Isaca Updated CRISC Exam Questions and Answers by isla-rose

The primary basis for prioritizing risk responses is the impact of the risk. The impact of the risk is the consequence or effect of the risk on the organization’s objectives or operations, such as financial loss, reputational damage, operational disruption, or legal liability. The impact of therisk is one of the key dimensions of risk analysis, along with the likelihood of the risk. The impact of the risk helps to determine the severity and priority of the risk, and to select the most appropriate and effective risk response. The impact of the risk also helps to evaluate the cost-benefit and trade-off of the risk response, and to measure the residual risk and the risk performance. The other options are not the primary basis for prioritizing risk responses, although they may be considered or influenced by the impact of the risk. The replacement cost of the business asset, the cost of risk mitigation controls, and the classification of the business asset are all factors that could affect the value or importance of the business asset, but they do not necessarily reflect the impact of the risk on the business asset or the organization. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-25.

The percentage of projects introduced into production without high-risk issues is the most important measure of the effectiveness of risk management in project implementation, as it reflects the ability of risk management to ensure that the project deliverables meet the quality,functionality, and security requirements, and do not introduce unacceptable risks to the organization. The percentage of projects having the risk register updated regularly, having key risk indicators (KRIs) established to measure risk, or having an action plan to remediate overdue issues are not the most important measures, as they are more related to the process, performance, or compliance of risk management, rather than the outcome or value of risk management. References = CRISC Review Manual, 7th Edition, page 110.

Artificial intelligence (AI) solutions can offer significant benefits to an organization, such as improved efficiency, accuracy, and innovation. However, AI also poses new challenges and risks that need to be considered and addressed by senior management. Some of these risks include:

Ethical and social risks: AI solutions may have unintended or undesirable impacts on human values, rights, and behaviors, such as privacy, fairness, accountability, and transparency. For example, AI systems may exhibit bias, discrimination, or manipulation, or may infringe on personal data or autonomy.

Technical and operational risks: AI solutions may have vulnerabilities, errors, or failures that affect their performance, reliability, or security. For example, AI systems may be subject to hacking, tampering, or misuse, or may malfunction or produce inaccurate or harmful outcomes.

Legal and regulatory risks: AI solutions may have unclear or conflicting legal or regulatory implications or obligations, such as liability, compliance, or governance. For example, AI systems may raise questions about ownership, responsibility, or accountability, or may violate existing laws or regulations, or create new ones.

Therefore, a risk practitioner should communicate to senior management that AI potentially introduces new types of risk that need to be identified, assessed, and managed in alignment with the organization’s objectives, values, and risk appetite. References = ISACA CRISC Review Manual, 7th Edition, Chapter 3, Section 3.2.2, page 113.