Part I: The Big Picture: How Risk Management Relates to Risk Governance

A. Part I Overview
Introduction Part I provides an overview of risk management and risk governance to ensure that the CRISC candidate sufficiently understands the environment in which the CRISC functions. Relevance While the CRISC may not personally perform the tasks related to risk governance, the concepts that are addressed in Part I are important to effectively:

y Identify, assess and evaluate risk. y Assist in selecting the appropriate risk response. y Monitor risk. y Design, implement, monitor and maintain information systems controls to mitigate such
risk. NoteThe concepts introduced in Part I are considered a fundamental element of the CRISC job practice. Learning Objectives As a result of completing this chapter, the CRISC candidate should be able to:

y Differentiate between risk management and risk governance. y Identify the roles and responsibilities for risk management. y Distinguish among various risk management methodologies. y Apply and differentiate the standards, practices and principles of risk management. y List the main tasks related to risk governance. y Recognize relevant risk management standards, frameworks and practices. y Explain the meaning of key risk management concepts, including risk appetite and risk
tolerance.

Part I contains the following sections: Open table as spreadsheet A. B. C. D. E.

ontents

Section Part I Overview Overview of Risk Management Risk and Opportunity Management Roles and Responsibilities for IT-related Risk Management Risk Management Frameworks, Standards and Practices

Starting Page IA1 IB1 IC1 ID1 IE1

No. of Pages 1 1 2 1 3

Open table as spreadsheet F. G.

Section Essentials of Risk Governance Suggested Resources for Further Study

Starting Page IF1 IG1

No. of Pages 11 1

B. Overview of Risk Management

Introduction Risk management is the process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives. It holistically covers all concepts and processes affiliated with managing risk, including the systematic application of management policies, procedures and practices; the tasks of establishing the context, communicating and consulting; and identifying, analyzing, evaluating, treating, monitoring and reviewing risk. Relevance The CRISC must understand the principles and concepts of risk management and be able to apply these principles to a unique enterprise. Risk is an integral part of all enterprises and must be properly identified, managed and monitored to support the overall business objectives of the enterprise. While the CRISC is not expected to establish the risk tolerance or acceptance levels of the enterprisethose are decisions to be made strategically by senior managers and shareholders of the businessthe CRISC is expected to provide accurate reporting on the levels of risk facing the organization. This reporting is based on risk identification, assessment and analysis. Other CRISC activities include recommending the use of mitigating IS controls to avoid or limit adverse events and enabling the deployment of new business systems and initiatives to help ensure that the enterprise can confidently leverage new opportunities without facing an unacceptable level of risk.

C. Risk and Opportunity Management

Introduction Enterprises continuously plan, operate and deploy business activities and processes to achieve business objectives. The CRISC is actively involved in ensuring that the operational risk of each business activity is assessed; monitored; and, if necessary, addressed. Each business activity carries both risk and opportunity, and the CRISC must be aware of the need to balance business needs and productivity with IS controls. Definition of Risk Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Riskthe potential for events and their consequencescontains both:

y y

Opportunities for benefit (upside) Threats to success (downside)

Risk Management Is Key to Enterprise Success Risk and opportunity go hand in hand. To provide business value to stakeholders, enterprises must engage in various activities and initiatives, all of which carry degrees of uncertainty and, therefore, risk. Managing risk and opportunity is a key strategic activity for enterprise success. Guiding Principles for Effective Risk Management The following are guiding principles for effective risk management:

y y y y y y

Maintain business objective focus. Integrate IT risk management into enterprise risk management (ERM). Balance the costs and benefits of managing risk. Promote fair and open communication. Establish tone at the top and assign personal accountability. Promote continuous improvement as part of daily activities.

The following table provides further detail. Principle Maintain business objective focus. Description All risk is treated as a business risk, and the risk management approach must be comprehensive and cross-functional. The focus is on business outcome. Each business function supports the achievement of business objectives; IT-related risk is expressed as the impact it can have on the achievement of business objectives or strategy. Every risk analysis considers business and IT-process resilience and contains a dependency analysis of how the business process depends on IT-related resources, such as: People Information Applications Infrastructure IT-related business risk is viewed from two angles: Protection against value destruction Enablement of value generation Integrate IT risk Business objectives and the amount of risk that the enterprise is management into prepared to take are clearly defined and documented. enterprise risk management (ERM). The entitys risk appetite reflects its risk management philosophy and influences the culture and operating style (as stated in the Committee of Sponsoring Organizations of the Treadway Commission [COSO] Enterprise Risk ManagementIntegrated Framework). Risk issues are integrated for each business organization (i.e.,

Principle

Description the risk view is consolidated across the overall enterprise). Attestation of/sign-off on control environment is provided.

