The best time to identify the risk associated with a major project to determine a mitigation plan is the project initiation phase. The project initiation phase is the first phase of the project management process, where the project is defined, authorized, and planned. The project initiation phase includes the activities of developing the project charter, identifying the stakeholders, and defining the scope and objectives of the project. The project initiation phase is the best time to identify the risk associated with the project, as it provides the opportunity to understand the project context, requirements, and expectations, and to establish the risk management framework, process, and plan. By identifying the risk early in the project, the mitigation plan can be integrated with the project plan, and the resources, budget, and schedule can be allocated accordingly. The other options are not as optimal as the project initiation phase, as they are related to the execution, closing, or planning of the project, not the definition or authorization of the project. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.1: IT Risk Management Process, page 15.

The most appropriate action when a tolerance threshold is exceeded is to communicate the potential impact to the decision makers. A tolerance threshold is the acceptable level of variation or deviation from the expected or planned performance or outcome of a risk response. When a tolerance threshold is exceeded, it means that the risk response is not effective or efficient enough to reduce the risk to an acceptable level, and that the enterprise is exposed to unacceptable levels of risk that could impair its ability to achieve its objectives.
Therefore, the potential impact of the risk should be communicated to the decision makers, such as senior management, risk owners, or risk committee, who have the authority and responsibility to decide on the appropriate actions to address the risk situation. Communicating the potential impact can help to raise the awareness and urgency of the risk issue, and to facilitate the risk-based decision making process. Researching the root cause of similar incidents, verifying the response plan is adequate, and increasing human resources to respond in the interim are not as appropriate as communicating the potential impact, as they do not address the primary need of informing and involving the decision makers, and may not be feasible or effective in resolving the risk issue. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 41.

The main purpose of reviewing a control after implementation is to validate that the control operates as intended, as this can help to ensure that the control is effective and efficient in mitigating the risk, and that it meets the control objectives and requirements. Reviewing a control after implementation can also help to identify and address any issues or gaps that may arise during the control operation, and to monitor and evaluate the performance and impact of the control. Reviewing a control after implementation can also provide feedback and information to the control owners and stakeholders, and enable them to adjust the control design and implementation accordingly. References = Most Asked CRISC Exam Questions and Answers. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 254. ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 254. CRISC by Isaca Actual Free Exam Q&As, Question 9.

According to the CRISC Review Manual (Digital Version), a contract associated with a cloud service provider must include ownership of responsibilities, as this defines the roles and obligations of both the cloud provider and the customer in relation to the cloud services. The contract should specify who is responsible for:
* Service delivery and performance
* Data security and privacy
* Compliance with regulations and standards
* Incident management and reporting
* Business continuity and disaster recovery
* Change management and configuration control
* Intellectual property rights and licensing
* Termination and data egress
The contract should also include service level agreements (SLAs) that measure and monitor the quality and availability of the cloud services, as well as remedies and penalties for non-compliance. The contract should also address pricing and payment terms, dispute resolution mechanisms, and liability and indemnification clauses.
References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 173-1741