Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CRISC Cards - Sybex 2023 > CRISC Domain 1 - A through H > Flashcards

CRISC Domain 1 - A through H Flashcards

Domain 1 - Riks Identification, Assessment and Evaluation

1
Q

Definition of Risk

A

Risk reflects the combination of the likelihood of events occuring and the impact those events have on the enterprise

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Risk contains

A
  • Opportunities for benefit (upside)

Threats to success (downside)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are the guiding principles for effective risk management

A
  • Maintain focus on the business mission, goals and objectives
  • Integrate IT risk mgt into enterprise risk mgt (ERM)
  • Balance the costs and benefits of manaing risk
  • Promote fair and open communication
  • Est tone at the top and assign personal accountability
  • Promote continuous improvement as part of daily activities
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Definition of Management

A
  • Mgmt entails the judicious use of means (resources, people, processes, practices, etc) to achieve an identified end
  • Often differentiated from governance as the distinction between being “committed” (governance) and “involved” (management)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Explain Management

A
  • Mgmt is responsible for execution within the direction set by the guiding body or unit
  • Mgmt is about planning, building, organizing and controlling operational activities to align with the direction set by the governance body
  • Mgmt is a means or instrument by which the governenace body achieves a result or objective
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Definination of Risk Mgmt

A

Risk Mgmt is the identification, assessment and prioritization of risk folled by coordinated and economical application of resources to minimize, monitor and control the probablility and/or impact of adverse evtnes or to maximize the realization of opportunities

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Explain Responsibilities and Accountability for Risk Mgmt

A
  • Responsibilitiey belongs to those whom must ensure that the activities are completed successfully
  • Accountability applies to those individuals, groups, or entities that are ultimately responsible for the subject matter, process or scope
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Explain Risk Governance

A
  • Risk governance address the oversight of the business risk mgmt strategy of the enterprise
  • Risk governance is the domain of senior mgmt and the shareholders of the enterprise
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Who establishes and responsible for the risk governance? Explain

A
  • Senior mgmt and shareholders
  • They establish the enterprise’s risk culture and the acceptable levels of risk
  • They set up the mgmt framework
  • They ensure that the risk mgmt function is operating effectively to identify, manage, monitor, and report on current and potential risk facing the enterprise
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Define Governance

A
  • Governance is a system referring to all the means and mechanisms that enable multiple stakeholders in an enterprise to have an organized say in evaluating conditions and options
  • Setting direction
  • and monitoring compliance, performance and progress against plans to satisfy specific enterprise objectives
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Definition of Risk Governance

A
  • Risk governance is a strategic business function that ensures:
  • risk mgmt activieis align with the enterprise’s loss capacity
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are the objectives of risk governance

A
  1. Est and maintain a common risk view
  2. Integrate risk management into the enterprise
  3. Make risk-aware business decisions
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

To effectively govern enterpirse and IT risk there must be an:

A
  • Understanding and consensus with respoect to the risk appetite and risk tolerance of the enterprise
  • Awareness of risk and the need for effective communication about risk throughout the enterprise
  • Understanding of the elements of risk culture
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What’s the definition of risk appetite

A

The broad-based amount of risk that a company or entity is willing to accept in pursuit of its mission (or vision)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What’s the definiiion of risk tolerance

A

The acceptable variation relative to the achievement of an objective (often bbest measured in the same units as those used to measure the related objective)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are the major factors influencing risk appetitie

A
  • the enterprise’s objectrive capacitiy to obsorb lost, e.g., financial loss, reputation damage
  • The (management) culture or predispostion toward risk taking - cautious or agressive
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What are the risk appetite bands and definitions

A

Really unacceptable - indicates really unacceptable risk. The enterprise est that this level of risk is far beyond its normal risk appetite. Any risk in this band may trigger an immediate risk response

  • Unacceptable - indicates elevated risk; also above acceptable risk appetite. The enterprise may, as a matter of policy, require mitigation or another edequate response to be defined within certain time boundaries
  • Acceptable - indicates a normal, acceptable level of risk, usually with no special action required, except for maintaining the current controls or other responses
  • Opportunity - indicates very low risk, in which cost-saving opportunities may be found by decreasing the degree of control or in which opportunities for assuming more risk may arise
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Define Risk Tolerance

