What is risk management? (CRISC)

This article assumes you have read What is risk management? (Everyone). You will probably also want to look at What is risk management? (Specialists) sooner or later.

CRISC is less focused on risk management concepts and principles than on roles for ICT risk specialists, and on specific kinds of risk in ICT.

CRISC Part 1 Domain 1 C [2014]

Definition of risk

The CRISC definition of risk is

the combination of the probability of an event occurring and the impact the event has on the enterprise. [2.1 page 14]

This definition of risk is approximately consistent with the COSO ERM definition and more loosely consistent with the ISO 31000 definition. CRISC is not concerned with subtleties in risk concepts.

CRISC candidates should learn the CRISC definition and then forget it after the exam. For reference after the exam, the specific weaknesses of the CRISC definition of risk are:

  • Risk is linked only to events, and not to other uncertainties. Therefore, ‘working on wrong assumptions’ may not be recognised as a type of ‘risk’ within the CRISC definition.
  • The ‘impact’ is limited to the effect on the enterprise, and therefore may be taken (unhelpfully) to exclude effects on stakeholders outside the enterprise, such as customers or the community.
  • There is no concept of objectives as found in ISO 31000 and COSO ERM. Objectives are very important for evaluating ‘impacts’. Objectives are also very important in COBIT, though with different vocabulary. In some better risk management practices, the objectives are the main basis on which risk scenarios are identified.
  • The wording suggests that the probability (likelihood) of the event is the same as the probability of the impact on the enterprise. Those two likelihoods can be the same, if risk scenarios are very precisely and carefully defined to have only a single definite impact. In practice, risk scenarios are often written to include a range of different possible impacts from an event. Any specific impact, such as the worst, may or may not follow from occurrence of the event. There is a chain of unpredictable mitigation and exacerbation effects in between the event and the final consequences. In that common case, the likelihood of the worst impact following is far less than the likelihood of the event.

Associating the event likelihood with the worst impact will systematically overstate the actual level of risk. Other sources recommend rating the scenario impact at the impact level that is ‘most likely’ to follow from the event, but that method ignores the less likely but very grave impacts, and is therefore unsafe.

HB 436 spells out that the relevant ‘likelihood’ is the likelihood of the defined effects on objectives arising from the risk scenario. For an event with a range of possible impacts, there should be different likelihood and consequence values for each possible impact.
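To make the difference between the three scoring methods concrete, here is an added illustration in Python (it is not from the CRISC guide, HB 436 or this blog). It models one constructed ICT risk scenario with an event likelihood and a range of possible impacts, each with its own conditional probability given that the event occurs, and then scores the scenario three ways: event likelihood paired with the worst impact (the reading the CRISC wording invites), event likelihood paired with the ‘most likely’ impact, and the HB 436 approach of a separate likelihood for each possible impact. All scenario names, probabilities and loss figures are constructed for the example.

```python
from dataclasses import dataclass
from typing import Tuple, List


@dataclass(frozen=True)
class Outcome:
    """One possible impact of the event, with P(this impact | event occurs)."""
    label: str
    impact: float            # loss in constructed monetary units
    conditional_prob: float  # must sum to 1.0 across all outcomes of a scenario


@dataclass(frozen=True)
class RiskScenario:
    """An event with a range of possible impacts, as described in the text."""
    name: str
    event_likelihood: float  # P(event occurs) in the assessment period
    outcomes: Tuple[Outcome, ...]

    def __post_init__(self) -> None:
        total = sum(o.conditional_prob for o in self.outcomes)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"conditional probabilities sum to {total}, not 1.0")
        if not 0.0 <= self.event_likelihood <= 1.0:
            raise ValueError("event likelihood must be a probability")


def worst_case_pairing(s: RiskScenario) -> float:
    """Event likelihood x worst impact: overstates risk when impacts vary."""
    worst = max(s.outcomes, key=lambda o: o.impact)
    return s.event_likelihood * worst.impact


def most_likely_pairing(s: RiskScenario) -> float:
    """Event likelihood x 'most likely' impact: ignores rare but grave impacts."""
    likeliest = max(s.outcomes, key=lambda o: o.conditional_prob)
    return s.event_likelihood * likeliest.impact


def per_impact_likelihoods(s: RiskScenario) -> List[Tuple[str, float, float]]:
    """HB 436 style: a (label, impact, likelihood) triple for each possible impact.

    The likelihood of a given impact is P(event) x P(impact | event), which is
    always <= the event likelihood and usually far smaller for the worst case.
    """
    return [
        (o.label, o.impact, s.event_likelihood * o.conditional_prob)
        for o in s.outcomes
    ]


def expected_loss(s: RiskScenario) -> float:
    """Probability-weighted loss across all impacts (sum of the per-impact rows)."""
    return sum(impact * likelihood for _, impact, likelihood in per_impact_likelihoods(s))


# Constructed scenario: a phishing campaign leads to credential compromise.
# The event happens with probability 0.5 in the period; what follows depends on
# the chain of mitigations (MFA, detection) and exacerbations (lateral movement).
PHISHING = RiskScenario(
    name="Phishing leads to credential compromise (constructed)",
    event_likelihood=0.5,
    outcomes=(
        Outcome("contained by MFA and detection", impact=10_000, conditional_prob=0.70),
        Outcome("single mailbox data exposure", impact=150_000, conditional_prob=0.25),
        Outcome("wider breach with regulator notification", impact=2_000_000, conditional_prob=0.05),
    ),
)

if __name__ == "__main__":
    print(PHISHING.name)
    print(f"  worst-case pairing : {worst_case_pairing(PHISHING):>12,.0f}")
    print(f"  most-likely pairing: {most_likely_pairing(PHISHING):>12,.0f}")
    for label, impact, likelihood in per_impact_likelihoods(PHISHING):
        print(f"  {label:<42} impact {impact:>10,.0f}  likelihood {likelihood:.3f}")
    print(f"  expected loss      : {expected_loss(PHISHING):>12,.0f}")
```

Running it shows the point of the bullet above: the worst-case pairing rates the scenario at 1,000,000 because it attaches the event likelihood (0.5) to the worst impact, while the per-impact table shows that the worst impact actually has a likelihood of only 0.025. The ‘most likely’ pairing swings the other way, rating the scenario at 5,000 and hiding the 2,000,000 outcome entirely. Keeping a separate likelihood for each impact preserves both the frequency of the common, cheap outcome and the visibility of the rare, grave one.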

Definition of risk management

According to CRISC, risk management is

the coordinated activities to direct and control an enterprise with regard to risk. The activities with risk management are defined as the identification, assessment and prioritization of risk followed by coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of adverse events or to maximize the realization of opportunities. [Part 1 Domain 1 C 2.1, page 15]

These definitions are substantially consistent with the definitions in ISO 31000 and COSO ERM.

CRISC follows this definition of risk management with a list of principles, parallel to the Key Principles of ISO 31000 [Part 1 Domain 1 C 2.1, pages 15-16]. There is a reasonable overlap with the ISO 31000 Key Principles, with the scope limited to ICT risk management.

In ISACA’s framework for governance and management of ICT, COBIT5, risk management is represented as a minor element. It is designated as Process APO12 within the COBIT5 Process Reference Model. This is paradoxical in view of the fact that ISACA and COBIT exist primarily to manage risk in ICT. However, it can make sense within the COBIT approach.

The RACI chart for risk management reproduced in the CRISC guide [Part 1 Domain 1 C 2.1, page 18] does not include any role for a risk specialist. This may be rather surprising to CRISC candidates. However, it is consistent with this blog’s position that risk is actually managed by decision makers (managers) and not by risk specialists, who only support management without making decisions.

I advise CRISC candidates to simply learn the ISACA models for the purpose of passing the exam. A critical view of those models is helpful in the exam only to the extent that it can make the otherwise dry details easier to remember.

Risk IT Practitioner Guide

The Risk IT Practitioner Guide [RiskIT] is another authoritative statement from ISACA. It is only occasionally referenced from the CRISC study guide. The Risk IT Practitioner Guide is available as a download from the ISACA web site at no cost to ISACA members. Members should take a look at some stage, as it contains some interesting material. I don’t advise non-members to bother with it. (It is not available for download to non-members.)

CRISC candidates can wait until after the exam before downloading RiskIT, because everything from RiskIT within the CRISC curriculum is reproduced in the CRISC study guide. RiskIT itself is very difficult and confusing for learners (and probably for everyone else).

RiskIT has its own complicated and difficult model for risk management, shown in Figure 1 on page 8. This model does not include definitions of risk or risk management comparable to those in ISO 31000 and COSO ERM.

RiskIT generally assumes that there is a centrally coordinated risk management activity within the ICT organisation, and in subtle ways tends to move the responsibility for risk management away from managers who make decisions, and on to risk specialists. I believe this tendency should be opposed.

RiskIT, taken as a whole, can also leave the impression that risk management is about following prescribed processes, rather than about making good decisions in the real world. Unlike ISO 31000, RiskIT did not distance itself decisively from the system-following paradigm that has undermined risk management globally. Unlike the other sources I’ve quoted, RiskIT does not have anything resembling the ISO 31000 Key Principles.

RiskIT would have been developed before ISO 31000:2009 was published, and these tendencies can now be regarded as common faults of the times.

I remain unclear as to why ISACA has not formally replaced RiskIT with something more aligned with current risk management thinking. There are newer publications, COBIT5 for Risk and Risk Scenarios: Using COBIT5 for Risk, but these are not a direct replacement.

Further Reading

Main article on What is risk management? (Everyone)

Recommended next articles:

Discrete risk management processes within an enterprise (Everyone)

Risk management happens across the whole of any enterprise, whether or not it is formalised and explicit. There may be multiple discrete risk management processes across the enterprise. Any discrete risk management process needs to have a definite scope. Discrete and independent risk management processes are the work-horses within formal risk management, even if they are not recognised at all in ISO 31000 or COSO ERM.
