Skip to main content

1.5 The IT Risk Strategy of the Business

1.5 IT Risk Strategy of the Business


1.5 IT Risk Strategy of the Business


IT Risk Strategy of the Business


  • It is very important for a risk practitioner to understand a business's overall risk strategy to guide development of an IT risk strategy that aligns with organizational goals and priorities.

  • IT risk must be measured not only by its impact on IT services but also by the impact of risk on business operations


Types of IT-related Business Risk


It is expected from a CRISC aspirant to understand below risk: 




Access Risk

Risk of unauthorized access resulting in loss of confidentiality.

Availability Risk

Risk that service/data is not accessible when needed.

Infrastructure Risk

Risk of inadequate IT infrastructure and systems to effectively support the needs of the business. Infrastructure includes hardware, networks, software, people and processes.

Integrity Risk

Risk of incomplete, incorrect or inaccurate data.

Investment or Expense Risk

The risk that the IT investment fails to provide value commensurate with its cost or is otherwise excessive or wasteful, including the overall IT investment portfolio.

Project Ownership Risk

Risk of IT projects failure due to lack of accountability and commitment.

Relevance Risk

Risk that the right information may not get to the right recipients at the right time to allow the right action to be taken.

Schedule Risk

Risk of IT projects not completing within expected timelines.

Senior Management Support

  • Support from senior management is utmost important for the success of risk management process.


  • Support from senior management ensures budget, authority, access to personnel and information, and legitimacy that will provide a successful result.


  • Senior management having a strategic view and knowledge of the performance metrics and indicators should be involved in the sign-off process of IT Risk Management.


Alignment with Business Goals and Objectives


  • Interaction with senior management is the best way to understand the goals and objectives of the organization.


  • This gives risk practitioner insight into the potential & evolving risk universe of the organization.

  • Risk practitioner can enhance the risk management process by:


  • Understanding the business & strategy

  • Taking proactive steps to secure new technologies and processes

  • Embedding risk management process & culture into each business

  • Be aware of and mitigate the risk of change

  • Watching for new threats and future issues


  • Risk appetite should be aligned with business objectives. This helps an enterprise to evaluate and deploy valuable resources toward high risk areas which can impact business objectives.


Organizational Structures and Impact on Risk


  • Risk management to be effective should provide a consistent way to manage risk. Risk framework should serve as a basis for risk management for all departments and business functions.


  • The organization should have established three lines of defense as follow:

    • First line should actively manage the risk.

    • Second line should guide, direct, influence and assess risk management processes.

    • Third line should have independent oversight, review and monitoring.


  • Key factor in managing risk is the size and the diversity of the organization.


  • Information security governance models are highly dependent on the overall organizational structure and complexity of the business.


  • Risk management methodology depends on the risk culture of the organization.

RACI (Responsible, Accountable, Consulted, Informed)


Following are the four roles that are involved in the risk management process:




They are responsible for performing the actual work to meet stated objectives.


A single person who oversees and manages the person(s) responsible. He is liable and answerable for the project.

For effective accountability, it should be assigned to a specific person. 


They provide support and assistance to the risk management effort. Consulted personnel may be from other departments or from external sources or from regulators.


They are not directly responsible for the work effort. The individuals who are informed of the risk management effort but may not necessarily be involved in its execution

The RACI model assists in understanding the relationships or interactions between the various stakeholders and the roles of each stakeholder in the successful completion of the risk management effort.


Organizational Culture, Ethics and Behavior and the Impact on Risk

  • It is very important for a risk practitioner to determine the risk appetite of the organization. 

  • It must be noted that risk appetite may change over time and hence requires periodic re-determination.


  • Ethics plays an important role in risk management. Organizations with poor ethical standards may be more prone to risk of fraud or theft.


  • Ethics are related to an individual’s view about what is right and what is wrong. Policy and processes should be clearly communicated to address the risk of a person violating the ethics. Processes should be visibly enforced and equally applicable for the employees.


