Isaca Updated CRISC Exam Questions and Answers by dolcie

The best way to mitigate an identified risk scenario is to execute a risk response plan. A risk response plan is a document that describes the actions and resources that are needed to address the risk scenario. A risk response plan can include one or more of the following strategies: avoid, transfer, mitigate, accept, or exploit. By executing a risk response plan, the organization can reduce the likelihood and/or impact of the risk scenario, or take advantage of the opportunities that the risk scenario may present. The other options are not as effective as executing a riskresponse plan, as they are related to the awareness, assessment, or monitoring of the risk scenario, not the actual treatment of the risk scenario. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.2: IT Risk Response Options, page 133.

Risk appetite should be primarily driven by stakeholder requirements. Stakeholder requirements are the needs and expectations of the internal and external parties that have an interest or influence in the organization’s objectives or operations, such as the board, management, employees, customers, regulators, investors, etc. Risk appetite is the amount and type of risk that the organization is willing to accept or pursue in order to achieve its objectives. Risk appetite should be driven by stakeholder requirements, because they reflect the organization’s mission, vision, values, and strategy, and they provide the basis and direction for the organization’s risk management activities. Risk appetite should also be aligned and communicated with stakeholder requirements, because they affect the organization’s performance and reputation, and they require the organization’s accountability and transparency. The other options are not the primary drivers of risk appetite, although they may be considered or influenced by risk appetite. Enterprise security architecture roadmap, legal and regulatory requirements, and businessimpactanalysis (BIA) are all factors that could affect the organization’s risk profile, risk assessment, or risk response, but they do not necessarily determine or reflect the organization’s risk appetite. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.3.1, page 2-23.

The primary purpose of using a framework for risk analysis is to improve consistency. A framework for risk analysis is a set of principles, standards, methods, and tools that guide and govern the risk analysis process. Risk analysis is the process of estimating the impact and likelihood of the risk events, and determining the level and nature of the risk exposure. A framework for risk analysis helps to improve consistency, which is the degree of uniformity and agreement among the risk analysis results and practices. Improving consistency helps to ensure that the risk analysis is performed in a systematic and structured way, and that the risk analysis results are comparable and reliable. Improving consistency also helps to reduce the bias, uncertainty, and variability in the risk analysis process, and to enhance the quality and accuracy of the risk analysis results. Improving accountability, helping define risk tolerance, and helping develop risk scenarios are not the primary purposes of using a framework for risk analysis, asthey are either the benefits or the objectives of the risk analysis process, and they do not addressthe primary need of improving the quality and reliability of the risk analysis results. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 49.