Pass Isaca CRISC Exam in First Attempt Easily

Introduction to Risk Management

1. Module Overview

Welcome to the ISACA Risk Management Series preparatory course. This is the first module of a total of five modules. In this first module, we will understand the whole context and essential concepts of risk management that are the foundation for the following modules. Some topics that we will address include why it is important to learn risk management, what it is for, how governance supports it, and where risk management fits within governance. What are risks, and what is risk governance? How to know how much you spend to respond to a risk and in what control mechanism the company should invest, what is it management and in. The next models are the phases of the risk management lifecycle as defined by Isaac. That is Module Two. We will deal with it. Risk Identification Module Three with it Risk Assessment Module Four with Risk Response and Mitigation and Module Five with Risk and Control monitoring and reporting. This training was based on the official ISACA material, the Review Manual Sixth Edition, and it's really intended to help you understand risk management in accordance with ISACA's vision and support your certification. Furthermore, to provide knowledge in this discipline that is becoming increasingly important and is increasingly required by businesses in order to enable you to add even more value to the activities that you carry out. After the last model, we will have an extra section with an overview of the certification test. But at that first moment, I really hope that everyone’s focus is on understanding discipline itself with the intention to learn not just the title. Thank you.

2. Why study risk management?

Learning a new area of knowledge requires motivation and discipline on the part of those who are dedicating themselves to this new endeavor. Learning means putting effort, time, and money into understanding something. Learning also means giving up other activities to study. If the reason you are doing this is not very clear, you will probably have difficulty developing the way you should in the discipline you want. Which, in this case, is risk management? Here we will discuss some basic reasons for studying risk management. But the main message that should be clear to everyone is to take some time, preferably in introspection, to reflect on why you are undertaking this trend and learn about risk management. The first reason is the needs of the market. You, as a professional, want to find your purpose. The best way to serve a purpose is to add value to help the company pursue its mission. Risk management has this function to support the organisation in its quest for its mission to make effective the creation of value for the area. Every day the internet becomes more important in our lives, and for every company that becomes important, it needs more security. Risk and information security professionals are highly demanded by the market for an obvious reason. as companies increasingly rely on the IT department for value creation for end consumers. And the value created by it must be consistent and reliable. It is precisely here that the risk professionals support the company, and that is precisely why the market demands these professionals. Everyone who studies risk management must understand that this is a key activity for companies to deliver value to their customers. The next reason is professional recognition. It's not enough for you to study and train yourself. The simplest way for the market to gauge the ability of a professional is through certification. Is a portion of the comparison process outsourced, with the activity of verifying if the professional has the necessary knowledge delegated to a third party, which in this case is the entity that certifies the professional? Of course, this is only part of the process, but it's a huge starting point. The market demands risk professionals, and the obvious recognition is certification. Another reason is to help you develop the essential skills needed to create value, whether in the company itself or the company you want to work in if you are hired. Our information security management depends on some form of risk management that should be structured. Every department creates value for the business. And the best way to ensure that this value creation is effective and consistent is through a proper risk management program. The professional with these essential skills can support the department to achieve its mission, which in turn supports the company itself to achieve its mission. Finally, a salary increase is certainly one of the reasons for studying risk management. Certainly the best strategy is to realize that money is not an end in itself. But it turns out that in practice, to meet day-to-day demands, We really need the financial viability to maintain the flow of life. Service certification is highly recognised by the market, and this recognition is also financial. Whether you want an opportunity in your current company or an opportunity to work in a different company, So conducting market research is a good way to achieve that goal in our market research. This is one of the most financially recognised certifications, as shown in the following image. This is a print of the CU site showing the 13 certifications that paid the most in 2018. That is professional acknowledgement. Also carried out as a financial recognition series is the first The reason is precisely because of its relevance to business. The more relevant it is, the greater the need to demonstrate consistency in value creation and the greater the need for proper risk management. Yes, I know I'm being repetitive, but if you have a risk management foundation that I want to make sure you know about, risk management helps it deliver value consistently. It is important to emphasise that most of the top 10 are certifications in the area of information security and risks, which is also very relevant. Certification for the information security market is second, followed by Amazon Cloud certification and two more secured certifications. In other words, make sure to be information secured filed. You will add value to the company, obtain professional recognition, and most of the time, obtain financial contributions compatible with the dedicated effort to learn the new art of knowledge.

