Isaca Updated CRISC Exam Questions and Answers by elian

Reviewing the risk register change log is the best way for management to validate whether risk response activities have been completed, because it helps to track and monitor the changes and updates that have been made to the risk register, and to verify that the risk response activities have been implemented and closed. A risk register is a document that captures, identifies, assesses and tracks risk as part of the risk management process4. A risk register change log is a record that documents the date, description, and reason for each change or update that is made to the risk register. A risk response activity is an action or task that is performed to implement the chosen risk response strategy for a specific risk, such as avoid, transfer, mitigate, or accept. Reviewing the risk register change log is the best way, as it helps to ensure that the risk register is accurate and current, and that the risk response activities have been completed and reported. Reviewing evidence of risk acceptance, control effectiveness test results, and control design documentation are all possible ways to validate whether risk response activities have been completed, but they are not the best way, as they may not cover all the risk response activities, and they may not reflect the changes or updates in the risk register. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.1, page 101

The best tool to support the management of identified risk scenarios is maintaining a risk register, as it provides a comprehensive and structured record of the risk information and decisions, such as the risk description, rating, ownership, response, and status, and facilitates the communication and accountability of the risk management process and activities. The other options are not the best tools, as they are more related to the collection, measurement, or definition of the risk scenarios, respectively, rather than the management of the risk scenarios. References = CRISC Review Manual, 7th Edition, page 101.

 Understanding the Question:

The question asks what best enables the integration of IT risk management across an organization.

 Analyzing the Options:

A. Enterprise risk management (ERM) framework: Provides a comprehensive approach to integrating risk management across the entire organization.

B. Enterprise-wide risk awareness training: Important for education but doesn't ensure integration.

C. Robust risk reporting practices: Crucial for communication but not integration.

D. Risk management policies: Necessary but need to be part of an overall framework for effective integration.

 Detailed Explanation:

ERM Framework: An ERM framework ensures that risk management practices are standardized and integrated throughout the organization. It aligns risk management with business objectives, ensuring that IT risk is considered within the broader context of enterprise risk.

Comprehensive Approach: ERM covers all aspects of risk, including IT, and facilitates a unified approach to managing risk across all departments and levels.

References:

CRISC Review Manual, Chapter 1: Governance, details the role of an ERM framework in integrating risk management practices across an organization​​.

Key control indicators measure the operational effectiveness of specific controls, such as those contributing to defense-in-depth strategies. Monitoring these indicators ensures controls are functioning as intended, aligning with Control Effectiveness Monitoring.