
3.3 Analysis Techniques


  • Organizations need to evaluate the various possible risk responses to determine the appropriate response for a given risk.


  • An organization should consider the following factors when selecting a risk response:


  1. Risk priority

  2. Recommendations of the risk assessment report

  3. Cost of the risk response compared with the possible cost of the risk event

  4. Legal and regulatory compliance

  5. Alignment of the response with the organization's strategy

  6. Effort required for control implementation in terms of time, resources and expenditure

  7. Compatibility with existing controls


  • The organization should determine whether the cost of implementing a specific risk response provides enough value to the organization.


  • A business case provides a detailed analysis of the various risk responses, on the basis of which management can take a decision.


  • A business case is prepared using the following two common methods of analysis:


  1. Cost-benefit analysis

  2. Return on investment (ROI)


Cost-benefit Analysis



  • Cost-benefit analysis is conducted during the risk response planning stage.


  • The objective of a cost-benefit analysis is to determine the cost of implementing controls and the benefit that will be realized from them.


  • If the benefit realized from a control is less than the cost of implementing it, then the implementation of the control is not justified.


  • Cost and benefit are calculated through either qualitative or quantitative methods.


  • While determining the cost, the total cost of ownership (TCO) should be considered, so as to cover the total cost spread across the life cycle of the control implementation (acquisition as well as ongoing operation and maintenance).


  • The impact, or benefit realization, is assessed on the basis of the length of the outage, the frequency of the outage and other associated damage to the organization.


  • Selection of a risk response is primarily based on the cost-benefit analysis.



Return on Investment


  • Return on investment is a method for determining how long it will take to recover the cost of a control through the value added or other savings it produces.


  • For expenditure on security controls, it is also known as return on security investment.


  • For investment in a control, this is a tricky calculation, as it depends on predicting the likelihood and impact of an attack.


  • The most important criterion for selecting a risk response is cost-benefit analysis: investment in implementing a control should bring an appropriate benefit to the organization.
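The cost-benefit and return-on-investment ideas above can be carried through in numbers. The following is an added worked example written for this page, not part of the original post or of any CRISC material. It assumes a simple loss model (annual loss = outage frequency x (outage length x cost per hour + other damage per outage)), a TCO made up of a one-off acquisition cost plus recurring annual operating cost over the control's life cycle, and a return-on-security-investment ratio defined as (annual benefit - annualized TCO) / annualized TCO; all money figures and control names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class OutageProfile:
    """Expected outage behaviour over one year, with or without a control (assumed loss model)."""
    outages_per_year: float
    hours_per_outage: float
    cost_per_hour: float                  # lost revenue, idle staff, SLA penalties
    other_damage_per_outage: float = 0.0  # recovery effort, reputational damage, fines

    def annual_loss(self) -> float:
        """Annual expected loss = frequency x (duration x hourly cost + other damage)."""
        per_outage = self.hours_per_outage * self.cost_per_hour + self.other_damage_per_outage
        return self.outages_per_year * per_outage


@dataclass
class ControlTco:
    """Total cost of ownership of a control across its life cycle."""
    acquisition: float        # one-off: licences, hardware, implementation effort
    annual_operating: float   # recurring: maintenance, staffing, training
    lifecycle_years: int

    def total(self) -> float:
        return self.acquisition + self.annual_operating * self.lifecycle_years

    def annualized(self) -> float:
        return self.total() / self.lifecycle_years


def cost_benefit(before: OutageProfile, after: OutageProfile, control: ControlTco) -> dict:
    """Compare the annual benefit (loss avoided) with the annualized TCO of the control."""
    annual_benefit = before.annual_loss() - after.annual_loss()
    annual_cost = control.annualized()
    return {
        "annual_benefit": annual_benefit,
        "annual_cost": annual_cost,
        "justified": annual_benefit > annual_cost,   # benefit below cost = not justified
        # Return on security investment: net annual saving relative to annual cost
        "rosi": (annual_benefit - annual_cost) / annual_cost,
    }


def payback_years(before: OutageProfile, after: OutageProfile, control: ControlTco) -> Optional[float]:
    """Years needed for net savings to recover the one-off acquisition cost; None if they never do."""
    net_annual_saving = before.annual_loss() - after.annual_loss() - control.annual_operating
    if net_annual_saving <= 0:
        return None
    return control.acquisition / net_annual_saving


def select_response(before: OutageProfile, candidates: dict) -> Optional[str]:
    """Pick the justified candidate with the highest ROSI whose payback fits inside its life cycle."""
    best_name, best_rosi = None, float("-inf")
    for name, (after, control) in candidates.items():
        result = cost_benefit(before, after, control)
        payback = payback_years(before, after, control)
        if not result["justified"] or payback is None or payback > control.lifecycle_years:
            continue
        if result["rosi"] > best_rosi:
            best_name, best_rosi = name, result["rosi"]
    return best_name


# Constructed sample figures (not from the page).
BEFORE = OutageProfile(outages_per_year=4, hours_per_outage=6, cost_per_hour=5_000, other_damage_per_outage=10_000)
AFTER_FAILOVER = OutageProfile(outages_per_year=1, hours_per_outage=2, cost_per_hour=5_000, other_damage_per_outage=2_000)
AFTER_HOT_SITE = OutageProfile(outages_per_year=1, hours_per_outage=1, cost_per_hour=5_000, other_damage_per_outage=1_000)
FAILOVER = ControlTco(acquisition=177_000, annual_operating=30_000, lifecycle_years=3)
HOT_SITE = ControlTco(acquisition=500_000, annual_operating=50_000, lifecycle_years=3)

CANDIDATES = {
    "automated failover": (AFTER_FAILOVER, FAILOVER),
    "hot site": (AFTER_HOT_SITE, HOT_SITE),
}

if __name__ == "__main__":
    print(f"annual loss without control: {BEFORE.annual_loss():,.0f}")
    for name, (after, control) in CANDIDATES.items():
        r = cost_benefit(BEFORE, after, control)
        print(f"{name}: benefit {r['annual_benefit']:,.0f} vs annualized TCO {r['annual_cost']:,.0f} "
              f"-> justified={r['justified']}, ROSI={r['rosi']:.2f}, "
              f"payback={payback_years(BEFORE, after, control)}")
    print("selected response:", select_response(BEFORE, CANDIDATES))
```

With these sample figures the uncontrolled annual loss is 160,000; the failover control avoids 148,000 a year against an annualized TCO of 89,000 and pays back its acquisition cost in 1.5 years, so it is justified. The hot site avoids slightly more loss (154,000) but its annualized TCO of about 216,667 exceeds the benefit and its payback runs past its three-year life cycle, so it is rejected even though it reduces risk further. Including the recurring operating cost in the TCO rather than the purchase price alone is what makes this comparison honest.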



Key aspects from CRISC exam perspective




CRISC Question: On what basis is a risk response selected and prioritized?
Possible Answer: Cost-benefit analysis

CRISC Question: What is the most relevant cost to be included in a cost-benefit analysis?
Possible Answer: Total cost of ownership (TCO), to cover the total cost spread across the life cycle of the control implementation

CRISC Question: At what stage of risk management is a cost-benefit analysis conducted?
Possible Answer: Risk Response


Practice Questions - 3.3 Analysis Techniques 

