Isaca Certification CGEIT Updated Exam

A new regulation introduces a potential risk that must be assessed to understand its impact on the enterprise’s operations and compliance obligations. The CGEIT Review Manual 8th Edition stresses that the first step in addressing new risks, such as regulations, is to conduct a risk assessment to evaluate their significance and implications.

Extract from CGEIT Review Manual 8th Edition (Domain 3: Risk Optimization):"When a new regulation is identified, the first step is to assess the associated risk, including its potential impact on operations, compliance requirements, and the likelihood of enforcement. This assessment informs subsequent actions, such as developing mitigation plans or updating governance frameworks." (Approximate reference: Domain 3, Section on Risk Assessment)

Assessing the risk associated with the new regulation (option D) provides the enterprise with a clear understanding of the regulation’s impact, enabling informed decisions about compliance, mitigation, or strategic adjustments.

Why not the other options?

A. Request an action plan from the risk team: An action plan is premature without first assessing the risk’s scope and impact.

B. Determine whether the board wants to comply with the regulation: The board’s decision on compliance should be informed by a risk assessment, not precede it.

C. Update the risk management framework: Updating the framework may be necessary later but is not the first step, as the specific risk must be understood first.

Lead indicatorsare proactive metrics that provide early signals of performance, enabling timely action before outcomes are realized. In this case, insufficient investment led to missed targets—a lead indicator could help forecast spending trends or progress toward milestones before year-end.

Lag indicators (e.g., annual performance) show outcomes after the fact. KRIs and stage gates are valuable but are not direct predictors of performance outcomes related to investment levels.

The best way for an enterprise to address new legal and regulatory requirements applicable to IT is to treat them as a risk to be assessed before developing a response. This approach involves identifying the potential impact of the new requirements on the organization, evaluating the likelihood and consequences of non-compliance, and then developing a prioritized response plan based on this risk assessment. This method ensures a measured and proportional response that aligns with the organization's risk appetite and strategic objectives. While benchmarking, adopting a zero-tolerance approach, and using cost-benefit analysis are useful, they should be part of a broader risk-based strategy to address compliance effectively.

Key performance indicators (KPIs) are metrics that measure the performance of a project, program, or investment against a set of targets, objectives, or benchmarks. KPIs can help an enterprise to determine whether a current program for IT infrastructure migration to the cloud is continuing to provide benefits by tracking the progress, efficiency, quality, and outcomes of the program. KPIs can also help to identify any gaps, issues, or risks that may affect the program’s success and enable timely corrective actions12.

Total cost of ownership (TCO) is the purchase price of an asset plus the costs of operation over its life span. TCO can help an enterprise to compare the costs and benefits of different IT infrastructure options, such as cloud versus on-premise, but it does not measure the ongoing performance or benefits of a chosen option3.

Key risk indicators (KRIs) are metrics that monitor and predict potential risks that may negatively impact an enterprise’s objectives or operations. KRIs can help an enterprise to identify and mitigate any risks associated with IT infrastructure migration to the cloud, such as security breaches, data loss, or service disruptions, but they do not measure the benefits or value of the program45.

Net present value (NPV) is the difference between the present value of cash inflows and the present value of cash outflows over a period of time. NPV is used to evaluate the profitability or return on investment of a project or investment by discounting the future cash flows to their present value. NPV can help an enterprise to decide whether to undertake an IT infrastructuremigration to the cloud based on its expected net value, but it does not measure the actual performance or benefits of the program16. References :=

3: Total Cost of Ownership: How It’s Calculated With Example - Investopedia

4: Key Risk Indicators (KRIs) - National Treasury

2: How to Develop Key Risk Indicators (KRIs) to Fortify Your Business | AuditBoard

5: How to Develop Effective Key Risk Indicators - Secureframe

1: Net Present Value (NPV) - Definition, Examples, How to Do NPV Analysis

6: NPV Formula - Learn How Net Present Value Really Works, Examples