CRISC Domain 3: Risk Response and Mitigation

February 9, 2018 by Graeme Messina

What is Risk Response and Mitigation?

In order to understand Risk Response and Mitigation, we first need to separate the two definitions and define them properly. The two work together hand in hand, but are different in their approaches to keeping your company going.

Risk Response: Risk response is a series of processes and procedures that create tactical options for a business, options that both increase positive outcomes and decrease threats to the business and its projects. To manage these processes effectively, a staff member is assigned to own each risk response within a department, so that each risk and its corresponding response is monitored closely by a dedicated person. The person who takes responsibility for the risk and its response does not necessarily need to be the responder: a specialized person or team can be dispatched when the processes set out in the procedures documentation require action to be taken.

Mitigation: The mitigation of risk is slightly different from the processes laid out in the risk response procedures. Mitigation steps are put in place beforehand to avoid an incident, or to lessen the chance of it occurring in the first place. Once an incident has occurred and the risk response procedures are under way, mitigation plays a further role, built into those procedures, by lessening the potential damage to the business.

How much is this domain covered on the exam & what topics are discussed?

Below are the 7 topics that are most likely to be covered in the CRISC exam.

3.1 Consult with risk owners to select and align recommended risk responses with business objectives and enable informed risk decisions.

3.2 Consult with, or assist, risk owners on the development of risk action plans to ensure that plans include key elements (e.g., response, cost, target date).

3.3 Consult on the design and implementation or adjustment of mitigating controls to ensure that the risk is managed to an acceptable level.

3.4 Ensure that control ownership is assigned to establish clear lines of accountability.

3.5 Assist control owners in developing control procedures and documentation to enable efficient and effective control execution.

3.6 Update the risk register to reflect changes in risk and management’s risk response.

3.7 Validate that risk responses have been executed according to the risk action plans.

What are the most common risk response options and their criteria for selection?

Knowing which tactic to use for a specific scenario is really important if you are going to manage risk and avoid unnecessary liability for your organization. The 4 main tactics that are available to you are:

  • Avoidance: The best way to protect your company from a risk is to avoid it altogether. Such risks can usually be avoided by removing the root cause of the risk, or by re-evaluating how your project is being executed and changing that execution until the elements of risk that raise concern have been eliminated. Having said that, not all risks are avoidable, so this approach does not always work and is not always possible to pursue.
  • Transference: Risk is transferred by finding others who are able to take on the task of managing it for you. Those parties bear the liability for the risk if the worst happens, which ensures that only those capable of bearing the burden deal with it, in the best possible way. Service providers will take on this risk for a price, so the benefit of transferring the risk has to be greater than the fee you will be paying the third party.
  • Mitigation: Risk mitigation seeks to lessen the effects of a high-risk event should it ever take place. This means taking a potentially catastrophic event and reducing the damage it could do by creating safeguards and contingencies. This approach is also a compromise, as repairing the damage after such a failure might be cheaper than installing all of the mitigation safeguards. A cost analysis must be conducted to establish feasibility.
  • Acceptance: This strategy is employed when the potential loss or damage to a particular system is not catastrophic to the operation of the business, or when the cost of repairing the damage is minimal. It can also be used when the expense of avoiding the risk altogether is too high to justify. In this scenario a workaround plan or a contingency plan would be employed to offer relief should the risk materialize.
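The cost analysis that the mitigation and transference bullets call for can be made concrete with the usual annualized-loss model (single loss expectancy multiplied by annualized rate of occurrence). The following is an added example, not code from the article or from ISACA: the scenario figures, the option costs and the residual factors are constructed for illustration, and the `select_response` rule (cheapest option whose residual loss fits within the stated risk appetite) is one reasonable decision rule, not the CRISC-prescribed method.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RiskScenario:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annualized rate of occurrence: expected events per year


def ale(scenario: RiskScenario) -> float:
    """Annualized loss expectancy = SLE x ARO (the 'do nothing' cost per year)."""
    return scenario.sle * scenario.aro


@dataclass
class ResponseOption:
    tactic: str            # avoid / transfer / mitigate / accept
    annual_cost: float     # yearly spend: control cost, insurance premium, or 0 for accept
    residual_factor: float # fraction of the original ALE still carried after the response


def residual_ale(scenario: RiskScenario, option: ResponseOption) -> float:
    return ale(scenario) * option.residual_factor


def expected_annual_cost(scenario: RiskScenario, option: ResponseOption) -> float:
    """What the option really costs per year: what we pay plus what we still expect to lose."""
    return option.annual_cost + residual_ale(scenario, option)


def transfer_is_worthwhile(scenario: RiskScenario, option: ResponseOption) -> bool:
    """The article's test for transference: the risk removed must exceed the fee paid."""
    risk_removed = ale(scenario) - residual_ale(scenario, option)
    return risk_removed > option.annual_cost


def select_response(scenario: RiskScenario, options: List[ResponseOption],
                    risk_appetite: float) -> Optional[ResponseOption]:
    """Pick the cheapest option whose residual loss is within the risk appetite.

    Returns None when no option brings the risk inside appetite, which is a
    signal to escalate to the risk owner rather than silently accept.
    """
    feasible = [o for o in options if residual_ale(scenario, o) <= risk_appetite]
    if not feasible:
        return None
    return min(feasible, key=lambda o: expected_annual_cost(scenario, o))


# Constructed scenario: a ransomware outage of a file server, estimated at a
# 200,000 loss per event, expected once every four years.
FILE_SERVER = RiskScenario("file server ransomware outage", sle=200_000.0, aro=0.25)

# Constructed response options; costs and residual factors are illustrative.
OPTIONS = [
    ResponseOption("accept", annual_cost=0.0, residual_factor=1.0),
    ResponseOption("mitigate", annual_cost=20_000.0, residual_factor=0.2),  # backups + endpoint controls
    ResponseOption("transfer", annual_cost=35_000.0, residual_factor=0.1),  # cyber insurance premium
    ResponseOption("avoid", annual_cost=60_000.0, residual_factor=0.0),     # replace the platform
]


if __name__ == "__main__":
    print(f"ALE if nothing is done: {ale(FILE_SERVER):,.0f}")
    for o in OPTIONS:
        print(f"{o.tactic:>8}: expected annual cost {expected_annual_cost(FILE_SERVER, o):>9,.0f}, "
              f"residual ALE {residual_ale(FILE_SERVER, o):>8,.0f}")
    for appetite in (15_000.0, 4_000.0):
        chosen = select_response(FILE_SERVER, OPTIONS, appetite)
        print(f"risk appetite {appetite:,.0f}: choose {chosen.tactic if chosen else 'ESCALATE'}")
```

With these numbers acceptance is the most expensive choice in expectation (the full 50,000 ALE), mitigation is the cheapest that stays within a 15,000 appetite, and only avoidance satisfies a 4,000 appetite; the transfer option passes the article's "benefit greater than fee" test because it removes 45,000 of expected loss for a 35,000 premium.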

What are Key Risk Indicators?

A Key Risk Indicator, or KRI, is a measure by which risks to business operations are identified, quantified and managed. The measured values are then compared against the company’s risk appetite, which states how much risk the company is willing to carry in different scenarios. Each business segment within a larger corporation will have its own KRI measurements, and management makes the final call regarding risk appetite.

Policy makers within the organization need to ensure that the following are considered properly before KRIs are instituted:

  • All stakeholders are consulted within the organization so that a proper risk analysis can be created.
  • KRIs also intersect with other metrics, such as Performance Indicators, Lead Indicators and Trends.

Candidates wishing to complete their CRISC certification must have a firm grasp of the following:

4.1 Define and establish key risk indicators (KRIs) and thresholds based on available data, to enable monitoring of changes in risk.

4.2 Monitor and analyze key risk indicators (KRIs) to identify changes or trends in the IT risk profile.

4.3 Report on changes or trends related to the IT risk profile to assist management and relevant stakeholders in decision making.

4.4 Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of control performance.

4.5 Monitor and analyze key performance indicators (KPIs) to identify changes or trends related to the control environment and determine the efficiency and effectiveness of controls.

4.6 Review the results of control assessments to determine the effectiveness of the control environment.

4.7 Report on the performance of, changes to, or trends in the overall risk profile and control environment to relevant stakeholders to enable decision making.
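Task statements 4.1 and 4.2 (set KRI thresholds, then monitor the indicators for changes or trends) are easy to state and easy to get wrong in practice: a single reading against a threshold tells you the current status but not the direction of travel, and an indicator that is still amber but worsening often deserves escalation before it turns red. The following is an added example, not code from the article or from ISACA; the two indicators, their amber/red thresholds, the monthly observations and the escalation rule are all constructed for illustration.

```python
from statistics import mean
from typing import Dict, List, Tuple

# Constructed KRIs with (amber, red) upper bounds: a reading at or above the
# amber bound is amber, at or above the red bound is red. Lower is better.
KRI_THRESHOLDS: Dict[str, Tuple[float, float]] = {
    "pct_systems_unpatched_over_30d": (5.0, 10.0),
    "privileged_accounts_without_mfa": (2, 5),
}

# Constructed monthly observations, oldest first.
OBSERVATIONS: Dict[str, List[float]] = {
    "pct_systems_unpatched_over_30d": [2.1, 2.4, 2.0, 3.5, 4.2, 6.3],
    "privileged_accounts_without_mfa": [6, 5, 4, 3, 3, 2],
}


def rate(value: float, amber: float, red: float) -> str:
    """Map a single reading to a traffic-light status against its thresholds."""
    if value >= red:
        return "red"
    if value >= amber:
        return "amber"
    return "green"


def trend(series: List[float], window: int = 3, tolerance: float = 0.10) -> str:
    """Compare the mean of the last `window` readings with the mean of the
    preceding `window`; movement inside +/- tolerance counts as stable."""
    if len(series) < 2 * window:
        return "insufficient data"
    recent = mean(series[-window:])
    prior = mean(series[-2 * window:-window])
    if recent > prior * (1 + tolerance):
        return "worsening"
    if recent < prior * (1 - tolerance):
        return "improving"
    return "stable"


def evaluate_kris(observations: Dict[str, List[float]],
                  thresholds: Dict[str, Tuple[float, float]]) -> Dict[str, dict]:
    """Build the per-indicator view a risk practitioner would report on."""
    report = {}
    for name, series in observations.items():
        amber, red = thresholds[name]
        report[name] = {
            "current": series[-1],
            "status": rate(series[-1], amber, red),
            "trend": trend(series),
            "red_periods": sum(1 for v in series if v >= red),  # how often the red line was crossed
        }
    return report


def needs_escalation(entry: dict) -> bool:
    """Escalation rule (constructed): anything red, or amber and getting worse."""
    return entry["status"] == "red" or (entry["status"] == "amber" and entry["trend"] == "worsening")


if __name__ == "__main__":
    for name, entry in evaluate_kris(OBSERVATIONS, KRI_THRESHOLDS).items():
        flag = "ESCALATE" if needs_escalation(entry) else "monitor"
        print(f"{name}: current={entry['current']} status={entry['status']} "
              f"trend={entry['trend']} red_periods={entry['red_periods']} -> {flag}")
```

On the constructed data both indicators are currently amber, but they tell opposite stories: the patching indicator has climbed steadily from green and is flagged for escalation, while the MFA indicator has spent two periods in red and is now improving, so it stays on the watch list. That distinction is exactly what the trend component of 4.2 adds over a threshold check alone.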

What is the impact of emerging technologies on design and implementation of controls?

The rate at which new technologies have emerged in recent years has been incredible. Enhanced mobile services and the Internet of Things (IoT) have become increasingly prevalent. These devices and services connect to the internet and have the potential to cause system breaches and security issues if they are not managed correctly within your environment.

It is for this reason that these types of emerging technologies are more commonly being addressed when controls are being designed and implemented. All stakeholders must be aware of such devices and be more prepared.

The technologies themselves are disruptive to businesses in many ways, which means that competitors must all race one another to implement new technologies that will put them ahead of the competition. This can lead to security and risk incidents further down the line if the technologies are not vetted and tested thoroughly before they are rolled out.

Getting CRISC Certified

Learning how to deal with risk by managing and mitigating the root causes of negative business outcomes is challenging. Take a look here to see how you can get started!


Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.
