CRISC - Certified in Risk & Information System Control

2.7 Risk Analysis Methodologies Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.   Risk can be measured and ranked by use of any of the following methods:   Quantitative Risk Assessment Qualitative Risk Assessment Semi-quantitative Risk Assessment   Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response. Quantitative Risk Assessment In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.   In quantitative risk assessment, various statistical methods are us

2.6 Risk and Control Analysis Risk Assessment Risk assessment is conducted by evaluating the current state of risk as against the desired level. It also takes into consideration the effectiveness of existing control. Main objective of risk assessment is to identify all the areas where current level of risk exceeds the acceptable risk level and use this information for deciding the risk response. Risk Appetite Risk appetite is the level of risk that an organization is willing to take to achieve the business objectives. Risk appetite of the organization will help to determine the desired state of IT risk. Two important factors for determining the risk appetite is: the management culture and the predisposition toward risk taking. When risk appetite is aligned with business objective, organization can allot more resource to the areas where risk tolerance is low. For example, for one business objective risk appetite is low while for other business objective risk appetite

2.5 Project & Program Management ·          It is very important for a risk practitioner to monitor the risk related to the management of the projects.   ·          Some of major reason for failing of IT projects are:   §   Scope creep i.e. requirements are not properly defined at the initial phase. §   Lack planning resulting into over budget and unavailability of skilled resources. §   Lack of structured project management process. §   Systems not tested before implementation §   Compliance or regulatory issues   ·          Root cause for the system failure is to be determined so the learnings can be applied to all the future projects.   ·          Major cause for a project failure is delay in completion. It may happen to make for the time lapsed, critical steps of projects (like testing) is skipped. This can lead to major failure of the project.   ·       Most important factor for implementing a risk-based approach in a project management i

2.4 Changes in Risk Environment As the business processes and technology changes, risk environment also gets changed with new types of threats. No systems can be considered as secured perpetually.  This indicates that risk assessment should be done at regular interval to address the emerging risks.  Main benefit of performing a risk assessment on a consistent basis is that it helps to understand the trends in the risk profile.  Technological changes are inevitable in today’s world. However, new technology should be properly assessed and tested before implementation. Risk practitioner is responsible to ensure that any new technology implemented should be subject to risk assessment. A risk practitioner should determine the maturity of the enterprise toward monitoring and adapting to new market trends. An independent benchmark of capabilities helps an organization to determine its level of capability compared to other organizations within its industry. Key aspects from CRISC