Isaca Ch2 - Risk Governance and Management PDF
Risk Governance and Management

2.1 Risk Governance

Governance ensures that:

- Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives
- Direction is set through prioritization and decision making
- Performance and compliance are monitored against agreed-on direction and objectives

In most enterprises, overall governance is the responsibility of the board of directors, under the leadership of the chairperson. Specific governance responsibilities may be delegated to special enterprise structures at an appropriate level, particularly in larger, complex enterprises.

2.1.1 Governance Objectives

The objective of any governance system is to enable an enterprise to create value for its stakeholders or to promote value creation. Value creation, in turn, comprises:

- Benefits realization
- Risk optimization
- Resource optimization

Benefits Realization

Benefits realization consists of creating value for the enterprise through I&T, maintaining and increasing value derived from existing I&T investments, and eliminating IT initiatives and assets that are not creating sufficient value. The basic principles of I&T value are delivery of fit-for-purpose services and solutions, on time and within budget, that generate the intended financial and nonfinancial benefits. The value that I&T delivers should be aligned directly with the values on which the business is focused. IT value should also be measured in a way that shows the impact and contributions of IT-enabled investments in the value creation process of the enterprise.

Risk Optimization

Risk optimization involves addressing the business risk associated with the use, ownership, operation, involvement, influence and adoption of I&T within an enterprise. I&T-related business risk consists of I&T-related events that could potentially impact the business. While value delivery focuses on the creation of value, risk management focuses on the preservation of value.
The management of I&T-related risk should be integrated within the enterprise risk management approach to ensure a focus on IT by the enterprise. It should also be measured in a way that shows the impact and contributions of optimizing I&T-related business risk on preserving value. Risk optimization is an essential part of any governance system and cannot be seen in isolation from benefits realization or resource optimization.

Resource Optimization

Resource optimization ensures that the appropriate capabilities are in place to execute the strategic plan and that sufficient, appropriate and effective resources are provided. Resource optimization ensures that an integrated, economical IT infrastructure is provided, new technology is introduced as required by the business, and obsolete systems are updated or replaced. Because it recognizes the importance of people, in addition to hardware and software, it focuses on providing training, promoting retention and ensuring competence of key IT personnel. An important resource is data and information, and exploiting data and information to gain optimal value is another key element of resource optimization.

2.1.2 Risk Governance Objectives

Risk governance:

- Sets the direction and strategy of risk management efforts
- Defines risk culture and acceptable levels of risk
- Makes risk-aware business decisions
- Ensures that the risk management function is operating effectively to identify, manage, monitor and report on current and potential risk facing the enterprise

Risk governance ensures that:

- Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved.
- Direction is set through prioritization and decision making.
- Performance, compliance and progress are monitored against agreed-on direction and objectives.

In most enterprises, risk governance is the responsibility of the board of directors under the leadership of the chairperson, as shown in figure 2.1.
Good risk governance means that risk optimization is part of the arrangements that are put in place, and risk information is included in the decision-making process. At the same time, the risk function needs to be governed, i.e., provided with direction and monitored. Effective risk governance helps ensure that risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. Figure 2.2 describes the four main objectives of risk governance.

Figure 2.2—Risk Governance Objectives

| Objective | Description |
|---|---|
| 1. Establish and maintain a common risk view. | Effective risk governance establishes the common view of risk for the enterprise. This determines which controls are necessary to mitigate risk and how risk-based controls are integrated into business processes and information security. The risk governance function sets the tone of the business regarding how to determine an acceptable level of risk tolerance. Risk governance is a continuous life cycle that requires regular reporting and ongoing review. The risk governance function must oversee the operations of the risk management team. |
| 2. Integrate risk management into the enterprise. | Integrating risk management into the enterprise enforces a holistic enterprise risk management (ERM) approach across the entire enterprise. It requires the integration of risk management into every department, function, system and geographic location. Understanding that risk in one department or system may pose an unacceptable risk to another department or system requires that all business processes be compliant with a baseline level of risk management. The objective of ERM is to establish the authority to require all business processes to undergo a risk analysis on a periodic basis or when there is a significant change to the internal or external environment. |
| 3. Make risk-aware business decisions. | To make risk-aware business decisions, the risk governance function must consider the full range of opportunities and consequences of each such decision and its impact on the enterprise, society and the environment. |
| 4. Ensure that risk management controls are implemented and operating correctly. | Governance requires oversight and due diligence to ensure that the enterprise is following up on the implementation and monitoring of controls to ensure that the controls are effective to mitigate risk and protect organizational assets. |

Source: ISACA, CRISC Review Manual, 6th Edition, USA, 2015, figure 0.2, www.isaca.org/bookstore/crisc-exam-resources/crr6ed

2.2 Risk Management

The governing board should ensure there is a risk management process. Managers require accurate information to be able to correctly understand risk and address circumstances that indicate the need for a risk response.

There is a clear distinction between governance and management. Management focuses on planning, building, running and monitoring activities in alignment with the direction set by the governance body to create value by achieving objectives. A well-managed enterprise that is subject to poor governance creates and executes clear, effective plans to attain objectives that do not create value. Similarly, risk management foresees the challenges to achieving objectives and attempts to lower the probabilities of negative outcomes occurring and/or their impacts if they do occur, but the effectiveness of risk management depends in large part on decisions made by managers who are responsible for risk governance.

2.2.1 Risk Management Overview

Risk management encompasses the coordinated activities to direct and control an enterprise with regard to risk. Risk can be viewed as a challenge to achieving objectives, and risk management as the activity undertaken to predict challenges and lower their chances of occurring and/or their impact.
Effective risk management can also assist in maximizing opportunities. For example, a risk decision can take the form of potential benefits that may accrue if opportunities are taken, versus missed benefits if those same opportunities are foregone. The dual nature of risk is a result of its use in different contexts by business and IT, and it is not always easy to draw the distinction.

Risk management starts with understanding the enterprise and the environment in which it operates. This understanding includes evaluating the:

- Intentional and unintentional threats and capabilities
- Relative value of assets or resources, and the trust that must be placed in them
- Presence and extent of vulnerabilities that might be exploited to intercept, interrupt, modify or fabricate data in information assets
- Intentional and unintentional human errors
- Acts of nature

Other factors that must be evaluated include the:

- Dependency of the enterprise on a supply chain, especially one based in another geographic region or reliant on just-in-time delivery
- Influences of financing, debt, and partners or substantial stakeholders
- Susceptibility to changes in economic or political conditions
- Susceptibility to changes in market trends and patterns
- Emergence of new competition
- Impact of new legislation
- Existence of potential natural disasters or events
- Constraints caused by legacy systems and antiquated technology
- Likelihood of strained labor relations and inflexible management

2.2.2 I&T Risk Governance and Management

I&T risk governance and management is the implementation of a risk strategy that:

- Reflects the culture, appetite and tolerance levels of enterprise management
- Considers technology and budgets
- Addresses the requirements of regulation and compliance

An effective I&T risk management strategy is critical to the enterprise's ability to effectively and efficiently execute its overall business strategy.
Any I&T-related risk that jeopardizes the enterprise business or mission should be managed from the perspective of overall enterprise objectives and should (see figure 2.3):

- Connect management of I&T-related risk to business or mission objectives.
- Align the management of I&T business or mission risk with ERM when possible.
- Balance the costs and benefits of managing I&T-related risk.
- Promote ethical and open communication of all I&T-related risk.
- Establish the tone at the top, while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.
- Use a consistent approach, integrated into daily activities, that is standard, repeatable and aligned to strategy.