3. What is IT for?

Having a macro view of where risk management is situated helps to clearly understand its role. Therefore, it is also extremely important that we understand the context in which risk management is embedded, which is the information technology department itself. Research & Development addresses risk management, so the first thing we need to understand is what it is for. First, it is accepted as an organizational imperative needed to drive the business. For those who are in doubt, imperative means just that which imposes itself with propriety. Our activities depend on information technology at some level to function. It is not a secondary function. It, in the vast majority of cases, has a primary hold, which is necessary to leverage the company's core activities. Despite this, the risk professional must understand that it is not an end in itself. It is essential, but it only serves because it helps the business achieve its mission. If the company is a pension-making company and pension is a product, it is of no use being the most modern and organized thing in the world if, in the end, it does not help the company produce in the right way the prices that customers need. Creating and delivering value to the business means three basic things Benefit realization entails ensuring that results are carried out as planned, risk reduction, consistency in achieving results, and resource optimization, which entails using resources efficiently to consistently produce those results. The lesson here is that risk management should help IT achieve its mission well and efficiently. Because it can have such a dramatic impact on a company's competitiveness and performance, failing to manage it effectively can have serious consequences. As a rule, organizational investments should deliver value. It is recognized that IT must be fully aligned with business strategy and direction. That is, if the company is in the recession phase, it is no use for it to have expansion plans. If the company is in the innovation phase, it is no use for It to be in the stabilization phase. In the end, IT and business must talk the same language and navigate in the same direction. Therefore, key risks should be identified and controlled and legislature achieving regulatory compliance must be demonstrated. This is where the risk professional comes in. It is trying to create value, and a security risk can put everything to waste either by using resources inefficiently, by delivering unstable results, or even by disrupting existing legislation. Identifying, evaluating, responding to, and monitoring risks means that the risk professional will help align the corporate strategy. In this respect, the fundamental difference between governance and management is that management focuses on planning, building, executing, and monitoring activities in alignment with the direction defined by governance to create value by achieving the objectives. It is governance that dictates the direction, and ultimately it is governance that is responsible for delivering value. We are saying this because risk management is one of the key performance tools. And every IT manager and risk professional must have those roles clear in their minds.

4. What does IT Governance help the company to understand?

We like to teach through questions because we understand that the action of questioning leads to fundamental reflection for the understanding of any activity. There is no point in getting answers ready. The risk professional must always know how to question, instigate, provoke, and imagine. When it comes to governance, there are some basic questions that need to be asked. And for the professionals who manage risk, these questions and their respective answers should be clear. These questions should be asked in a cyclical and continuous way. The first is, are we doing the right things? This means understanding whether the IT services portfolio is meeting the company's needs, if the company's mission is being pursued with the realisation of these services, and if there are any other services that would boost the company if executed. See that these are not simple questions and that a single person in the company cannot answer them individually. Leading leaders should discuss these questions and the response. At the end of the day, we will address our own strategy. The second question is, are we doing it right? That is, are we serving our customers within a reasonable deadline that actually solves their problems? When running the service, are we impacting our customers? Next are we doing well using resource in the right way? When running the service, are we using the resource in a way that justifies the value created? Because there's no point in creating value by spending more resources than the value it creates itself. To illustrate this point, we can say that it is no use spending $50,000 to paint a house if we want to increase $10,000 in the sale value of the house. It creates and delivers service, and it must be done in such a way that the costs justify the results. Anything that may impact this cost-benefit relationship must be mapped and responded to by the risk professional. So it's important to ask yourself if it's possible to make the execution of the service faster or cheaper while achieving the same benefits. And lastly, are we achieving the expected benefits? Because it is all too easy to get lost in the process and end up focusing more on providing a good service than on achieving the expected benefit. There is a professional who must always ask himself whether customer problems are being solved. It is no use to have the latest technology if it is too expensive or too slow to implement. It is important to be aware of what problems have to be solved. Sure, a particular solution actually solves the problem. For this, we always need to ask ourselves whether customers are satisfied with the services provided.

5. What does IT Governance enable the enterprise to achieve?

We are insisting on its governance because management is a huge method for it, regardless of where it is positioned within the enterprise structure. As risk professionals, we have to understand what IT governance allows the company to achieve to know exactly what we should try to achieve with risk management. First, strategic alignment means providing direction and alignment with the business regarding services, demands, and projects that will be realized. The second, as we have seen before, is value delivery, which means confirming that the organization is designed to deliver maximum value to the business with an advantageous return on investment. Governance also enables it to achieve risk management, which means ensuring that processes are in place and working to ensure that risks are being properly managed, including verification of resources related to its investment. That is, the identified risks and levels of risk are under control and available for senior management to make conscious decisions consciously. Then, the optimization of resources and performance, which means the high-level target to fund and use this resource, this means managing aggregate IT financing on a corporate level. That is, ensure that there is no other; ensure that there is great IT capacity and infrastructure to support current and future business requirements. Finally, compliance means ensuring that all of its needs are compliant with internal and external legislation and standards. That is not only compliant with laws but also compliant with internal policies and standards. This compliance is a relevant role of governance; which risk professionals should use directly.

