Which of the following provides the MOST useful input to the development of realistic risk scenarios?
Correct Answer: D
Risk events are specific occurrences or changes that have a potential impact on the achievement of objectives. They can be positive or negative, and internal or external to the organization. Risk events provide the basis for developing realistic risk scenarios, which are hypothetical situations that illustrate the possible consequences of a risk event. Risk scenarios help to understand and communicate the nature, sources, and causes of risk, as well as the potential impact and likelihood of risk occurrence. Risk scenarios can also be used to test the effectiveness of risk responses and controls. The other options are not as useful as risk events for developing realistic risk scenarios. A balanced scorecard (A) is a strategic management tool that measures the performance of the organization against its objectives, vision, and strategy; it does not provide specific information about risk events or their consequences. A risk appetite (B) is the amount and type of risk that an organization is willing to accept in pursuit of its objectives; it describes the level of risk tolerance and acceptance rather than the risk events or their scenarios. A risk map (C) is a graphical representation of the risk profile of the organization, showing the relationship between the likelihood and impact of different risks; it provides the relative ranking and prioritization of risks rather than the details or context of the risk events or their scenarios.
CRISC Exam Question 132
Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?
Correct Answer: A
According to the CRISC Review Manual (Digital Version), key risk indicator (KRI) thresholds are the elements of a risk register most likely to change as a result of a change in management's risk appetite, because they reflect the acceptable levels of risk exposure for the organization. KRI thresholds are the values or ranges that trigger an alert or a response when the actual KRI values deviate from the expected or desired values. KRI thresholds help to:
* Monitor and measure the current risk levels and performance of the IT assets and processes
* Identify and report any risk issues or incidents that may require attention or action
* Evaluate the effectiveness and efficiency of the risk response actions and controls
* Align the risk management activities and decisions with the organization's risk appetite and risk tolerance
If management's risk appetite changes, the KRI thresholds may need to be adjusted accordingly to ensure that the risk register reflects the current risk preferences and expectations of the organization. References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.1: IT Risk Monitoring, pp. 217-218
CRISC Exam Question 133
Which of the following is MOST important for a risk practitioner to confirm once a risk action plan has been completed?
Correct Answer: C
Verifying that the risk has been mitigated to the intended level ensures that the implemented controls have achieved their purpose. This step confirms that residual risk aligns with the organization's risk appetite and supports ongoing risk monitoring under the Risk Mitigation and Response framework.
CRISC Exam Question 134
During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed. However, other risk mitigation actions were implemented. Which of the following is the BEST course of action?
Correct Answer: C
The best course of action for a risk practitioner who finds that the approved risk action plan has not been completed but other risk mitigation actions have been implemented is to verify the sufficiency of the mitigating controls with the risk owner. The risk owner is accountable for the risk and the risk response strategy, and therefore should be consulted to ensure that the alternative actions are adequate and effective in reducing the risk to an acceptable level. The other options are not the best course of action, although they may be performed after the verification. Reviewing the cost-benefit of the mitigating controls, marking the risk status as unresolved within the risk register, and updating the risk register with the implemented mitigating actions are secondary actions whose appropriateness depends on the outcome of that verification. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.3.2, p. 193.
CRISC Exam Question 135
An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?
Correct Answer: D
According to the Data Roles and Responsibilities article, the business owner is the person who has authority over the business process that is supported by the data. The business owner is responsible for defining the access roles that protect the sensitive data within the application, as well as for approving access requests and ensuring compliance with the data policies and standards. The business owner may delegate this responsibility to a data steward, a person who acts on behalf of the business owner to manage data quality, security, and usage. Therefore, the answer is D. Business owner. References = Data Roles and Responsibilities