Figure 2.3—I&T Risk Management Principles

Source: ISACA, COBIT® 5 for Risk, USA, 2013, figure 15, www.isaca.org/bookstore/cobit-5/wcb5rk

Connect to Enterprise Business or Mission

I&T risk governance and management should connect to business or mission objectives, which means that:

- I&T-related risk, including cyberrisk, is treated as a business risk, not as a separate type of risk, and the approach to management is comprehensive and cross-functional.
- Governance of I&T-related risk contributes to business or mission outcomes. I&T supports the achievement of business objectives, and any associated risk is expressed in terms of the impact and probability it may have on business objectives or strategy. Analysis of I&T-related risk considers the connection between business processes and supporting I&T assets, applications or infrastructure, and/or third-party dependencies.
- I&T risk management, including practices in information security and cybersecurity, strives to advance the business or mission, rather than limit or inhibit it.
Align with Enterprise Risk Management

The effective enterprise governance of I&T-related risk aligns its management with overall enterprise risk management (ERM), which means that:

- Business or mission objectives and risk appetite are clearly defined.
- Enterprise decision-making processes consider the full range of potential consequences and opportunities from I&T-related risk.
- The defined and stated risk appetite reflects the enterprise risk management policy and tone at the top, and influences the culture of the enterprise.
- I&T-related risk assessment is coordinated and consolidated across the enterprise (e.g., across information security and cybersecurity).

Balance Costs and Benefits

The effective enterprise governance of I&T-related risk balances its costs and benefits, which means that:

- I&T-related risk is prioritized and addressed in line with risk appetite and risk tolerance. Risk appetite and risk tolerance are described in Section 2.3.
- Risk responses are implemented on the basis of cost/benefit analysis, analysis of alternatives and prioritization of risk that has the greatest potential impact on enterprise objectives.
- Existing controls and risk response actions are leveraged to address risk as efficiently as possible.

Promote Ethical and Open Communication

The effective management of I&T-related risk promotes ethical and open communication, which means that:

- Open, accurate, timely and transparent information on I&T-related risk is freely exchanged and informs risk-related decisions.
- Risk culture and risk management methods are integrated across the enterprise.
- Technical findings are translated into relevant and understandable business and financial terms.
- Information about an incident and the associated response is communicated openly to stakeholders, government and/or regulatory authorities, customers, and (as necessary) the public.
Establish Tone at the Top and Accountability

The effective management of I&T-related risk establishes an engaged tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels, which means that:

- Business owners, the board of directors and executive leadership are engaged in risk management.
- There is clear accountability and assignment of risk ownership.
- Risk assumptions are understood and supported by appropriate business leaders and are clearly stated in documentation of risk appetite, tolerances, culture, policies and guidelines for enforcement.
- Risk management performance is measured and integrated into the performance management of those accountable and responsible.
- Risk-aware culture and personal responsibility are promoted.
- Risk-informed decisions are made at the right level in the enterprise, by authorized individuals, in line with tolerances.
- Risk management practices are appropriately prioritized and embedded into enterprise decision making.

Consistent Approach Aligned to Strategy

The effective management of I&T risk promotes continuous improvement and is part of daily activities, which means that:

- The dynamic nature of risk requires the enterprise to prepare by giving advance consideration to changes in:
  - The enterprise itself (mergers and acquisitions)
  - Risk landscape
  - Applicable laws and regulations
  - Information and technology, as they evolve
  - The industry at large
- Risk assessment methods, scales of measurement and criteria are consistent across the enterprise, especially as applied to:
  - Identification of key processes and associated risk
  - Identification of impacts on objectives
  - Identification of triggers that indicate when risk is out of tolerance, when an update of the framework or components in the framework is required, etc.
  - Monitoring and testing of operating controls
  - Actions to prevent risk from materializing
  - Risk response (if adverse events occur)
  - Identification and, to the extent possible, mitigation of assessor bias in the quantitative risk measurement process

2.2.3 Risk Universe

Managing I&T-related risk requires defining the boundaries of the enterprise risk universe. The risk universe:

- Encompasses the overall risk environment
- Defines the areas that risk management activities address
- Provides a structure for I&T-related risk management

The risk universe (see figure 2.4):

- Considers the overall mission and the enterprise objectives, business processes and their dependencies throughout the enterprise. Identification of I&T dependencies aids in understanding the risk that cuts across different functions and operations of the enterprise.
- Describes the I&T components, processes, assets and infrastructure that support the business and mission objectives.
- Understands that I&T-related risk involves IT operations, project management, application development, disaster recovery, security, etc.
- Describes risk in a complete and comprehensive language so that risk can be viewed from an end-to-end business or mission perspective.
- Considers the full value chain of the enterprise (subsidiaries, business units, clients, suppliers and service providers).
- Views all I&T-related business activities, including transformation programs, investments, projects and operations.
- Includes a logical and workable segmentation of the overall risk landscape in which the enterprise operates (e.g., business units and subunits; business processes or services; geographic locations; technology types, i.e., internal IT function versus cloud components; and other areas where there may be an opportunity to align differing views across the enterprise).
- Aligns the strategic planning of the enterprise with the identification of the risk types that have the greatest impact on meeting the business strategy and objectives.
- Requires regular reviewing and updating to navigate the constantly changing internal and external environment.
- Is influenced by the business climate or geopolitical environment in which the enterprise operates.

Figure 2.4—Risk Universe

The value chain of an enterprise is the sequential set of primary and support activities performed by an enterprise to turn inputs into value-added outputs for its external customers. The risk universe should include value chain activities (see figure 2.5).

