2023 IT Examiner School
Internal Use Only
Residual Risks
Actions to address residual risk:
Reduce
Transfer
Accept
Ignore*
*This is not good
Risk Assessment Guidance
The Board is responsible for communicating its risk tolerance to management.
Effective risk assessments are performed by qualified personnel, have executive-level ownership, and are enterprise-wide.
Risk acceptance decisions should be made at the Board and/or executive management level.
An effective risk assessment process includes identification of assets, threats, and vulnerabilities.
Review Board minutes for support of the answers management provides during discussions (approval/discussion of risk assessment findings, risk acceptance decisions, etc.).