Isaca Updated CRISC Exam Questions and Answers by benji

The primary reason to perform ongoing risk assessments is that the risk environment is subject to change. The risk environment is the external and internal factors that influence the level and nature of the risks that the organization faces1. These factors include economic, political, social, technological, legal,and environmental aspects, as well as the organization’s objectives, strategies, culture, and resources2. The risk environment is dynamic and unpredictable, and may change due to various events, trends, ordevelopments that create new or modify existing risks3. Therefore, it is important to perform ongoing risk assessments to identify, analyze, and evaluate the changes in the risk environment, and to adjust the risk response and management accordingly. Ongoing risk assessments help to ensure that the organization’s risk profile is up to date and reflects the current reality, and that the organization’s risk appetite and tolerance are aligned with the changing risk environment4. The other options are not the primary reason to perform ongoing risk assessments, as they are either less comprehensive or less relevant than the changing risk environment. Emerging risk must be continuously reported to management. This option is a consequence or outcome of performing ongoing risk assessments, not a reason for doing so. Emerging risk is a new or evolving risk that has the potential to affect the organization’s objectives, operations, or performance5. Ongoing risk assessments can help to identify and monitor emerging risks, and to report them to management for decision making and action. However, this is not the main reason for performing ongoing risk assessments, as it does not cover the existing or modified risks that may also change due to the risk environment. New system vulnerabilities emerge at frequent intervals. This option is a specific or narrow example of a changing risk environment, not a general or broad reason for performing ongoing risk assessments. System vulnerabilities are weaknesses or flaws in the design, implementation, or operation of information systems that can be exploited by threats to cause harm or loss6. Ongoing risk assessments can help to discover and assess new system vulnerabilities that may emerge due to technological changes, cyberattacks, or human errors. However, this is not the primary reason for performing ongoing risk assessments, as it does not encompass the other types or sources of risks that may also change due to the risk environment. The information security budget must be justified. This option is a secondary or incidental benefit of performing ongoing risk assessments, not a primary or essential reason for doing so. The information security budget is the amount of money that the organization allocates for implementing and maintaining information security measures and controls7. Ongoing risk assessments can help tojustify the information security budget by demonstrating the value and effectiveness of the security measures and controls in reducing the risks, and by identifying the gaps or needs for additional or improved security measures and controls. However, this is not the main reason for performing ongoing risk assessments, as it does not address the purpose or objective of risk assessment, which is to identify, analyze, and evaluate the risks and their impact on the organization. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1, Page 47.

The most important characteristic of an effective risk management program is that risk ownership is assigned. Risk ownership is the accountability and authority to manage a risk1. Assigning risk ownership means identifying and assigning the person or entity who is responsible for evaluating, treating, monitoring, and reporting on a specific risk2. Assigning risk ownership is essential for ensuring that the risk management program works effectively and efficiently, as it helps to:

Clarify the roles and responsibilities of the different functions or groups involved in risk management and internal control;

Ensure that the risks are managed in accordance with the organization’s objectives, strategies, and risk appetite;

Provide guidance and support to the risk owners in identifying, assessing, and mitigating the risks;

Monitor and evaluate the performance and effectiveness of the risk owners and the risk response actions;

Communicate and report on the risk status and issues to the relevant stakeholders and authorities. The other options are not the most important characteristic of an effective risk managementprogram, as they are either less relevant or less specific than assigning risk ownership. Risk response plans are documented. This option is a consequence or outcome of an effective risk management program, not a characteristic of it. Risk response plans are the actions or measures that are taken to modify the risk, such as reducing, avoiding, transferring, or accepting the risk3. Documenting risk response plans means recording and maintaining the details and outcomes of the risk responseactions, such as the objectives, scope, resources, timelines, performance indicators, and results4. Documenting risk response plans can help to improve the consistency and transparency of the risk management process, as well as to support the monitoring and evaluation of the risk response actions. However, documenting risk response plans is not the most important characteristic of an effective risk management program, as it does not address the accountability and authority for managing the risk. Controls are mapped to key risk scenarios. This option is a specific or narrow example of an effective risk management program, not a general or broad characteristic of it. Controls are the measures or actions that are taken to reduce the likelihood or impact of a risk, or to increase the likelihood or impact of an opportunity5. Mapping controls to key risk scenarios means linking the controls to the specific situations or events that may affect the organization’s objectives, operations, or performance6. Mapping controls to key risk scenarios can help to enhance the design and implementation of the controls, as well as to evaluate the effectiveness and efficiency of the controls in mitigating the risk. However, mapping controls to key risk scenarios is not the most important characteristic of an effective risk management program, as it does not cover the other aspects of risk management, such as risk identification, assessment, treatment, and monitoring. Key risk indicators are defined. This option is a component or element of an effective risk management program, not a characteristic of it. Key risk indicators are the metrics that measure thelevel and trend of a risk that may affect the organization’s objectives, operations, or performance7. Defining key risk indicators means establishing and maintaining the criteria and methods for measuring and reporting on the risk8. Defining key risk indicators can help to enhance the risk identification, assessment, and reporting processes, as well as to support the risk decision making and prioritization. However, defining key risk indicators is not the most important characteristic of an effective risk management program, as it does not indicate the accountability and authority for managing the risk. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1, Page 85.