Figure 2.5—Value Chain

Value chain activities include:

- Inbound logistics—Activities that facilitate receiving and storing materials from external sources
- Procurement—Processes by which an enterprise acquires resources (e.g., sourcing and negotiating with materials suppliers)
- Infrastructure—Concerned with a wide range of support systems and functions (e.g., finance, planning, quality control, general senior management, etc.)
- Operations—The manufacture of products and services; the processes by which the enterprise converts resource inputs (e.g., materials) to outputs (e.g., products)
- Technology development—Activities concerned with managing information processing and the development and protection of knowledge in an enterprise
- Marketing and sales—An information activity; informing buyers and consumers about products and services (e.g., benefits, use, price)
- Human resource management—Recruiting, developing, motivating and rewarding the workforce of an enterprise
- Service—Activities associated with maintaining a product, following its sale
- Outbound logistics—Activities associated with transferring finished goods and services to buyers

2.3 Positioning Risk

Before an enterprise can begin to govern and manage risk, the enterprise must position risk in the context of the enterprise mission, strategy and objectives. Pairing a risk-based approach with a strategic view of the enterprise enables communication and clarification of the risk (uncertainties) that has the highest potential to prevent the enterprise from meeting its intended targets, objectives and mission.

Establishing the criteria against which the identified risk is evaluated is an important part of the overall risk management process. The development of risk appetite and risk tolerances can assist in quickly evaluating and understanding the risk that is in alignment with risk appetite and the risk that may need further analysis or investigation to make that determination.

2.3.1 Risk Appetite, Risk Tolerance and Risk Capacity

When developing strategies and/or operating plans, an enterprise must decide to take on some level of risk to achieve its objectives. The amount or magnitude of risk is generally expressed as risk appetite and risk tolerance.
Risk Appetite

Risk appetite is the amount of risk, on a broad level, that an enterprise or other entity is willing to accept in pursuit of its mission (or vision) and the achievement of business objectives. When considering risk appetite levels for the enterprise, three major factors are important:

- The objective capacity of the enterprise to absorb loss, e.g., financial loss or damage to reputation.
- The (management) culture or predisposition towards risk taking, cautious or aggressive. What amount or magnitude of loss will the enterprise accept to pursue its strategy or objectives?
- The nature of the business and the type of risk involved, e.g., the failure of a conveyor belt system in a candy factory vs. the failure of a flight-control system on a commercial airliner.

Risk appetite is different in each enterprise, and there is no absolute norm or standard of what constitutes acceptable and unacceptable risk. Risk appetite is presented in a risk statement. A risk statement is a description of the current conditions that may lead to the loss; and a description of the loss.[1] For risk to be understandable, it must be expressed clearly. Such a treatment must include a description of the current conditions that may lead to a loss; and a description of the loss.

Risk statements that are too broad are difficult to cascade down through the enterprise as management directives and should be avoided. Risk statements should also avoid absolute prohibitions on risk, such as:

- "The enterprise will not accept the risk of noncompliance."
- "The enterprise will not accept I&T-related risk."

Absolute prohibitions on risk are impossible to maintain and therefore impractical. Under such a prohibition against risk, every control deficiency is fixed, and every business endeavor with risk is declined. In practice, this approach is not a productive or efficient use of resources. Instead, enterprises should attempt to determine a loss amount that is acceptable and manage to that amount. An example of a more practical, concrete, quantified risk appetite statement follows:

"Although the enterprise desires to have no appetite for I&T risk, it recognizes that this is impractical in the achievement of its objectives. Therefore, the enterprise will remediate loss scenarios whereby aggregate losses of $1 million or more are at risk."

Large enterprises may find it useful to have a risk appetite statement for each line of business or business risk type. However, a risk appetite statement that covers the entire enterprise should reflect (or aggregate) all the line-of-business or business risk type statements.

Every enterprise must define its own risk appetite levels and review them on a regular basis. Risk appetite should align with the overall risk culture that the enterprise wants to express (i.e., ranging from very risk averse to risk taking/opportunity seeking). Although there is no universal right or wrong, risk appetite needs to be defined, well understood and communicated throughout the enterprise.

When evaluating, testing and improving risk appetite statements over time, an enterprise should consider the following:

- Are the management and governance entities of the enterprise aligned on the business outcomes that are unacceptable to the enterprise? What is the process to periodically evaluate the enterprise risk appetite statements if there are significant changes in its business, mission, or other conditions?
- Are unacceptable outcomes clear and communicated to everyone in the enterprise who needs to know? Is there a clear distinction between the types of risk that the enterprise is willing to accept versus those to avoid?
- Are processes in place that allow a potential risk or concern to be raised before a negative event occurs? Are reviews conducted to determine the effectiveness of the enterprise process for identifying, assessing, and reporting risk in relation to the stated risk appetite?
- Do the people on the front line of the enterprise know the boundaries, parameters, control limits, or other constraints on risk-taking decisions for their role? In many businesses, there are upper and lower limits on decision making that are integrated into the workflow that assist in making sure the optimal risk appetite is maintained.
- Are there published financial loss limits, regulatory compliance, business interruption, operational performance, life, health, or safety impacts that are clearly defined and communicated? Do these published limits exist for information security, cybersecurity, technology, events or incidents?

[1] Software Engineering Institute (SEI) cited in the ISACA Glossary

Risk Tolerance

Risk tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. Risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives.

Risk appetite and tolerance are defined at the enterprise level, reviewed and/or influenced by the board of directors, and reflected in strategy and policies set by executives. At lower (tactical) levels of the enterprise, or perhaps within certain enterprise entities or subsidiaries, exceptions can be tolerated (or different thresholds defined), as long as overall exposure at the enterprise level does not exceed the determined risk appetite.

Any business initiative includes a risk component, so management should have discretion to pursue new opportunities in the context of risk. Enterprises that have conservative risk appetite and tolerance policies can lack the agility or innovation to exploit new business opportunities.
Conversely, risk appetite and tolerance policies can be dictated by legal, regulatory or industry requirements, and it may be appropriate to have no risk tolerance for failure to meet such mandates.

Risk appetite and tolerances should be defined, reviewed and updated periodically (as determined by the enterprise), and clearly communicated to all stakeholders. New market conditions, changing risk landscape, revised strategy and many other factors require the enterprise to reconfirm its risk appetite at regular intervals, triggering risk policy reviews. In this respect, the enterprise should understand that risk management can provide value to the enterprise by allowing it to pursue risk-inclusive strategies and optimize allocation of resources. Risk appetite and risk tolerance should be applied to all I&T-related decision making.

Risk Capacity

Risk capacity is typically defined as the objective magnitude or amount of loss that an enterprise can tolerate without risking its continued existence. As such, it differs from risk appetite, which generally reflects a board or management decision regarding how much risk is desirable, as illustrated in figure 2.6.