6. Governance - General Topics

Here we will present some general topics to finalize the alignment of information on governance. We hope that everyone has the same vision of what governance is for within the company and how risk management fits within that governance. First, governance is not an action. It's a cyclical activity that requires continuous improvement. That is, it governance is not a single action or something that can be achieved by an order or set of rules. You don't go there and end with governance. It is something that is always being accomplished. There's no use doing these, and they're not following up on the environment. Change needs change and the company sales change. Its governance should always be looking for ways to answer these questions in a systematic way to follow the evolution of the company. Next, governance requires a high level of commitment from the organization to administer, manage, and control. It is not possible without the commitment of the top management of the company. and this is something that can be categorically declared without any fears. No change can be made without the commitment of those responsible for the company as a whole. And the best way to demonstrate the company's interest is with the involvement of top management. Finally, let's stress that governance must deliver value consistently. Please do a word-for-word analysis of this sentence: "Deliver value consistently." All value created by its governance must be consistent, so that our stakeholders know they can count on that benefit or value created by it. And the way we created consistency is true. Risk management. This is why risk management preserves the investments made by the company.

7. What is risk?

Now entering in risks properly. What is our risk, after all? First of all, it is important to note that ISAACA considers only negative events, even if in general, risk can also be something positive, such as the risk of winning the lottery, for example. In this way, risk is a challenge to achieve the goals. Goals are mapped out by governance and top management, and risk means anything that can present a challenge to achieving those goals. There should be a mapping of the goals of the company, and the risk professional should have clarity about how it can help in the pursuit of those goals. The next step is to identify possible challenges for these goals to be achieved. See here. The definition is proposed as quite broad. A challenge may be, for example, an operational failure or the delay of a project. The important thing here is that anything that proves to be a challenge to achieving the goals should be considerable. Risk that can be difficult to manage in terms of process projects or even available technology services such as applications, infrastructure, and so on. To be characterised as a risk, it is important that two factors—the probability and consequence—of these challenges be identified in order to know what we really have to do with them. This means management. We must identify the likelihood of this challenge becoming real. And if they do, what are the impacts? First, the company's assets are identified, followed by vulnerabilities in those assets and threats that can exploit those vulnerabilities. Only then can the probability of a risk and its consequences be identified. The probability is related to the change in threat of an attacker exploiting a vulnerability and the consequence in relation to the relative impact on the company's assets. Relative impact means the value of an asset for the business. Depending on the applications that process all of the stored data, a server with a capacity of 3000 can be worth more than a million dollars to the business. Yes, I know there are many terms, but you can watch the video more than once. Anyway, we will explore all these concepts very deeply throughout the course. So my recommendation is to watch the training twice. At first, you focus on paying as much attention as possible, even if you do not understand everything right from the start. In the second, you take notes and repeat a specific video until you are totally comfortable with the knowledge presented. It is important to speak of probability because a risk's impact rises. The probability cannot be identified. It's only an uncertainty, and it is very difficult to be treated constantly and effectively. Uncertainty should be addressed separately, for example, by applying the main security contrasts against combined threats to our enterprises. I want to point out here that secured controls are the measures we take to protect the company's assets. It could be, for example, a viral antivirus talent retention program, process documentation, or even an additional employee in a critical area to ensure that the service will always be provided. Finally, managing risk means predicting challenges and reducing their chance of occurrence or impact. See here that there are two possibilities: either reduce the probability or reduce the consequence. Each unitized risk should be taken to a management board so that, firstly, it gives visibility to the top management of the risk to which the company is exposed and, secondly, it can decide what to do with those risks.

