
1.8 IT Risk Scenarios



  • A risk scenario is a visualization of a possible event that could have an adverse impact on a business objective.

  • Organizations use risk scenarios to imagine what could go wrong and create hurdles to the achievement of business objectives.

  • A risk scenario should be based on an identified risk. Risk scenarios are developed on the basis of potential threats to business assets; a risk practitioner can identify those potential threats from the risk register.

  • Risk scenarios may be based on risk events such as system failure, natural calamities, network unavailability or any other event that can impact business operations.

  • Risk scenarios are considered the most effective technique for assessing business risk.

  • A risk scenario helps to estimate the frequency and impact of the risk.

Risk Scenario Development Tools and Techniques


  • Risk scenarios should be based on real and relevant risk events.

  • Though past incidents can serve as the basis of creating a risk scenario, risk practitioners should also look for new and emerging risks.

  • Imagining risk scenarios requires creativity, thought, consultation and questioning.

  • Risk scenarios can be developed from either a top-down perspective or a bottom-up perspective.

Top-down Approach


  • In a top-down approach, risk events are identified from the senior management perspective.

  • In the top-down approach, risk scenario development starts by identifying business objectives. Risk scenarios are then developed for risk events that can directly impact the business goals and objectives.

  • Involvement of senior management in designing the risk scenario is of utmost importance.

  • The top-down approach looks at both IT and non-IT risk events and hence can be referred to as general risk management.

  • As the top-down approach deals with senior management goals, a risk practitioner can more easily obtain buy-in for a risk management program.


Bottom-up Approach


  • In a bottom-up approach, risk events are identified from the process owner/employee's perspective.


  • Risk scenarios are identified by employees performing the job functions in specific processes.



An organization should make use of both the top-down and the bottom-up approach for developing risk scenarios. They are complementary to each other and should be used simultaneously.

In a top-down approach, major risks to business objectives are addressed, whereas in a bottom-up approach process-level risks are addressed.


Benefits of Using Risk Scenarios


  • Risk scenarios are the easiest and most effective way to explain risk to business process owners and other stakeholders.

  • As risk scenarios require the involvement of all the process owners, information gathering becomes more relevant and realistic.

  • Risk scenarios help to identify the risks that are aligned with business objectives.


Developing IT Risk Scenarios


A risk scenario includes the following components:

  • Agent: the element that generates the threat. Agents can be internal or external to the organization.

  • Threat Type: the type of threat, i.e. natural, system failure, external attack, accidental etc.

  • Event: the nature of the incident, i.e. data leakage, system down, theft etc.

  • Asset: the asset that is being impacted, i.e. IT infrastructure, the organization's reputation, data compromised etc.

  • Time: the impact on the basis of the time element, i.e. immediate impact of a network failure, long-term impact of system unavailability etc.
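The five components above describe what a complete risk scenario must contain, and the earlier bullets say scenarios are used to estimate frequency and impact and that top-down and bottom-up scenarios should be combined. The following Python block is an added illustration, not code from the web book or from ISACA: it records each scenario with the five components, checks that none is missing, merges top-down and bottom-up scenarios into one list, and ranks them by expected annual loss (frequency per year times impact per occurrence). The scenario names, frequencies and monetary impacts are constructed sample values, and the simple frequency-times-impact formula is an assumption chosen for illustration.

```python
from dataclasses import dataclass

# The five risk scenario components named in the text, plus the
# estimates the text says a scenario is used to produce.
@dataclass(frozen=True)
class RiskScenario:
    name: str
    agent: str              # who or what generates the threat (internal/external)
    threat_type: str        # natural, system failure, external attack, accidental
    event: str              # nature of the incident: data leakage, system down, theft
    asset: str              # what is impacted: infrastructure, reputation, data
    time: str               # immediate or long-term impact
    origin: str             # "top-down" (management view) or "bottom-up" (process view)
    frequency_per_year: float   # estimated occurrences per year (constructed)
    impact: float               # estimated loss per occurrence in currency units (constructed)

REQUIRED_COMPONENTS = ("agent", "threat_type", "event", "asset", "time")

def missing_components(scenario):
    """Return the names of required components that are blank."""
    return [c for c in REQUIRED_COMPONENTS if not getattr(scenario, c).strip()]

def annual_loss_expectancy(scenario):
    """Assumed scoring rule: frequency per year times impact per occurrence."""
    return scenario.frequency_per_year * scenario.impact

def rank_scenarios(scenarios):
    """Drop incomplete scenarios, then order the rest by expected annual loss."""
    complete = [s for s in scenarios if not missing_components(s)]
    return sorted(complete, key=annual_loss_expectancy, reverse=True)

def origins_covered(scenarios):
    """Which development perspectives the scenario set draws on."""
    return {s.origin for s in scenarios}

# Constructed sample register: two top-down scenarios, one bottom-up, one incomplete.
SAMPLE_SCENARIOS = [
    RiskScenario("Ransomware on file server", "external", "external attack",
                 "system down", "file server", "immediate", "top-down", 0.2, 250_000),
    RiskScenario("Data centre flood", "external", "natural",
                 "system down", "IT infrastructure", "long-term", "top-down", 0.02, 1_000_000),
    RiskScenario("Customer report sent to wrong recipient", "internal", "accidental",
                 "data leakage", "customer data", "immediate", "bottom-up", 12, 5_000),
    # Asset left blank on purpose: this scenario is not yet usable for assessment.
    RiskScenario("Unspecified outage", "internal", "system failure",
                 "system down", "", "immediate", "bottom-up", 1, 10_000),
]

if __name__ == "__main__":
    for s in SAMPLE_SCENARIOS:
        gaps = missing_components(s)
        if gaps:
            print(f"{s.name}: incomplete, missing {gaps}")
    for s in rank_scenarios(SAMPLE_SCENARIOS):
        print(f"{s.name} ({s.origin}): ALE {annual_loss_expectancy(s):,.0f}")
    print("perspectives used:", sorted(origins_covered(SAMPLE_SCENARIOS)))
```

Running it shows why the text asks for both perspectives: the highest-ranked item is the frequent, low-impact bottom-up scenario that a management-only view would miss, while the incomplete entry is rejected before any estimate is made.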

Key aspects from CRISC exam perspective

| CRISC Question | Possible Answer |
|---|---|
| In a top-down approach, the most important factor is to identify the | Business objective |
| Which is the best approach for development of a risk scenario (i.e. top-down or bottom-up)? | A combination of both, as they are complementary to each other |
| The most effective technique in assessing business risk is | Risk scenarios |
| The most important information in a risk register that helps in developing a risk scenario | Potential threats |
| The assessment in which risk scenarios are used to estimate the likelihood and impact of the risk is known as | Threat and vulnerability assessment |