Balance the costs and benefits of managing risk.

Risk is prioritized and addressed in line with risk appetite and tolerance. Controls are implemented to address a risk and minimize impact and are based on a cost/benefit analysis. In other words, controls are not implemented simply for the sake of implementing controls. Existing controls are leveraged to address multiple risk factors or to address risk more efficiently.

Promote fair and open communication.

Open, accurate, timely and transparent information on IT risk is exchanged and serves as the basis for all risk-related decisions. Risk issues, principles and risk management methods are integrated across the enterprise. Technical findings are translated into relevant and understandable business terms.

Establish tone at the top, and assign personal accountability.

Key personnel, i.e., influences, business owners and the board of directors, is engaged in risk management. There is clear assignment and acceptance of risk ownership. Top management provides direction by means of policies, procedures and the right level of enforcement. Enterprise leadership actively promotes a risk-aware culture. Authorized individuals make risk decisions, including businessfocused IT risk, e.g., for IT investment decisions, project funding, major IT environment changes, risk assessments, and the monitoring and testing of controls.

Promote continuous improvement as part of daily activities.

Because of the dynamic nature of risk, risk management is an iterative, perpetual and ongoing process. The enterprise pays attention to consistent risk assessment methods, roles and responsibilities, tools, techniques, and criteria across the enterprise, noting especially: Identification of key processes and associated risk Understanding of impacts on achieving business objectives Identification of triggers that indicate when an update of the framework is required Risk management practices are appropriately prioritized and embedded in enterprise decision-making processes that enable riskreturn aware business decisions. Risk management practices are straightforward and easy to use and contain practices to detect, prevent and mitigate threat and potential risk.

D. Roles and Responsibilities for ITrelated Risk Management

Exhibit ID1: Responsibilities and Accountability for IT-related Risk Management Exhibit ID1 defines a number of roles for risk management and indicates where these roles carry responsibility or accountability for one or more activities within a process. In this context:

y Responsibility belongs to those who must ensure that the activities are completed
successfully.

y Accountability applies to those who:

Own the required resources Have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes Given that the roles in the figure are implemented differently in every enterprise and do not necessarily correspond to organizational units or functions, each role has been briefly described. Exhibit ID1: Responsibilities and Accountability for IT-related Risk Management

Note

Within this framework, the CRISC executes on risk evaluation and risk response activities and functions within the risk governance framework established within the enterprise.

E: Risk Management Frameworks, Standards and Practices

Contents This section contains the following topics: Topic 1. Differences Among Frameworks, Standards and Practices 2. Examples of Frameworks Related to Risk Management and IS Control Starting Page IE1 IE2 No. of Pages 1 1

Topic 3. Examples of Standards Related to Risk Management and IS Control 4. Examples of Leading Practices Related to Risk Management and IS Control

Starting Page IE3 IE3

No. of Pages 1 1

1. Differences Among Frameworks, Standards and Practices

Importance of Risk Management Frameworks, Standards and Practices Frameworks, standards and practices matter to the CRISC because they:

y y y y y

Provide a systematic view of things to watch that could result in harm to customers or an enterprise Act as a guide to focus efforts of diverse teams Save time and costs, such as training costs, operational costs and performance improvement costs Help achieve business objectives more quickly and easily Provide credibility to engage functional (e.g., chief financial officer [CFO]) and C-suite leadership

Frameworks, Standards and Practices Definitions The following table provide definitions for:

y y y
Term

Frameworks Standards Practices Definition Are generally accepted, business-process-oriented structures that establish a common language and enable repeatable business processes Note: This term may be defined differently in different disciplines. This definition suits the purposes of this manual.

Frameworks

Standards

Establish mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or outputs of a process (for example, food and drug quality).

