* IT control self-assessments are techniques that involve identifying and evaluating the effectiveness and efficiency of the IT controls that are designed and implemented to mitigate the IT risks, by the managers and staff within the organization12.
* An ineffective control is a control that does not achieve its intended objective or purpose, or does not operate as designed or expected34.
* A low residual risk scenario is a situation or occurrence that has a low likelihood and impact of affecting the organization's objectives, performance, or value creation, after considering the existing controls and their effectiveness56.
* The next course of action when reviewing management's IT control self-assessments and noting an ineffective control that links to several low residual risk scenarios is to recommend management accept the low-risk scenarios, which is a risk response strategy that involves acknowledging and tolerating the level of risk exposure, and not taking any further action to reduce or eliminate it78.
* Recommending management accept the low-risk scenarios is the next course of action because it is the most cost-effective and reasonable option, given that the level of risk exposure is low and acceptable, and the cost and effort of implementing or improving the control may outweigh the potential benefits or value78.
* Recommending management accept the low-risk scenarios is also the next course of action because it is consistent with the risk management process and objectives, which are to identify and address the risks
* that may affect the achievement of the organization's goals and the delivery of value to the stakeholders, and to optimize the balance between risk and reward78.
* The other options are not the next course of action, but rather possible alternatives or steps that may be considered or followed in different circumstances or scenarios. For example:
* Assessing management's risk tolerance is a step that involves determining and communicating the acceptable or tolerable level of risk exposure for the organization or its business units, based on the organization's risk appetite, criteria, and objectives78. However, this step is not the next course of action because it is usually done before or during the risk assessment process, and not after noting an ineffective control that links to several low residual risk scenarios78.
* Proposing mitigating controls is a course of action that involves suggesting or recommending additional or alternative controls that can reduce or eliminate the level of risk exposure, and improve the effectiveness and efficiency of the risk management process78. However, this course of action is not the next course of action because it is not necessary or appropriate for low residual risk scenarios, as the cost and effort of implementing or improving the controls may outweigh the potential benefits or value78.
* Re-evaluating the risk scenarios associated with the control is a course of action that involves revising and updating the likelihood and impact of the risk scenarios, and the level of risk exposure or tolerance for the organization, based on the current or changed conditions or factors that influence the risk landscape78. However, this course of action is not the next course of action because it is not required or relevant for low residual risk scenarios, as the level of risk exposure is already low and acceptable, and the ineffective control does not significantly affect the risk assessment78. References =
* 1: Control Self Assessments - PwC1
* 2: Control self-assessment - Wikipedia2
* 3: Ineffective Controls: What They Are and How to Identify Them3
* 4: Ineffective Controls: What They Are and How to Identify Them4
* 5: Residual Risk - Definition and Examples5
* 6: Residual Risk: Definition, Formula & Management6
* 7: Risk IT Framework, ISACA, 2009
* 8: IT Risk Management Framework, University of Toronto, 2017

is incorrect. Risk-reward describes the balance between accepting risks and the
expected reward for the risk event. Risk-reward mentality is not a valid project management term.

Section: Volume D
Explanation:
A risk register is an inventory of risks and exposure associated with those risks. Risks are commonly found in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains:
* A description of the risk
* The impact should this event actually occur
* The probability of its occurrence
* Risk Score (the multiplication of Probability and Impact)
* A summary of the planned response should the event occur
* A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
* Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.
* It records the initial risks, the potential responses, and tracks the status of each identified risk in the project.
Incorrect Answers:
A: The project scope statement does document initially defined risks but it is not a place that will record risks responses and status of risks.
B: The project charter does not define risks.
C: The risk low-level watch list is for identified risks that have low impact and low probability in the project.

Business process owners are the most important to include in the assessment of existing IT risk scenarios, as they have the authority and responsibility to manage the business processes and their associated risks and controls, and to provide the business perspective and requirements for the IT risk scenarios. Technology subject matter experts, business users of IT systems, and risk management consultants are not the most important to include, as they may have different roles and responsibilities related to the technical, operational, or advisory aspects of IT risk scenarios, respectively, but they do not own the business processes or the IT risk scenarios. References = CRISC Review Manual, 7th Edition, page 101.