Isaca Updated CGEIT Exam Questions and Answers by august

 The requirements for security and privacy of information should be defined when issuing RFPs to ensure that potential vendors can meet the enterprise’s expectations and comply with relevant regulations. This will also help the enterprise to evaluate and compare the proposals based on the predefined criteria. References: CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 3: Benefits Realization, Section 3.2: IT Investment Management, Subsection 3.2.2: IT Investment Selection, Page 97-98.

A succession plan is a process of identifying and preparing potential candidates to take over key roles in an organization when the current incumbents leave or retire. A succession plan is an important governance action to prepare for the possibility of losing a large portion of the organization’s key IT staff, as it can help to ensure the continuity and stability of the IT function and its alignment with the business objectives and strategies. A succession plan can also help to mitigate the risks and challenges associated with talent shortages, knowledge gaps, and leadership transitions. A succession plan should be developed in collaboration with the human resources (HR) department, the IT senior management, and the board of directors, and should include the following steps:

Identify the critical IT roles and their competencies, responsibilities, and performance expectations

Assess the current IT staff and their readiness, potential, and interest to assume higher-level or more complex roles

Conduct a gap analysis to determine the difference between the current and future skills and capabilities needed for the IT function

Develop a talent pipeline and a talent pool of internal and external candidates who can fill the critical IT roles

Provide learning and development opportunities for the identified candidates, such as training, coaching, mentoring, job rotation, or shadowing

Monitor and evaluate the progress and performance of the candidates and provide feedback and support

Review and update the succession plan periodically to reflect any changes in the business or IT environment

An enterprise that has identified potential environmental disasters that could occur in the area where its data center is located should next assess the likelihood and impact on the data center, because this would help to evaluate the level of risk and prioritize the appropriate risk response strategies. The likelihood and impact assessment should consider the frequency, severity, duration, and scope of the potential disasters, and the potential consequences for the data center’s availability, integrity, confidentiality, and performance12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 75-76.

The PRIMARY purpose of an effective set of key risk indicators (KRIs) is to identify possible future adverse impacts on the enterprise. KRIs are metrics or indicators used by organizations to identify, assess, and monitor potential risks. KRIs show how risky a decision, activity, strategy, or plan may be for a business or company. KRIs can be used to monitor operational, technological, financial and staff processes, such as security breaches, economic downturn and staff turnover rate. KRIs are like alarms that alert businesses of changes in the level of risk exposure1. By identifying possible future adverse impacts on the enterprise, KRIs can help to:

Prevent or mitigate the negative consequences of risks, such as financial loss, operational disruption, reputational damage, legal liability, etc.

Enhance the decision-making and planning processes by providing relevant and timely information on risks

Align the risk management activities with the business objectives and expectations

Communicate and report the risk status and performance to stakeholders and regulators

Therefore, identifying possible future adverse impacts on the enterprise is the primary purpose of an effective set of KRIs.

1: Key Risk Indicators: Examples & Definitions - SolveXia