Project 6RISC is a structured, end-to-end IT risk management initiative designed to demonstrate the practical application of CRISC principles within a regulated healthcare environment. The initiative follows a risk-first approach, emphasizing governance, decision-making, and business alignment over control checklists.
The program is organized into six sequential projects, each building on the previous to simulate how an enterprise IT risk program is established, executed, and communicated.
Establishes organizational context, governance assumptions, and foundational risk management parameters to support consistent, risk-informed decision-making across subsequent IT risk management initiatives.
Establishes an enterprise view of IT risk by identifying critical assets, articulating business-driven risk events, and documenting initial inherent risk exposure. This project focuses on understanding what could go wrong and why it matters to the organization.
Primary Focus: IT risk identification and business impact alignment
Expands identified risks into realistic scenarios to assess likelihood, impact, and potential outcomes. This project emphasizes semi-quantitative and scenario-based analysis to support informed prioritization and decision-making.
Primary Focus: Risk assessment and impact analysis
Evaluates existing administrative, technical, and procedural controls to determine how effectively identified risks are mitigated. This project distinguishes between control presence and control effectiveness and identifies gaps requiring attention.
Primary Focus: Control evaluation and risk-to-control alignment