Cobit-3 - RACI Chart Board of Directors Governance Practice Board EDM03.01 Evaluate risk management A EDM03.02 Direct risk management A EDM03.03 Monitor


RACI Chart – Board of Directors

Governance Practice                        Board
EDM03.01 Evaluate risk management.         A
EDM03.02 Direct risk management.           A
EDM03.03 Monitor risk management.          A

RACI Chart – Management

(CEO = Chief Executive Officer, CISO = Chief Information Security Officer, CRO = Chief Risk Officer, CIO = Chief Information Officer)

Management Practice                                     CEO   CISO   CRO   CIO
APO12.01 Collect data.                                  I     R      R     A
APO12.02 Analyze risk.                                  I     C      R     A
APO12.03 Maintain a risk profile.                       I     C      A     R
APO12.04 Articulate risk.                               I     C      R     A
APO12.05 Define a risk management action portfolio.     I     C      A     R
APO12.06 Respond to risk.                               I     R      R     A

Board of Directors

1. EDM03.01 Evaluate risk management.

Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.

ACTIVITY
1. Determine the level of IT-related risk that the enterprise is willing to take to meet its risk objectives.
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise’s acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise’s capacity for IT-related loss and leadership’s tolerance of it.

DETAILED ACTIVITIES
The board needs to actively take part in the risk evaluation process of the enterprise, which also includes the IT-related risks, and, in assessing the risk, define a risk tolerance threshold for acceptable risks and opportunity levels. The board needs to evaluate the risk factors before taking decisions on strategies to ensure that the impact of risk has been factored in. The board should evaluate the risk management activities and regularly define the enterprise’s capacity for loss and the tolerance limits.

2. EDM03.02 Direct risk management.

Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.

ACTIVITY
1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.