
3.1 Aligning Risk Response with Business Objective

Enterprise Wide Risk Management Framework


  • An enterprise wide risk management framework means adopting one common framework throughout the organization. Organizations that adopt an enterprise risk management framework gain the advantage of a consistent risk management approach: all functions and departments use the same standard framework, which ensures a standardized approach across the organization. It also consolidates all the risks faced by the organization in one place, so that risks can be prioritized effectively and the risk response strategy designed accordingly.

Involvement of Stakeholders


  • It is of utmost importance for an effective risk management program to have the participation and involvement of relevant stakeholders in risk related decisions and risk monitoring. Stakeholders who are aware of business goals and objectives and who understand the business processes play a meaningful role in the success of a risk management program. Process owners and other stakeholders have ground level knowledge and a detailed understanding of the risks faced by their function, and their involvement improves the overall effectiveness of the risk management program.

  • To determine whether a system is serving the needs of the business process, risk practitioners should interact with business process owners.


Involvement of Senior Management


  • Involvement of senior management in information security investment is best ensured by explaining the impact of security risk on business objectives. Once senior management understands the impact of risk on business goals and their achievement, they involve themselves in the risk management process.


Alignment of Risk Appetite with Business Objective


  • Organizations should align each risk, and the risk appetite, with business objectives. Risk appetite is the amount of risk an organization is willing to take. This alignment helps to prioritize the risk response and also helps to monitor the areas of low risk tolerance. For example, an organization with 10 business objectives may have a different risk appetite for each objective: it may have 2 critical business objectives with very low risk appetite, while the risk appetite for the other objectives is higher. Resources should be utilized primarily to address the risks to these 2 business objectives with low risk appetite.

  • Risks affecting laws and regulations and the top business objectives should be addressed on priority.

  • The risk assessment report and risk register should indicate the priority level of each risk.

  • Organizations should determine the best response and develop a mitigation plan to address each risk.

  • In a top down risk analysis, business objectives are identified first, and then the risks related to those business objectives are determined. These risks are given priority for mitigation.

IT Steering Committee


  • The role of an IT steering committee is to ensure that the IT department is in harmony with the organization's mission and objectives. To ensure this, the committee must determine whether IT processes support the business requirements. The IT steering committee monitors and facilitates the deployment of IT resources for specific projects in support of business plans. The steering committee should consist of key executives and representatives from user management.


Key aspects from CRISC exam perspective

CRISC Question                                                                                  | Possible Answer
------------------------------------------------------------------------------------------------|----------------------------------------
Benefit of adopting an organization wide risk management framework                              | Consistent approach for risk management
Effectiveness of a risk management program can be ensured by                                    | Participation of relevant stakeholders
Alignment of risk appetite with business objectives ensures                                     | Monitoring the areas of low risk tolerance
In a top down approach, the most important factor to identify is                                | Business objectives
To determine that systems are meeting their individual business process needs, interview should be conducted with | Business process owner
