Isaca Updated CRISC Exam Questions and Answers by elian

Key control indicators (KCIs) are metrics that measure the performance and effectiveness of the controls that are implemented to mitigate the risks. KCIs can help to monitor the status and health of the controls, as well as to identify any issues or gaps that need to be addressed. The primary reason to adopt KCIs in the risk monitoring and reporting process is to provideassessments of mitigation effectiveness, meaning that they can help to evaluate how well the controls are reducing the risk exposure and achieving the desired outcomes. KCIs can also help to support the risk management decision making and improvement actions, as well as to demonstrate the value and benefits of the controls. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.1.2, p. 115-116

According to the CRISC Review Manual (Digital Version), the percentage of systems with long recovery target times has decreased is the information that would have the most impact on the overall recovery profile, as it indicates that the organization has improved its ability to restore its critical systems and processes within the acceptable time frames after a disaster. The recovery target time, also known as the recovery time objective (RTO), is the maximum acceptable time that an application, computer, network, or system can be down after an unexpected disaster, failure, or comparable event takes place. The recovery profile, also known as the recovery point objective (RPO), is the maximum acceptable amount of data loss measured in time. A lower percentage of systems with long recovery target times means that the organization has:

Reduced the gap between the business requirements and the IT capabilities for disaster recovery

Enhanced the resilience and availability of its critical systems and processes

Minimized the potential losses and damages caused by prolonged downtime

Increased the confidence and satisfaction of its stakeholders and customers

References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 174-1751

The most significant benefit of using a consistent risk ranking methodology across an organization is that it enables a clear understanding of risk levels, as this facilitates the comparison and prioritization of risks, the communication and reporting of risks, and the alignment of risk management with the enterprise’s objectives and strategy. A consistent risk ranking methodology is a set of criteria and scales that are used to measure and rate the likelihood and impact of risks, as well as other factors such as urgency, velocity, and persistence. A consistent risk ranking methodology ensures that the risk assessment results are objective, reliable, and comparable across different business units, processes, and projects. The other options are not the most significant benefits of using a consistent risk ranking methodology,although they may be secondary benefits or outcomes of doing so. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Assessment, page 97.

A risk register is a document that records and tracks the information and status of the identified risks and their responses. It includes the risk description, category, source, cause, impact, probability, priority, response, owner, action plan, status, etc.

A risk register update is a change or modification to the information or status of the risks and their responses in the risk register. It may be triggered by the occurrence or resolution of a risk event, the identification or evaluation of a new or emerging risk, the implementation or completion of a risk response, the monitoring or review of the risk performance, etc.

The most important risk register update for senior management to review is avoiding a risk that was previously accepted, which means that the organization has decided to eliminate or withdraw from the risk exposure or activity that may cause the risk, instead of tolerating or retaining the risk as before. This may indicate a significant change in the organization’s risk appetite, strategy, objectives, or environment, and it may have a major impact on the organization’s performance and value.

The other options are not the most important risk register updates for senior management to review, because they do not indicate a significant change or impact on the organization’s risk profile or performance.

Extending the date of a future action plan by two months means that the organization has postponed the implementation or completion of the planned actions or measures to address the risk, due to some reasons or constraints. This may indicate a delay or deviation from the expected or desired risk outcome, but it may not have a major impact on the organization’s performance and value, unless the risk is very urgent or critical.

Retiring a risk scenario no longer used means that the organization has removed or discarded the risk scenario that is no longer relevant or applicable to the organization’s objectives or operations, due to some changes or developments. This may indicate a reduction or improvement in the organization’s risk exposure or level, but it may not have a major impact on the organization’s performance and value, unless the risk scenario was very significant or influential.

Changing a risk owner means that the organization has assigned or transferred the responsibility and accountability for the risk and its response to a different person or role, due to some reasons or circumstances. This may indicate a change or improvement in the organization’s risk governance or culture, but it may not have a major impact on the organization’s performance and value, unless the risk owner was very ineffective or inappropriate. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 160

CRISC Practice Quiz and Exam Prep