CRISC Exam Dumps - Certified in Risk and Information Systems Control

The risk practitioner should verify the cost-benefit of the new controls being implemented to ensure that they are aligned with the enterprise’s risk appetite and strategy, and that they provide value to the business. The other options are not as important as verifying the cost-benefit of the new controls, because:

Option A: Updating the risk register is a good practice, but it does not provide assurance that the new controls are effective and efficient.

Option B: Ensuring risk monitoring for the project is initiated is also a good practice, but it is not as urgent as verifying the cost-benefit of the new controls, which should be done before the project is closed.

Option C: Conducting and documenting a BIA is not relevant to the scenario, as the project is already completed and the new controls are implemented. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 184.

 The primary reason for establishing various threshold levels for a set of key risk indicators (KRIs) is to take appropriate actions in a timely manner. KRIs are metrics that provide information on the level of exposure to a given risk or the effectiveness of the controls in place. Threshold levels are predefined values that indicate when the risk level is acceptable, tolerable, or unacceptable. By establishing various threshold levels for a set of KRIs, the enterprise can monitor the risk situation and trigger the necessary responses before the risk becomes too severe or costly to mitigate. The other options are not the primary reasons for establishing various threshold levels, although they may be secondary benefits or outcomes of doing so. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk and Control Monitoring and Reporting, page 189.

According to the CRISC Review Manual1, control process efficiency is the degree to which a control process achieves its intended objectives with minimum resources, time, and cost. The primary objective for automating controls is to improve control process efficiency, as automation can help to reduce human errors, increase consistency and accuracy, enhance scalability and flexibility, and optimize performance and productivity. Automation can also help to achieve other objectives, such as facilitating continuous control monitoring, complying with functional requirements, and reducing the need for audit reviews, but these are not the primary objective for automating controls. References = CRISC Review Manual1, page 202.

The internal auditor is the best suited to provide objective input when updating residual risk to reflect the results of control effectiveness. The internal auditor is an independent and impartial function that evaluates the adequacy and effectiveness of the internal controls and reports on the findings and recommendations. The internal auditor can provide an unbiased and reliable assessment of the residual risk, which is the risk that remains after the controls are applied. The other options are not as objective as the internal auditor, as they may have vested interests or conflicts of interest in the control environment. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.4: IT Risk Response, page 87.

Artificial intelligence (AI) is a branch of computer science that aims to create machines or systems that can perform tasks that normally require human intelligence, such as learning, reasoning, decision making, etc.

An organization that is considering adopting AI should be aware of the potential risks and challenges that may arise from using AI, such as ethical, legal, social, technical, operational, or security issues.

The most important course of action for the risk practitioner is to identify applicable risk scenarios. This means that the risk practitioner should analyze the context and objectives of theAI adoption, the stakeholders and their expectations, the data and information sources and quality, the AI models and algorithms and their reliability, the AI outputs and outcomes and their impact, and the AI governance and oversight mechanisms and their effectiveness.

Identifying applicable risk scenarios helps to assess the likelihood and impact of the risks, prioritize the risks, design and implement appropriate risk responses, monitor and evaluate the risk performance, and report and communicate the risk status and issues.

The other options are not the most important courses of action for the risk practitioner. They are either secondary or not essential for AI risk management.

The references for this answer are:

Risk IT Framework, page 24

Information Technology & Security, page 18

Risk Scenarios Starter Pack, page 16

The risk practitioner’s BEST course of action is to validate the transfer of risk and update the register to reflect the change, because outsourcing the backup and recovery procedures to a third-party cloud provider does not eliminate the risk, but rather transfers it to the service provider. The risk practitioner should verify that the service provider has adequate controls and capabilities to handle the backup and recovery procedures, and that the contractual agreement specifies the roles and responsibilities of both parties. The risk practitioner should also update the risk register to reflect the new risk owner and the residual risk level. The other options are not the best course of action, because:

Option A: Accepting the risk and documenting contingency plans for data disruption is not the best course of action, because it implies that the risk practitioner is still responsible for the risk, even though it has been transferred to the service provider. Contingency plans are also reactive measures, rather than proactive ones.

Option B: Removing the associated risk scenario from the risk register due to avoidance is not the best course of action, because it implies that the risk has been eliminated, which is not the case. The risk still exists, but it has been transferred to the service provider. The risk register should reflect the current risk status and ownership.

Option C: Mitigating the risk with compensating controls enforced by the third-party cloud provider is not the best course of action, because it implies that the risk practitioner is still involved in the risk management process, even though the risk has been transferred to the service provider. The risk practitioner should rely on the service provider’s controls and capabilities, and monitor their performance and compliance. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 196.

The best course of action for the risk practitioner is to follow the incident reporting procedures established by the organization. This will ensure that the incident is properly documented, escalated, and resolved in a timely and consistent manner. Reporting the incident to the chief risk officer, advising the employee to forward the email to the phishing team, or advising the employee to permanently delete the email are not the best courses of action, as they may not comply with the organization’s policies and standards, and may not address the root cause and impact of the incident. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.2.1, page 193.

According to the CRISC Review Manual1, risk tolerance is the acceptable level of variation that management is willing to allow for any particular risk as it pursues its objectives. Risk tolerance provides a helpful reference point when communicating the results of a risk assessment to stakeholders, as it helps to compare the current level of risk exposure with the desired level of risk exposure, and to prioritize and allocate resources for risk response. Risk tolerance also helps to align the risk assessment results with the stakeholder expectations and preferences, and to facilitate risk-based decision making. References = CRISC Review Manual1, page 192.