Episode 26: ERM Frameworks and Principles
Welcome to The Bare Metal Cyber CISA Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
Enterprise Risk Management, often referred to as ERM, is a structured and coordinated approach to identifying, assessing, and managing risks that affect an entire organization, not just its IT function. Rather than treating risks in isolated silos—such as IT risk, compliance risk, or financial risk—ERM integrates all of these into a holistic model that helps organizations make better decisions and protect value. It embeds risk consideration into strategic planning, project selection, operations, and vendor relationships. By elevating risk to the enterprise level, ERM creates accountability across functions and enables leadership to see how risks interact, overlap, and evolve. For auditors, ERM offers a reference point for evaluating whether risk governance is functioning as intended and whether strategic decisions are informed by accurate risk assessments. On the CISA exam, expect to see questions that test your understanding of ERM structures, frameworks, and the auditor’s role in assessing risk oversight and integration.
An effective ERM program has several clear objectives that auditors must be able to recognize and assess. First, it exists to identify risks across all areas of the business that may affect the achievement of strategic, operational, or compliance goals. These risks must be documented, owned, and regularly reviewed. Second, ERM ensures that risk ownership is clearly assigned to appropriate leaders who are accountable for mitigation or acceptance decisions. It also provides a consistent method for assessing risks, comparing them, and applying response strategies. Importantly, ERM helps align risk appetite—the level of risk the organization is willing to accept—with risk tolerance, or how much deviation from that appetite is acceptable. Finally, ERM supports oversight at the board and executive level, enabling regular review of systemic risks, emerging threats, and the effectiveness of risk responses. On the CISA exam, be prepared to evaluate whether these objectives are being met and whether audit findings point to gaps in the organization’s risk maturity.
The COSO ERM framework is one of the most widely recognized and applied models for enterprise risk management, and CISA candidates are expected to understand its structure and terminology. The current version, COSO's 2017 framework titled Enterprise Risk Management: Integrating with Strategy and Performance, consists of five interrelated components: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting. These five components are further broken down into twenty principles. (The earlier 2004 COSO ERM Integrated Framework used a different structure of eight components, so if an exam question or an older policy document lists items such as event identification or control activities, it is referring to that earlier model.) The components guide how organizations embed risk awareness into their strategic goals, measure risk-related performance, and refine risk responses based on new information or feedback. COSO emphasizes aligning risk with value creation, encouraging organizations to treat risk management not just as a compliance activity but as a core element of decision-making. Key themes include tone at the top, accountability, timely reporting, and integration across departments. Auditors must understand how to use COSO as a reference for evaluating risk registers, board oversight, or control alignment with business goals. Expect CISA questions that require identifying COSO components in a scenario or evaluating whether ERM design reflects the framework's guidance.
ISO 31000 is another foundational ERM standard, offering a flexible, globally applicable approach that emphasizes tailoring risk practices to the organization's unique context. Rather than prescribing specific metrics or control designs, ISO 31000 (current edition 2018) provides high-level principles and a risk management process that can be adapted to any industry or sector. Its eight principles state that risk management should be integrated into all organizational activities, structured and comprehensive, customized to the organization's context, inclusive of stakeholders, dynamic in responding to change, based on the best available information, attentive to human and cultural factors, and continually improved. The ISO 31000 process consists of communication and consultation; establishing scope, context, and criteria; risk assessment, which itself comprises risk identification, risk analysis, and risk evaluation; risk treatment; monitoring and review; and recording and reporting. Note that in ISO terminology "assessment" is the umbrella term covering identification, analysis, and evaluation, not a single step between them. The standard focuses on understanding the environment in which risk exists and adapting accordingly. While COSO is more structured and governance-focused, ISO 31000 is more flexible and useful for decentralized or agile environments. The CISA exam may ask you to compare or select between frameworks depending on organizational needs, and your ability to articulate the differences between ISO 31000 and COSO can help you succeed in framework-driven scenario questions.
ERM organizes risk into categories to facilitate understanding, prioritization, and reporting. Strategic risk refers to anything that threatens the organization’s ability to achieve long-term goals, such as changes in market conditions or poor executive decisions. Operational risk involves failures in business processes, systems, or procedures, including supply chain breakdowns or IT outages. Financial risk includes exposure to market volatility, credit instability, or liquidity shortfalls that could impact the organization’s economic position. Compliance risk arises when an organization fails to meet regulatory, contractual, or policy obligations, potentially resulting in fines, penalties, or reputational damage. Cyber and IT risk spans incidents like data breaches, ransomware attacks, system failures, or misconfigured access controls. CISA candidates must understand these categories, as exam questions will often present audit findings or control weaknesses and ask you to classify the associated risk type or assess its potential impact.
Risk appetite and tolerance are foundational to ERM because they guide how much risk the organization is willing to take and how much deviation from that position is acceptable. Risk appetite is usually defined at the executive or board level and reflects the organization's strategic intent, market position, and risk culture. Tolerance represents the operational limits within which risk is acceptable—too far outside of those limits, and the risk becomes excessive or misaligned. These thresholds must be documented, reviewed regularly, and communicated to relevant stakeholders. They also guide project approvals, policy enforcement, and response strategies. Auditors must evaluate whether risks exceed stated appetite or whether risk owners have accepted levels of risk without proper approval. On the CISA exam, expect to assess situations where a control failure exposes the organization to more risk than it tolerates, and determine whether escalation, mitigation, or acceptance is the appropriate response.
Risk identification and assessment are core activities in every ERM program, and auditors must evaluate whether these processes are comprehensive, consistent, and current. Techniques for identifying risks include structured interviews, stakeholder surveys, SWOT analysis, control self-assessments, and the use of analytics to detect anomalies or trend changes. Once identified, risks are assessed for likelihood and impact, often using scoring models or risk matrices that convert qualitative insights into ranked priorities. Some organizations include velocity—how quickly a risk can materialize—or persistence—how long it can cause disruption—as part of their evaluation. Emerging risks, such as disruptive technologies or regulatory shifts, are harder to quantify but must still be documented and monitored. Auditors review whether risk inventories are updated regularly, whether ownership is assigned, and whether assessment methods are repeatable. The CISA exam will test your ability to assess whether a risk register is complete and whether the risk scoring supports meaningful prioritization and control planning.
Once risks are identified and assessed, organizations must choose appropriate response strategies that reflect both exposure and appetite. Common options include avoiding the risk by ceasing the associated activity, accepting the risk if it falls within tolerable limits, transferring the risk through insurance or contracts, reducing the risk with controls, or sharing it through partnerships. The selected response must then be integrated into planning processes—such as budgeting, procurement, or project design—and supported by controls that match the intended mitigation. For example, if the response to system downtime risk is reduction, then redundancy and monitoring controls should be in place. Auditors assess whether control design supports the stated response, whether mitigation is tracked, and whether decisions are reviewed over time. ERM maturity is reflected in how well these steps are embedded across business units and functions. On the CISA exam, you may be asked whether a control matches a risk response or how to evaluate residual risk after mitigation has been applied.
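The scoring, residual-risk, and tolerance checks discussed in the last three segments can be made concrete with a small script. The following is an added example written for this episode, not code from any framework or from an ISACA publication. It assumes a five-point likelihood and impact scale, an assumed appetite and tolerance statement expressed as residual scores per risk category, and an assumed mapping from each response option to the evidence an auditor would expect to see supporting it. The four register entries are constructed sample data, not real audit findings. The script computes inherent and residual scores, classifies each entry against appetite and tolerance, and raises the kinds of findings an auditor would write up: a missing owner, a response not backed by control evidence, a risk accepted above appetite without documented approval, and a tolerance breach that requires escalation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Five-point scales of a qualitative risk matrix (constructed; real scales are set by the organization).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed appetite/tolerance statement per risk category, expressed as residual scores.
# appetite: the score the board is willing to carry; tolerance: the ceiling before mandatory escalation.
THRESHOLDS = {
    "cyber": {"appetite": 6, "tolerance": 10},
    "operational": {"appetite": 8, "tolerance": 12},
    "compliance": {"appetite": 4, "tolerance": 6},
}

# Evidence an auditor would expect to see backing each response option (assumed mapping).
RESPONSE_EVIDENCE = {
    "reduce": "mitigating_control_in_place",
    "transfer": "insurance_or_contract_clause",
    "share": "partner_agreement",
    "avoid": "activity_ceased",
    "accept": "documented_acceptance",
}


@dataclass
class RiskEntry:
    risk_id: str
    category: str
    likelihood: str
    impact: str
    response: str
    control_effectiveness: float          # 0.0 = controls do nothing, 1.0 = exposure fully removed
    evidence: Dict[str, bool] = field(default_factory=dict)
    owner: Optional[str] = None


def inherent_score(entry: RiskEntry) -> int:
    """Likelihood x impact before any control is considered."""
    return LIKELIHOOD[entry.likelihood] * IMPACT[entry.impact]


def residual_score(entry: RiskEntry) -> float:
    """Inherent score scaled down by the assessed effectiveness of the controls behind the response."""
    return round(inherent_score(entry) * (1.0 - entry.control_effectiveness), 1)


def classify(residual: float, category: str) -> str:
    """Position the residual score against the category's appetite and tolerance thresholds."""
    t = THRESHOLDS[category]
    if residual <= t["appetite"]:
        return "within appetite"
    if residual <= t["tolerance"]:
        return "above appetite: mitigation plan required"
    return "exceeds tolerance: escalate to risk committee"


def evaluate(entry: RiskEntry) -> dict:
    """Run the audit checks on one register entry and return scores, status, and findings."""
    findings: List[str] = []
    residual = residual_score(entry)
    status = classify(residual, entry.category)
    if entry.owner is None:
        findings.append("no risk owner assigned")
    needed = RESPONSE_EVIDENCE.get(entry.response)
    if needed is None:
        findings.append(f"unrecognised response '{entry.response}'")
    elif not entry.evidence.get(needed, False):
        findings.append(f"response '{entry.response}' not supported by evidence '{needed}'")
    # Accepting a risk above appetite is a decision the board or risk committee must have approved.
    if (entry.response == "accept"
            and residual > THRESHOLDS[entry.category]["appetite"]
            and not entry.evidence.get("approved_by_risk_committee", False)):
        findings.append("risk accepted above appetite without documented approval")
    if status.startswith("exceeds"):
        findings.append("residual risk breaches tolerance; escalation required")
    return {"risk_id": entry.risk_id, "inherent": inherent_score(entry),
            "residual": residual, "status": status, "findings": findings}


# Constructed register of four entries (sample data, not real audit results).
SAMPLE_REGISTER = [
    RiskEntry("R-01", "cyber", "likely", "severe", "reduce", 0.6,
              {"mitigating_control_in_place": True}, owner="CISO"),
    RiskEntry("R-02", "operational", "possible", "major", "transfer", 0.5,
              {"insurance_or_contract_clause": True}, owner="COO"),
    RiskEntry("R-03", "compliance", "likely", "moderate", "accept", 0.0,
              {"documented_acceptance": True}),            # no owner, no committee approval
    RiskEntry("R-04", "cyber", "possible", "major", "reduce", 0.3,
              {"mitigating_control_in_place": False}, owner="IT Ops"),
]


def evaluate_register(register: Optional[List[RiskEntry]] = None) -> List[dict]:
    """Evaluate every entry; defaults to the constructed sample register."""
    return [evaluate(e) for e in (register if register is not None else SAMPLE_REGISTER)]


if __name__ == "__main__":
    for r in evaluate_register():
        print(r["risk_id"], r["inherent"], r["residual"], r["status"], r["findings"])
```

Running it shows R-01 sitting above appetite but within tolerance (a mitigation plan is owed, but no escalation), R-02 within appetite with its transfer properly evidenced, R-03 breaching tolerance with three findings against it, and R-04 claiming a "reduce" response that no control actually supports, which is exactly the control-versus-response mismatch the segment above tells you to look for.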
ERM is not a one-time effort—it requires monitoring, reporting, and adaptation to remain effective. Risk dashboards and key risk indicators allow leadership to see where risks are rising, where controls may be failing, or where external pressures are changing the risk landscape. Boards and executives rely on timely, accurate, and digestible reports to make strategic decisions and allocate resources. ERM programs should evolve based on incidents, near misses, audit findings, and lessons learned from past decisions. Periodic reassessment ensures that risks remain aligned with strategy, especially when entering new markets, undergoing acquisitions, or facing regulatory changes. Auditors review the frequency, quality, and scope of risk reporting, as well as whether escalation protocols are followed when risk thresholds are exceeded. The CISA exam may test your ability to interpret a risk dashboard, identify reporting deficiencies, or evaluate the governance of risk monitoring activities.
For CISA candidates, understanding ERM is essential because risk management is the foundation for audit planning, control evaluation, and governance assurance across all exam domains. Be ready to identify the components of COSO or ISO 31000 in real-world scenarios, interpret risk appetite statements, audit risk registers, and assess whether controls reflect organizational risk decisions. Know how to recognize weak risk ownership, ineffective reporting, or fragmented response strategies. Understand that auditing ERM is not about checking boxes—it is about evaluating whether leadership is seeing the full picture and whether decisions are based on structured, evidence-based risk awareness. Strong ERM practices support organizational resilience, improve response to change, and help auditors move from compliance reviewers to strategic advisors. Mastering this material will prepare you not just for the CISA exam—but for a leadership role in enterprise assurance.
Thanks for joining us for this episode of The Bare Metal Cyber CISA Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.
