From the course: ISACA Certified in Risk and Information Systems Control (CRISC) Cert Prep

Organizational governance and risk governance

- [Instructor] First, when we talk about governance, we're going to start with Organizational Governance and Risk Governance. Before we get into the two different types of governance, let's talk about what governance is. So, governance establishes requirements for how to achieve the proper balance of conformance and performance within an enterprise. That enterprise's goal is to meet stakeholder needs and deliver value. Think about it like the speed limit like you see on the screen. We could allow people to travel the fastest on roads that we want them to, 90 miles an hour, 100 miles an hour, but where does that leave people's safety when they're driving on the road? We could also require that people go five miles an hour or four miles an hour, but are people going to actually be able to achieve that goal, and does that actually make people safer? So, now think about that in corporate America and in an IT setting. We could give people laptops to do whatever they wanted on whatever applications that they wanted, but we might have different people using different applications to achieve the same thing, so are we really balancing cost for the value that we're getting? We could allow people to copy and paste and use sensitive information, whether owned by the organization or personally identifiable information for whatever purpose they want, however they feel like they want to use it, however they feel like they should be using it. But then we're not giving protection to that information, and it could easily be leaked, it could easily be given to our competitors. And so, governance is really about drawing that line. Where are we going to achieve that balance between the protection that we need and the conformance that we want and the value that we're looking to deliver to our stakeholders? When we look at the two different types of governance, thinking that we're trying to achieve that balance, there's Organizational Governance and Risk Governance. 
Organizational is concerned with your organization, the structure, the purpose, the culture, the processes, how you document things, where you document them. And Risk Governance is really how your risk management functions are governed. So, how do you manage external requirements, whether that's from third parties, whether that's from investors, whether that's from regulators? How do you internally govern? How do you take those board mandates and turn them into action to make sure that items that need to be escalated are escalated? And as this Venn diagram shows, there's going to be some things that are Organizational Governance and Risk Governance. So, for example, how your organization is structured in your organizational chart may need to be structured a certain way because you want dual controls to exist, and you want some departments to have governance over other departments. Or maybe you want some groups to be structured to be auditors, or to be your compliance department, or to be lawyers. And that's going to play into how you actually manage risk within your organization.