Practices

Are frequent or usual actions performed as an application of knowledge A leading practice would be defined as an action that optimally applies knowledge in a particular area. They are issued by a recognized authority that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review. Note: Practices usually are derived from and supplement/support standards and frameworks and are the least formal of the three.

2. Examples of Frameworks Related to Risk Management and IS Control

Examples of Risk Management of Frameworks The following table provides examples of frameworks related to risk management. Issuing Body ISACA ISACA ISACA Committee of Sponsoring Organizations of the Treadway Commission (COSO) US National Institute of Standards and Technology (NIST) Publication The Risk IT Framework Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0 COBIT 4.1 Enterprise Risk ManagementIntegrated Framework Risk Management Framework (RMF)

Reminder: Frameworks can be applied flexibly within an enterprise.

3. Examples of Standards Related to Risk Management and IS Control

Examples of Risk Management Standards Standards related to risk management include, but are not limited to, those in the following table. Issuing Body ISACA International Organization for Standardization (ISO) Publication IT Audit and Assurance Standards ISO 31000:2009 (at the time of this manuals publication, the newest for general purpose risk management) Note: Unlike other standards, this was not intended to be used for certification. ISO/International Electrotechnical Commission (IEC) British Standards Institution (BSI) ISO/IEC 2700x (for information security management systems [ISMSs]) BS 25999-x (for business continuity) BS 25999 comprises two parts: Part 1, the Code of Practice, provides business continuity management (BCM) best practice recommendations. Please note that this is a guidance document only. Part 2, the Specification, provides the requirements for a BCM system (BCMS) based on BCM best practice. This is the part of the standard that can be used to demonstrate compliance via an auditing and certification process. Payment Card Industry (PCI) Security Standards Council PCI Data Security Standard (PCI DSS)

Reminder: Standardsincluding corporate standards, which are not addressed hereideally define measurable objectives to enable compliance assessments. Standards are intended to be implemented in a rigid way with variations only as allowed in the standard.

4. Examples of Leading Practices Related to Risk Management and IS Control

Examples of Risk Management or Control Leading Practices The following table provides examples leading practices related to risk management or control. Issuing Body ISACA ISO/IEC NIST Publication The Risk IT Practitioner Guide ISO/IEC 2700x (for ISMSs) NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems

Carnegie Mellon University (CMU) Operationally Critical Threat, Asset, and Vulnerability Software Engineering Institute (SEI) EvaluationSM (OCTAVE) Spanish Ministry for Public Administrations Methodology for Information Systems Risk Analysis and Management (MAGERIT version 2)

F: Essentials of Risk Governance Section Overview This section contains a brief introduction to risk governance to provide the CRISC candidate with a baseline understanding of the holistic environment in which the CRISC functions. Relevance Risk is an integral part of business and a core factor related to the stability, growth and success of the enterprise. Risk represents the opportunity for growth and levels of profit, but also poses the possibility of loss or damage to the business objectives. Risk governance addresses the oversight of the business risk strategy of the enterprise. Risk governance is the domain of senior management and the shareholders of the enterprise. They establish the organization s risk culture and the acceptable levels of risk; set up the management framework; and ensure that the risk management function is operating effectively to identify, manage, monitor and report on current and potential risk facing the enterprise. Contents This section contains the following topics: Topic 1. Risk Governance 2. Risk Governance Objectives Starting Page No. of Pages I F 1 I F 2 1 1

Topic 3. Risk Appetite and Tolerance

Starting Page No. of Pages I F 3 3 5 1

4. Risk Awareness and Communication I F 6 5. Risk Culture 1. Risk Governance Topic Overview I F 10

Risk governance is a strategic business function. Ultimately, it is the board of directors and senior management s responsibility to set up the risk governance process, establish and maintain a common risk view, make risk-aware business decisions, and set the enterprise s risk culture. This section discusses the elements of risk governance and how to put an effective risk management structure in place. It is important to recognize that risk must be addressed from a business perspective and not from a purely IT viewpoint. The principles of risk governance must also be applied from an enterprisewide perspective and not solely on a department by department or a system by system basis. NoteWhile risk governance and the decisions made in the execution of risk governance ultimately are not the responsibility of the CRISC, the practitioner must nevertheless contribute to and enable sound risk management decisions through the execution of many underlying tasks associated with the risk governance process. 2. Risk Governance Objectives Risk Governance Objectives Effective risk governance helps ensure that risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. Risk governance has three main objectives: Establish and maintain a common risk view Integrate risk management into the enterprise Make risk-aware business decisions Foundation for Effective Risk Governance To effectively govern enterprise and IT risk, there must be an: Understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise

Awareness of risk and the need for effective communication about risk throughout the enterprise Understanding of the elements of risk culture Establish and Maintain a Common Risk View Effective risk governance establishes the common view of risk for the enterprise. This determines which controls are necessary to mitigate risk and how risk-based controls are integrated into business processes and IS. The risk governance function sets the tone of the business in how to determine an acceptable level of risk tolerance. In the end, the senior management team is liable for the impact of the risk faced by the enterprise and bears the responsibility to ensure that it is provided ongoing risk assessment results, monitors the risk environment and mandates corrective action where the risk levels are not within acceptable limits. Risk governance is a continuous life cycle that requires regular reporting and ongoing review. The risk governance function must oversee the operations of the risk management team. Integrate Risk Management Into the Enterprise Integrating risk management into the enterprise enforces a holistic enterprise risk management (ERM) approach across the entire organization. It requires the integration of risk management into every department, function, system and geographic location. Understanding that risk in one department or system may pose an unacceptable risk to another department or system requires that all business processes be compliant with at least a minimal or baseline level of risk management. The objective of ERM is to establish the authority to require all business processes to undergo a risk analysis on a periodic basis or when there is a significant change to the internal or external environment. Make Risk-aware Business Decisions To make risk-aware business decisions, the risk governance function must consider the full range of opportunities and consequences of each such decision and its im pact on the enterprise, its place in society and the environment. 3. Risk Appetite and Tolerance Definitions and Clarification of Risk Appetite and Risk Tolerance Risk appetite and risk tolerance are concepts that are frequently used, but the potential for misunderstanding is high. Some people use the concepts interchangeably; others see a clear difference. The following table provides definitions of each term.

Term Risk appetite

Definition The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision)

Risk The acceptable variation relative to the achievement of an objective (and often is tolerance best measured in the same units as those used to measure the related objective) Note These definitions are compatible with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM definitions, which are equivalent to the ISO 31000 definition in Guide 73:2009, Risk Management Vocabulary.

Major Factors When Considering Risk Appetite Levels Risk appetite is the broad-based amount of risk an enterprise is prepared to accept while pursuing its business objectives. When considering the risk appetite levels for the enterprise, the following two major factors are important: The enterprise s objective capacity to absorb loss, e.g., financial loss, reputation damage The (management) culture or predisposition toward risk taking cautious or aggressive. (What is the amount of loss the enterprise wants to accept to pursue a return?) Risk appetite can and will be different among enterprises there is no absolute norm or standard of what constitutes acceptable and unacceptable risk. Every enterprise has to define its own risk appetite levels and should: Ensure that such definitions/levels are: In line with the overall risk culture that the enterprise wants to express (that is, ranging from very risk averse to risk taking/opportunity seeking) Well defined, understood and communicated Review them on a regular basis NoteRisk appetite and risk tolerance should be applied not only to risk assessments, but also to all risk decision making. Exhibit I F 1: Risk Map Indicating Risk Appetite Bands In practice, risk appetite can be defined, in terms of combinations of frequency and magnitude of a risk, using risk maps. Exhibit I F 1 and the following table depict and describe different bands of risk significance, based on frequency and magnitude of risk. Exhibit I F 1: Risk Map Indicating Risk Appetite Bands

Risk Level Really Unacceptable

Description Indicates really unacceptable risk. The enterprise estimates that this level of risk is far beyond its normal risk appetite. Any risk found to be in this band may trigger an immediate risk response. Indicates elevated risk, i.e., also above acceptable risk appetite. The enterprise may, as a matter of policy, require mitigation or another adequate response to be defined within certain time boundaries. Indicates a normal, acceptable level of risk, usually with no special action required, except for maintaining the current controls or other responses Indicates very low risk, in which cost-saving opportunities may be found by decreasing the degree of control or in which opportunities for assuming more risk may arise This risk appetite scheme is an example. Each enterprise has to define its own risk appetite levels and review them regularly.

