Which of the following enterprise risk management concepts is MOST important to fully understand prior to finalizing the design of an IT governance system?
Understanding the enterprise's risk appetite is most important before finalizing the design of an IT governance system. Risk appetite refers to the amount of risk an organization is willing to accept in pursuit of its objectives. It's a fundamental concept in ensuring that the governance system aligns with the organization's overall strategy and risk management approach. Without a clear understanding of risk appetite, it would be challenging to design a governance system that appropriately addresses and manages risks.
Ans B is correct. Figure 7.2 Governance System Design Flow, page 47, COBIT 2019 Framework Introduction and Methodology.
Step 1, understand enterprise context & strategy, of the design flow has a step for "understand risk profile".
p. 42: Figure 7.2, 2.3
This question feels ill-formed. I hope this doesn't show up word for word on the exam. My thoughts: Risk Profile is what COBIT concerns itself with. It is an entire design principle. "3. Risk profile of the enterprise and current issues in relation to I&T—The risk profile identifies the sort of I&T related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite. The risk categories listed in figure 4.7 merit consideration." Risk appetite *is* a common risk management concept, but risk profile is more notably talked about in the book. Appetite would be an essential part of determining the risk profile though, so I'm honestly not sure. You don't have a risk profile without risk appetite, but risk profile is the design factor you reference to build your governance system.