The CRISC Review Manual does not discuss the possibility of discrete risk management processes within a single enterprise. There is implicit support for a discrete risk management process for ICT, which may be independent of enterprise or business risk management.
The relationship between the two levels of risk management is not explained clearly in the Review Manual. Enterprise Risk Management is referenced in the Review Manual at Part I, Domain 1, I IT Risk Identification and Assessment, section 3.
Possibly the most relevant section of the Review Manual is Part I, Domain 1, I IT Risk Identification and Assessment, section 4 Methods/Frameworks for Describing IT Risk in Business Terms.
Main articles on the topic:
1. Discrete risk management processes within an enterprise (Everyone)
2. Shapes for discrete risk management processes (Everyone)
3. Examples of discrete risk management processes (Everyone)
4. Risk ‘to’ an area of activity and risk ‘from’ the activity (Everyone)
Some other main topics
Coming soon: Scoping a risk management activity; ERM and RM; RM across an organisation, without a central register; Context setting, Objectives, expected and acceptable outcomes, priorities and tradeoffs.