Unacceptable

Acceptable

Opportunity

Note

Risk Tolerance Example Risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives. Example: Standards require projects to be completed within the estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated.

Risk Appetite and Risk Tolerance Guidelines The guidelines listed in the following table apply to risk appetite and risk tolerance. Guideline Description

Risk appetite and Risk appetite and risk tolerance go hand in hand. Risk tolerance is risk tolerance must defined at the enterprise level and is reflected in policies set by the connect. executives. At lower (tactical) levels of the enterprise, or in some entities of the enterprise, exceptions can be tolerated (or different thresholds defined) as long as the overall exposure does not exceed the set risk appetite at the enterprise level. Any business initiative includes a risk component, so management should have the discretion to pursue new opportunities of risk. Enterprises in which policies are cast in stone, rather than lines in the sand, could lack the agility and innovation to exploit new business opportunities. Conversely, there are situations in which policies are based on specific legal, regulatory or industry requirements in which it is appropriate to have no risk tolerance for failure to comply. Exceptions to risk Risk tolerance is defined at the enterprise level by the board and tolerance standards clearly communicated to all stakeholders. A process should be in place to must be reviewed review and approve any exceptions to such standards. and approved. Risk appetite and tolerance change over time. Risk appetite and tolerance change due to: New technology New organizational structures New market conditions New business strategy Many other factors Such factors require an enterprise to reassess its risk portfolio at regular intervals and also require the enterprise to reconfirm its risk appetite at regular intervals, triggering risk policy reviews. In this respect, an enterprise also needs to understand that the better risk management it has in place, the more risk can be taken in pursuit of return. Cost of risk mitigation options There may be circumstances in which the cost/business impact of risk mitigation options exceeds an enterprise s capabilities/resources, thus

Guideline can affect risk tolerance.

Description forcing higher tolerance for one or more risk conditions. Example: If a regulation states that sensitive data at rest must be encrypted, yet there is no feasible encryption solution or the cost of implementing a solution would have a large negative impact, the enterprise may choose to accept the risk associated with regulatory noncompliance, which is a risk trade-off.

4. Risk Awareness and Communication Defining Risk Awareness Risk awareness is about acknowledging that risk is an integral part of the business. This does not imply that all risk is to be avoided or eliminated, but rather that: Risk is well understood and known. IT risk issues are identifiable. The enterprise recognizes and uses the means to manage risk. Importance of Risk Communication Risk communication is a critical part in the risk management process. People are naturally uncomfortable talking about risk and tend to put off admitting that risk is involved and communicating about issues; incidents; and; eventually, even crises. If risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout an enterprise. Benefits of Effective Risk Communication The benefits of open communication on risk include: Assistance in executive management s understanding of the actual exposure to IT risk, enabling the definition of appropriate and informed risk responses Awareness among all internal stakeholders of the importance of integrating risk and opportunity in their daily duties Transparency to external stakeholders regarding the actual level of risk and risk management processes in use Consequences of Poor Risk Communication The consequences of poor communication of risk include: A false sense of confidence at the top on the degree of actual exposure related to IT and lack of a well-understood direction for risk management from the top down

Unbalanced communication to the external world on risk, especially in cases of high, but managed risk, which may lead to an incorrect perception on actual risk by third parties such as: Clients Investors Regulators The perception that the enterprise is trying to cover up known risk from stakeholders Exhibit I F 2: IT Risk Communication Components Exhibit I F 2 and the following table depict and describe the broad array of information flows and the major types of IT risk information that should be communicated. Exhibit I F 2: IT Risk Communication Components

Risk Component to Be Description Communicated Expectations from This includes risk strategy, policies, procedures, awareness training, continuous reinforcement of principles, etc. This is essential

Risk Component to Be Description Communicated risk management communication on the enterprise s overall strategy toward IT risk and: Drives all subsequent efforts on risk management Sets the overall expectations from risk management Current risk management capability This information: Allows for monitoring of the state of the risk management engine in the enterprise Is a key indicator for good risk management Has predictive value for how well the enterprise is managing risk and reducing exposure Status with regard to IT risk This includes the actual status with regard to IT risk including information such as: Risk profile of the enterprise, i.e., the overall portfolio of (identified) risk to which the enterprise is exposed Key risk indicators (KRIs) to support management reporting on risk Event/loss data Root cause of loss events Options to mitigate risk (including cost and benefits) Effective Communication The following table lists the required elements for effective communication. Communication Element Clear Concise Description

Risk information must be known and understood by all stakeholders. Information or communication should not inundate the recipients. All ground rules of good communication apply to communication on risk. This includes the avoidance of jargon and technical terms regarding risk because the intended audiences are generally not deeply technologically skilled.

Communication Element Useful

Description

Any communication on risk must be relevant. Technical information that is too detailed and/or is sent to inappropriate parties will hinder, rather than enable, a clear view of risk. For each risk, critical moments exist between its origination and its potential business consequence. Examples: A risk may originate when an inadequate IT organization is set up; the business consequence is inefficient IT operations and service delivery. The origination point may be project failure; the business consequence is delayed business initiatives. Communication is timely when it allows action to be taken at the appropriate moments to identify and treat the risk. It serves no useful purpose to communicate a project delay a week before the deadline

Timely

Aimed at the correct target audience

Information must: Be communicated at the right level of aggregation Be adapted for the audience Enable informed decisions In this process, aggregation must not hide root causes of risk. Example: A security officer needs technical IT data on intrusions and viruses to deploy solutions. An IT steering committee may not need this level of detail, but it does need aggregated information to decide on policy changes or additional budgets to treat the same risk.

Available on a Information related to IT risk should be known and communicated to all need-to-know basis parties with a genuine need. A risk register with all documented risk is not public information and should be properly protected against internal and external parties with no need for it. Communication does not always need to be formal, through written reports or messages. Timely face-to-face meetings between stakeholders are an important means of communication for information related to IT risk. Exhibit I F 3: Risk Communication Flows Stakeholders Exhibit I F 3 provides a quick overview of the most important communication channels for effective and efficient risk management. The figure s intent is to provide a high-level overview

of the main communication flows on IT risk that should exist in one form or another in any enterprise. NoteThis exhibit is focused on the most important information that each stakeholder needs to process. The CRISC may hold one of the more of the tactical or operational roles depicted. Exhibit I F 3: Risk Communication Flows Stakeholders Input

5. Risk Culture Importance of a Risk-aware Culture Risk management is about helping enterprises take more risk in pursuit of return. A risk-aware culture: Characteristically offers a setting in which components of risk are discussed openly and acceptable levels of risk are understood and maintained Begins at the top, with board and business executives who: Set direction. Communicate risk-aware decision making. Reward effective risk management behaviors. Risk awareness also implies that all levels within an enterprise are aware of why a response is needed and how to respond to adverse IT events. Exhibit I F 4: Elements of a Risk Culture Risk culture is a concept that is not easy to describe. Exhibit I F 4 and the following table depict and describe the series of behaviors that are elements of a risk culture.

Exhibit I F 4: Elements of a Risk Culture

Elements of a Risk Culture Behavior toward taking risk Behavior toward following policy Behavior toward negative outcomes How much risk does the enterprise feel it can absorb, and what specific risk is it willing to take? To what extent will people embrace and/or comply with policy?

How does the enterprise deal with negative outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to adjust, or will blame be assigned without treating the root cause? Symptoms of an Inadequate or Problematic Risk Culture

Misalignment between real risk appetite and translation into policies Existence of a blame culture

Management s real position toward risk can be reasonably aggressive and risk taking, whereas the policies that are created reflect a much stricter attitude.

This type of culture should, by all means, be avoided; it is the most effective inhibitor of relevant and efficient communication.

Elements of a Risk Culture In a blame culture, business units tend to point the finger at IT when projects are not delivered on time or do not meet expectations. In doing so, they fail to realize how the business unit s involvement up front affects project success. In extreme cases, the business unit may assign blame for a failure to meet the expectations that the unit never clearly communicated. The blame game only detracts from effective communication across units, further fuelling delays. Executive leadership must identify and quickly control a blame culture if collaboration is to be fostered throughout the enterprise.