Isaca Updated CRISC Exam Questions and Answers by andrei

According to the ERM - Step 3 - Risk Treatment article, risk transfer is a risk treatment option that involves passing ownership and/or liability of a risk to a third party, such as an insurance company, a contractor, or a supplier. Risk transfer is usually adopted when the organization does not have the capability or the resources to manage the risk internally, or when the cost of transferring the risk is lower than the cost of retaining the risk. In this case, the organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. This means that the organization has transferred the risk ofnon-compliance to the service provider, who is now responsible for ensuring that the lease payment process meets the regulatory requirements. Therefore, the answer is B. Transfer. References = ERM - Step 3 - Risk Treatment

Defining risk response options is performed after a risk assessment is completed. A risk assessment is the process of identifying, analyzing, and evaluating the risks that affect the enterprise’s objectives and operations. After a risk assessment is completed, the enterprise needs to define the risk response options, which are the actions that can be taken to address the risks.The risk response options include accepting, avoiding, transferring, mitigating, or exploiting the risks. Defining risk response options helps to select the most appropriate and effective strategy to manage the risks. Defining risk taxonomy, identifying vulnerabilities, and conducting an impact analysis are performed before or during a risk assessment, not after. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1.4, page 541

1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 644.

Risk management maturity level is the degree to which an organization has developed and implemented a systematic and proactive approach to managing the risks that it faces across its various functions, processes, and activities. Risk management maturity level reflects the organization’s risk culture and capability, and its alignment with its objectives and strategies1.

The best measurement of an organization’s risk management maturity level is the key risk indicators (KRIs), which are metrics or measures that provide information on the current or potential exposure and performance of the organization in relation to specific risks. KRIs can help to:

Monitor and track the changes or trends in the risk level and the risk response over time

Identify and alert the risk issues or events that require attention or action

Evaluate and report the effectiveness and efficiency of the risk management processes and practices

Support and inform the risk decision making and improvement23

KRIs can be classified into different types, such as:

Leading KRIs, which are forward-looking and predictive, and indicate the likelihood or probability of a risk event occurring in the future

Lagging KRIs, which are backward-looking and descriptive, and indicate the impact or consequence of a risk event that has already occurred

Quantitative KRIs, which are numerical or measurable, and indicate the magnitude or severity of a risk event or outcome

Qualitative KRIs, which are descriptive or subjective, and indicate the nature or characteristics of a risk event or outcome4

The other options are not the best measurements of an organization’s risk management maturity level, but rather some of the factors or outcomes of it. Level of residual risk is the level of risk that remains after the risk response has been implemented. Level of residual risk reflects the effectiveness and efficiency of the risk response, and the need for further action or monitoring. The results of a gap analysis are the differences between the current and the desired state of the risk management processes and practices. The results of a gap analysis reflect the completeness and coverage of the risk management activities, and the areas for improvement or enhancement. IT alignment to business objectives is the extent to which IT supports and enables the achievement of the organization’s goals and strategies. IT alignment to business objectives reflects the integration and coordination of the IT and business functions, and the optimization of the IT value and performance. References =

Risk Maturity Assessment Explained | Risk Maturity Model

Key Risk Indicators - ISACA

Key Risk Indicators: What They Are and How to Use Them

Key Risk Indicators: Types and Examples

[CRISC Review Manual, 7th Edition]

The application owner must formally approve changes after reviewing impact—per ISACA's change management and governance frameworks that assign control over operational fallouts to functional owners .