Isaca Updated CRISC Exam Questions and Answers by macsen

Residual risk is the remaining risk after the risk response has been implemented. Residual risk can be expressed as a combination of the probability and impact of the risk scenario, or as a single value such as loss expectancy. Residual risk can be compared with the inherent risk, which is the risk level before considering the existing controls or responses, to evaluate the risk reduction and value creation of the risk response. Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios. The best way to provide this information is to calculate the average of anticipated residual risklevels for each risk scenario, and to present it as a single value or a range. This can help to provide a comprehensive and consistent view of the residual risk exposure and performance of the process, as well as to align it with the organization’s risk appetite and tolerance. The sum of residual risk levels for each scenario, the loss expectancy for aggregated risk scenarios, or the highest loss expectancy among the risk scenarios are not the best ways to provide the overall residual risk level, as they may overestimate or underestimate the risk exposure and performance of the process, and may not reflect the actual risk reduction and value creation of the risk response. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.2, p. 108-109

Comprehensive and Detailed Explanation From Exact Extract:

The business process manager is best suited to own business continuity controls because they have direct responsibility for the continuity of the business process and understand the criticality of maintaining operations during disruptions. While security officers and operations managers have important roles, the business process manager is accountable for ensuring the process continues to meet business objectives and should lead continuity efforts【5:513, 5:514†CRISC_SentenceinNOTE30.pptx】.

The risk owner is primarily accountable for risk treatment decisions, as they are the person or entity with the authority and responsibility to manage a particular risk. The risk owner shouldevaluate the available risk response options, select the most appropriate one, implement the chosen response, and monitor its effectiveness. The risk owner should also communicate and report on the risk status and any issues or changes. The business manager, data owner, and risk manager are not primarily accountable for risk treatment decisions, although they may be involved in the risk management process. The business manager is responsible for the overall performance and objectives of a business unit or function. The data owner is responsible for the security and quality of a specific data asset. The risk manager is responsible for facilitating and coordinating the risk management activities across the organization. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Identification, page 47.

Senior management involvement is a critical driver for the success of any risk management program. Without their engagement, there is a lack of strategic oversight, resource allocation, and prioritization of risk management initiatives, directly impacting the organization's ability to meet risk objectives. This is emphasized in theGovernance Principlesof CRISC.