
End-to-End Risk Management Capstone: From Scenarios to Board Report
This capstone assignment walks you through the complete CRISC risk management lifecycle using the connected AI toolkit workflow. You will generate scenarios, build a risk register, recommend controls, visualize risks on a dashboard, and produce an executive report — all within a single project context where data flows between tools. This mirrors real-world CRISC practice where risk artifacts inform each other.
Estimated Time: 150 minutes | Difficulty: Advanced
Tasks:
1. Create a new project in the toolkit named ‘Cascade Power & Electric — Q1 2026 Risk Assessment’. Generate 5 risk scenarios for an electric utility with assets: GridOS EMS (SCADA/EMS), CustomerConnect CIS, PowerTrader Energy Trading, Cloud Infrastructure, Employee Endpoints.
2. Import all 5 scenarios into the Risk Register. Review each entry and ensure risk owners are assigned. Note the inherent and residual risk levels.
3. For the 3 highest-rated risks in your register, use the Control Recommender with ‘Select from Risk Register’ to get framework-mapped control recommendations. Compare controls across COBIT, ISO 27001, and NIST.
4. Load all risk register entries into the Dashboard Builder using ‘Load from Risk Register’. Analyze the heatmap distribution. Save the dashboard to your project.
5. Use the Report Generator with ‘Auto-fill from Project Data’ to populate risk data automatically. Generate an executive summary report for the Board audience. Export as PDF.
Key Evaluation Criteria:
• All 5 tools in the capstone workflow are used in sequence with data flowing between them
• Risk register has at least 5 entries with appropriate categories and owners
• Control recommendations are linked to specific risk register entries
• Dashboard heatmap accurately reflects the likelihood/impact from the register
• Executive report aggregates project data and provides actionable board-level recommendations
Technology Risk Assessment and Vendor Due Diligence
Your organization is migrating its core infrastructure to a multi-cloud environment and onboarding three new technology vendors. As the IT risk professional, conduct a technology-focused risk assessment using the Control Recommender and Vendor Assessor, then map your findings to compliance frameworks. This assignment tests your ability to evaluate technology-specific risks and vendor dependencies.
Estimated Time: 90 minutes | Difficulty: Intermediate
Tasks:
1. Use the Control Recommender to get recommendations for: ‘Cloud infrastructure misconfiguration leading to data exposure across multi-cloud environment (AWS + Azure)’. Select ‘All Frameworks’ and category ‘Technology’. Document the top 5 controls by priority.
2. Use the Vendor Assessor to evaluate a critical SaaS vendor: ‘CloudVault Pro’ (SaaS, services: encrypted cloud storage and backup for financial records, data access: Customer PII and Financial Records, criticality: Critical). Analyze the risk score and categories.
3. Use the Vendor Assessor to evaluate a second vendor: ‘DevOps Pipeline Co’ (PaaS, services: CI/CD pipeline and container orchestration, data access: Source code and deployment credentials, criticality: High). Compare the risk profiles of both vendors.
4. Use the Compliance Mapper to map ISO 27001:2022 to NIST CSF 2.0 with focus area ‘Third-Party Risk Management’. Identify which controls apply to your vendor assessments.
5. Write a vendor risk summary comparing both vendors: overall scores, highest-risk categories, recommended contractual requirements (SLAs, audit rights, incident notification), and a go/no-go recommendation for each.
Key Evaluation Criteria:
• Control recommendations address cloud-specific risks (not just generic IT controls)
• Vendor assessments use realistic criticality levels based on data access and service type
• Compliance mapping identifies actionable gaps in third-party risk management
• Vendor comparison demonstrates understanding of different risk profiles for SaaS vs PaaS
• Recommendations include specific contractual and technical safeguards
Role Play 1: IT Governance Board Presentation
Scenario: You are the Chief Risk Officer (CRO) at NovaTech Solutions, a mid-size financial services company. The Board of Directors has called a special session to review IT governance after a competitor suffered a major data breach. You must present the company’s IT governance framework and demonstrate that appropriate oversight structures are in place.
Your Role: Chief Risk Officer presenting to the Board
Estimated Time: 45 minutes
Instructions:
1. Prepare your governance framework presentation. Using the AI Scenario Generator, create 3 risk scenarios relevant to a financial services company. These will form the basis of your governance discussion with the Board.
2. Build your risk register. Import the scenarios into the Risk Register tool. Assign risk owners from the following executive team: CTO (technology risks), CISO (security risks), COO (operational risks), CFO (financial impact risks).
3. Present the Three Lines Model. Write a brief explanation (2–3 paragraphs) of how NovaTech’s governance applies the Three Lines Model: First Line (business operations), Second Line (risk management and compliance), Third Line (internal audit). Reference your risk register entries as examples.
4. Address Board questions. Prepare written responses to these likely Board questions:
• “How do we know our IT governance is effective?”
• “What is our biggest IT risk right now, and what are we doing about it?”
• “How does our governance compare to industry standards like COBIT and ISO 27001?”
5. Create a one-page executive summary. Use the Report Generator to produce a Board-ready summary that includes: governance structure overview, top 3 risks with owners, alignment to COBIT/ISO frameworks, and recommended next steps.
Evaluation Criteria:
• Governance framework clearly maps to recognized standards (COBIT, ISO 27001)
• Three Lines Model is correctly applied with realistic examples
• Board questions are answered with confidence, specificity, and business-level language
• Executive summary is concise, professional, and actionable
Role Play 3: Design Risk Responses and Report to the Board
Scenario: You are the IT Risk Manager at Cascade Power & Electric, a regional electric utility serving 2 million customers. A recent penetration test revealed critical vulnerabilities in the SCADA/EMS systems that control the power grid. The CEO has asked you to design risk responses and present a risk treatment plan to the Board within 48 hours. Budget is constrained, so you must prioritize responses based on business impact.
Your Role: IT Risk Manager presenting risk response recommendations to the Board
Estimated Time: 60 minutes
Instructions:
1. Generate risk scenarios. Use the Scenario Generator to create 4 risk scenarios for a critical infrastructure utility, focusing on: SCADA vulnerability exploitation, ransomware on operational technology, insider threat to grid operations, and third-party vendor compromise.
2. Build a risk register and assign risk responses. Import scenarios into the Risk Register. For each risk, select the appropriate risk response strategy: Mitigate (reduce likelihood/impact), Transfer (insurance or outsource), Accept (within appetite), or Avoid (eliminate the activity). Document your rationale for each choice.
3. Design control recommendations. For risks you chose to mitigate, use the Control Recommender to identify specific controls. Map at least 2 controls per mitigated risk to NIST CSF and IEC 62443 (industrial control system security).
4. Create a risk dashboard. Load your register into the Dashboard Builder. Generate a heatmap showing residual risk after your proposed treatments. Identify any risks that remain above the organization’s risk appetite threshold.
5. Prepare a Board risk report. Use the Report Generator to create an executive summary that includes: current risk posture, proposed risk treatments with cost estimates, expected residual risk after treatment, timeline for implementation, and risks requiring Board acceptance.
Evaluation Criteria:
• Risk responses are appropriate to the scenario (not all risks should be mitigated)
• Control recommendations are specific and mapped to recognized frameworks
• Dashboard clearly shows before/after risk treatment comparison
• Board report is executive-appropriate: concise, business-focused, with clear recommendations
• Budget constraints are acknowledged with prioritized implementation approach
Role Play 4: Make Technology Security Decisions for a Healthcare Network
Scenario: You are the CISO at MedConnect Health Systems, a network of 12 hospitals and 40 outpatient clinics. The organization is undergoing a major technology transformation: migrating to a hybrid cloud infrastructure, deploying IoT medical devices across all facilities, and implementing a new Electronic Health Record (EHR) system. A recent ransomware attack on a neighboring health system has heightened urgency. You must make critical technology security decisions and present your security architecture to the executive committee.
Your Role: Chief Information Security Officer (CISO) making technology security decisions
Estimated Time: 60 minutes
Instructions:
1. Assess technology risks. Use the Scenario Generator to create 5 risk scenarios covering: cloud misconfiguration exposing patient data (HIPAA), IoT medical device compromise, ransomware targeting the EHR system, third-party vendor data breach, and insider threat from privileged IT staff.
2. Evaluate vendor security. Use the Vendor Assessor to evaluate two critical vendors:
• “CloudHealth Platform” (IaaS, services: hybrid cloud hosting for EHR and clinical systems, data access: Protected Health Information (PHI), criticality: Critical)
• “MedDevice Connect” (IoT Platform, services: medical device management and monitoring, data access: device telemetry and patient vitals, criticality: High)
3. Design security controls. Use the Control Recommender for your top 3 risks. Map controls to HIPAA Security Rule, NIST CSF 2.0, and HITRUST CSF. For each control, specify whether it is preventive, detective, or corrective.
4. Build a security dashboard. Create a risk dashboard showing the healthcare network’s security posture. Include a heatmap of all 5 risks and highlight any that exceed the organization’s risk appetite for patient safety.
5. Present your security architecture decision. Write a 1–2 page executive briefing that includes: security architecture overview (network segmentation, Zero Trust, encryption), vendor risk assessment summary, prioritized control implementation roadmap (30/60/90 days), budget request with ROI justification, and residual risks requiring executive acceptance.
Evaluation Criteria:
• Risk scenarios are realistic for healthcare and reference HIPAA/patient safety
• Vendor assessments differentiate risk profiles based on data sensitivity and service type
• Controls are mapped to healthcare-specific frameworks (HIPAA, HITRUST)
• Security architecture decisions demonstrate Zero Trust and defense-in-depth principles
• Executive briefing balances technical detail with business-level decision support
Comprehensive Risk Assessment for Cascade Power & Electric
Cascade Power & Electric is expanding into mobile utility and needs a full IT risk assessment before launch. As the CRISC-certified risk analyst, use the AI toolkit to identify scenarios, build a risk register, calculate financial exposure, and assess business impact. Your assessment will inform the board’s go/no-go decision for the mobile utility launch.
Estimated Time: 120 minutes | Difficulty: Advanced
Tasks:
1. Use the Scenario Generator to create risk scenarios for the critical infrastructure industry with assets: GridOS EMS v8 (SCADA/EMS), Customer PII, ICCP/TASE.2 Gateway, PowerTrader Energy Trading Platform. Include ‘Cybercriminals’ and ‘Insider Threats’ as threat actors.
2. Import at least 3 scenarios into the Risk Register. For each, review the AI-generated threats, vulnerabilities, and treatment plans. Adjust risk owners to appropriate roles (CISO, CTO, Head of Operations).
3. Use the Risk Calculator (quantitative mode) to calculate ALE for the highest-rated risk, where ALE = SLE × ARO and SLE = asset value × exposure factor. Use realistic values: asset value based on annual mobile utility revenue ($50M), an appropriate exposure factor (the fraction of that value lost in a single event), and ARO based on industry data.
4. Run a Business Impact Analysis for two critical processes: ‘Grid Operations Energy Management’ and ‘Customer Authentication Service’. Compare RTO/RPO values.
5. Create a summary table comparing all risks by inherent vs. residual risk level. Identify which risks require immediate treatment vs. acceptance.
Key Evaluation Criteria:
• At least 5 distinct risk scenarios with varied threat actors and assets
• Risk register entries have appropriate categories and realistic treatment plans
• Quantitative analysis uses defensible assumptions with documented rationale
• BIA results reflect critical infrastructure regulatory requirements (NERC CIP, FERC)
• Summary demonstrates understanding of risk treatment options: mitigate, transfer, accept, avoid
Role Play 2: Conduct a Risk Assessment Under Real-World Pressure
Scenario: You are the Lead IT Risk Analyst at Meridian Financial Group, a growing fintech company that processes $2B in annual transactions. The company is preparing for its SOC 2 Type II audit in 6 weeks. During a routine review, the security team discovered that a legacy payment processing API has not been included in any previous risk assessment. The CTO is pressuring you to “just mark it as low risk” so it doesn’t delay the audit timeline. You must conduct a proper risk assessment under time pressure while maintaining professional integrity.
Your Role: Lead IT Risk Analyst navigating time pressure and stakeholder management
Estimated Time: 50 minutes
Instructions:
1. Assess the overlooked API risk. Use the Scenario Generator to create 3 risk scenarios for a legacy payment processing API in a fintech environment. Consider threats such as: API exploitation, data exfiltration through the API, and authentication bypass.
2. Quantify the financial exposure. Use the Risk Calculator in quantitative mode to calculate the Annual Loss Expectancy (ALE) for the highest-rated API risk. Use realistic values: transaction volume ($2B annually), potential exposure factor for a payment API breach, and annualized rate of occurrence based on fintech industry data.
3. Build a risk register entry. Import your highest scenario into the Risk Register. Assign appropriate risk ownership and document the current control gaps. Note: the API currently has no API gateway, basic authentication only (no MFA), and no rate limiting.
4. Run a Business Impact Analysis. Conduct a BIA for the ‘Payment Transaction Processing’ business process. Determine appropriate RTO and RPO values considering PCI DSS requirements and customer SLAs.
5. Navigate the stakeholder conflict. Write a professional memo (1 page) to the CTO that:
• Explains why the API cannot be rated as “low risk” based on your assessment findings
• Quantifies the potential financial and regulatory exposure
• Proposes a pragmatic remediation timeline that works within the SOC 2 audit window
• Recommends compensating controls that can be implemented quickly while long-term fixes are planned
Evaluation Criteria:
• Risk scenarios are specific to API and payment processing threats
• Quantitative analysis uses defensible assumptions with clear documentation
• Risk register entry accurately reflects the current control gaps
• BIA reflects PCI DSS and fintech regulatory requirements
• Stakeholder memo balances professional integrity with pragmatic solutions
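The quantitative and qualitative arithmetic behind several of these tasks (the ALE calculation in the Cascade assessment task 3 and Role Play 2 task 2, the inherent vs. residual summary table in Cascade task 5, and the heatmap / risk-appetite checks in the Dashboard Builder steps) is small enough to work through by hand. The following Python is an added example written for this page; it is not code from the AI toolkit or from ISACA. The 5×5 scale, the score bands, the appetite threshold of 9, the sample register entries and the dollar figures are all assumptions made for illustration, so the tool's own scales may differ.

```python
from dataclasses import dataclass

# Assumption: a 5x5 qualitative scale, score = likelihood x impact, banded as below.
# These bands are an illustrative convention, not a toolkit- or ISACA-defined scale.
LEVEL_BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Critical"))


def score(likelihood: int, impact: int) -> int:
    """Multiply 1..5 likelihood by 1..5 impact; reject out-of-range inputs."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def level(s: int) -> str:
    """Map a 1..25 score to its qualitative band."""
    for lo, hi, label in LEVEL_BANDS:
        if lo <= s <= hi:
            return label
    raise ValueError(f"score {s} is outside 1..25")


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    title: str
    owner: str
    response: str      # Mitigate / Transfer / Accept / Avoid
    inherent: tuple    # (likelihood, impact) before controls
    residual: tuple    # (likelihood, impact) after the planned treatment


def heatmap(entries, residual: bool = False):
    """5x5 grid of entry counts: rows = impact 5..1 (top down), cols = likelihood 1..5."""
    grid = [[0] * 5 for _ in range(5)]
    for e in entries:
        l, i = e.residual if residual else e.inherent
        score(l, i)                 # validates the range before indexing
        grid[5 - i][l - 1] += 1
    return grid


def summary_table(entries, appetite: int):
    """Inherent vs. residual comparison with an above-appetite flag per entry."""
    rows = []
    for e in entries:
        inh, res = score(*e.inherent), score(*e.residual)
        rows.append({
            "id": e.risk_id, "owner": e.owner, "response": e.response,
            "inherent": f"{inh} ({level(inh)})",
            "residual": f"{res} ({level(res)})",
            "above_appetite": res > appetite,   # residual still above what the Board accepts
        })
    return rows


def annual_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO, with SLE = asset value x exposure factor (a 0..1 fraction)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of asset value")
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return asset_value * exposure_factor * aro


def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Positive when the ALE reduction pays for the control's annualized cost."""
    return (ale_before - ale_after) - annual_control_cost


# Constructed sample register for the Cascade Power & Electric assignments (illustrative values only).
SAMPLE_REGISTER = [
    RiskEntry("R-01", "GridOS EMS SCADA vulnerability exploitation", "CISO", "Mitigate", (4, 5), (2, 5)),
    RiskEntry("R-02", "Customer PII exfiltration from CustomerConnect CIS", "CTO", "Mitigate", (3, 4), (2, 3)),
    RiskEntry("R-03", "ICCP/TASE.2 gateway disruption via vendor compromise", "Head of Operations", "Transfer", (3, 4), (3, 3)),
    RiskEntry("R-04", "PowerTrader insider fraud", "CFO", "Mitigate", (2, 4), (1, 4)),
    RiskEntry("R-05", "Employee endpoint malware with no OT reach", "CISO", "Accept", (3, 2), (3, 2)),
]
APPETITE_SCORE = 9   # assumption: residual scores above "Medium" need Board acceptance

if __name__ == "__main__":
    for row in summary_table(SAMPLE_REGISTER, APPETITE_SCORE):
        print(row)
    for line in heatmap(SAMPLE_REGISTER, residual=True):
        print(line)
    # Assumed figures: $50M asset value, EF 0.20, ARO 0.10 before treatment, 0.02 after
    before = annual_loss_expectancy(50_000_000, 0.20, 0.10)
    after = annual_loss_expectancy(50_000_000, 0.20, 0.02)
    print(before, after, control_net_benefit(before, after, 250_000))
```

Two points the table makes visible that the tool output alone may not: a risk can drop two bands after treatment and still sit above appetite (R-01 here), which is exactly the "risks requiring Board acceptance" item in the Board report; and a Transfer response typically reduces impact more than likelihood, so it should not be expected to clear the appetite line on its own. Swap in your own likelihood/impact values and appetite threshold rather than the constructed ones.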
IT Governance Framework for NovaTech Solutions
You are the newly appointed IT Risk Manager at NovaTech Solutions, a mid-sized fintech company processing $2B in annual transactions. The board has requested a governance framework aligned with COBIT 2019 and ISO 27001. Using the AI toolkit, draft two policies and map controls between frameworks to identify gaps. Present your findings to the audit committee.
Estimated Time: 90 minutes | Difficulty: Intermediate
Tasks:
1. Use the Policy Drafter to generate a Risk Management Policy for NovaTech Solutions (fintech industry, scope: all payment processing and customer data systems). Export as PDF.
2. Use the Policy Drafter to generate an Information Security Policy for the same company. Review both policies for consistency in terminology and scope.
3. Use the Compliance Mapper to map COBIT 2019 controls to ISO 27001:2022 with focus area ‘Risk Assessment’. Document all gaps identified.
4. Use the Compliance Mapper to map NIST CSF 2.0 to COBIT 2019 with focus area ‘Access Control’. Compare the gap analysis with your first mapping.
5. Write a one-page executive memo summarizing your governance framework: which policies are in place, key compliance gaps found, and three prioritized remediation actions.
Key Evaluation Criteria:
• Policies are internally consistent and reference the same organizational context
• Compliance mappings identify at least 2–3 meaningful gaps (not just formatting differences)
• Executive memo demonstrates understanding of governance hierarchy: framework → policy → controls
• Recommendations are actionable with clear ownership and timeline
This course contains the use of artificial intelligence.
Are you preparing for the ISACA CRISC (Certified in Risk and Information Systems Control) certification exam? This comprehensive course is designed to give you everything you need to pass the exam confidently while building real-world IT risk management skills that employers value.
Unlike traditional certification prep courses that rely on memorization, this course combines rigorous exam domain coverage with ten purpose-built AI-powered tools that automate the most time-consuming aspects of IT risk management. You will gain hands-on experience building risk registers, generating risk scenarios, creating compliance mappings, drafting policies, performing business impact analyses, assessing vendor risks, and producing executive-ready risk reports.
Every concept is taught through a realistic model company called Cascade Power and Electric, a Pacific Northwest electric utility with 4,100 employees facing NERC CIP audit findings and FERC regulatory challenges. You will follow their journey from initial findings through building a complete IT and OT risk management program, making abstract concepts concrete and memorable.
The course covers all four CRISC exam domains in depth. Domain 1 Governance covers organizational strategy, risk appetite, the Three Lines Model, and major frameworks including COBIT 2019, ISO 31000, COSO ERM, and the NIST Risk Management Framework. Domain 2 IT Risk Assessment teaches risk identification, qualitative and quantitative analysis methods, risk register development, and business impact analysis. Domain 3 Risk Response and Reporting covers control design, key risk indicators, vendor risk management, incident response, and business continuity. Domain 4 Information Technology and Security addresses network security, identity management, cloud security, vulnerability management, and emerging technology risks.
The final module is dedicated entirely to exam preparation, with proven strategies for tackling ISACA question styles, managing your time during the four-hour exam, and practice exam walkthroughs. By the end of this course, you will have both the knowledge to pass the CRISC exam and a portfolio of professional risk management deliverables.