Figure 2.6—Risk Capacity, Risk Appetite and Actual Risk

Source: ISACA, COBIT® 5 for Risk, USA, 2013, figure 68, www.isaca.org/bookstore/cobit-5/wcb5rk

- The left diagram shows a relatively sustainable situation in which risk appetite is lower than risk capacity, and actual risk exceeds risk appetite in several situations, but always remains below the risk capacity.
- The right diagram shows a rather unsustainable situation, where risk appetite is defined by management at a level beyond risk capacity. Management is prepared to accept risk well over the objective capacity to absorb loss. As a result, actual risk routinely exceeds risk capacity, despite remaining below the risk appetite level most of the time.
Defining risk capacity and risk appetite at the enterprise level has benefits that include:

- Supporting and providing evidence of the risk-based decision-making processes
- Supporting the understanding of how each component of the enterprise contributes to the overall risk profile
- Showing how different resource allocation strategies can add to or lessen the burden of risk by simulating different risk response options
- Supporting the prioritization and approval process of risk response actions through risk budgets
- Identifying specific areas where a risk response should be made

2.4 Risk Stakeholders, Roles and Culture

2.4.1 I&T Risk Management Stakeholders

To be effective, an I&T-related risk management effort should hold as its principal goal the protection of the enterprise and its ability to meet its business objectives. To this end, I&T-related risk management must consider IT as an integrated component of the enterprise and target the protection of all assets and processes, not just those belonging to IT.

A stakeholder is anyone who has a responsibility for, an expectation from, or some other interest in, the enterprise. Stakeholders protect enterprise assets and their value, and minimize risk by establishing control objectives and establishing controls in an effort to achieve the business objectives of the enterprise. A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.

Stakeholders in the I&T risk management process include business management who determine what IT needs to do to support their business. This includes enterprise roles, business-line leaders and support functions (see figure 2.7).

Figure 2.7—I&T Risk Management Stakeholders

Across enterprises, the stakeholders for I&T risk management may differ in name and structure. Figure 2.8 describes typical enterprise roles that are involved in the management of I&T-related risk.
Figure 2.8—Stakeholders for I&T Risk Management
Role/Structure: Description
Board of Directors: Group of the most senior executives and/or nonexecutive directors accountable for governance and overall control of enterprise resources
Executive Committee: Group of senior executives appointed by the board to ensure that the board is involved in, and kept informed of, major decisions. (The executive committee is accountable for managing the portfolios of I&T-enabled investments and I&T-related services and assets, ensuring that value is delivered, and managing risk. The committee is normally chaired by a board member.)
Chief Executive Officer (CEO): Highest-ranking officer charged with the total management of the enterprise
Chief Financial Officer (CFO): Most senior official accountable for all aspects of financial management, including financial risk and controls and reliable and accurate accounts
Chief Operating Officer (COO): Most senior official accountable for operation of the enterprise
Chief Risk Officer (CRO): Most senior official accountable for all aspects of risk management across the enterprise (An I&T risk officer function may be established to oversee I&T-related risk.)
Chief Information Officer (CIO): Most senior official responsible for aligning IT and business strategies and accountable for planning, resourcing and managing delivery of I&T-related services and solutions
Chief Technology Officer (CTO): Most senior official tasked with the technical aspects of I&T, including managing and monitoring decisions related to I&T services, solutions and infrastructures (This role may be assumed by the CIO.)
Chief Digital Officer (CDO): Most senior official tasked with putting into practice the digital ambition of the enterprise or business unit (This role may be assumed by the CIO or another member of the executive committee.)
I&T Governance Board: Group of stakeholders and experts accountable for guiding I&T-related matters and decisions, including managing IT-enabled investments, delivering value and monitoring risk
Architecture Board: Group of stakeholders and experts accountable for guiding enterprise architecture-related matters and decisions and for setting architectural policies and standards
Enterprise Risk Committee: Group of executives accountable for the enterprise-level collaboration and consensus required to support enterprise risk management (ERM) activities and decisions (An I&T risk council may be established to consider I&T-related risk in more detail and advise the enterprise risk committee.)
Chief Information Security Officer (CISO): Most senior official accountable for all aspects of security management across the enterprise
Business Process Owner: Individual accountable for performing processes and/or realizing process objectives, driving process improvement and approving process changes
Portfolio Manager: Individual responsible for guiding portfolio management, ensuring selection of correct programs and projects, managing and monitoring programs and projects for optimal value, and realizing long-term strategic objectives effectively and efficiently
Steering Committee (Programs/Projects): Group of stakeholders and experts accountable for guiding programs and projects, including managing and monitoring plans, allocating resources, delivering benefits and value, and managing program and project risk
Program Manager: Individual responsible for guiding a specific program (including articulating and following up on goals and objectives of the program) and managing risk and impact on the business
Project Manager: Individual responsible for guiding a specific project, including coordinating and delegating time, budget, resources and tasks across the project team
Project Management Office: Function responsible for supporting program and project managers and for gathering, assessing and reporting information about the conduct of programs and constituent projects
Data Management Function: Function responsible for supporting enterprise data assets across the data life cycle and managing data strategy, infrastructure and repositories
Head Human Resources: Most senior official accountable for planning and policies regarding human resources in the enterprise
Relationship Manager: Senior individual responsible for overseeing and managing the internal interface and communications between business and I&T functions
Head Architect: Senior individual accountable for the enterprise architecture process
Head Development: Senior individual accountable for the I&T-related solution development process
Head IT Operations: Senior individual accountable for IT operational environments and infrastructure
Head IT Administration: Senior individual accountable for I&T-related records and responsible for supporting I&T-related administrative matters
Service Manager: Individual who manages the development, implementation, evaluation and ongoing maintenance of new and existing products and services for a specific customer (user) or group of customers (users)
Information Security Manager: Individual who manages, designs, oversees and/or assesses an enterprise’s information security
Business Continuity Manager: Individual who manages, designs, oversees and/or assesses an enterprise’s business continuity capability, to ensure that the enterprise’s critical functions continue to operate following disruptive events
Privacy Officer: Individual responsible for monitoring the risk and business impact of privacy laws and for guiding and coordinating the implementation of policies and activities that ensure compliance with privacy directives (In some enterprises, the role may be referenced as the data protection officer.)
Legal Counsel: Function responsible for guidance on legal and regulatory matters
Compliance: Function responsible for all guidance on external compliance
Audit: Function responsible for provision of internal audits
Source: Adapted from ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2019, Appendix B, www.isaca.org/bookstore/bookstore-cobit_19-digital/wcb19fgm

