Isaca Updated CRISC Exam Questions and Answers by yasmine

The most important course of action for a risk practitioner when reviewing the results of control performance monitoring is to validate whether the controls effectively mitigate risk, as it involves verifying and testing the adequacy and performance of the controls, and identifying any control gaps or deficiencies that may affect the risk level and response. The other options are not the most important courses of action, as they are more related to the evaluation, confirmation, or analysis of the risk profile, compliance, or indicators, respectively, rather than the validation of the control effectiveness. References = CRISC Review Manual, 7th Edition, page 154.

Events exceeding risk thresholds are situations or occurrences that result in the actual level of risk exceeding the acceptable or tolerable level of risk, as defined by the organization’s risk appetite, criteria, and objectives12.

The most effective way to enable a business operations manager to identify events exceeding risk thresholds is to implement continuous monitoring, which is a process that involves collecting and analyzing data and information on the performance and status of the business processes, systems, and controls, and detecting and reporting any deviations, anomalies, or issues that may indicate a risk event34.

Continuous monitoring is the most effective way because it provides timely and accurate visibility and insight into the risk landscape, and enables the business operations manager to identify and respond to the events exceeding risk thresholds before they escalate or cause significant harm or damage to the organization34.

Continuous monitoring is also the most effective way because it supports the risk management process and objectives, which are to identify and address the risks that may affect the achievement of the organization’s goals and the delivery of value to the stakeholders34.

The other options are not the most effective ways, but rather possible tools or techniques that may complement or enhance the continuous monitoring. For example:

A control self-assessment is a technique that involves engaging and empowering the business process owners and operators to evaluate and report on the effectiveness and efficiency of the controls that are designed and implemented to mitigate the risks56. However, this technique is not the most effective way because it is periodic rather than continuous, and it may not capture or communicate the events exceeding risk thresholds in a timely or consistent manner56.

Transaction logging is a tool that involves recording and storing the details and history of the transactions or activities that are performed by the business processes or systems, and providing an audit trail for verification or investigation purposes78. However, this tool is not the most effective way because it is passive rather than active, and it may not detect or report the events exceeding risk thresholds unless they are analyzed or queried78.

Benchmarking against peers is a technique that involves comparing and contrasting the performance and practices of the business processes or systems with those of the similar or leading organizations in the same or related industry, and identifying the gaps or opportunities for improvement . However, this technique is not the most effective way because it is external rather than internal, and it may not reflect or align with the organization’s specific risk appetite, criteria, and objectives . References =

1: Risk IT Framework, ISACA, 2009

2: IT Risk Management Framework, University of Toronto, 2017

3: Continuous Monitoring - ISACA1

4: Continuous Monitoring: A New Approach to Risk Management - ISACA Journal2

5: Risk and control self-assessment - KPMG Global3

6: Control Self Assessments - PwC4

7: Transaction Log - Wikipedia5

8: Transaction Logging - IBM6

Benchmarking - Wikipedia7

Benchmarking: Definition, Types, Process, Advantages & Examples

Sensitivity and reliability are the most important criteria for selecting KRIs, as they indicate how well the KRIs reflect the changes in the risk level and how consistent and accurate the KRIs are in measuring the risk.Sensitivity means that the KRIs should respond quickly and proportionally to the variations in the risk exposure, and provide early warning signals of potential risk events. Reliability means that the KRIs should be based on valid and verifiable data sources, and produce consistent and comparable results over time and across different units or functions. Historical data availability, implementation and reporting effort, and ability to display trends are also useful criteria, but they are not as critical as sensitivity and reliability.

The primary reason to update a risk register with risk assessment results is to communicate the level and priority of assessed risk to management, as this enables them to make informed decisions about risk response and allocation of resources. The risk register is a tool for documenting and reporting the current status of risks, their causes, impacts, likelihood, and responses. Updating the risk register with risk assessment results ensures that the information is accurate, relevant, and timely. The risk register also helps to monitor and track the progress and effectiveness of risk management activities. The other options are not the primary reasons to update the risk register, although they may be secondary benefits or outcomes of doing so. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Assessment, page 109.