A

The acceptable deviation from the level set by the risk appetite and business objectives

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are the guidelines for risk appetite and risk tollerance

A
  • Risk appetite and risk tolerance must connect
  • Exceptions to risk tolerance stds must be reviewed and approved
  • Risk appetite and tolerance change over time
  • Cost of risk mitigation options can affect risk tolerance
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Definition of risk culture

A

The shared values and beliefs that govern the attitudes and behaviors toward risk taking, care and integrity, and determines how openly risk and losses are reported and discussed

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Definition of Framework

A

A framework is a generally accepted, business-process-oriented structure that establishes a common language and enables repeatable business processes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Definition of Standard

A

A standard establishes mandatory rules, specifications, and metrics used to measure compliance against quality, value, etc

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What are standards intended for

A
  • Compliance purposes and to provide assurance to others who interact with a process or outputs of a process (e.g., food and drug qualilty)
  • To be implemented in a rigid way and to minimize the number of deviations based on a cost-benfit analysis.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

When should deviations from the standard be granted

A

Should only be granted on an “exception” basis and should follow a defined approval process

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Definition of a Practice and Leading Practices
- Practice is a frequent or usual action performed as an application of knowledge - Leading practice is defined as an action that optimally applies knowledge in a particular area
26
Practices are issued by? and they may include
- A recognized authority that is appropriate to the subject matter - Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors
27
Why do frameworks, standards, and practices matter
- Provide a systematic view of "things to watch" that could result in harm to customers or an enterprise - Act as a guide to focus efforts of diverse teams - Save time and costs, such as training costs, operational costs and performance improvement costs - Help achieve business objectives more quickly and easily - Provide creditiability to engatge functional (CFO) leadership
28
What is risk identification
The process of determining and documenting the risk that an enterprise faces
29
What is the identification of risk based on
The recognition of threats, vulnerabilities, assets and controls in the enterprise's operational environment
30
What is risk assessment
A process used to identify and evaluate risk and its potential effects
31
What is risk evaluation
The process of comparing the estimated risk against given risk criteria to determine the significance of this risk
32
Definition of Frequency
A measure of the rate by which events occur over a certain period of time
33
Definition of Magnitude
A mearus of the potential severity of loss or the potential gain from a realized IT event/scenario
34
Definition of Risk Aggregation
The process of integrating risk assessments at a corporate level to obtain a complte view of the overall risk for the enterprise
35
Definition of Risk Analysis
A process by which frequency and magnitude of IT risk scenarios are estimated
36
Definition of IT Risk
The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise
37
Effective risk identification, assessment and evaluation involves
- Collecting data on: - The enterprise's operating environment (internal/external) - Risk Events - Identifiying risk factors (internal/external) - Analyzing and estimating risk - Identifying business process resilience level, including the related IT services and supporting assets
38
What are the three IT Risk Categories
- IT benefit/value enablement risk - IT program and project delivery risk - IT operations and service deiivery risk
39
Define IT benefit/value enablement risk
Associated with (missed) opportunities to use technology to improve efficiency or effectiveness of business proceses or as an enabler for new business initiatives
40
Define IT program and proejct delivery risk
Associated with the contribution of IT to new or improved business solutions, usually in the form or projects or programs
41
Define It operations and service delivery risk
Associated with the performance of IT systems and services, which can bring destruction or reduction of vlaue to the enterprise
42
What are the high-evel phases of risk identification, assessment and evaluation
1. Collect data 2. Analyze Risk 3. Maintain Risk Profile
43
What are some methods used to collect risk data
- Interviews - Questionnaires and surveys - Facilitated workshops - Observations - Testing
44
Definition to Risk Scenario
A description of an event that can lead to a business impact, when, and if, it should occcur
45
Risk scenario analysis is a technique used to
- Describe risk in a more concrete and tangible manner | - Allow for proper risk assessment and analysis
46
What are the approaches to Risk Scenario Development? Explain each
