Risk Management and IT Governance Quiz
39 Questions

Questions and Answers

Which individual serves as the Chief Executive Officer of ISACA?

  • Rob Clyde
  • David Samuelson (correct)
  • Gregory Touhill
  • Brennan P. Baybeck

Which certification is held by both Tracey Dedrick and Rolf von Roessing?

  • CISA
  • CISM (correct)
  • CRISC
  • CGEIT

Who is the former Chief Risk Officer of Hudson City Bancorp?

  • Gerrard Schmid
  • Tracey Dedrick (correct)
  • Rolf von Roessing
  • Asaf Weisberg

Which of the following individuals is associated with Axio?

  • Lisa Young (correct)

    Which Chairman position did Brennan P. Baybeck hold during 2019-2020?

    • ISACA Board Chair (correct)

    What does Figure 5.5 illustrate in relation to risk?

    • The relationship between residual and inherent risk. (correct)

    Which figure presents a framework for understanding risk acceptance?

    • Figure 5.2 (correct)

    In the context of risk response, what does Figure 5.6 highlight?

    • The process for risk prioritization and selection. (correct)

    What is the focus of Figure 5.4 within the risk context?

    • Different states of risk within an organization. (correct)

    Which figure contains terminology related to risk management?

    • Figure 5.7 (correct)

    What is the most critical aspect of risk management at the operational level?

    • Addressing the risk with the highest likelihood and impact (correct)

    Which of the following best describes I&T-related risk?

    • Risks arising from the use and dependence on IT systems within an enterprise (correct)

    What is a consequence of not properly understanding or communicating I&T-related risks?

    • Potential for more damaging risks to affect the enterprise (correct)

    Which type of I&T-related risk focuses on the delivery and effectiveness of IT projects?

    • I&T program and project delivery risk (correct)

    How does the reliance on IT systems affect the severity of I&T-related risks within an enterprise?

    • Higher dependence leads to more serious consequences from failures (correct)

    What is the primary aim of threats in relation to enterprise vulnerabilities?

    • To exploit control deficiencies (correct)

    Which of the following best defines business risk?

    • The likelihood of experiencing loss or gain due to uncertain events (correct)

    Which type of risk is associated with making strategic decisions about expansion?

    • Strategic risk (correct)

    Which of the following is NOT classified as a common type of business risk?

    • Financial risk (correct)

    If an enterprise is hesitant to embrace risk, what potential effect could this have?

    • Reduced opportunities for innovation (correct)

    What could represent a vulnerability in a business process?

    • An outdated technology infrastructure (correct)

    What is a consequence of taking excessive risk in a business context?

    • Higher chances of financial disaster (correct)

    Operational risk in a business setting primarily refers to which of the following?

    • Risk arising from the internal processes of the business (correct)

    At which level are decisions primarily concerned with medium-term goals related to enterprise strategic objectives?

    • Program Level (correct)

    What is a key aspect of the strategic level of risk management?

    • Making choices about risk in connection to innovation (correct)

    Which level of risk management is concerned with ensuring the ongoing continuity of business services?

    • Operational Level (correct)

    What is required at the project level to effectively manage risks and issues?

    • A strategic-level risk policy (correct)

    How is risk management context different between strategic and operational levels?

    • Strategic level emphasizes long-term decisions, operational level addresses short-term issues. (correct)

    What is one of the essential elements of business success related to risk at the strategic level?

    • Detecting, identifying and managing risk effectively (correct)

    Which level primarily involves decisions that enable the implementation of actions?

    • Project Level (correct)

    The risk and issues managed at the program level are primarily related to what?

    • Navigating circumstances that may impact program success (correct)

    Which risk management framework emphasizes a life cycle approach for security and privacy?

    • NIST SP 800-37 Revision 2 (correct)

    Which of the following is NOT a recognized risk management framework mentioned?

    • CMMI Framework (correct)

    The ISO 31000:2018 guidelines are focused on which aspect of risk management?

    • General risk management guidelines (correct)

    What is the primary focus of the OCTAVE framework?

    • Information security assessments (correct)

    Which of the following organizations is responsible for maintaining the ISACA Risk IT Framework?

    • ISACA (correct)

    What type of risk does the NIST SP 800-39 publication primarily address?

