive Advantage

Setting a monetary value of total losses an enterprise is willing to incur is easier than outlining possible negative outcomes.

Awareness of potential losses associated with risk helps with deciding how to respond to risk beyond acceptable levels.

Review Question
IT risk is measured by its:

A. level of damage to IT systems.

B. impact on business operations.

C. cost of countermeasures.

D. annual loss expectancy.


Organizational Strategy, Goals and Objectives

Organizational Governance Overview

[Diagram: Governance at the center, balancing Accountability and Responsibility, Conformance and Performance]


Governance of Enterprise IT
• Governance is applicable to all departments within an enterprise
• Provides accurate information to understand threats, subsequent risk and response tactics
• System to evaluate, direct, monitor and ultimately control the current and future use of IT
• Enables enterprises to create value for stakeholders, leading to better planning and optimization

[Diagram: Board of Directors sets Enterprise Strategy; Senior Management sets Strategic Plans; Business Units run Business Operations and Processes; Risk Management provides Risk Guidance and Risk Monitoring, with Reporting flowing back up each level]

Governance Answers Four Questions

1. Are we doing the right things?
2. Are we doing them the right way?
3. Are we getting them done well?
4. Are we seeing expected benefits?


Enterprise Strategy
An enterprise exists for the sole purpose of achieving the defined strategic vision.
Enterprise strategy is the focus of its efforts; these are the primary drivers behind how investments
and decisions are being made and which actions are taken.


Context of IT Risk Management

Risk management is the coordinated activities to direct and control (measure) an enterprise regarding risk.

[Diagram: Inform, Direct, Influence]


Delivering a Successful Risk Management Capability

1. Consider available methods, models and frameworks that best align with the enterprise
2. Define the risk taxonomy
3. Define the risk ontology
4. Integrate risk efforts into the enterprise
5. Manage risk within the enterprise
6. Determine process to make risk-based business decisions
7. Track and trend outcomes of risk efforts
8. Report on status of risk managed by the enterprise
9. Allocate the necessary resources to implement IT risk management

Review Question
Which of the following is MOST important to determine when defining
risk management strategies?

A. Risk assessment criteria

B. IT architecture complexity

C. Enterprise disaster recovery plan

D. Business objectives and operations


Risk Practitioner Goals

To ensure the enterprise can deliver on its goals, clearly defined objectives are necessary.

At a high level, risk practitioners’ goals are to:
• Provide accurate, complete and timely information required for informed decisions made by senior management
• Identify and assess risk, and its likelihood of occurrence and impact to enterprise
• Allow for the ability to balance performance and conformance requirements to best suit the enterprise

Assessing Enterprise Context

[Diagram: Enterprise Context within the Environment, shaped by Threats, Value and Vulnerabilities]


I&T Related Risk Relative to Other Major Categories of Risk

IT Risk Management Life Cycle

[Diagram: four-phase cycle]

IT Risk Identification
• Determine risk context and risk framework and enterprise risk appetite and tolerance levels
• Identify and document risk
• Results in listing and documentation of threats posed

IT Risk Assessment
• Analyze and evaluate threats
• Assess and prioritize risk
• Provide details needed for response and mitigation

Risk Response and Mitigation
• Seek and implement cost-effective ways to address identified and assessed risk

Risk and Control Monitoring and Reporting
• Monitor controls, risk management efforts and current risk state
• Report results back to senior management


Engaging Senior Management

• Vitally important throughout the risk management process
• Much more likely to have the budget, authority, access to personnel and information, and legitimacy that will provide a successful result
• Senior management support should be visible and active
• Executives should be willing to intervene when necessary to:
  • Communicate the importance of risk identification efforts
  • Encourage everyone to actively contribute to the success of the program

Alignment With Business Goals and Objectives

[Diagram: Enterprise Vision and Strategy drives Business Goals; Business Goals, the Risk Universe and Overall Business Risk feed the Overall Risk Strategy]


Risk Practitioner’s Role


To avoid being seen as obstructionist, the risk practitioner should seek to:
• Understand the business in its proper context
• Listen to and understand the defined strategy
• Be aware of changes to ensure the ability to respond accordingly
• Create a culture that encourages open and informed discussions of risk
• Secure appropriate technologies and business processes
• Build relationships that promote communication
• Advise on the various aspects of risk, not make decisions on behalf of the business

Types of IT-related Business Risk

• Access Risk
• Availability Risk
• Cyber and Information Risk
• Emerging Technology Risk
• Infrastructure Risk
• Integrity Risk
• Investment or Expense Risk
• Program/Project Risk
• Relevance Risk
• Schedule Risk
• Talent Risk
• Third-Party Risk


Organizational Structure, Roles and Responsibilities

Risk Management Effectiveness

[Diagram: Support, Positioning, Integration]

Risk management should be a function with enterprise scope, able to reach into all the parts of the organization and provide leadership, advice and direction.


RACI
• Responsible: responsible for managing risk
• Accountable: accountable for the risk management effort
• Consulted: consulted and provide support and assistance to the risk management effort
• Informed: informed of the achievements and/or deliverables of the practice

Demonstrates the relationships and interactions between various roles

Applying the RACI Model

1. Risk management may be applied to an entire enterprise under a singular, centralized formal risk management team or may be practiced separately in each level of the enterprise
2. Enterprise size and diversity of the enterprise also influence risk management. Cultural differences between departments can create counterintuitive perspectives
3. Risk management may be too large a task for a single department or team in larger enterprises. Arrange the risk management effort by department, products, services or geographic region, following the same standards and model.


Review Question
Who is responsible for explaining the ramifications of a new zero-day
exploit to the enterprise to senior management?

A. Chief operating officer

B. Chief risk officer

C. Chief information security officer

D. Chief information officer


Key Roles

• Risk Manager
• Risk Analyst
• Risk Owner
• Subject Matter Experts
• Control Owner
• Control Stewards


Example Organizational Structure


[Org chart: a Governing Body and Senior Management above four functions: Risk Management (Manager, Analysts, Risk Owner, Control Owner); Business Units such as Human Resources, Finance and Operations (HRIS, General Ledger and Applications owners, each with a Risk Owner and Control Owner); Information Technology (Systems, Network and Security Operations, with Control Stewards); and Assurance (Lead Auditor, Analysts)]

Review Question
The risk to an information system that supports a critical business
process is owned by:

A. the IT director.

B. senior management.

C. the risk management department.

D. the system users.


Organizational Structure and Culture

The structure and culture of the organization directly influence and inform staff decisions relating to risk prevention, risk detection and risk response efforts.

[Diagram: Identify, Assess, Respond]

Lessons learned may be applicable in protecting other departments, systems or applications from the same problems. Collaboration and sharing of information is an important part of using risk scenarios.

Organizational Culture and Assets


Risk Management and Organizational Culture

[Diagram: Organizational Culture]

Organizational Culture Relating to Risk

Vulnerable (Don’t Care Culture)
• Apathy
• Near misses not considered
• Negligence
• Hiding of incidents
• No or little training
• Poor or no communication

Reactive (Blame Culture)
• Resistance to caring
• Some near-miss reporting
• Some window dressing
• Ad hoc/inconsistent training
• Communication on a need-to-know basis

Compliant (Compliance Culture)
• Responsibilities assigned
• Reporting limited to compliance areas
• As-required process definition
• Limited instrumentation and investments
• Minimal required training
• Compartmentalized communications

Proactive (Ownership Culture)
• Clear lines of accountability and responsibility defined
• Processes defined to enhance long-term sustainability and operationalization
• Appropriate instrumentation and investments are made
• Training defined and required
• Open communication

Resilient (Way of Life)
• Lines of accountability and responsibility communicated and understood
• Active monitoring and reporting
• Advanced instrumentation and investments made
• Training is encouraged
• Active communication


Applying Organizational Culture

• Determine the risk appetite of senior management
• Culture and ethics help determine risk-appetite variances
• Risk appetite can change or vary based on risk type and should be reviewed periodically
• Extent of risk-appetite change depends on market conditions, confidence, past successes or failures, global economics, reports in the media, availability of resources, new regulations or long-term strategy

Enterprise decisions:
• Invest
• Take on a new line of business
• Develop a new product
• Open a new office
• Hire a new employee
• Invest in new hardware or software
• Upgrade existing applications
• Implement new controls

Comparing Risk Cultures

Risk-Aware
• Begins at the top
• Promotes an open discussion of risk
• Ensures acceptable levels of risk are understood and maintained

Problematic
• Misalignment of actual risk appetite, stated tolerances and risk policies
• Failure to align risk policy with management direction and/or enterprise norms regarding compliance with policy
• Existence of a blame culture


Risk Culture Elements

• Behavior towards risk taking: Aggressive (informed risk taking) or Conservative (risk averse)
• Behavior towards negative outcomes: Learning Culture or Blaming Culture
• Behavior towards policy compliance: Compliant or Noncompliant

Review Question
Which of the following is MOST important when selecting an
appropriate risk management methodology?

A. Risk culture

B. Countermeasure analysis

C. Cost-benefit analysis

D. Risk transfer strategy


Risk Awareness Program


• Tailor to the needs of the individual groups within an enterprise.
• Can help mitigate some types of organizational risk
• Most cost-effective improvement in risk and security
• Reinforce the need for diligence and caution when addressing risk

Topics include:
• Required procedures
• Policy compliance
• Identifying enterprise risk
• Potential impacts of risk
• Addressed vulnerabilities
• Past attacks and compromises

Management:
• Supervisory role in protecting systems and applications from attack
• Overseeing staff action
• Directing compliance with enterprise policies and practices

Measuring Risk Awareness Programs

• Use a standardized approach to gauge awareness levels across the enterprise (paper or computer-based quizzes)
• Provides metrics for awareness trends and training effectiveness
• Use skills assessment or testing approach to determine further training needs
• Derive additional training requirements from tracking help desk activity, operational errors, security events and audits


Risk-Driven Business Approach

[Flowchart: START → Identify → Analyze & Assess → Does the risk fall within defined limits? If yes, Monitor Risk. If no, choose a response: Mitigation - Reduce Risk (Technical Controls, Organizational Measures), Transfer Risk - Insure, Avoid Risk – Stop, or Accept. Then: Is the residual risk acceptable? If yes, Monitor Risk; if no, Re-assess.]

Risk Communication
• Plays a key role in defining and understanding the risk culture of an enterprise
• Removes the uncertainty and doubts concerning risk management
• Discuss and communicate risk to stakeholders and personnel throughout the enterprise, appropriate to their respective roles.
• Include threats, incidents, existing vulnerabilities and value of assets
• Be open and transparent about issues or failures for better decision-making


Risk Communication Benefits

• Greater awareness among stakeholders
• More informed risk decisions
• Transparency to external stakeholders
• Gain trust

Risk Components to Communicate

Expectations
• Risk strategy, policies, procedures, awareness training and continuous reinforcement of principles
• Drives all subsequent efforts on risk management
• Sets the overall expectations about the risk management program

Capability
• Allows for monitoring the state of a risk management engine in the enterprise
• Key indicator for good risk management
• Has predictive value for how well the enterprise is managing risk and reducing exposure

Status (actual status of IT risk)
• Enterprise risk profile
• Key risk indicators to support management reporting on risk
• Event/loss data
• Root cause of loss events
• Options to mitigate risk


Organizational Assets

The identification of risk depends on the successful identification of assets, threats to those assets and the vulnerabilities that the assets contain.

[Diagram: Assets include People; Service and Business Processes; Data, Information and Knowledge; Reputation and Brand; Facilities and Equipment; Cash and Investments; Customer Lists; and Research]

Impact on Organizational Assets

People
• Enterprises are vulnerable to loss of key employees
• Identify and support through cross-training
• Provide sufficient documentation of key processes

Data
• Customer lists, financial data, marketing plans, HR data or research
• Must ensure protection of data in all forms and locations at all times
• Identify business value and define security classifications

Technology
• Outdated technology is often overlooked
• Extended support can lengthen availability but increase costs
• Apply patches and regular maintenance
• Securely dispose of technology containing data

Intellectual Property
• Trademarks, copyrights, patents, trade secrets or research
• Represents future earning potential of the enterprise
• Protect and handle IP properly and responsibly


Intellectual Property Terms

Trademark: A sound, color, logo, saying or other distinctive symbol that is closely associated with a certain product or company. Some trademarks are eligible for registration.

Copyright: Protection of any work that is captured in a tangible form (e.g., written works, recordings, images, software, music, sculpture, dance, etc.)

Patent: Protection of research and ideas that led to the development of a new, unique and useful product to prevent the unauthorized duplication of the patented item

Trade Secret: A formula, process, design, practice or other form of secret business information that provides a competitive advantage to the organization that possesses the information

Asset Inventory and Documentation


Update to reflect items currently in use when implementing changes or updates. Common requirement in regulations, standards and agreements relating to privacy.

Data/information assets
• System(s)
• Source
• Acquisition method
• Business use
• Business criticality
• Availability
• Completeness
• Processing
• Storage
• Transmission
• Sensitivity
• Classification
• Business owner

Hardware Assets
• Equipment
• Supplier
• Acquisition date
• Original cost
• Actual cost
• Location
• Equipment owner
• Maintenance details
• Insurance and warranty data


Asset Inventory

Record
Record all relevant assets owned by the enterprise:
• Financial or nonfinancial
• Required to deliver services
• Owned or controlled by the enterprise for a future benefit
• Differs between enterprises

Build
Common methods to build the inventory include reviewing purchasing systems, contracts and current software installations.

Determine the assets’ importance in the context of enterprise activities:
• Not all assets are equal
• Prioritize most valuable assets

Asset Valuation

Determine the importance of assets in the context of organizational activities giving priority to
protecting the most important assets first and less significant assets as time and budget allow.

An asset may be valued according to what another person would pay for it or by its measure of
value to the enterprise.

• Completed by assigning a quantitative (monetary) value

• Calculating the value an asset provides to an enterprise is not as straightforward as it may appear

• Consider impact and consequences of data breaches (sanctions or lawsuits)

• Base valuation on the total range of potential losses and other impacts

• Protects the enterprise from paying more for protection than the net worth

• Calculate based on impact of confidentiality, integrity or availability loss



Review Question
Which of the following is MOST useful when computing annual loss
exposure?

A. The cost of existing controls

B. The number of vulnerabilities

C. The net present value of the asset

D. The business value of the asset


Policies, Standards and Business Process Review


Risk Management Policies


The risk practitioner should identify the presence or lack of policies and work to determine whether the policies are enforced.

[Diagram: Enterprise Risk, Information Security, Risk Appetite/Tolerance, Privacy]

Procedures

Detailed description of steps necessary to perform specific operations in conformance with applicable standards:
• Defined as part of processes
• Created to define how processes should be completed
• Implementing the intent of policy by outlining tasks

A lack of standards and procedures makes it difficult to carry out activities in a systematic manner and may result in undependable, inconsistent operations and elevated risk
• Distinguish between the existence of published procedures and their actual use
• Ensure continued use of procedures long term, especially when precision is important

Risk Management Procedures
• Risk Identification
• Risk Analysis
• Risk Evaluation
• Risk Assessment
• Risk Response
• Control Selection
• Control Monitoring
• Establish KPIs, KCIs, and KRIs
• Risk Monitoring
• Risk Reporting


Review Question
Which of the following provides the GREATEST support to a risk
practitioner recommending encryption of corporate laptops and
removable media as a risk mitigation measure?

A. Benchmarking with peers

B. Evaluating public reports on encryption algorithms in the public domain

C. Developing a business case

D. Scanning unencrypted systems for vulnerabilities


Exception Management

1. If exceptions are undocumented and uncontrolled, the level of risk is unknown
2. May result in an undesired level of risk or overconfidence in effectiveness of established controls
3. Exceptions should only be allowed through a documented, formal and time-bound process.
4. Ensure that exceptions are removed when no longer needed


Business Process Review Purpose

• Identify problems or issues with the current process
• Gather information toward improving processes
• Prepare a road map to implement required changes
• Assign responsibility and accountability for projects
• Schedule individual projects according to priority
• Monitor project progress for milestones and deliverables
• Obtain and review feedback on project results
• Verify compliance to standards and policies

Business Process Review Steps

1. Document and evaluate current business processes
• List critical processes
• Document current business processes and risk
• Document identified issues and problems
• Baseline other organizations
• Discover potential solutions and improvements

2. Identify potential changes
• Use focus groups and workshops to determine process improvements
• Validate proposed changes with management and obtain approval to proceed

3. Schedule and implement changes
• Design changes
• Identify dependencies
• Communicate change schedule

4. Feedback and Evaluation
• Measure operational efficiencies


Processes and Controls


Consider how controls will integrate into the existing environment:
• Communicate benefits and value with appropriate stakeholders
• Be transparent with end-users when implementing/modifying processes and controls
• Implementing controls can reduce workarounds
• Design risk responses with a focus on compliance
• Compliant companies may derive competitive advantages

Risk Management Principles


[Diagram: Risk Management Principles]
• Connect to enterprise objectives
• Align with ERM
• Balance cost/benefit of I&T-related risk
• Promote ethical and open communication
• Establish tone at the top and accountability
• Use a consistent approach aligned with strategy


IT Risk in Relation to Other Business Functions

Business Continuity
• Preservation of critical business functions
• Ability to survive an adverse event
• Attempts to reduce all I&T-related risk to acceptable levels

Audit
• Formal inspection and verification of compliance and accuracy
• Provides management with assurance of frameworks, programs and compliance efforts

Information Security
• Drives selection of controls and justifies operation.
• Traceable back to a specific I&T-related risk
• Prevents poor control design and implementation

Review Question
Which of the following should be of MOST concern to a risk
practitioner?

A. Failure to notify the public of an intrusion

B. Failure to notify the police of an attempted intrusion

C. Failure to internally report a successful attack

D. Failure to examine access rights periodically


Break

Risk Governance Overview


Risk Governance Overview

[Diagram: Risk Management Functions are made up of Processes, Activities and Practices]

Risk Governance Objectives


The four core objectives of risk governance:
1. Establish and maintain a common risk view.
2. Integrate risk management into the enterprise.
3. Make risk-aware business decisions.
4. Ensure that risk management controls are implemented and operating correctly.


Enterprise Risk Management, Risk Management Frameworks and Three Lines of Defense

Enterprise Risk Management


Risk management is defined as the coordinated activities to direct and control (measure) an enterprise regarding risk.

[Diagram: Challenge, Opportunity]


Establishing an Enterprise Approach to Risk Management

Risk management is an enterprise activity that benefits from a standardized and structured approach, enterprise awareness, and executive sponsorship

1. Identifying risk by system or by project can create new risk of false assurance.
2. Risk may be measured differently, creating gaps between projects or systems.
3. No single approach is best for all types of enterprises
4. Be sensitive to local departmental cultures, priorities, regulations, goals and restraints
5. Apply approach to entire enterprise without substantial modification or customization

Review Question
Which of the following choices provides the BEST view of risk
management?

A. An interdisciplinary team within the enterprise

B. A third-party risk assessment service provider

C. The enterprise’s IT department

D. The enterprise’s internal compliance department


Risk Management Standards and Frameworks


The common privacy standards include:
• COBIT Focus Area Information Risk
• International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)
• NIST Privacy Standards and Guidelines

NIST Risk Guidance

NIST SP 800-30, Guide for Conducting Risk Assessments: Risk assessments are a key part of effective risk management and facilitate decision making in the risk management hierarchy

NIST SP 800-39, Managing Information Security Risk: Provide guidance for an integrated, organization-wide program for managing information security risk on an ongoing basis


Three Lines of Defense


Enhance enterprise risk management capabilities across the organization’s various lines of business, establishing a more robust ERM program.

First Line
• Owns and manages risk
• Establishes control functions

Second Line
• Oversees risk
• Monitors controls

Third Line
• Provides independent testing and assurance

Visualizing the Three Lines of Defense


[Diagram: Governing Body/Audit Committee and Senior Management above the three lines; External Audit and Regulators alongside. 1st Line: Management Controls, Internal Control Measures. 2nd Line: Financial Controls, Security, Risk Management, Quality, Inspection, Compliance. 3rd Line: Internal Audit.]

1st Line
• Data/system/risk ownership
• Business operation
• Process & procedure information

2nd Line
• Risk Framework and Policy
• Compliance and oversight
• Check and challenge

3rd Line
• Independent assurance to Board, Senior Management and Audit Committee
• Assurance


Review Question
Which of the following is one of the MAIN purposes of the first line of
defense in the three lines of defense model?

A. Ensure that financial controls are in place

B. Ensure control deficiencies are addressed

C. Ensure risk management practices are effective

D. Ensure compliance with rules and regulations

81

Risk Profile, Risk Appetite and Risk Tolerance

82

Risk Profile

Based on the overall risk posture of the enterprise and its:
• Attentiveness to monitoring control effectiveness
• Proactivity in identifying and addressing or preventing risk
• Development of a risk culture

Changes in the risk profile can be caused by:
• New technologies
• Changes to business procedures
• Mergers or acquisitions
• New or revised regulations
• Changes in customer expectations
• Actions of competitors
• Effectiveness of risk awareness programs

83

Determining the Risk Profile

Assets
• New assets
• Total cost of ownership (TCO) of assets
• People and the morale of the organization
• Regulations and legal changes
• Availability of staff/resources
• Impact from external events

Business
• Changes to the scope of risk assessment
• Changes in business priorities, assets, services, products and operations
• Risk acceptance levels
• Actions of competitors
• Changes in the supply chain
• Changes in financial markets

Events
• New threats (internal and external)
• Newly discovered vulnerabilities
• Possibility of increased risk due to aggregation of threats and vulnerabilities
• Incidents
• Logs and other data sources

84

IT Risk Management Objectives and Goals

Review
• Review IT risk management objectives and goals on a regular basis (annually) to ensure continued alignment with the goals and objectives of senior management.
• Review the program in terms of increasing maturity (risk response/mitigation activities, training, improved response time, and better alignment and communication).
• Review the criteria for monitoring, the thresholds used for KPIs and KRIs, the policies and strategies of risk, the reporting schedule and the list of key stakeholders to be notified when KPIs or KRIs exceed their thresholds.

Awareness
• The risk practitioner has a key role in ensuring that management is aware of the current IT risk profile and that risk is being managed to meet objectives.
• Work with stakeholders to monitor risk and evaluate the control framework’s effectiveness and efficiency.
• Apply lessons learned to improve the risk management process.

85

Risk Capacity, Appetite and Tolerance

Risk Capacity: Objective amount of loss an enterprise can accept to ensure continued existence. Defined by enterprise owners. Informs risk appetite.

Risk Appetite: Broad-level amount of risk an entity is willing to accept in pursuit of its mission. Defined and approved by senior management or the board of directors. Communicated to all stakeholders. Reassessed and reconfirmed over time.

Risk Tolerance: Acceptable level of deviation allowed by management to pursue enterprise objectives.

86

Illustrating Risk Appetite, Tolerance and Capacity


[Figure: nested levels of risk appetite, risk tolerance and risk capacity, with the tolerance criteria expressed as amount and duration.]

• Risk Appetite / Risk Tolerance: This is the correct way to properly manage risk within the enterprise.
• Risk Capacity: Drastic and extreme measures would be required to ensure the organization’s survival.
• A realized risk that exceeds the risk capacity threatens an enterprise’s ability to continue operations.

87
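As an added example that is not part of the ISACA guide, the following Python sketch applies the three enterprise-level definitions and the tolerance criteria of amount and duration to a series of KRI readings, placing the latest reading in a zone (within appetite, within tolerance, tolerance duration exceeded, exceeds tolerance, exceeds capacity) and looking up which stakeholders the reporting schedule should notify. The limit values, the readings, the zone names and the escalation mapping onto the three lines are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class RiskLimits:
    """Enterprise-level definitions in one loss unit (constructed: annualized loss in USD)."""
    appetite: float       # broad-level amount of risk accepted in pursuit of the mission
    tolerance: float      # acceptable deviation above appetite allowed by management
    tolerance_days: int   # how long exposure may stay above appetite (duration criterion)
    capacity: float       # objective loss the enterprise can absorb and still exist

# Who the reporting schedule notifies per zone (constructed mapping onto the three lines).
ESCALATION = {
    "within_appetite": [],
    "within_tolerance": ["risk owner (first line)"],
    "tolerance_duration_exceeded": ["risk owner (first line)", "risk management (second line)"],
    "exceeds_tolerance": ["risk owner (first line)", "risk management (second line)", "senior management"],
    "exceeds_capacity": ["senior management", "board / audit committee"],
}

def days_over_appetite(limits, readings):
    """Length in days of the current unbroken run of KRI readings above appetite.
    readings: list of (ISO date string, exposure) observations, oldest first."""
    if readings[-1][1] <= limits.appetite:
        return 0
    run_start = readings[-1][0]
    for day, exposure in reversed(readings):
        if exposure <= limits.appetite:
            break
        run_start = day
    return (date.fromisoformat(readings[-1][0]) - date.fromisoformat(run_start)).days + 1

def classify_exposure(limits, readings):
    """Place the latest reading in a zone using both the amount and the duration criteria."""
    latest = readings[-1][1]
    if latest > limits.capacity:
        return "exceeds_capacity"              # ability to continue operations is threatened
    if latest <= limits.appetite:
        return "within_appetite"
    if latest > limits.appetite + limits.tolerance:
        return "exceeds_tolerance"             # deviation larger than management allows
    if days_over_appetite(limits, readings) > limits.tolerance_days:
        return "tolerance_duration_exceeded"   # tolerable amount, but held for too long
    return "within_tolerance"

# Constructed sample: weekly KRI readings for one business-critical application (USD).
LIMITS = RiskLimits(appetite=100_000, tolerance=50_000, tolerance_days=30, capacity=500_000)
READINGS = [("2021-01-01", 90_000), ("2021-01-08", 110_000),
            ("2021-01-22", 125_000), ("2021-02-05", 130_000)]
```

With the sample readings the exposure has been above appetite for 29 days and is still within tolerance; one more week at the same level exceeds the 30-day duration criterion and escalates to the second line.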

Review Question
Senior management has defined the enterprise risk appetite as
moderate. A business-critical application has been determined to
pose a high risk. What is the NEXT action the risk practitioner should
take?

A. Remove the high-risk application and replace it with another system.

B. Recommend that management increase its acceptable risk level for the application.

C. Assess the impact of planned controls to the application.

D. Restrict access to the application only to trusted users.

88

Benefits of Enterprise-Level Definitions

• Support and provide evidence of risk-based decision-making processes
• Show the impact of different resource allocation strategies by simulating different risk response options
• Support the understanding of how each component of the enterprise contributes to the overall risk profile
• Support the prioritization and approval process of risk response actions through risk budgets
• Identify specific areas where a risk response should be made

89

Creating Risk Aware Culture


• Important aspect of monitoring risk
• Used by senior management to revisit and reinforce risk appetite

• Consistent implementation
• Consistent understanding
• Effective monitoring and communication
• Consistency between relevant systems

90
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Professional Ethics, Laws, Regulations and Contracts

91

Professional Ethics of Risk Management


Risk is often impacted by professional ethics.

• Enterprises with poor management processes in place may not identify errors, misuse or fraud.
• Well-treated employees can be an example or ally. Poorly treated employees may seek revenge, causing serious consequences.
• Certain industries incorporate ethics into expectations, which can then result in establishing reporting and conformance requirements for professionals.

92
CRISC Virtual Instructor-Led Course – Participant Guide Session 1

Legal, Regulatory and Contractual Requirements


Enterprises are required to comply with the laws and regulations of the jurisdictions where they operate and face penalties for failing to do so.

Identify which laws apply to the enterprise and understand their requirements, including issues like interpretation and compliance.

Enterprises operating across regions or nations may build global and specialized programs to handle regulations more effectively.

Examples: GDPR, PCI-DSS

93

Review Question
A key objective when monitoring information systems control
effectiveness against the enterprise’s external requirements is to:

A. design the applicable information security controls for external audits.

B. create the enterprise’s information security policy provisions for third parties.

C. ensure that the enterprise’s legal obligations have been satisfied.

D. identify those legal obligations that apply to the enterprise’s security practices.

94

Review Question
Shortly after performing the annual review and revision of corporate
policies, a risk practitioner becomes aware that a new law may affect
security requirements for the human resources system. The risk
practitioner should:

A. analyze in detail how the law may affect the enterprise.

B. ensure that necessary adjustments are made during the next review cycle.

C. initiate an ad hoc revision of the corporate policy.

D. notify the system custodian to implement changes.

95

Review Question
It is MOST important that risk appetite is aligned with business
objectives to ensure that:

A. resources are directed toward areas of low risk tolerance.

B. major risk is identified and eliminated.

C. IT and business goals are aligned.

D. the risk strategy is adequately communicated.

96


Summary and Q/A


Key Risk Concepts

Organizational Strategy, Goals and Objectives

Organizational Structure, Roles and Responsibilities

Organizational Culture and Assets

Policies, Standards and Business Process Review

Risk Governance Overview

Enterprise Risk Management, Risk Management Frameworks and Three Lines of Defense

Risk Profile, Risk Appetite and Risk Tolerance

Professional Ethics, Laws, Regulations and Contracts

97

Preparing for Session Two


• Complete session one activities

• Review session two pre-work


• Study and answer session two questions

98