- Top-down approach: From the overall business objectives, an analysis of the most relevent and probable IT risk scenario impacting the business objectives is performed - Bottom-up approach: A list of generic scenarios is used to define a set of more concrete and customized scenarios, which are then applied to the individual enterprise situation
47
What drives the top-down risk scenario development approach and when is it most beneficial
Business objectives drives the approach; thus, the approach is unique to ea enterprise -The approach is most beneficial in ensuring that the risk scenarios remain relevant and linked to real business risk
48
What benefit is it to use generic risk scenarios in Risk Scenario Development
- Helps ensure that tno risk are overlooked | - Provides a comprehensive and complete view of IT risk
49
What are the steps in the bottom-up risk scenario development
1. Using a list of generic risk scenarios, define a set of concrete risk scenarios for the enterprise 2. Perform a vallidation against the business objectives of the entity 3. Refine the selected scenarios based on this validation, and detail them to a level in line with the criticality of the entity 4. Reduce the number of scenarios to a managable set 5. Keep all risk factors in a register so that they can be reevaluated in the next iteration and included for detailed analysis if they have become relevant at that time 6. Include in the scenarios an unspecified event - how to address an incident not covered by other scenarios
50
What are the Risk Scenario Components
1. Actor 2. Threat type 3. Event 4. Asset (tangible and intangible) 5. Timing dimension
51
When should a Risk Assessment be performed
At least on an annual baiss or when important internal or external changes occur
52
What is a Risk Register and what does it record?
- Also known as a risk log, it is a listing of all risks identified for the enterprise - It records: - All known risk - Priorities of risk - Likelihood of risk - Potential risk impact - Status of the risk mitigation plans - Contingency plans - Onwership of risk
53
What are the preequisites for developing a manageable set of risk scenarios
- Organizational buy-in or support from enterprise entities and business lines, risk management, IT, finance, compliance and other parties - Expertise and experience to not overlook relevant scenarios and not be drawn into highly unrealistic or irrelevant scenarios - A thourough understanding of the environment - The involvement of all stakeholders
54
What is Systemic Risk
Something that happens with an important business partner that affects a larrge group of enterprises within an area or industry
55
What is Contagious Risk
Events that happen at several of the enterprise's business partners within a very short time frame
56
What considerations must be required under Obscure or non-Historical Events
- Visibility: Be in a postion that it can be observe anything going wrong - Recognition: Have the capability to recognize an observed event as something that is going wrong
57
Definition of Risk Factors
Those features that influence the likelihood and/or business impact of risk scenarios
58
Name the Threats
- Internal and External - intentional or accidental - Skilled or amateur - Motivated or curious - Natural or man-made, - Physical or related to equipment or utility failrures
59
Define External Risk factor
Those circumstances that can increase the likelihood or impact of an event and that are not always directly controllable by the enterprise
60
Name the External Factors
- Market/economy - Rate of change in the market - Competition - Geopolitical situation - Regulatory environment - Technology innovation and evolution
61
Risk Assessment involves what two specific requirements
- Risk Identification | - Risk Analysis
62
What is Risk Monitoring
The process that systematically tracks and evaluates the performance of risk mitigation actions
63
The Risk Management structure involves
- Planning, - Assessment (identification-analysis), - Handling, - Monitoring and - Mitigation
64
Threats are characterized as:
Those that are Imminent; those that are Emerging; those that are Consistent and those that are Persistent.
65
What is Delphi
Is a security risk assessment and information gathering technique that uses the consensus of subject matter experts to determine mission risk
66
Quantitative Risk Assessment is
A process used to analyze numerically the probability of each risk and its consequence on mission objectives.
67
What techniques are used in Quantitative Risk Assessment
interviewing, sensitivity analysis, decision tree analysis, and simulation
68
Qaulitative Risk Analysis is
the process of assessing the impact and likelihood of identified risks. What is the the probability and likelihood that the risk will occur and what is the consequence to mission objectives
69
What are the NIST recommended steps for Risk Assessment Methodology
1. System characterization 2. Threat Identification 3. Vulnerbility Identification 4. Control Analysis 5. Liklihood Determination 6. Impact Analysis 7. Risk Determination 8. Control Recommendations 9. Results Documentation
70
What are the challenges of Qaulitative Risk Analysis
