Isaca Updated CRISC Exam Questions and Answers by harri

 A business impact analysis (BIA) is a process that identifies and evaluates the potential effects of a disaster on the critical functions and processes of an organization1. A BIA helps to forecast the operational, financial, legal, and reputational impacts of a disaster, as well as the recovery priorities and resources needed to resume normal operations2. A BIA also helps to determine the recovery time objectives (RTO), which are the maximum acceptable time frames for restoring the critical functions and processes after a disaster3. Therefore, developing a BIA is the most important step for an organization to forecast the effects of a disaster and plan for its recovery. Defining RTOs is a part of the BIA process, not a separate activity. Analyzing capability maturity model gaps is a method to assess the effectiveness and efficiency of the organization’s processes and practices, but it does not directly forecast the effects of adisaster4. Simulating a disaster recovery is a way to test and validate the recovery plans and procedures, but it does not forecast the effects of a disaster either5. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk Response and Mitigation, Section 5.3: Business Continuity Planning, pp. 227-238.

When selecting a risk mitigation option, management should consider the cost of control implementation, as well as the benefits and residual risks. The cost of control implementation includes the direct costs of acquiring, installing, and maintaining the control, as well as the indirect costs of potential side effects, suchas reduced performance, increased complexity, or decreased user satisfaction. The cost of control implementation should be balanced with the expected reduction in risk exposure and the alignment with the enterprise’s risk appetite and tolerance. The maturity of the enterprise architecture, the reliability of key performance indicators (KPIs), and the reliability of key risk indicators (KRIs) are relevant factors for risk identification and assessment, but not for risk response selection. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk Response, page 149.

Risk aggregation in a complex organization will be MOST successful when using the same scales in assessing risk, because it can help to ensure the consistency and comparability of the risk assessment results across different units, levels, and domains of the organization. Using the same scales in assessing risk can also help to avoid the potential errors or biases that may arise from using different scales, such as overestimating or underestimating the risk exposure, or misaligning the risk appetite and tolerance. The other options are not as important as using the same scales in assessing risk, because:

Option B: Utilizing industry benchmarks is a good way to improve the quality and validity of the risk assessment results, but it does not ensure the success of the risk aggregation, which is the process of combining and consolidating the risk assessment results into a holistic and comprehensive view of the risk profile and exposure of the organization.

Option C: Using reliable qualitative data for risk items is a useful way to capture and describe the risk items, which are the sources and causes of the risks, but it does not ensure the success of the risk aggregation, which is the process of quantifying and measuring the risk items, and their likelihood and impact on the business objectives and processes.

Option D: Including primarily low-level risk factors is a necessary way to identify and assess the risk factors, which are the characteristics and attributes of the risks, but it does not ensure the success of the risk aggregation, which is the process of prioritizing and ranking the risk factors, and their significance and relevance to the organization’s strategy and goals. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 105.

According to the CRISC Review Manual1, vendor risk mitigation action items are the specific tasks and activities that are assigned to the vendors or the organization to address the identified risks and implementthe risk responses. The percentage of vendor risk mitigation action items completed on time is the best key performance indicator (KPI) to measure the effectiveness of a vendor risk management program, as it helps to evaluate the timeliness and quality of the vendor performance, the alignment of the vendor activities with the organization’s risk appetite and objectives, and the achievement of the expected outcomes and benefits of the risk responses. The percentage of vendor risk mitigation action items completed on time also helps to identify and resolve any issues or gaps in the vendor risk management process, and to improve the vendor relationship and communication. References = CRISC Review Manual1, page 230.