    • Information security risk (correct)

    What is the importance of tailoring risk management practices within an enterprise?

    • To align with specific enterprise goals (correct)

    Which of these ISO standards specifically addresses information security risk management?

    • ISO/IEC 27005:2018 (correct)

    Study Notes

    About This Study Guide

    • The guide helps individuals understand IT risk and the enterprise risk management process.
    • The topics cover risk introduction and overview, governance and management of risk, risk identification, assessing and analyzing risk, responding to risk, and monitoring, reporting, and communicating risk.
    • Key resources include ISACA frameworks, guides, certification review manuals, and white papers.

    Intended Audience

    • Professionals interested in learning about IT risk and risk management.
    • Professionals working with risk management.
    • Those new to risk and IT risk.

    Study Guide Scope and Organization

    • The guide delivers essential risk knowledge through the following content areas:

      • Risk introduction and overview
      • Governance and management of risk
      • Identifying risk
      • Assessing and analyzing risk
      • Responding to risk
      • Monitoring, reporting, and communicating risk
    • Every chapter includes learning objectives, sections, a summary of terminology, and a knowledge check.

    Risk Introduction and Overview

    • Risk is the combination of likelihood of an event and its impact.
    • Common risk terms include:
      • Likelihood: probability of something happening (e.g., frequency, probability).
      • Impact: the consequence and magnitude of an event.
      • Event: something that happens at a particular time and place.
    • Business risk is the probability of a situation with uncertain frequency and magnitude of loss (or gain) that could prevent the enterprise from meeting its objectives.
    • Types of business risk include strategic, environmental, market, credit, operational, and compliance risk.

    Risk Governance and Management

    • Governance ensures balanced, agreed-upon enterprise objectives, direction, and performance.
    • Risk governance has these objectives:
      • Establish and maintain a common risk view.
      • Integrate risk management into the enterprise.
      • Make risk-aware business decisions.
      • Ensure risk management controls are implemented and operating correctly.
    • Risk management encompasses the activities that direct and control an enterprise with regard to risk.
    • Risk management involves understanding the enterprise and the environment, including threats and capabilities, the relative value of assets, and existing vulnerabilities.
    • Risk stakeholders include top executives, board members, business leaders, management, IT staff, third parties, and incident response teams.

    Risk Identification

    • Asset types include people, information, business processes, infrastructure, finances, and reputation.
    • Asset classification:
      • Criticality: impact of loss of the asset.
      • Sensitivity: potential for damage from disclosure.
    • Asset valuation: assigning a monetary value to assets, often based on loss scenarios.
    • Valuation considerations include:
      • Financial penalties or other regulatory sanctions relevant to security breaches.
      • Operational issues associated with business continuity.
    • External and internal threats include espionage, theft, sabotage, terrorism, and so on.
    • Common types of I&T-related risk include access risk, availability risk, integrity risk, and investment risk.

    Risk Assessment and Analysis

    • Risk assessment is the process of identifying and evaluating risk and its effects.
    • Risk analysis involves estimating the frequency and magnitude of risk scenarios.
    • Risk evaluation compares estimated risks to predefined criteria to determine the significance of risk events.
    • Risk scenarios use qualitative or quantitative approaches and combine likelihood and impact.
    • Risk ranking prioritizes risks and risk response.
    • Risk documentation summarizes risk findings and facilitates effective responses.

    Risk Response

    • Risk response strategies include acceptance, mitigation, transfer, and avoidance.
    • Control design and implementation concerns processes, policies, procedures, practices, infrastructure, applications, and organizational structures. Controls may be preventive, detective, or corrective.
    • Incident management, business continuity, and disaster recovery plans are important components.
    • Risk states include inherent, current, and residual risk.

    Risk Monitoring, Reporting, and Communication

    • Risk monitoring, reporting, and communication involve the continuous monitoring, evaluation, assessment, and reporting of risk.
    • Key risk indicators (KRIs) and key performance indicators (KPIs) help monitor risk.
    • Risk reporting methods and channels need to be clear, concise, and relevant to stakeholder needs.
    • Comprehensive risk reporting is essential to support effective decision-making.

    Description

    Test your knowledge on risk management and IT governance with this quiz. It covers key concepts, figures, and notable individuals in the field. Enhance your understanding of risk response, IT-related risks, and their implications in organizations.
