What to read first: What is risk management? (supplement for risk specialists)
For CRISC candidates (ISACA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.
Definition of risk
The CRISC definition of risk is
the combination of the probability of an event occurring and the impact the event has on the enterprise. [2.1 page 14]
This definition of risk is approximately consistent with the COSO ERM definition and more loosely consistent with the ISO 31000 definition. CRISC is not concerned with subtleties in risk concepts.
CRISC candidates should learn the CRISC definition and then forget it after the exam. For reference after the exam, the specific weaknesses of the CRISC definition of risk are:
- Risk is linked only to events, and not to other uncertainties. Therefore, ‘working on wrong assumptions’ may not be recognised as a type of ‘risk’ within the CRISC definition.
- The ‘impact’ is limited to the effect on the enterprise, and therefore may be taken (unhelpfully) to exclude effects on stakeholders outside the enterprise, such as customers or the community.
- There is no concept of objectives as found in ISO 31000 and COSO ERM. Objectives are very important for evaluating ‘impacts’. Objectives are also very important in COBIT, though with different vocabulary. In some better risk management practices, the objectives are the main basis on which risk scenarios are identified.
- The wording suggests that the probability (likelihood) of the event is the same as the probability of the impact on the enterprise. Those two likelihoods can be the same, if risk scenarios are very precisely and carefully defined to have only a single definite impact. In practice, risk scenarios are often written to include a range of different possible impacts from an event. Any specific impact, such as the worst, may or may not follow from occurrence of the event. There is a chain of unpredictable mitigation and exacerbation effects in between the event and the final consequences. In that common case, the likelihood that the worst impact follows is far less than the likelihood of the event.
Associating the event likelihood and the worst impact will systematically overstate the actual level of risk. Other sources recommend rating the scenario impact at the impact level that is ‘most likely’ to follow from the event, but that method ignores the less likely but very grave impacts, and is therefore unsafe.
HB 436 spells out that the relevant ‘likelihood’ is the likelihood of the defined effects on objectives arising from the risk scenario. For an event with a range of possible impacts, there should be different likelihood and consequence values for each possible impact.
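To make the arithmetic behind this point concrete, here is an added worked example. It is not from the CRISC guide, HB 436 or the original article; the outage scenario, the annual event probability and the loss figures are assumptions chosen for illustration. It computes a separate likelihood for each possible impact (the HB 436 approach) and compares it with the two shortcuts criticised above: pairing the event likelihood with the worst impact, and pairing it with the most likely impact.

```python
"""Event likelihood vs. impact likelihood for one risk scenario.

Constructed example. P_EVENT, the outcome labels, the conditional
probabilities and the loss figures are all assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    label: str
    loss: float            # final impact in assumed monetary units
    p_given_event: float   # P(this outcome | the event occurs)


# Assumed scenario: a 20% annual chance that a critical service suffers an
# outage (the 'event'). The chain of mitigation and exacerbation effects then
# ends in one of three final impacts, with assumed conditional probabilities.
P_EVENT = 0.20
OUTCOMES = (
    Outcome("contained within SLA", 10_000, 0.60),
    Outcome("customer-facing outage", 100_000, 0.30),
    Outcome("data loss with regulatory action", 2_000_000, 0.10),
)


def validate(outcomes):
    """The conditional probabilities must cover every possible outcome."""
    total = sum(o.p_given_event for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"conditional probabilities sum to {total}, not 1")


def per_outcome_likelihood(p_event, outcomes):
    """HB 436 style: one likelihood per impact, P(event) * P(impact | event)."""
    validate(outcomes)
    return {o.label: p_event * o.p_given_event for o in outcomes}


def expected_annual_loss(p_event, outcomes):
    """Probability-weighted loss over all outcomes of the scenario."""
    validate(outcomes)
    return sum(p_event * o.p_given_event * o.loss for o in outcomes)


def worst_case_coupling(p_event, outcomes):
    """Shortcut 1: event likelihood paired with the worst impact.

    Treats the worst impact as if it were certain once the event occurs,
    so it overstates the scenario.
    """
    return p_event * max(o.loss for o in outcomes)


def most_likely_coupling(p_event, outcomes):
    """Shortcut 2: event likelihood paired with the most likely impact.

    Drops the less likely but grave outcomes entirely.
    """
    most_likely = max(outcomes, key=lambda o: o.p_given_event)
    return p_event * most_likely.loss


def tail_loss_ignored(p_event, outcomes):
    """Expected loss from outcomes worse than the most likely one:
    the part of the risk that shortcut 2 throws away."""
    most_likely = max(outcomes, key=lambda o: o.p_given_event)
    return sum(p_event * o.p_given_event * o.loss
               for o in outcomes if o.loss > most_likely.loss)


if __name__ == "__main__":
    for label, p in per_outcome_likelihood(P_EVENT, OUTCOMES).items():
        print(f"P({label}) = {p:.3f}")
    print(f"expected annual loss      : {expected_annual_loss(P_EVENT, OUTCOMES):,.0f}")
    print(f"worst-case coupling       : {worst_case_coupling(P_EVENT, OUTCOMES):,.0f}")
    print(f"most-likely coupling      : {most_likely_coupling(P_EVENT, OUTCOMES):,.0f}")
    print(f"tail loss ignored by (2)  : {tail_loss_ignored(P_EVENT, OUTCOMES):,.0f}")
```

With these assumed figures the worst impact has a likelihood of 0.02, not the event's 0.20; pairing the event likelihood with the worst impact rates the scenario at roughly eight times its expected annual loss, while pairing it with the most likely impact discards nearly all of that expected loss, which sits in the two rarer outcomes.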
Definition of risk management
According to CRISC, risk management is
the coordinated activities to direct and control an enterprise with regard to risk. The activities with risk management are defined as the identification, assessment and prioritization of risk followed by coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of adverse events or to maximize the realization of opportunities. [Part 1 Domain 1 C 2.1, page 15]
These definitions are substantially consistent with the definitions in ISO 31000 and COSO ERM.
CRISC follows this definition of risk management with a list of principles, parallel to the key principles of ISO 31000 [Part 1 Domain 1 C 2.1, pages 15-16]. There is a reasonable overlap with the ISO 31000 key principles, with the scope limited to ICT risk management.
Surprises
In ISACA’s framework for governance and management of ICT, COBIT5, risk management is represented as a minor element. It is designated as Process APO12 within the COBIT5 Process Reference Model. This is paradoxical in view of the fact that ISACA and COBIT exist primarily to manage risk in ICT. However, it can make sense within the COBIT approach.
The RACI chart for risk management reproduced in the CRISC guide [Part 1 Domain 1 C 2.1, page 18] does not include any role for a risk specialist. This may be rather surprising to CRISC candidates. However, it is consistent with this blog’s position that risk is actually managed by decision makers (managers) and not by risk specialists, who only support management without making decisions.
I advise CRISC candidates to simply learn the ISACA models for the purpose of passing the exam. A critical view of those models is helpful in the exam only to the extent that it can make the otherwise dry details easier to remember.
Risk IT Practitioner Guide
The Risk IT Practitioner Guide [RiskIT] is another authoritative statement from ISACA. It is only occasionally referenced from the CRISC study guide. The Risk IT Practitioner Guide is available as a download from the ISACA web site at no cost to ISACA members. Members should take a look at some stage, as it contains some interesting material. I don’t advise non-members to bother with it. (It is not available for download to non-members.)
CRISC candidates can wait until after the exam before downloading RiskIT, because everything from RiskIT within the CRISC curriculum is reproduced in the CRISC study guide. RiskIT itself is very difficult and confusing for learners (and probably for everyone else).
RiskIT has its own complicated and difficult model for risk management, shown in Figure 1, page 8. This model does not include definitions of risk or risk management comparable to those in ISO 31000 and COSO ERM.
RiskIT generally assumes that there is a centrally coordinated risk management activity within the ICT organisation, and in subtle ways tends to move the responsibility for risk management away from managers who make decisions, and on to risk specialists. I believe this tendency should be opposed.
RiskIT, taken as a whole, can also leave the impression that risk management is about following prescribed processes, rather than about making good decisions in the real world. Unlike ISO 31000, RiskIT did not distance itself decisively from the system-following paradigm that has undermined risk management globally. Unlike the other sources I’ve quoted, RiskIT does not have anything resembling the ISO 31000 key principles. RiskIT would have been developed before ISO 31000:2009 was published, and these tendencies can now be regarded as common faults of the times.
I remain unclear as to why ISACA has not formally replaced RiskIT with something more aligned with current risk management thinking. There are newer publications, COBIT5 for Risk and Risk Scenarios: Using COBIT5 for Risk, but these are not a direct replacement.
Parent articles
Risk specialists (Version 1.0 Beta)
Main article on What is Risk Management?
Index to the series What is risk management?