- Subjectivity or bias in data collected - Overemphasis on minor events - Does not provide good data for cost-benefit analysis - Ranking levels may not be meaningful to data providers
71
What are typical Qualitative RA Methods
- Risk Control Self-assessment (RCSA) - Scorecards - Key risk indicators (KRI) - Liklihood impact matrix - Attribute analysis - Delphi forecasting
72
Benefits of Quantitative Analysis
- Allows for: - Data to be classified and counted - Statistical models to be contructed to explain what is being observed - Findings to be generalized to a larger population and direct comparison between two different data sets - Produces statically reliable results - Allows discovery of phenomena likely to be geniune vs merlely chance occurances
73
Quantitative Analysis is
The use of numerical and statistical techniques to calculate liklihood and impact of risk
74
Challenges of Quantitative Analysis
- It is not always easy to collect data on ea and every process - Data may not be in the desired format or may not meet the needs of quant analysis - Reliable historical data are not always avail for analysis - Past data do not necessarily help predict future events (black swan phenom) - It is difficult to apply statistical models for events that happen infrequently - The cost is generally signficantly higher than the cost of qualitative analysis
75
What are typical Quantitative RA Methods
- Internal Loss Data - External Data - Business Process Modeling (BPM) and simulation - Statistical process control (SPC)
76
Methods for Uncovering Less Obvious Risk Factors
- Cause-and-Effect analysis - Fault Tree analyisis - Sensitivity analysis
77
What is a key business continuity planning (BCP) activity that focuses on determining the impact of an event over time
- Business Impact Analysis
78
Definition of Business Impact Analysis
A specialized process to determine the impact of losing the support of any resource
79
A BIA discovery process is meant to
- Reveal the importance of a process and the potential impact that any disruption to that process would have on the enterprise - Est the escalation of loss over time - Answer questions about actual procedures, shortcuts, workarounds and the types of failures that may occur
80
In BIA, when answering questions about actual procedures, shortcuts, workarounds and the types of failures that may occur. What does it involve
- What the process does - Who performs the process - What the output is - The value of the process output to the enterprise - How the impact of the loss would escalate over time and at which point failure of the process might threaten the viability of the enterprise
81
Proper execution of the BIA process entails what? What does it include?
- Series of discovery exercises. - Includes: Asking questions that focus on identifying trigger events - Interviewing key personnel - Reviewing existing documentation - Collecting data by observiing business processes and personnel performing actual processes - Looking for existing workarounds and alternate procedures
82
Using surveys in the BIA process can do what?
Raise issues of accuracy and consistency
83
True or False: The data gathered during the BIA can be used later to guide the formulation of the risk response strategy
True
84
What process verifies critical success factors (CSFs)
BIA
85
The strategic importance of IT to the modern enterprise is seen through:
- High investment - Pervaisiveness of IT - Relience on IT's continuing operation - Impact caused when IT does not perform as expected - IT's critical role in realizing efficiences - Ways in which IT enables business to take strategic action
86
Why is monitoring and reporting on risk made difficult?
There is no shared language between those estimating the risk and those making risk response decisions
87
What is critical for understanding where there are threats and vulnerabilities and where there are opportunities?
Clarity in defining the business impact (both positive and negative) of IT-related risk
88
Definition of Risk as a derived value
- Refers to the liklihood (or frequency) and magnitude of loss that exists from a combination of assets, threats, and control conditions
89
Define Threat
An action or actor that/who may act in a manner that can result in loss or harm
90
Define Vulnerability
A weakness in design, implementation, operation or internal control
91
The adverse impact of a risk event can be described in terms of loss or degredation of any or a combination of the following three basic IT risk goals:
- Integrity - Availability - Confidentiality
92
Define Integrity
Relates to the accuracy and completeness of information and its validity in accordance with business values
93
What IT risk goal refers to the requirement that information be protected from improper modification
-System and data integrity
94
What is Loss of Integrity
- Unauthorized changes are made to the data or information system by either intentional or accidental acts
95
What's the impact of Loss of Integrity
- Continued use of the contaminated system or corrupted data may result in inaccuracy, fraud or erroneous decisions - Violation of integrity may be the firest step in a successful attack against system availability and confidentiality
96
Define Availability
