3.1 Aligning Risk Response with Business Objective
Enterprise Wide Risk Management Framework
- Enterprise wide risk management framework means adoption of common framework throughout the organization. Organizations adopting an enterprise risk management framework have an advantage of consistent risk management approach. All the functions and departments use the same standard risk management framework. This ensures a standardized risk management approach through the organization. It helps to club all the risks faced by the organization at one place and thus risk can be prioritized in an effective manner and accordingly risk response strategy can be designed.
Involvement of Stakeholders
- It is utmost important for an effective risk management program to have participation and involvement of relevant stakeholders in risk related decision and risk monitoring. Stakeholders who are aware of business goals and objectives and who understand the business processes play a meaningful role in the success of a risk management program. Process owners and other stakeholders have ground level knowledge and detailed understanding related to risk faced by their function. Their involvement in the risk management program improves the overall effectiveness of the risk management program.
- To determine whether a system is serving the needs of the business process, risk practitioners should interact with business process owners.
Involvement of Senior Management
- Involvement of senior management in information security investment can be best ensured by explaining the impact of security risk on business objectives. Once the senior management understands the impact of risk on business goals and achievement, they get themselves involved in the risk management process.
Alignment of Risk Appetite with Business Objective
- Organizations should align each risk and risk appetite with business objectives. Risk appetite is the amount of risk an organization is willing to take. This will help to prioritize the risk response and also helps to monitor the areas of low risk tolerance. For example, an organization with 10 business objectives may have a different risk appetite for each objective. They may have 2 critical business objectives with very low risk appetite and for other objectives risk appetite is higher. Resources should be utilized primarily to address the risks of these 2 business objectives with low risk appetite.
- Risk impacting the law and regulations and top business objectives should be addressed on priority.
- Risk assessment report and risk register should indicate the priority level of each risk.
- Organizations should determine the best response and develop a mitigation plan to address the risk.
- In a top down risk analysis, business objectives are identified first and then risk related to business objectives are determined. These risks are given priority for mitigation.
IT Steering Committee
- The role of an IT steering committee is to ensure that the IT department is in harmony with the organization's mission and objectives. To ensure this, the committee must determine whether IT processes support the business requirements. The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. Steering committee should consist of Key executives and representatives from user management.
Key aspects from CRISC exam perspective
|
CRISC
Question
|
Possible
Answer
|
|
Benefit of adopting organization wide risk management framework
|
Consistent approach for risk management
|
|
Effectiveness of a risk management program can be ensured by
|
Participation of relevant stakeholders
|
|
Alignment of risk
appetite with business objective ensures
|
Monitoring the areas of low risk tolerance
|
|
In a top down approach,
most important factor to identify is
|
Business Objectives
|
|
To determine that systems are meeting their individual business process
needs, interview should be conducted with
|
Business Process Owner |