After the implementation of a blockchain solution, a risk practitioner discovers noncompliance with new industry regulations. Which of the following is the MOST important course of action prior to informing senior management?
Correct Answer: D
Before escalating to senior management, a risk practitioner must understand how serious the issue is for the enterprise. That means first assessing the business impact of the noncompliance (financial, regulatory, reputational, operational) so that management is given contextualized information rather than just "we are noncompliant." In ISACA's CRISC framework, risk assessment always requires understanding likelihood and impact before risk response and escalation decisions. Evaluating the potential impact allows: * Identification of which processes, customers, or jurisdictions are affected. * Estimation of the magnitude of legal/regulatory exposure. * Understanding whether immediate containment actions are needed. * Preparation of meaningful options and recommendations for senior management. Options A and B (evaluating controls and implementing compensating controls) are important later, as part of risk response / treatment. However, without first knowing the impact, you cannot determine how urgent or extensive the remedial actions must be. Option C (evaluating industry response) may be useful for benchmarking, but it does not help the enterprise understand its own specific exposure and obligations and therefore is secondary to an internal impact assessment. This aligns with CRISC guidance that the primary result of a risk assessment is input for risk-aware decisions and that risk professionals must assess likelihood and impact to determine risk significance before escalation and treatment (see the risk assessment and risk profile-related guidance in your CRISC notes).
CRISC Exam Question 457
An organization is implementing robotic process automation (RPA) to streamline business processes. Given that implementation of this technology is expected to impact existing controls, which of the following is the risk practitioner's BEST course of action?
Correct Answer: A
Robotic process automation (RPA) is the use of software robots or artificial intelligence (AI) agents to automate repetitive, rule-based tasks that are normally performed by humans. RPA can improve efficiency, accuracy, and scalability of business processes, but it can also introduce new risks or change the existing risk profile. Therefore, the risk practitioner's best course of action is to reassess whether the mitigating controls that were designed for the human-performed processes are still effective and adequate for the RPA-enabled processes. This may involve reviewing the control objectives, testing the control performance, identifying the control gaps, and recommending the control enhancements or modifications. References = CRISC Review Manual, 7th Edition, page 177.
CRISC Exam Question 458
Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?
Correct Answer: C
Ineffective control implementation can result in increased risk exposure, reduced compliance, and diminished performance for the organization. Therefore, the most relevant information for stakeholders is the impact of ineffective control implementation on the business objectives, processes, and outcomes. The impact on business can include financial losses, reputational damage, operational inefficiencies, customer dissatisfaction, and legal liabilities. The other options are not as relevant as the impact on business, because they do not directly link the control effectiveness to the business value. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 128.
CRISC Exam Question 459
Which of the following provides the MOST reliable evidence of a control's effectiveness?
Correct Answer: C
The most reliable evidence of a control's effectiveness is a system-generated testing report. A system-generated testing report is a document that shows the results of automated tests performed by the system to verify that the control is functioning as intended and producing the expected outcomes. A system-generated testing report is reliable, because it is objective, consistent, accurate, and timely, and because it can provide a high level of assurance and confidence in the control's effectiveness. The other options are not as reliable as a system-generated testing report, although they may provide some evidence of the control's effectiveness. A risk and control self-assessment, senior management's attestation, and a detailed process walk-through are all examples of manual or subjective evidence, which may be prone to errors, biases, or inconsistencies, and which may provide a lower level of assurance and confidence in the control's effectiveness. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.1, page 3-32.
CRISC Exam Question 460
A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?
Correct Answer: D
According to the CRISC Review Manual (Digital Version), the percentage of systems with long recovery target times has decreased is the information that would have the most impact on the overall recovery profile, as it indicates that the organization has improved its ability to restore its critical systems and processes within the acceptable time frames after a disaster. The recovery target time, also known as the recovery time objective (RTO), is the maximum acceptable time that an application, computer, network, or system can be down after an unexpected disaster, failure, or comparable event takes place. The recovery profile, also known as the recovery point objective (RPO), is the maximum acceptable amount of data loss measured in time. A lower percentage of systems with long recovery target times means that the organization has: Reduced the gap between the business requirements and the IT capabilities for disaster recovery Enhanced the resilience and availability of its critical systems and processes Minimized the potential losses and damages caused by prolonged downtime Increased the confidence and satisfaction of its stakeholders and customers References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 174-1751