Relates to the information being accessible, when requiredby the business process, and also concerns the safegaurding of necessary resources and associated capabilities
97
What is Loss of Availabiity
A mission critical IT system is unavailable to its end users and the enterprise's objectives may be effected
98
What is the impact of Loss of Availabiity
Loss of system functionality and operational effectiveness may result in loss of productive time, thus impeding the end user's performance of their functions in supporting the enterprise's objectives
99
Define Confidentiality
Relates to the protection of information from unauthorized disclosure
100
Data must be protected from improper disclosure depending on
The sensitivity of the data and associated legal requirements
101
What is Loss of Confidentiality
Unauthorized disclosure of confidential or sensitive information
102
What is the Impact of Loss of Confidentiality
- Range from jeapordizing national security to the disclosure of data covered under the local privacy law - Unauthorized, unanticipated or unintentional disclosure of such information can result in loss of public confidence, loss of competative advantage, embarrassment or legal action agsint the enterprise
103
Some tangible impacts of IT risk can be measured quantitatively as in:
- Lost revenue - Cost of repariing the system - The level of effort required to correct problems caused by a successful threat action
104
Business impact of IT-related risk in terms of High, Med, Low include:
- Loss of public confidence - Loss of credibility - Damage to an enterprise's interest - Impact on morale in the enterprise
105
What is the key task related to risk assessment during the functional requirements definition phase? What will the level of risk associated with a system depend on?
- To ensure that the risk associated with the system is identified - The criticality of the system (how important it is to suppor business ops) as well as the sensitivity (privacy) needs and criticality needs of the data being processed on the system
106
What are the risks associated with Outsourcing? What is one risk the enterprise must be aware of? How can it protect itself?
- Enterprise becomes reliant on another enterprise for its support - Risk related to privacy laws that may affect where data are stored and the need to protect sensitive data in transit, storage and processing from inadvertent or unauthorized disclosure - In many jurisdictions the responsibility for protection of data remains with the original enterprise, not the outsourcing firm - Ensure the security requirements and the proper audits are included in contracts
107
IT projects are subject to risk of failure due to what factors?
- Unrealistic delivery schedules or budget - Lack of skilled resources - Unclear or changing business reqs - Challenges with technology - Poor project mgmt - Resistence from users
108
IT project failure may have an impact on BIA such as?
- Loss of opportunity or market share - Inability to meet customer or regulatory demand - Lost revenue - Other tangible or intangible consequences
109
What are the three broad risk factors to consider when planning a BPR project
- Design risk - Implementation risk - Operation or rollout risk
110
What are the risk types under BPR project Design Risk Area?
- Sponsorship risk - Scope risk - Skill risk - Political risk
111
What are the risk types under BPR project Implementation Risk Area?
- Leadership risk - Technical risk - Transition risk - Personnel risk - Scope risk
112
What are the risk types under BPR project Operation or Rollout Risk Area?
- Management risk - Technical risk - Cultural risk
113
What is the most effective way to achieve the highest return investment (ROI)?
Thinking big
114
It is a design failure if what is excluded from the scope of change?
- Politically sensitive process and existing jobs are excluded
115
What are the Risk Components
- Inherent risk - Residaul risk - Control risk - Detection risk
116
What are the control types in Inherent Risk
- Pervasive IT Controls | - Specific IT Controls
117
Define Inherent Risk and provide an example? Is this risk ordinarilyt high, med. or low?
- The risk level/exposure without taking controls or other management actions into account - Example: Inhernent risk associated with OS security is high due to changes to, or even disclosure of, data or programs through OS security weaknesses could result in system failure, security breach or regulatory penalties - Ordinarily high
118
Define Residual Risk?
Risk that remains after managment has implemented a risk response
119
Define Control Risk and provide an example? Is this risk ordinarilyt high, med. or low?
- Risk of failure of the internal control systems to prevent, detect or correct an incident in a timely manner - Example: Control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed due to the volume of logged information - Ordinarily low
120
Define Detection Risk and provide an example?
- Risk that the prescribed controls, substantive testing procedures, or monitoring will not detect an error that could be material, individually or in combination with other errors - Example: An IDS, an AV system, or FW is unable to detect or notice adverse conditions and trigger an adequate response
121
What is it called when an IDS, AV system or FW is unable to detect or notice an adverse condition and trigger an adequate response?