A risk register is a tool that records and tracks the risks that may affect the organization, as well as the actions that are taken or planned to manage them1. A risk register provides the best evidence that the IT risk profile is up to date, because it reflects the current and potential IT risks that the organization faces, as well as their likelihood, impact, severity, owner, status, and response2. An IT risk profile is a document that describes the types, amounts, and priority of IT risk that the organization finds acceptable and unacceptable3. An IT risk profile is developed collaboratively with various stakeholders within the organization, including business leaders, data and process owners, enterprise risk management, internal and external audit, legal, compliance, privacy, and IT risk management and security4. By maintaining and updating the risk register regularly, the organization can ensure that the IT risk profile is aligned with the changing IT risk environment, and that the IT risk management activities and performance are consistent and effective. The other options are not the best evidence that the IT risk profile is up to date, as they are either less comprehensive or less relevant than the risk register. A risk questionnaire is a tool that collects and analyzes the opinions and perceptions of the stakeholders about the risks that may affect the organization5. A risk questionnaire can help to identify and assess the risks, as well as to communicate and report on the risk status and issues. However, a risk questionnaire is not the best evidence that the IT risk profile is up to date, as it may not capture all the IT risks that the organization faces, or reflect the actual or objective level and nature of the IT risks. A management assertion is a statement or declaration made by the management about the accuracy and completeness of the information or data that they provide or report. A management assertion can help to increase the confidence and trust of the stakeholders and auditors in the information or data, as well as to demonstrate the accountability and responsibility of the management. However, a management assertion is not the best evidence that the IT risk profile is up to date, as it does not provide the details or outcomes of the IT risk management activities or performance, or verify the validity and reliability of the IT risk information or data. A compliance manual is a document that contains the policies, procedures, and standards that the organization must follow to meet the legal, regulatory, or contractual requirements that apply to its activities or operations. A compliance manual can help to ensure the quality and consistency of the organization’s compliance activities or performance, as well as to avoid or reduce the penalties or sanctions for non-compliance. However, a compliance manual is not the best evidence that the IT risk profile is up to date, as it does not address the IT risks that the organization faces, or the IT risk management activities or performance. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.5, Page 55.

Residual risk is the risk that remains after applying controls to mitigate the inherent risk. Inherent risk is the risk that exists before considering the controls. Key risk indicators (KRIs) are metricsthat measure the level and impact of risks. Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. The failure of the data loss prevention (DLP) system to detect outgoing emails containing credit card data would most impact the residual risk, because it would increase the likelihood and impact of data leakage, data loss, and data exfiltration incidents. These incidents could cause financial, reputational, legal, and regulatory damages to the organization. The failure of the DLP system would also affect the KRIs, as they would show a higher level of risk exposure and a lower level of control effectiveness. However, the KRIs are not the risk itself, but rather the indicators of the risk. The failure of the DLP system would not directly impact the inherent risk or the risk appetite, as they are independent of the controls. The inherent risk would remain the same, as it is based on the nature and value of the data and the threats and vulnerabilities that exist. The risk appetite would also remain the same, as it is based on the organization’s culture, strategy, and stakeholder expectations. Therefore, the most impacted factor would be the residual risk, as it reflects the actual risk level that the organization faces after applying the controls. References = Risk IT Framework, ISACA, 2022, p. 131