2.4.2 Risk Roles
The effectiveness of the risk management effort is often influenced by the positioning of the risk management function. Ideally, risk management should be a function with enterprise scope, able to reach into all parts of the enterprise and provide leadership, advice and direction. An effective risk management program provides a consistent way to manage risk and creates a risk process that serves as a foundation for risk management for all departments and business functions. The enterprise should establish three lines of defense: the first line managing risk; the second line guiding, directing, influencing and/or assessing risk; and the third line independently overseeing, reviewing and monitoring risk. Risk management may be applied to an entire enterprise as one or more formal risk management teams, or it may be practiced separately at each level of the enterprise or in regard to specific functions, projects and activities. Each function within the three lines of defense should be explicitly mapped to at least one of the roles in the RACI chart. A RACI chart illustrates individuals who are:
• Responsible (R) for managing the risk
• Accountable (A) for the risk management effort
• Consulted (C) and provide support and assistance to the risk management effort
• Informed (I) of the risk management effort but not necessarily involved in its execution
A RACI model often serves as a method to define and depict roles and responsibilities.
The purpose of a RACI model is to clearly show the relationships and interactions between the various roles. Ideally, only one person should be held accountable (assigned an A) for each key activity. This person should have the authority and resources required to successfully support the activity. Depending on the activity scope, responsibility may fall to one or more people. Depending on the enterprise’s industry, regulatory requirements may require responsibilities to be assigned to specific roles. Banking regulations, for example, require boards to be responsible for activities that may not receive such a high level of attention in another industry, and a business continuity leader may be responsible for specific activities because of financial market regulations. Figure 2.9 describes the components of a RACI model and figure 2.10 provides an example of a RACI chart.
Figure 2.9—RACI Model
Assigned Role and Responsibility: Description
Responsible: Individuals tasked with getting the job done, performing the actual work effort to meet stated objectives
Accountable: The single person liable or answerable for the completion of the task, who oversees and manages the person(s) responsible for performing the work effort, and who may also play a role in the project. Accountability for a particular task should be assigned to a specific person in order to be effective.
Consulted: Individuals who provide input data, advice, feedback or approvals. Consulted personnel may be from other departments, from all layers of the organization, from external sources or from regulators.
Informed: Individuals who are informed of the status, achievement and/or deliverables of the task but who are often not directly responsible for the work effort
Source: ISACA, CRISC Review Manual, 6th Edition, USA, 2015, figure 1.16, www.isaca.org/bookstore/crisc-exam-resources/crr6ed
Figure 2.10—Sample RACI Chart
Task | Senior Management | Steering Committee (Chair) | Department Managers | Risk Practitioner
Collect risk data | I | A | C | R
Deliver the risk report | I | A | I | R
Prioritize risk response | A | I | R | C
Monitor risk | I | A | R | C
Source: ISACA, CRISC Review Manual, 6th Edition, USA, 2015, figure 1.17, www.isaca.org/bookstore/crisc-exam-resources/crr6ed

2.4.3 Risk Culture
Risk culture is the set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed. A risk-aware culture:
• Begins at the top (board members and business executives set the direction, communicate risk-aware decision making and reward effective risk management behaviors)
• Promotes an open discussion of risk
• Ensures acceptable levels of risk are understood and maintained
Risk culture is not easy to describe. It consists of a series of behaviors, as shown in figure 2.11.
Figure 2.11—Risk Governance and Management Behaviors
General Enterprise Behavior
Has a risk- and compliance-aware culture throughout, including the proactive identification and escalation of risk: The enterprise defines an approach to risk management and risk appetite and establishes a policy of zero tolerance for noncompliance with legal and regulatory requirements.
Has defined policies that have been communicated and that drive behavior: All personnel understand and implement the requirements of the enterprise as defined in relevant policies.
Shows active receptivity towards raising issues and acknowledging negative outcomes: Whistle-blowers are regarded as positive contributors to the enterprise. The blame culture is avoided. Personnel understand the need for risk awareness and reporting of potential exposures.
Recognizes the value of risk: Personnel understand the importance of maintaining risk awareness and the value that managing risk adds to their roles.
Has a transparent and participative culture: Communication is open and facts are not omitted, misrepresented or understated. The negative impact of hidden agendas is avoided.
Shows mutual respect: Stakeholders and risk assessors are encouraged to collaborate, respected as professionals and treated as experts in their roles.
Accepts ownership of risk: Risk practices are incorporated throughout the enterprise. Accountability is clearly assigned and accepted. I&T-related risk is owned by the enterprise and not viewed solely as the responsibility of the IT department or IT risk function.
Allows risk acceptance as a valid option: Management understands the consequences of risk acceptance. Impact is determined to be within the enterprise’s risk appetite.
Risk Professional Behavior
Shows effort to understand what risk is for each stakeholder and how it impacts their objectives: Risk professionals understand the business impact of risk, including competitive, operational, regulatory and compliance requirements. Although risk may be common across a given industry, each enterprise is unique in terms of how risk affects its objectives.
Creates awareness and understanding of risk policy: Alignment of risk capacity, risk appetite and enterprise policy leads to effective risk strategy.
Fosters collaboration and two-way communication during risk assessment: Risk assessment is fundamentally accurate and complete, and addresses stakeholder needs.
Defines risk appetite clearly and communicates in a timely fashion with relevant stakeholders: Stakeholders manage risk more effectively and there is appropriate alignment with organizational strategy and objectives.
Sets policies that reflect risk appetite and risk tolerance: Employees and management operate within risk tolerance. Business lines apply formal risk appetite and tolerance to daily practice. There is a clear process for proposing and making changes to risk appetite levels, with senior management consideration and approval.
Supports effective risk practice: Stakeholders understand risk from a common portfolio view (product, process) and apply risk-based decision making to daily practice.
Uses KRIs effectively as an early warning: KRIs are associated with valid metrics and can be used as an indicator of process or control failure. KRI metrics are available and accessible for regular reporting and relate to objectives.
Acts promptly on the basis of risk indicators or events that fall outside of appetite and tolerance: Risk indicators are linked to the management risk response and remediation activities.
Management Behavior
Sets direction and demonstrates visible and genuine support for risk practices: Quality risk management practices are maintained through genuine support from senior management.
Engages with all relevant stakeholders to agree on actions and follow up on action plans: The correct stakeholders are appropriately involved in ensuring timely resolution of issues and achievement of business plans.
Obtains genuine commitment and assigns resources for execution of actions: Personnel are empowered to execute actions required by risk management decisions.
Aligns policies and actions to risk appetite: Management makes appropriate risk decisions in complying with policies. Risk-adjusted revenue aligns with management expectations.
Monitors risk and progress against action plans: Remediation plans are completed within expected business time frames and have a positive impact on enterprise objectives.
Reports risk trends to senior executives and board: The timely reporting of risk trends proactively manages risk and avoids lost opportunities.
Rewards effective risk management: Good risk practice is acknowledged. Employees’ performance goals and reward structures stimulate effective risk management practices and appropriate execution of mitigation actions.
Source: Adapted from ISACA, COBIT® 5 for Risk, USA, 2013, figure 26, www.isaca.org/bookstore/cobit-5/wcb5rk
The best indicator of the enterprise risk culture is how the enterprise handles risk. Risk culture reflects a balance between weighing the negative, positive and regulatory elements of risk. Risk culture includes:
• Behavior toward taking risk—What are the norms and attitudes towards risk-taking, identification of risk and analysis of risk?
• Behavior toward policy—Is policy something that exists but is not followed? Do policies drive behavior? Are policies easy to read, understand and follow?
• Behavior toward negative outcomes—How does the enterprise deal with negative outcomes, policy exceptions, loss events, cyberincidents, missed opportunities and incident investigations? Will it learn from them and try to adjust, or will blame be assigned without treating the root cause?
Symptoms of an inadequate or problematic risk culture include:
• Misalignment of actual risk appetite, stated tolerances and risk policies
• Failure to align risk policy with management direction and/or enterprise norms regarding compliance with policy
• Existence of a blame culture. This type of culture should be avoided, because it inhibits relevant and efficient communication.
In a blame culture, business units tend to point the finger at the IT department, or at each other, when projects are not delivered on time or do not meet expectations. In doing so, they fail to realize how the business unit’s involvement up front affects project success. In extreme cases, the business unit may assign blame for failure to meet expectations that it never clearly communicated. Blame diminishes effective communication across units, further exacerbating delays. Executive leadership must identify and quickly rectify a blame culture to foster collaboration throughout the enterprise.

