
4.6 Result of Control Assessment

The effectiveness of a control monitoring program depends on the following parameters:

  • Accuracy of the data on the basis of which controls are evaluated

  • Timely reporting of risk to management so that corrective action can be taken

  • Skill set of the risk practitioner to properly evaluate the controls


Maturity Model Assessment and Improvement Techniques

  • A risk management program should be a dynamic process that evolves and improves on a continuous basis.

  • Risk management programs should be improved on the basis of lessons learned from past events.

  • Adoption of a capability maturity model (CMM) helps to indicate the maturity of the risk management process year over year.

  • A CMM helps an organization understand its level of maturity by analyzing its operational effectiveness, efficiency and readiness. It provides insight into the organization's risk management capabilities.

  • Maturity can be determined by analyzing the risk-aware culture of the organization. Employees of a mature organization are aware of the risks in their processes and are willing to address them.

  • With the help of a maturity model, the level of competence of the organization can be benchmarked and compared with that of its peers.

  • The objective of adopting a maturity model is to strive for continuous improvement. This is done by assessing the current maturity level of a business process and comparing it with the desired level. Gaps, if any, need to be addressed to improve the process and raise the maturity level.




Key aspects from CRISC exam perspective

CRISC Questions                                                                        | Possible Answer
---------------------------------------------------------------------------------------|-------------------------------------------------
What kind of model provides insight into an organization's risk management capabilities? | Capability maturity model (CMM)
Maturity of an organization's risk management policy can be determined by              | Risk culture and awareness of the organization
An organization can measure its risk management process against its peers by           | Adoption of a maturity model
Best reason to implement a maturity model                                              | To enable continuous improvement
Best approach to determine whether an existing security control is in accordance with the desired level | To conduct a maturity assessment / gap assessment


