Which of the following are the MOST important risk components that must be communicated among all the stakeholders? Each correct answer represents a part of the solution. Choose three.
Correct Answer: B,C,D
Section: Volume C
Explanation: The broad array of information and the major types of IT risk information that should be communicated are as follows:
* Expectations from risk management: These include the risk strategy, policies, procedures, awareness training, uninterrupted reinforcement of principles, etc. This essential communication drives all subsequent efforts on risk management and sets the overall expectations from risk management.
* Current risk management capability: This allows monitoring of the status of the risk management engine in the enterprise. It is a key indicator for effective risk management and has predictive value for how well the enterprise is managing risk and reducing exposure.
* Status with regard to IT risk: This describes the actual status with regard to IT risk, including information on the risk profile of the enterprise, key risk indicators (KRIs) to support management reporting on risk, event-loss data, root causes of loss events, and options to mitigate risk.
Incorrect Answers:
A: Risk response is communicated only to some of the stakeholders, not all, as it is irrelevant for the others. It is not communicated to stakeholders of the project such as project sponsors.
Question 202
What are the PRIMARY objectives of a control?
Correct Answer: D
Explanation/Reference:
Explanation: Controls are the policies, procedures, practices and guidelines designed to provide appropriate assurance that business objectives are achieved and undesired events are detected, prevented, and corrected. Controls, or countermeasures, reduce or neutralize threats or vulnerabilities. Controls have three primary objectives:
* Prevent
* Detect
* Recover
Incorrect Answers:
A, B, C: One or more of the objectives stated in these choices is not a correct objective of a control.
Question 203
Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?
Correct Answer: D
The risk practitioner's next step after learning of an incident that has affected a competitor is to develop risk scenarios, as it involves identifying and describing the potential sources, events, impacts, and responses of the risk that may affect the organization in a similar way as the competitor, and assessing the likelihood and magnitude of the risk. Activating the incident response plan, implementing compensating controls, and updating the risk register are not the next steps, as they are more related to the reaction, mitigation, or reporting of the risk, respectively, rather than the identification and assessment of the risk. References = CRISC Review Manual, 7th Edition, page 100.
Question 204
Which of the following should be the risk practitioner's FIRST course of action when an organization has decided to expand into new product areas?
Correct Answer: B
Question 205
Which of the following parameters are considered for the selection of risk indicators? Each correct answer represents a part of the solution. Choose three.
Correct Answer: A,B,D
Explanation/Reference:
Explanation: Risk indicators are placed at control points within the enterprise and are used to collect data. The collected data are used to measure the risk level at that point. They also track events or incidents that may indicate a potentially harmful situation. Risk indicators can be in the form of logs, alarms and reports. Risk indicators are selected depending on a number of parameters in the internal and external environment, such as:
* Size and complexity of the enterprise
* Type of market in which the enterprise operates
* Strategic focus of the enterprise
Incorrect Answers:
C: Risk appetite and risk tolerance are considered when applying the various risk responses, not when selecting risk indicators.