2.5 Risk Communication, Policy, Scope and Workflow

2.5.1 Risk Communication
Risk communication plays a key role in defining and understanding the risk culture of an enterprise. Communication is important because it removes the uncertainty and doubts concerning risk management. If risk is to be managed and mitigated, it must first be discussed and effectively communicated to the various stakeholders and personnel throughout the enterprise in ways that are appropriate for their respective roles.
The benefits of open communication on risk include:
• More informed risk decisions by executive management due to an improved understanding of actual exposure and potential business impact
• Greater awareness among all stakeholders of the importance and value of integrating risk management into their daily duties
• Transparency to external stakeholders regarding both the actual levels of risk facing the enterprise and the risk management processes in use
The consequences of poor communication on risk include:
• A false sense of confidence at all levels of the enterprise and unintentional acceptance, due to ignorance, of risk that exceeds the enterprise’s risk appetite
• Lack of direction or strategic planning to mandate risk management efforts
• Unbalanced communication of risk to external stakeholders, potentially leading to incorrect and negative perceptions by third parties such as clients, investors and regulators
• The perception that the enterprise is trying to hide risk from stakeholders
Establishing clear lines of communication for risk reporting is an important element of risk management. Figure 2.12 provides a description of the type of I&T-related information that should be shared and discussed.
Figure 2.12—Risk Communication
Type: Description
Expectations from risk management: Risk strategy, policies, procedures, awareness training and continuous reinforcement of principles. This is essential communication regarding the enterprise’s overall strategy toward I&T risk. It:
• Drives all subsequent efforts on risk management
• Sets the overall expectations about the risk management program
Current risk management capability:
• Allows for monitoring of the state of risk management in the enterprise
• Is a key indicator for good risk management
• Has predictive value for how well the enterprise is managing risk and reducing exposure
Status: Includes the actual status with regard to I&T-related risk, including information such as:
• The risk profile of the enterprise (i.e., the overall portfolio of [identified] risk to which the enterprise is exposed)
• Key risk indicators (KRIs) to support management reporting on risk
• Event/loss data
• The root cause of loss events
• Options to mitigate risk (including cost and benefits)
Source: ISACA, CRISC Review Manual, 6th Edition, USA, 2015, figure 1.6, www.isaca.org/bookstore/crisc-exam-resources/crr6ed
The involvement of stakeholders in the risk management process provides many benefits to the enterprise. Figure 2.13 depicts some of the core benefits derived from active involvement by both internal and external participant groups.
Figure 2.13—Stakeholder Communication About Risk
Role: Benefits
Boards and executive management: An improved understanding of I&T risk management roles and responsibilities, of how I&T-related risk applies to strategic objectives and of how risk management can be better used to reduce the risk incurred in strategic moves
Enterprise risk managers: Increased assistance managing I&T-related risk following established ERM principles
Operational risk managers: An increased understanding of the links between operations and I&T-related risk, as well as improved identification of key operational losses and development of key risk indicators (KRIs)
IT management: Improved identification, management and communication of I&T-related risk to business decision makers
IT service managers: An improved understanding of operational I&T-related risk, an important component of an overall I&T risk management framework
Business continuity managers: Improved alignment with enterprise risk management, as risk is a central component of continuity management responsibility
IT security managers: Better positioning of security risk in relation to other I&T-related risk
CFOs: An improved understanding of I&T-related risk and its significance in investment and portfolio management
Enterprise governance officers: More informed monitoring and reviewing of I&T governance roles and responsibilities
Business managers: Improved understanding of the management of I&T-related risk toward alignment of all types of business risk
IT auditors: More detailed analysis of risk, improving audit plans and reports
Regulators: More informed assessment of an enterprise’s approach to I&T risk management
External auditors: Improved view of I&T-related risk levels when assessing the quality of an enterprise’s internal control
Insurers: Support in establishing adequate insurance coverage and establishing agreement on I&T risk levels
Rating agencies: A reference for assessing and objectively rating an enterprise’s treatment of I&T-related risk in collaboration with insurers