A false-negative: An indication that everything is fine when there actually is a problem
122
The calculation of risk for IT system is directly affected by?
The type of architecture the enterprise is using
123
True/False: IT has the task of assisting in the managment of business risk?
True
124
What is IT relied on and specifically for what domain?
- Relied on for advanced risk analytics and reporting in the domain of Risk Mgmt Information Systems (RMIS)
125
An Enterprise Risk Management model must address the enterprise's objectives with control objectives for risk in what categories of business?
- Planning, Operational, Financial reporting and Compliance
126
Separation of Duties (SOD) is also called what?
Segregation of duties
127
What is a key component to maintaining a strong internal control environment? Why?
- Separation of Duties | - It reduces risk of errors and fraudulent transactions
128
What is the result of of duties for a process or transaction are segregated? Why?
It forces the involvement of more than one person to accomplish a task and it becomes more difficult for fraudulent activity occur - It would require collusion among several employees
129
Automated SOD tools contain what three elements?
- Access control - Process control - Continuous monitoring
130
In SOD, explain Access Controls?
- Restrict access to the business system and data to ensure only authorized individuals have access and the user is granted the minimal level of access required to perform their duties
131
In SOD, explain Process Controls? What are some of the techniques employed?
Restrict the activities performed by authorized users. - Dual control - requiring two people to take action simulataneously to perform a task - Mutual exclusivity - one person has executed a task, they are prohibited from executing subsequent tasks
132
in SOD, explain Continuous monitoring?
-Employs automation to detect system transactions, setup or data changes that contravene corporate policy
133
What are two specific contribution areas for IT in managing business risk?
- Locked-down operating | - Decision support, risk analytics and reporting
134
What is Locked-down operating? Give an example?
- IT can be used to build in business process controls through automation. Automation forces routine aspects of business to be locked down to a predictible and repeatable pattern - Example: Using templates
135
What is the goal of risk management for information systems?
To achieve compatible and efficient IT monitoring and reporting processes for capturing; analyzing; and ultimately reporting risk factors of all types across the enterprise
136
What does Risk Awareness acknowledge?
- Risk is well understood and known - IT risk issues are identifable - The enterprise recognizes and uses the means to risk
137
If risk is to be managed and mitigated what must first be done?
-Discussed and effectively communicated at an appropriate level tothe various stakeholders and personnel
138
What are the benefits of open communication on risk?
- Assitance in executive management's understanding of the actual exposure to IT risk - Awareness among all internal stakeholders of the importance of integrating risk management into their daily duties - Transparency to external stakeholders regarding the actual level of risk and risk management processes in use
139
What are the consequences of poor risk communication?
- A false sense of confidence at all levels of the enterprise and higher risk of a breach or incident that could have been prevented - Lack of direction or strategic planning to mandate risk management efforts - Unbalanced communication to the external world on risk, especially in cases of high, but managed, risk, which may lead to an incorrect perception on actual risk by third parties - Perception that the enterprise is trying to cover up known risk from stakeholders
140
What is an unacceptable risk management strategy?
-Risk ignorance
141
What are the risk components to be communicated?
- Expectations from risk management - Current risk management capability - Status
142
Why is Expectations from Risk Management an essential communication component?
- Communicates the risk strategy, policies, procedures, awareness training, continuopus reinforcement of principles - Drives all subsequent efforts on risk management - Sets the ovall expectations about the risk management program
143
What information comes from Current Risk Management Capability communication?
- Allows for monitoring of the state of the "risk management engine" in the enterprise - Is a key indicator for good risk management - Has predictive vaule for how well the enterprise is managing risk and reducing exposure
144
Status communication consists of?
- Risk profile of the enterprise; the overall portfolio of (identified) risk to which the enterprise is exposed - Key risk indicators (KRI) to support management reporting on risk - Event/loss data - Root cause of loss events - Options to mitigate risk (incl cost and benefits)
145
What are the required elements of effective communication?
- Clear - Concise - Useful - Timely - Correct target audience - Available on a need-to-know basis

CRISC Cards - Sybex 2023 (3 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions