What is risk management? (CRISC)

What to read first: ‘What is risk management? (supplement for risk specialists)’ and ‘What is risk management?’

For CRISC candidates (ISACA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.

CRISC is less focused on risk management concepts and principles than on roles for ICT risk specialists, and on specific kinds of risk in ICT.

CRISC Part 1 Domain 1 C [2014]

Definition of risk

The CRISC definition of risk is

the combination of the probability of an event occurring and the impact the event has on the enterprise. [2.1 page 14]

This definition of risk is approximately consistent with the COSO ERM definition and more loosely consistent with the ISO 31000 definition. CRISC is not concerned with subtleties in risk concepts.

CRISC candidates should learn the CRISC definition and then forget it after the exam. For reference after the exam, the specific weaknesses of the CRISC definition of risk are:

  • Risk is linked only to events, and not to other uncertainties. Therefore, ‘working on wrong assumptions’ may not be recognised as a type of ‘risk’ within the CRISC definition.
  • The ‘impact’ is limited to the effect on the enterprise, and therefore may be taken (unhelpfully) to exclude effects on stakeholders outside the enterprise, such as customers or the community.
  • There is no concept of objectives as found in ISO 31000 and COSO ERM. Objectives are very important for evaluating ‘impacts’. Objectives are also very important in COBIT, though with different vocabulary. In some better risk management practices, the objectives are the main basis on which risk scenarios are identified.
  • The wording suggests that the probability (likelihood) of the event is the same as the probability of the impact on the enterprise. Those two likelihoods can be the same, if risk scenarios are very precisely and carefully defined to have only a single definite impact. In practice, risk scenarios are often written to include a range of different possible impacts from an event. Any specific impact, such as the worst, may or may not follow from occurrence of the event. There is a chain of unpredictable mitigation and exacerbation effects in between the event and the final consequences. In that common case, the likelihood of the worst impact following is far less than the likelihood of the event.

Associating the event likelihood with the worst impact will systematically overstate the actual level of risk. Other sources recommend rating the scenario impact at the impact level that is ‘most likely’ to follow from the event, but that method ignores the less likely but very grave impacts, and is therefore unsafe.

HB 436 spells out that the relevant ‘likelihood’ is the likelihood of the defined effects on objectives arising from the risk scenario. For an event with a range of possible impacts, there should be different likelihood and consequence values for each possible impact.
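The following Python is an added worked example, not from the CRISC guide, HB 436 or this blog. It compares the three readings just discussed: the event likelihood attached to the worst impact, the event likelihood attached to the ‘most likely’ impact, and a separate likelihood for each defined impact as HB 436 requires. The scenario, the probabilities, the 1 to 5 consequence scale and the multiplicative risk score are all constructed for the comparison and are not taken from any standard.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Outcome:
    """One possible impact that may follow the event (constructed for this example)."""
    label: str
    consequence: int        # rating on a constructed 1..5 scale (5 = most severe)
    p_given_event: float    # P(this impact | the event occurs)


# Constructed scenario: an internet-facing service is compromised during the year.
# The event likelihood is 0.2; what follows the event is uncertain, so the
# impact is a distribution rather than a single value.
P_EVENT = 0.2
EXAMPLE_OUTCOMES: List[Outcome] = [
    Outcome("contained", 2, 0.6),       # detected and contained, minor disruption
    Outcome("data_exposure", 4, 0.3),   # personal data exposed, notifications required
    Outcome("regulatory", 5, 0.1),      # prolonged outage and regulatory action
]


def validate(outcomes: List[Outcome]) -> None:
    """The conditional impact probabilities must form a distribution over the event."""
    total = sum(o.p_given_event for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"conditional probabilities sum to {total}, not 1")


def risk_score(likelihood: float, consequence: int) -> float:
    """Crude likelihood x consequence score, used only so the readings can be compared."""
    return likelihood * consequence


def worst_case_rating(p_event: float, outcomes: List[Outcome]) -> Tuple[float, int]:
    """Reading 1: the event likelihood paired with the worst impact."""
    validate(outcomes)
    worst = max(outcomes, key=lambda o: o.consequence)
    return p_event, worst.consequence


def most_likely_rating(p_event: float, outcomes: List[Outcome]) -> Tuple[float, int]:
    """Reading 2: the event likelihood paired with the impact most likely to follow it."""
    validate(outcomes)
    likely = max(outcomes, key=lambda o: o.p_given_event)
    return p_event, likely.consequence


def per_outcome_ratings(p_event: float, outcomes: List[Outcome]) -> Dict[str, Tuple[float, int]]:
    """Reading 3 (HB 436): each defined impact gets its own likelihood,
    P(event) * P(impact | event), alongside its own consequence."""
    validate(outcomes)
    return {o.label: (p_event * o.p_given_event, o.consequence) for o in outcomes}


def overstatement_factor(p_event: float, outcomes: List[Outcome]) -> float:
    """How much reading 1 inflates the score of the worst impact relative to reading 3."""
    lik, cons = worst_case_rating(p_event, outcomes)
    worst_label = max(outcomes, key=lambda o: o.consequence).label
    true_lik, _ = per_outcome_ratings(p_event, outcomes)[worst_label]
    return risk_score(lik, cons) / risk_score(true_lik, cons)


if __name__ == "__main__":
    lik, cons = worst_case_rating(P_EVENT, EXAMPLE_OUTCOMES)
    print(f"worst-case reading:  L={lik:.2f} C={cons} score={risk_score(lik, cons):.2f}")
    lik, cons = most_likely_rating(P_EVENT, EXAMPLE_OUTCOMES)
    print(f"most-likely reading: L={lik:.2f} C={cons} score={risk_score(lik, cons):.2f}"
          "  (the grave impact does not appear at all)")
    for label, (lik, cons) in per_outcome_ratings(P_EVENT, EXAMPLE_OUTCOMES).items():
        print(f"per-outcome {label:14s} L={lik:.2f} C={cons} score={risk_score(lik, cons):.2f}")
    print(f"worst-case reading overstates the worst impact by "
          f"{overstatement_factor(P_EVENT, EXAMPLE_OUTCOMES):.0f}x")
```

Run stand-alone, the script shows the worst-case reading scoring the scenario at 1.0 while the worst impact, taken with its own likelihood of 0.02, scores 0.10; the most-likely reading scores 0.40 but never records the consequence-5 impact. Only the per-outcome table keeps both the likelihood and the consequence of each impact visible, which is what makes it evaluable against risk criteria.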

Definition of risk management

According to CRISC, risk management is

the coordinated activities to direct and control an enterprise with regard to risk. The activities with risk management are defined as the identification, assessment and prioritization of risk followed by coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of adverse events or to maximize the realization of opportunities. [Part 1 Domain 1 C 2.1, page 15]

These definitions are substantially consistent with the definitions in ISO 31000 and COSO ERM.

CRISC follows this definition of risk management with a list of principles, parallel to the key principles of ISO 31000 [Part 1 Domain 1 C 2.1, pages 15-16]. There is a reasonable overlap with the ISO 31000 key principles, with the scope limited to ICT risk management.

Surprises

In ISACA’s framework for governance and management of ICT, COBIT5, risk management is represented as a minor element. It is designated as Process APO12 within the COBIT5 Process Reference Model. This is paradoxical in view of the fact that ISACA and COBIT exist primarily to manage risk in ICT. However, it can make sense within the COBIT approach.

The RACI chart for risk management reproduced in the CRISC guide [Part 1 Domain 1 C 2.1, page 18] does not include any role for a risk specialist. This may be rather surprising to CRISC candidates. However, it is consistent with this blog’s position that risk is actually managed by decision makers (managers) and not by risk specialists, who only support management without making decisions.

I advise CRISC candidates to simply learn the ISACA models for the purpose of passing the exam. A critical view of those models is helpful in the exam only to the extent that it can make the otherwise dry details easier to remember.

Risk IT Practitioner Guide

The Risk IT Practitioner Guide [RiskIT] is another authoritative statement from ISACA. It is only occasionally referenced from the CRISC study guide. The Risk IT Practitioner Guide is available as a download from the ISACA web site at no cost to ISACA members. Members should take a look at some stage, as it contains some interesting material. I don’t advise non-members to bother with it. (It is not available for download to non-members.)

CRISC candidates can wait until after the exam before downloading RiskIT, because everything from RiskIT within the CRISC curriculum is reproduced in the CRISC study guide. RiskIT itself is very difficult and confusing for learners (and probably for everyone else).

RiskIT has its own complicated and difficult model for risk management, shown in Figure 1 on page 8. This model does not include definitions of risk or risk management comparable to those in ISO 31000 and COSO ERM.

RiskIT generally assumes that there is a centrally coordinated risk management activity within the ICT organisation, and in subtle ways tends to move the responsibility for risk management away from managers who make decisions, and on to risk specialists. I believe this tendency should be opposed.

RiskIT, taken as a whole, can also leave the impression that risk management is about following prescribed processes, rather than about making good decisions in the real world. Unlike ISO 31000, RiskIT did not distance itself decisively from the system-following paradigm that has undermined risk management globally. Unlike the other sources I’ve quoted, RiskIT does not have anything resembling the ISO 31000 key principles.

RiskIT would have been developed before ISO 31000:2009 was published, and these tendencies can now be regarded as common faults of the times.

I remain unclear as to why ISACA has not formally replaced RiskIT with something more aligned with current risk management thinking. There are newer publications, COBIT5 for Risk and Risk Scenarios: Using COBIT5 for Risk, but these are not a direct replacement.
Parent articles

What is risk management?

Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be. To manage risk is to understand and act on the effects of uncertainty on objectives. ‘Objectives’ are the preferred outcomes of an activity. ‘Effects’ can be positive or negative. ‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns. ‘Act on’ includes many kinds of response. Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty.

For Everyone: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first. Stream supplements are available as drill-downs.

The goal of risk management

The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria. The ‘organisation’ is optional. Stakeholders are mandatory. Risk ‘criteria’ are agreed limits.

Key principles for actually managing risk

Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.

How does ‘risk management’ fit with all the other kinds of ‘management’?

Risk management is not just another dimension of management. It’s a dimension of all the other dimensions.

What separate activities are specific to ‘risk management’?

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000. Different specialists assume different boundaries of ‘risk’.

What is risk management? (supplement for risk specialists)

Seen it all: This series assumes you know risk terms and concepts. It includes references to standards.

What is risk management? Reconciling definitions of risk management

What is risk management? Definition of ‘risk’

The main differences between ISO 31000 and COSO ERM definitions of ‘risk’ are about ‘positive’ risk and about ‘uncertainty’ other than events.

What is risk management? Definition of ‘risk management’

ISO 31000 defines risk management for an ‘organisation’, broadly defined, while COSO ERM is only about ‘enterprise’ risk management.

What is risk management? Defining the end result of effective risk management

The end result of effective risk management is to be sure that the ‘organisation’ understands its risks, and that those risks are acceptable.

What is risk management? It’s not following a risk management process

Risk management is not defined by its methods. Risk registers, matrices, and bureaucracy are not part of ISO 31000. Registers and scales do not define Enterprise Risk Management either.

What is risk management? It’s not what ‘risk managers’ do

If you are a risk specialist supporting management, you advise the decision makers and their teams on how to approach the organisational understanding of risk, and on taking action with that understanding. If you are a risk specialist at the governance level (as an audit and risk committee member, say), your primary advice and support will be directed to the board or CEO rather than to the management hierarchy underneath them. The Chief Risk Officer (CRO) is a risk specialist operating at the C-level, the top level of management below the board and directors.
