Bugni S Oce: 1. 8 Review
Governance
Overview
1.2 Organizational Structure, Roles and Responsibilities
1.3 Organizational Culture
1.4 Policies and Standards
Part B: Risk Governance
1.7 Enterprise Risk Management and Risk Management Frameworks
1.8 Three Lines of Defense
1.9 Risk Profile
1.10 Risk Appetite, Tolerance and Capacity
1.11 Legal, Regulatory and Contractual Requirements
1.12 Professional Ethics of Risk Management
At its core, governance is the ability to meet stakeholder needs by providing value. This is achieved through the
proper balancing of both performance and conformance requirements defined by the enterprise and only
accomplished by ensuring that a proper risk-management capability is in place. Having a well-defined risk-
treas thinosare cases i Thsi lis areot deprin nial ye, m
neid ours dna regileenonis ns
ultimately deliver value to stakeholders. Effective risk management bridges the requirements for performance and
conformance and establishes sound governance principles and practices.
This domain represents 62 percent (approximately 39 questions) of the exam.
A. Organizational Governance
1. Organizational Strategy, Goals and Objectives
2. Organizational Structure, Roles and Responsibilities
3. Organizational Culture
4. Policies and Standards
5. Business Processes
6. Organizational Assets
B. Risk Governance
Upon the completion of this chapter, the risk practitioner should be able to:
1. Collect and review existing information regarding the organization's business and IT environments.
2. Identify potential or realized impacts of IT risk to the organization's business objectives and operations.
3. Identify threats and vulnerabilities to the organization's people, processes and technology.
4. Evaluate threats, vulnerabilities and risk to identify IT risk scenarios.
5. Establish accountability by assigning and validating appropriate levels of risk and control ownership.
6. Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile.
7. Facilitate the identification of risk appetite and risk tolerance by key stakeholders.
8. Promote a risk-aware culture by contributing to the development and implementation of security awareness training.
9. Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact.