CRISC Certification Job Practice

Collect and review environmental risk data

• Identify potential vulnerabilities to people, processes and assets
• Develop IT scenarios based on information and potential impact to the organization
• Identify key stakeholders for risk scenarios
• Establish risk register
• Gain senior leadership and stakeholder approval of the risk plan
• Collaborate to create a risk awareness program and conduct training

Domain 2 – IT Risk Assessment

• Analyze risk scenarios to determine likelihood and impact
• Identify current state of risk controls and their effectiveness
• Determine gaps between the current state of risk controls and the desired state
• Ensure risk ownership is assigned at the appropriate level
• Communicate risk assessment data to senior management and appropriate stakeholders
• Update the risk register with risk assessment data

Domain 3 – Risk Response and Mitigation

• Align risk responses with business objectives
• Develop consult with and assist risk owners with development risk action plans
• Ensure risk mitigation controls are managed to acceptable levels
• Ensure control ownership is appropriately assigned to establish accountability
• Develop and document control procedures for effective control
• Update the risk register
• Validate that risk responses are executed according to risk action plans

Domain 4 – Risk and Control Monitoring and Reporting

• Risk and control monitoring and reporting
• Define key risk indicators (KRIs) and identify key performance indicators (KPIs) to enable performance measurement key risk indicators (KRIs) and key performance indicators (KPIs)
• Determine the effectiveness of control assessments
• Identify and report trends/changes to KRIs/KPIs that affect control performance or the risk profile