2.5.2 Risk Policy
Risk management requires that policies be part of an overall governance and management framework, providing a (hierarchical) structure into which all policies should nest and provide support to the
underlying principles. As part of including risk management norms or conditions in the enterprise policy framework, the following items should also be described in risk policies:
• Scope and authority, tied to risk appetite or tolerance statements
• Roles and responsibilities of the stakeholders
• The consequences of failing to comply with the policy
• The means for handling exceptions
• The manner in which compliance with the policy will be checked and measured
Policies should be aligned with the enterprise risk appetite. Policies are a key component of the enterprise system of internal control, whose purpose is to ensure that an enterprise meets its stated objectives. As part of risk governance activities, the enterprise risk appetite is defined, and this risk appetite should be reflected in the policies. This is not meant to suggest that risk appetite or risk tolerance statements be embedded into policy documents; rather, the policies need to be aligned with the risk-taking culture of the enterprise. Policies need to be revalidated and updated at regular intervals to ensure relevance to business requirements and practices. Policies provide detailed guidance on how to put principles into practice and how they will influence decision making. Not all relevant policies are written and owned by the IT, information security, information privacy or risk function. Different types of risk policies are presented in figure 2.14.
Figure 2.14—Risk Policy Types
Policy: Description
Core IT risk policy: Defines, at strategic, tactical and operational levels, how the risk of an enterprise needs to be governed and managed pursuant to its business objectives. This policy translates enterprise governance into risk governance principles and policy and elaborates risk management activities.
Information security policy: Sets behavioral guidelines for protecting corporate information and the associated systems and infrastructure. The business requirements regarding security and storage are more dynamic than IT risk management, so, for effectiveness, their governance needs to be handled separately from the governance of IT risk. However, for operational efficiency, it is necessary to keep the information security policy in sync with the IT risk policy.
Crisis management policy: As with IT security, network management and data security, IT crisis management is one of the operational-level policies that needs to be considered for complete IT risk management. It sets the guidelines on how to act in situations of crisis and details the sequence in which to deal with each of the identified (key) areas of risk.
Third-party IT service delivery management policy: Sets guidelines for managing risk related to third-party services. It sets out a framework of expectations regarding the behavior and security precautions taken by third-party service providers to manage the risk related to the service provision.
Business continuity policy: Contains management commitment and view on:
• Business impact analysis (BIA)
• Business contingency plans with trusted recovery
• Recovery requirements for critical systems
• Defined thresholds and triggers for contingencies
• How to handle escalation of incidents
• Disaster recovery plan (DRP)
• Training and testing
Program/project management policy: Deals with managing risk linked to projects and programs. It details the management position and expectations regarding program and project management. Moreover, it handles accountability, goals and objectives regarding performance, budget, risk analysis, reporting and mitigating adverse events during the execution of programs and projects.
Human resources (HR) policies: Detail what employees can expect from the enterprise and what the enterprise expects from employees. They describe in detail acceptable and unacceptable behavior by employees, and, in doing so, manage the risk that is linked to human behavior.
Fraud risk policy: Is concerned with protecting the enterprise brand, reputation and assets from loss and/or damage resulting from incidents of fraud and/or misconduct. The policy provides guidance to all employees on reporting any suspicious activity and on ways to handle sensitive information and evidence. It helps to build an anti-fraud culture and raise awareness of the risk.
Compliance policy: Explains the assessment process regarding compliance with regulatory, contractual and internal requirements. It lists roles and responsibilities for the different activities in the process and provides guidance on metrics to be used to measure compliance.
Ethics policy: Defines the essentials of how people within an enterprise will interact with each other, as well as how they will interact with any customers or clients they serve.
Quality management policy: Details the management vision on the quality objectives of the enterprise, the acceptable level of quality and the duties of specific departments to ensure quality.
Service management policy: Provides direction and guidance to ensure the effective management and implementation of all information technology services to meet business and customer requirements, within a framework of performance measurement. It also deals with management of risk related to IT services. Detailed guidance on service management and the optimization of risk related to services is included in the ITIL V3 framework.
Change management policy: Communicates management intent that changes to the enterprise information technology be managed and implemented in a way that minimizes risk and impact to the stakeholders. The policy contains information on the assets in scope and the established standard change management process.
Delegation of authority policy: Details:
• The authority that the board strictly retains for itself
• The general principles of delegation of authority
• A schedule of the delegation of authority (including clear boundaries)
• A clear definition of the organizational structures to which the board delegates its authority
Whistle-blower policy: Should:
• Encourage employees to raise concerns and questions
• Provide avenues for employees to raise concerns in full confidence
• Ensure employees will receive a response to raised concerns and be able to escalate a concern if they are not satisfied with the response
• Reassure employees that they are protected when they raise issues and should not be afraid of reprisals
Internal control policy: The purpose is to:
• Communicate management internal control objectives
• Establish standards for the design and operation of the enterprise system of internal controls to reduce the exposure to all risk faced by the enterprise
Intellectual property (IP) policy: The purpose is to ensure that all risk related to the use, ownership, sale and distribution of the outputs of IT-related creative endeavors by employees of the enterprise, e.g., software development, is detailed in an appropriate way, from the start of any endeavor.
Data privacy policy: A statement or document that discloses the ways that a party gathers, uses, discloses and manages personal data. Personal information can be anything that can be used to identify an individual, including but not limited to name, address, date of birth, marital status, contact information, ID issue and expiry date, financial records, credit history, medical history, travel destination, and intentions to acquire goods and services. The policy defines how an enterprise collects, stores and releases the personal information that it collects. The policy informs the client of the specific information that is collected and whether it is kept confidential, shared with partners, or sold to other firms and enterprises. Furthermore, the policy ensures compliance with relevant legislation related to data protection.
Source: ISACA, COBIT® 5 for Risk, USA, 2013, figure 16, www.isaca.org/bookstore/cobit-5/wcb5rk

2.5.3 Risk Scope
The selection of items included in the risk activities is generally based on understanding the full risk universe and then selecting the specific part of the enterprise to which the risk activities will be applied. This is often called risk scoping. Risk management requires that the scope of the risk landscape, or risk universe, is set and that the criteria against which the identified risk will be assessed or evaluated are defined. Risk management starts with understanding the enterprise and how it is influenced by the environment, or context, in which it operates. This is particularly true of enterprises that operate in a single sector of the economy, such as financial services, manufacturing or healthcare, because there is a heavy dependency on many of the same supply chains. The scope should be determined within the context of the enterprise objectives. Defining an initial, preliminary scope for risk management activities can be done using a high-level evaluation of the overall I&T-related risk that the enterprise faces. The outcome of the risk scoping activity is used to focus and prioritize more-detailed risk management activities, and:
• Allows identification of the potential high-impact risk areas throughout the enterprise
• Provides an overview of major risk factors to which the enterprise is subject, whether or not it has the ability to influence those factors
• Gathers data on any overarching compliance, regulatory, privacy or other obligations (e.g., GDPR, HIPAA or country-specific regulations) or contractual obligations that commit the enterprise to specific risk management activities
• Provides first indications of major risk scenarios, which is an important input to the scenario-building phase of the more-detailed risk analysis activities to be performed at a later stage
The enterprise risk scoping activity may need to be repeated on a periodic basis; this can be a simple annual confirmation of earlier results if no major changes occurred in any of the risk factors. If major changes (e.g., mergers, new markets) occur to the enterprise, the scoping activity should be refreshed. In stable environments, a yearly update or confirmation of the preliminary scope is recommended. Periodically evaluate risk activities to ensure that the most important assets and services are in scope. Some enterprises start with high-value assets that support the most critical business lines, processes or products, or critical services, and then expand the scope as the risk management capability matures. Data to collect in the scoping activity include:
• The units or subunits, business processes or services, and geographic locations that will be subject to risk management activities
• Impact criteria, e.g., potential consequences of realized risk, and the risk appetite and risk tolerance statements of the enterprise
• Current scoring, severity ratings, or other risk measurement or metrics criteria that are used across the enterprise
• Expected depth and breadth of the risk management activities
• The defined areas that will be subject to reporting and analysis requirements
• The current risk profile of the enterprise, if one exists
• Risk and control self-assessments that may have been completed
• Audit or compliance priorities
An enterprise I&T-related risk scoping exercise should involve all major stakeholders of the enterprise.
2.5.4 Risk Management Workflow

I&T risk management is a cyclical process that includes the:
- Context of risk management: where risk is positioned in the context of the enterprise mission, strategy and objectives, and where value-added activities are considered as part of the overall risk management process.
- Identification of I&T-related risk: includes identifying assets subject to risk, common risk factors and areas of concern, and the process of identifying and documenting risk. The risk identification effort should result in the listing and documentation of risk.
- Assessment of I&T-related risk: the effort to assess and prioritize risk, including the development of risk scenarios.
- Analysis of I&T-related risk: includes qualitative assessment or quantitative analysis to estimate the frequency and impact of the risk scenarios and business impact, taking into account the risk factors.
- Response and mitigation of I&T-related risk: seeks and implements cost-effective ways to address the risk that has been identified, assessed and analyzed. This step should be performed in cooperation with the relevant owners.
- Monitoring, reporting and communicating of I&T-related risk: controls, risk management efforts and the current risk state are monitored, and the results are reported back to senior management.