8. What are the main objectives of Risk Governance?

We've been working hard to clarify the concept of governance. It is critical that you now have the awareness and peace of mind to distinguish governance from risk governance, which is what we will discuss in this slide. What are the main objectives of risk governance? see that we are specifically dealing with risk. What we are going to answer here is how to ensure that the entire risk management process really adds value to the company and helps you make guided decisions in a conscious way. First of all, establish and maintain a common risk view. All people involved should have the same view of the risks. Our risks should be visible to all those requiring them. Risks cannot be mapped in separate locations, as this would obstruct the common risk view. This is important because for all the decision-making, the single common risk view will serve as the source of risk that should be considered. Once this common risk vision is published, the next step is to integrate risk management into the enterprise. There is no point in risk management. In some areas, risk management must cover the whole enterprise. All meetings, whether for scoping, discussion of process, decisionmaking, or even new strategies, should take into account the risks to which the company is exposed and even help identify new risks. Risks must be identified in a wide range of contexts people, process, and tools). It must be observed in the table in search of a common risk view that is sound and reliable. Another objective is precisely to allow risk-sensitive business decisions to be made. If the information does not reach the necessary people in an efficient and timely manner, then the whole risk management effort will have been in vain. All decision-making should take into account the risks already identified. This may not change the decision. The risk may simply be accepted. But it is certainly better to accept a risk with our RNS than to be exposed unconsciously. Notice how all of these objectives are interconnected and contagious. It is important to be clear about this risk management function that risk governance seeks to ensure. Lastly, ensure that risk management controls are implemented and operate correctly. In order for decision-making to be conscious, that is, aware of all the risks the company is exposed to, it is necessary that our risk management operates correctly and that it is integrated into every company. If it does not operate properly in a department, it can make the entire process inefficient, lose readability, and not add value where it really should add. Let's explore these concepts later. However, a control can range from a checklist in a critical process to a fire or an IP on the outskirts of nature. if it serves to shape the risk It is a culture.

9. How do you know how much to spend to respond to a risk?

At the end of the day, it's all about investing efficiently in available resources. If you are mapping out risk in your personal life, It works the same way you evaluate the risk of studying new content and identify whether it is worth the effort. Time. Money for books and courses in the new item of knowledge, even at the risk of no financial return, incorporates the environment. These decisions are even more critical because they often deal with a lot of money or with widely distributed expectations. How do you know how much to spend to respond to risk? In a perfect world, our risk would be eliminated, but this is simple: not possible at all. The correct way to do this is to never spend more to respond to a risk than the risk itself presents in terms of the cost of impact. We are talking about negative risks here; we first check the impact of that risk to see how much damage or loss it can cause, then we evaluate how much it would cost to mitigate this risk. We should never spend more to mitigate a risk than the risk itself presents in terms of the cost of impact. It would be the same as paying for car insurance that would cost more than the car itself. The rule is very simple but having invisibility of the factors can be very complicated. It is not always possible to measure in objective terms the impact of a risk and identify the cost of our scenarios to mitigate that risk, which can be a great effort. It should be very clear that we must know the potential losses associated with the risk or we will not be able to decide how to respond to the risk. The company will need to spend effort on risk management It will need to allocate professionals to access the mitigation options how am each would cost what the effort? Without this, there is no decision-making.

10. How to know in which control mechanisms should the company invest?

The budget is always a finite, restricted, and highly controlled item. Our companies should be economically viable in the long run. Risk Management I should give managers visibility into what risks the company is exposed to so that decisions can be made in a conscious way. However, it is not possible to simply mitigate other risk encounterment. Only a few cultural mechanisms can be implemented due to several limitations, among them investments, human resources, and time. Yes, sometimes you have the money, but not the time. Sometimes you have money and time, but you don't find the right professional to do that. Our restrictions should be considered careful. A control mechanism is a system that addresses a security risk. It can be a policy, a process, an application, or even an audit. The question here is how to know which control mechanisms to invest in. If resources were infinite, the company would simply implement all possible control mechanisms and be covered against a large number of risks. But because resources are scarce, the company must decide how best to use the resource. For this, risk management adds value, giving visibility so that the managers can prioritise the investments and become aware of the risks that have not yet been treated. Simply implementing a control mechanism without having it mapped to one or more specific risks Maybe this is an inefficient way of applying enterprise resources. What if there is another risk with greater potential to impact the company that needs more investments? Therefore, any control must be traceable back to specific risks that the control is designed to mitigate. Over time, the profile of this risk may change, or the control may no longer be effective. Because of this, it is important that this control be traceable so that it can be monitored in a way that ensures that the risk is within acceptable levels. Information security experts are often tech-savvy geeks and simply want to implement the next generation of tools. Professionals should treat the matter seriously and identify the risks the company is exposed to, the potential impact, and what the options are. To respond to risk, it is necessary to have a rationale to explain why Mechanism A was implemented and not Mechanism B. The best way to handle the selection of contrast is to create an information security roadmap according to the prioritisation of identified risks, as new risks are always emerging and even the risks already identified are always changing in probability and impact. Risk management must have a continuous operation so that the best information is always available to manage. I'm.

Hide