Isaca Updated CRISC Exam Questions and Answers by elian

The recovery time objective (RTO) is the planned recovery time for a process or system which should occur before reaching the business process’s maximum tolerable downtime (MTD) or maximum allowable outage (MAO). The RTO must be aligned with the MAO to ensure that the continuity of the business process is not compromised by a prolonged outage. The RTO is determined by the business impact analysis (BIA) based on the criticality and urgency of the business process and its dependencies. The RTO also helps to select and implement appropriate recovery methods and procedures for the process or system. References = Risk and Information Systems Control Study Manual, Chapter 6: IT Risk Monitoring and Reporting, Section 6.2: IT Risk Reporting, Page 307; What is the difference between RPO, RTO, and MTD? - Tandem Blog.

Escalating to senior management is the best course of action when an organization’s stakeholders are unable to agree on appropriate risk responses. This is because senior management has the authority and responsibility to make strategic decisions and resolve conflicts regarding risk management. Senior management can also provide guidance and direction on the risk appetite, tolerance, and criteria for the organization, as well as allocate resources and assign roles and responsibilities for risk response. According to the CRISC Review Manual 2022, one of the key risk response techniques is to escalate the risk to senior management when the risk exceeds the acceptable level or when there is a disagreement on the risk response1. According to the CRISC Review Questions, Answers & Explanations Manual 2022, escalating to senior management is the correct answer to this question2.

Identifying a risk transfer option, reassessing risk scenarios, and benchmarking with similar industries are not the best courses of action when an organization’s stakeholders are unable to agree on appropriate risk responses. These are possible actions that can be taken as part of the risk response process, but they do not address the underlying issue of stakeholder disagreement. Identifying a risk transfer option can help reduce or share the risk with a third party, such as an insurance company or a vendor, but it may not be suitable or acceptable for all types of risks or stakeholders. Reassessing risk scenarios can help update the risk analysis and evaluation, but it may not change the risk level or the risk response options. Benchmarking with similar industries can help compare the risk performance and practices of the organization with its peers, but it may not reflect the organization’s specific needs or risks.

Updating a risk register with assessment results for a key project must primarily capture action plans to address risk scenarios requiring treatment.

Risk Register Purpose:

Documentation of Risks:The risk register is a central repository for all identified risks and their respective treatment plans. It ensures that all risks are documented, tracked, and managed throughout the project lifecycle.

Action Plans:It is crucial to document action plans for risks that require treatment. This ensures that there are clear strategies in place to mitigate or manage these risks.

Importance of Action Plans:

Mitigation and Management:Action plans detail the steps necessary to mitigate identified risks, providing a clear path for risk management. This is vital for ensuring that risks do not negatively impact the project.

Accountability and Tracking:Including action plans in the risk register assigns responsibility and timelines for risk treatment, which is essential for accountability and tracking progress.