Raystafarian wrote: » That's the thing about ISACA, IMO. They are asking you to look at the problem through the "lens" of governance. Given that governance is all about alignment between IT and the entire organization, we can eliminate C. D is also not a governance-related risk, it's an auditor independence risk; it won't affect the alignment of goals. Now we know it's A or B. If you look at it from an auditor's perspective, in a general audit, it's of course A. But we're not looking at it that way; we're looking at it from the governance-only lens. It doesn't matter if the documents are informal or incomplete, because that doesn't affect what the actual strategy is (as absurd as that really is). So we know it's B: the risk management committee is responsible for knowing the strategy and assessing the risk of misalignment, and we have no idea if they are doing that or just playing paper football in a conference room. That's ISACA and their "lenses" for you. I struggled with that through the CISM: they can ask pretty much the same basic question and, depending on the domain from which they are drawing a conclusion, the answer can be different.
636-555-3226 wrote: » Strategy comes before risk. You have to know where you're going before you can evaluate the likelihood and impact of something going wrong on the road you're traveling down. Although there is an argument for determining the risk of going down Path A before you go down it, so risk can inform strategy.