Laws, Regulations, Standards and Compliance


  • It is very important for a risk practitioner to know what laws apply to the organization.


  • It is advisable for organizations having global presence to build a global program of policies and a control suite to handle the common regulations and then have a regional or nation-specific addendum to handle the exceptions and their controls.


  • It is recommended to have a global policy that can be locally amended to comply with local laws.


  • In case of foreign assignments, the most critical consideration is that laws and regulations of the origin country may not be enforceable to foreign countries


Establishing an Enterprise Approach to Risk Management


  • It is ideal to have a standardized and structured risk management approach that can be applied to the entire enterprise without substantial modification or customization.

  • In absence of a structured approach, there can be a gap in risk measurement of different projects or systems.

  •  Risk identified on a system-by-system or project-by-project basis creates new risk of false assurance by having neither consistency nor interoperability among the risk solutions that are implemented.


  • Results of risk management in one process should be comparable to the results in another.


  • A critical part of establishing the risk management process is availability of concise and coherent risk management policy.

  •  A compliance-oriented business impact analysis (BIA) will identify all of the compliance requirements to which the enterprise has to align and their impacts on business objectives and activities.

Key aspects from CRISC exam perspective


CRISC Question

Possible Answer

What is the best approach for development of a corporate policy for an organization operating in multiple countries/regions?

Develop a global policy that can be locally amended to comply with local laws

What is the objective of aligning risk appetite with business objectives?

Resources are directed to areas/processes where risk tolerance is low

Who should provide a final sign-off on the IT risk management plan?

Senior Management

Accountability for the risk to an IT system resides with

Senior Management

Information security governance model depends on:

complexity of the organizational structure

Risk management methodology primarily depends on

Risk culture of the organization

Most important consideration while outsourcing to a foreign country

Laws and Regulations (privacy laws)

Most effective way to understand the potential impact of law and other contractual requirements on business objectives is: 

Compliance oriented business impact analysis

Video Tutorial - 1.5A - Roles in Risk Management (RACI)


Flashcards - The IT Risk Strategy of the Business

Practice Questions - The IT Risk Strategy of the Business

Popular posts from this blog

1.1 Risk Capacity, Risk Appetite and Risk Tolerance

1.1   Risk Capacity, Appetite and Tolerance First step of any risk management learning is to understand following three important terms: Risk Capacity Risk Tolerance  Risk Appetite  Let us understand the difference between Risk Capacity, Risk Appetite and Risk Tolerance:   Parameter Descriptions Risk Capacity Maximum risk an organization can afford to take. Risk Tolerance Risk tolerance levels are acceptable deviations from risk appetite. They are always lower than risk capacity. Risk Appetite Amount of risk an organization is willing to take.   Let us understand this with an practical example: Mr. A’s total saving is $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700.  If the markets are good he is willing to further invest  $50.  Risk Capacity: Total amount available i.e. $1000 RIsk Appetite: His willingness to take risk i.e. $700 Risk Tolerance: Acceptance deviation from risk appetite

Welcome to first ever Web Book on CRISC (Certified Risk & Information System Control)

We welcome you to access this web book on CRISC (Certified Risk & Information System Control) by ISACA.   Features of this web book are as follow:  This web book is designed on the basis of official resources of ISACA.  Web book is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with latest CRISC Review Manual.  500 + Exam oriented practice questions.  Start your preparation here: Chapter 1   Chapter 2   Chapter 3   Chapter 4   CRISC - Recorded Lectures  We are happy to announce that CRISC lectures is now made available in Udemy in recorded form. You can access them at any time as per your convenience. You will have life time access for the recorded lectures.  Following are the salient features of the lecture: This course is designed on the basis of official resources of ISACA. Course is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with lates

2.7 Risk Analysis Methodologies

2.7 Risk Analysis Methodologies Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.   Risk can be measured and ranked by use of any of the following methods:   Quantitative Risk Assessment Qualitative Risk Assessment Semi-quantitative Risk Assessment   Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response. Quantitative Risk Assessment In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.   In quantitative risk assessment, various statistical methods are us