The process repeats as the risk environment changes, which may occur as a result of internal or external factors. Figure 2.15 shows the risk management workflow steps. The steps in the diagram are not necessarily performed sequentially. Each enterprise should develop a workflow that supports the most efficient and effective means to perform these steps.

Figure 2.15—Risk Management Workflow
Source: Adapted from ISACA, Getting Started With Risk Management, USA, 2018, figure 2, www.isaca.org/bookstore/bookstore-wht_papers-digital/whpgsr

2.6 Summary of Terminology

It is important to recognize and understand I&T-related risk terminology.
The following terms were introduced in this chapter (figure 2.16).

CHAPTER 2—RISK GOVERNANCE AND MANAGEMENT

Figure 2.16—Chapter 2 Terminology

Term: Description

Control objective: A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process

Governance: Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives

I&T risk governance and management: The implementation of a risk strategy that reflects the culture, appetite and tolerance levels of enterprise management, considers technology and budgets and addresses the requirements of regulation and compliance

RACI chart: Illustrates who is Responsible, Accountable, Consulted and Informed within an enterprise framework

RACI model: A method to define and depict roles and responsibilities

Risk appetite: The amount of risk, on a broad level, that an enterprise or other entity is willing to accept in pursuit of its mission (or vision) and the achievement of business objectives

Risk capacity: The objective magnitude or amount of loss that an enterprise can tolerate without risking its continued existence

Risk culture: The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed

Risk governance: Sets the direction and strategy of risk management efforts, defines risk culture and acceptable levels of risk, makes risk-aware business decisions and ensures that the risk management function is operating effectively to identify, manage, monitor and report on current and potential risk facing the enterprise

Risk management: The coordinated activities to direct and control an enterprise with regard to risk

Risk scope: The selection of items included in the risk activities based upon understanding the full risk universe and then down-selecting the specific part of the enterprise to which the risk activities will be applied

Risk statement: A description of the current conditions that may lead to the loss; and a description of the loss. Source: Software Engineering Institute (SEI)

Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

Risk universe: Encompasses the overall risk environment, defines the areas risk management activities will address and provides a structure for I&T-related risk management

Stakeholder: Anyone who has a responsibility for, an expectation from or some other interest in the enterprise

Chapter 2 Knowledge Check

Review questions are provided as a means to support the content presented within this study guide and serve as a gauge or assessment of knowledge of I&T-related risk topics. One question is provided for each topic. For individuals intending to earn the ISACA IT Risk Fundamentals Certificate, these questions are written to depict the type of questions that may appear on the exam. These questions will not specifically appear on the exam, but similar ones may.

REVIEW QUESTIONS

1. Which of the following approaches to risk governance could result in an enterprise not taking risk that unintentionally exposes other parts of the enterprise?
   A. Establishing a risk governance function to oversee the operations of risk management activities.
   B. Enforcing a departmental approach to risk where each department manages risk independently of other departments.
   C. Making risk decisions only after evaluating the full range of opportunities and consequences of each decision and its impact on the enterprise.

2. The effective governance and management of I&T-related risk requires that risk responses are implemented and prioritized:
   A. According to the ease of developing new controls over considering existing controls.
   B. Based on a cost/benefit analysis or where there can be the greatest impact.
   C. Independent of the enterprise-stated risk appetite and risk tolerance.

3. The amount of risk that an enterprise is willing to accept to achieve its business objectives is commonly known as its:
   A. Risk capacity
   B. Risk tolerance
   C. Risk appetite

4. A risk aware culture:
   A. Ensures that acceptable levels of risk are understood and maintained.
   B. Restricts a discussion of risk to only those responsible for managing risk.
   C. Allows business units to voice their complaint when other business units are not meeting expectations.

5. Risk scoping is used to focus risk management activities on:
   A. The full risk universe that an enterprise is subject to.
   B. Potential high-impact risk areas throughout the enterprise.
   C. Only risk that the enterprise has an ability to influence.

Answers on page 68

Chapter 2 ANSWER KEY

Review Questions

1. A. As part of establishing and maintaining a common view of risk, the risk governance function must oversee the operations of the risk management team.
   B. Taking a departmental approach to risk could lead to unacceptable consequences. Understanding that risk in one department or system may pose an unacceptable risk to another department or system requires the integration of risk management into the enterprise.
   C. In order to make risk-aware decisions, the risk governance function must consider the full range of opportunities and consequences of each risk-related decision and its potential impact on the enterprise.

2. A. As part of establishing and maintaining a common view of risk, the risk governance function must oversee the operations of the risk management team.
   B. An effective risk strategy should include a proper balance between cost and benefits. Therefore, risk responses should be implemented on the basis of cost/benefit analysis, analysis of alternatives and prioritization of risk that has the greatest potential impact on enterprise objectives.
   C. I&T-related risk should be prioritized and addressed in line with risk appetite and risk tolerance.

3. A. Risk capacity is the amount of loss that an enterprise can tolerate without risking its continued existence. Risk capacity differs from risk appetite, which generally reflects a board or management decision regarding how much risk is desirable.
   B. Risk tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives, i.e., the acceptable deviation from the level set by the risk appetite and business objectives.
   C. Risk appetite is the amount of risk an enterprise or other entity is willing to accept in pursuit of its mission (or vision) and the achievement of business objectives.

4. A. A risk aware culture ensures acceptable levels of risk are understood and maintained.
   B. A risk aware culture promotes an open discussion of risk.
   C. A risk aware culture should avoid blame, because it inhibits relevant and efficient communication and fails to foster collaboration throughout the enterprise.

5. A. Although risk scoping requires a full understanding of the full risk universe that an enterprise is subject to, it represents selecting or focusing on the specific risk areas to which the risk activities will be applied.
   B. The outcome of a risk scoping activity is used to focus and prioritize more detailed risk management activities on potential high-impact risk areas throughout the enterprise.
   C. Risk scoping provides an overview of major risk factors to which the enterprise is subject, whether or not it has the ability to influence those factors.