Isaca Updated CRISC Exam Questions and Answers by harleen

The most important factor for management to consider when deciding whether to invest in an IT initiative that exceeds management’s risk appetite is C. Risk tolerance1

According to the CRISC Review Manual, risk tolerance is the acceptable level of variation that management is willing to allow for any specific risk as the enterprise pursues its objectives. Risk tolerance reflects the degree of uncertainty that an organization is prepared to accept in relation to achieving its goals2

When an IT initiative exceeds management’s risk appetite, it means that the potential benefits of the initiative are outweighed by the potential negative consequences or losses that could result from the initiative. However, management may still decide to invest in the initiative if the level of uncertainty or variation is within the organization’s risk tolerance. For example, management may accept a higher level of risk for a strategic or innovative initiative that could provide a competitive advantage or a significant return on investment3

The most important course of action for a risk practitioner when reviewing the results of control performance monitoring is to validate whether the controls effectively mitigate risk, as it involves verifying and testing the adequacy and performance of the controls, and identifying any control gaps or deficiencies that may affect the risk level and response. The other options are not the most important courses of action, as they are more related to the evaluation, confirmation, or analysis of the risk profile, compliance, or indicators, respectively, rather than the validation of the control effectiveness. References = CRISC Review Manual, 7th Edition, page 154.

Preparing a risk response that is aligned to the organization’s risk tolerance is the next step after completing a risk assessment and reporting the validated vulnerability findings that require mitigation to the application owner, because it helps to define and implement the appropriate actions to reduce or eliminate the risk, or to prepare for and recover from the potential consequences. A risk response is a strategy or tactic for managing the identified risks, such as avoiding, transferring, mitigating, or accepting the risk. A risk response should be aligned to the organization’s risk tolerance, which is the acceptable level of variation from the organization’s objectives or expectations. A vulnerability is a weakness or flaw in an IT system or application that can be exploited by a threat or attack to cause harm or damage. A vulnerability finding is a result of a vulnerability assessment, which is a process of identifying and evaluating the vulnerabilities in an IT system or application. A vulnerability finding requires mitigation, which is a type of risk response that involves applying controls or countermeasures to reduce the likelihood or impact of the risk. Therefore, preparing a risk response that is aligned to the organization’s risk tolerance is the next step, as it helps to address the vulnerability findings and to achieve the desired level of risk. Reporting the findings to executive management, reassessing each vulnerability, and conducting a penetration test are all possible steps to perform afterpreparing a risk response, but they are not the next step, as they depend on the results and approval of the risk response. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.2, page 103

The control environment is the set of internal and external factors and conditions that influence and shape the organization’s governance, risk management, and control functions. It includes the organization’s culture, values, ethics, structure, roles, responsibilities, policies, standards, etc.

Uncontrolled changes are changes or modifications to the control environment that are not planned, authorized, documented, or monitored, and that may have unintended or adverse consequences for the organization. Uncontrolled changes may be caused by various drivers or events, such as technological innovations, market trends, regulatory changes, customer preferences, competitor actions, environmental issues, etc.

The greatest concern when uncontrolled changes are made to the control environment is an increase in the level of residual risk, which is the amount and type of risk that remains after the implementation and execution of the risk responses or controls. An increase in the level of residual risk means that the risk responses or controls are not effective or sufficient to mitigate or prevent the risks, and that the organization may face unacceptable or intolerable consequences if the risks materialize.

An increase in the level of residual risk is the greatest concern when uncontrolled changes are made to the control environment, because it indicates that the organization’s risk profile and performance have deteriorated, and that the organization may not be able to achieve its objectives or protect its value. It also indicates that the organization’s risk appetite and tolerance have been violated, and that the organization may need to take corrective or compensating actions to restore the balance between risk and return.

The other options are not the greatest concerns when uncontrolled changes are made to the control environment, because they do not indicate the actual or potential impact or outcome of the risks, and they may not be relevant or actionable for the organization.

A decrease in control layering effectiveness means a decrease in the extent or degree to which the organization uses multiple or overlapping controls to address the same or related risks, and to provide redundancy or backup in case of failure or compromise of one or more controls. A decrease in control layering effectiveness may indicate a weakness or gap in the organization’s control design or implementation, but it does not indicate the actual or potential impact or outcome of the risks, and it may not be relevant or actionable for the organization, unless the control layering is required or recommended by the organization’s policies or standards.

An increase in inherent risk means an increase in the amount and type of risk that exists in the absence of any risk responses or controls, and that is inherent to the nature or characteristics of the risk source, event, cause, or impact. An increase in inherent risk may indicate a change or variation in the organization’s risk exposure or level, but it does not indicate the actual or potential impact or outcome of the risks, and it may not be relevant or actionable for the organization, unless the inherent risk exceeds the organization’s risk appetite or tolerance.

An increase in control vulnerabilities means an increase in the number or severity of the weaknesses or flaws in the organization’s risk responses or controls that can be exploited or compromised by the threats or sources of harm that may affect the organization’s objectives or operations. An increase in control vulnerabilities may indicate a weakness or gap in the organization’s control design or implementation, but it does not indicate the actual or potential impact or outcome of the risks, and it may not be relevant or actionable for the organization, unless the control vulnerabilities are exploited or compromised by the threats or sources of harm. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 174

CRISC Practice Quiz and Exam Prep