IT RISK FUNDAMENTALS

– Common risk terminology and types of risk
– Risk-related business functions
– How the three lines of defense are important to the risk management process
– General and I&T controls and their role in the risk management process

– Articulate the purpose, objectives and importance of risk governance and risk management.
– Summarize how risk management fits within an enterprise governance strategy.
– Explain how an enterprise decides the amount of risk it is willing to accept (risk appetite, tolerance and capacity).
– Describe the structure, roles and responsibilities of risk stakeholders.
– Summarize the risk management process and workflow.

– Categorize enterprise assets and how they are valued.
– Describe the factors that can put enterprise assets at risk.
– Explain the different types of threats and vulnerabilities that exist.
– Identify IT areas of concern that can lead to I&T-related risk.
– Describe the risk identification process.
– Summarize how to apply risk identification methods.
– Define the types and benefits of risk scenarios.
– Describe how to develop a risk scenario.

– Explain the risk assessment process.
– Describe frequency and magnitude and how they apply to a risk scenario.
– Explain the risk analysis process and available approaches.
– Apply risk analysis methods and techniques.
– Explain how to rank and prioritize risk.
– Describe risk aggregation and it applies to risk maps.
– Summarize how to document risk (risk register).
– Explain how to assess the current state of controls.
– Define risk and control ownership.

– Explain the risk response process and the importance of alignment with business objectives.
– Illustrate risk response strategies and examples of each.
– Outline control design and implementation and control activities that can reduce risk to acceptable levels.
– Articulate the role that incident management, business continuity and disaster recovery play in mitigating risk.
– Define the characteristics of inherent and residual risk.
– Explain how to select and prioritize risk response alternatives.
– Describe how to document and communicate risk responses.
– Define the elements of a risk response plan.

– Gather available sources of data to monitor and report on risk.
– Articulate how to monitor risk through the use of key risk indicators (KRIs) and key performance indicators (KPIs).
– Describe how to monitor existing controls.
– Explain risk reporting guidelines and types.
– Outline the importance of an ongoing risk monitoring process and a proactive and continuous approach to risk management.