Isaca Updated CGEIT Exam Questions and Answers by imaan

 A quantitative risk assessment method uses numerical values and mathematical models to estimate the likelihood and consequences of risks. This reduces the subjectivity and bias that may arise from qualitative methods that rely on personal judgment and experience. A quantitative method also allows for more objective comparison and prioritization of risks based on their impact and probability. References :=

Quantitative Risk Analysis (Definition, Benefits and Steps) - Indeed

Risk Assessment and Analysis Methods: Qualitative and Quantitative - ISACA

An IT balanced scorecard is the most appropriate mechanism for measuring overall IT organizational performance, because it is a framework that translates the enterprise’s vision and strategy into a set of performance measures that cover four perspectives: financial, customer, internal business process, and learning and growth12. An IT balanced scorecard can help to communicate and monitor the IT strategy and goals, and align the IT activities and resources with the business needs and expectations. An IT balanced scorecard can also provide a balanced and comprehensive view of the IT performance and value delivery, and highlight the strengths, weaknesses, opportunities, and threats for improvement12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 43-44.

The committee should find the information about who is responsible for the risk response in the RACI chart, as this is a tool that assigns the roles and responsibilities of the stakeholders for each task or activity in a project or process. RACI stands for Responsible, Accountable, Consulted,and Informed, which are the four types of involvement or participation that a stakeholder can have in a task or activity. A RACI chart is a matrix that shows the tasks or activities as rows and the stakeholders as columns, and indicates their roles and responsibilities using the RACI codes. A RACI chart can help clarify and communicate who is doing what, who is making decisions, who is providing input, and who is being updated in a project or process1.

A resource management plan, a risk management plan, and a risk register are also important documents for managing IT risks, but they do not provide the information about who is responsible for the risk response. A resource management plan is a document that defines how the resources, such as human, financial, physical, or technological resources, will be acquired, allocated, managed, and controlled in a project or process. A resource management plan can help ensure that the resources are available and sufficient for the risk response activities. A risk management plan is a document that defines how the risks will be identified, analyzed, evaluated, treated, monitored, and communicated in a project or process. A risk management plan can help ensure that the risks are managed effectively and efficiently according to the enterprise’s objectives and policies. A risk register is a document that records the risks that may affect the achievement of an objective or the performance of an activity, as well as their likelihood, impact, mitigation strategies, and status. A risk register can help identify and prioritize the risks that need to be addressed or monitored.

According to the CGEIT exam guide, the main focus of IT policies is to provide business value by aligning IT with business objectives and strategies, ensuring effective and efficient use of IT resources, and delivering IT-enabled capabilities that meet stakeholder needs and expectations. IT policies should also support the optimization of operational benefits, the enhancement of organizational capability, and the limitation of IT costs, but these are not the main focus of IT policies. References: CGEIT Exam Candidate Guide, page 13. CGEIT Certification