CRISC Exam Dumps - Certified in Risk and Information Systems Control

An IT risk register is a document that records and tracks the significant IT risks that an organization faces across its various functions, processes, and activities. An IT risk register can help to provide a comprehensive and consistent view of the organization’s IT risk profile, and to support the decision making and reporting of the IT risk management function1.

One of the data that must be updated to maintain an IT risk register is the expected frequency and potential impact of each IT risk. The expected frequency is the probability or likelihood of the IT risk occurring, based on historical data, statistical analysis, expert judgment, or other methods. The potential impact is the magnitude or severity of the consequences or outcomes of the IT risk, measured in terms of cost, time, quality, reputation, or other criteria2.

Updating the expected frequency and potential impact of each IT risk is essential for maintaining an IT risk register, because it can help to:

Evaluate and prioritize the IT risks based on their risk level, which is calculated by multiplying the frequency and impact

Monitor and track the changes or trends in the IT risk exposure and performance over time

Identify and implement the appropriate risk response strategies and controls, based on the risk level and the risk appetite and tolerance of the organization

Report and communicate the IT risk status and progress to the stakeholders, using risk indicators, dashboards, or matrices3

The other options are not the data that must be updated to maintain an IT risk register, but rather the data that are used as inputs or outputs of the IT risk management process. Risk tolerance is the acceptable variation in the outcomes related to specific objectives or risks. Risk tolerance is used to measure the IT risk analysis and to guide the IT risk response. Enterprise-wide IT risk assessment is a process that identifies, analyzes, and evaluates the IT risks across theorganization. Enterprise-wide IT risk assessment is used topopulate the IT risk register and to inform the IT risk response. Risk appetite is the amount and type of risk that an organization is willing to accept in order to achieve its objectives. Risk appetite is used to guide the IT risk analysis and to align the IT risk response. References =

Risk Register - ISACA

Risk Analysis - ISACA

Risk Register 2021-2022 - UNECE

[How To Conduct Business Impact Analysis in 8 Easy Steps - G2]

[Risk Appetite and Risk Tolerance - ISACA]

[Enterprise Risk Assessment - ISACA]

[CRISC Review Manual, 7th Edition]

The most important objective from a cost perspective for considering aggregated risk responses in an organization is to address more than one risk response. Aggregated risk responses are risk responses that can affect multiple risks or objectives simultaneously. By addressing more than one risk response, the organization can achieve cost efficiency and effectiveness in risk management. Prioritizing risk response options, reducing likelihood, and reducing impact are other possible objectives, but they are not as important from a cost perspective as addressing more than one risk response. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 10; CRISC Review Manual, 6th Edition, page 140.

According to the CRISC Review Manual1, risk scenarios are hypothetical situations that describe the potential causes, impacts, and responses of a risk event. Risk scenarios are useful tools for identifying, analyzing, and communicating risks in a clear and understandable way. The most important factor when developing risk scenarios is to ensure that they are relevant to the organization, as this helps to capture the specific context, objectives, processes, and resources of the organization, and to reflect the actual risk exposure and appetite of the organization. Relevant risk scenarios also help to engage and involve the stakeholders, and to facilitate risk-based decision making and action planning. References = CRISC Review Manual1, page 206.

The most important factor when developing risk scenarios is obtaining input from key stakeholders. A risk scenario is a description of a possible event or situation that could affect the enterprise’s objectives, processes, or resources. Obtaining input from key stakeholders, such as business owners, process owners, subject matter experts, or external parties, helps to ensure that the risk scenarios are realistic, relevant, and comprehensive. It also helps to identify the sources,drivers, indicators, likelihood, impact, and responses of the risk scenarios, and to align them with the enterprise’s risk appetite and tolerance. Obtaining input from key stakeholders also fosters a collaborative and participatory approach to risk management, and enhances the risk awareness and ownership among the stakeholders. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.3, page 621

The risk likelihood is the element of the risk register that should be updated to reflect the change of implementing encryption on all databases that host customer data. The risk likelihood is the probability or frequency of a risk event occurring, and it is one of the factors that determine the risk level and priority. By implementing encryption, the organization reduces the risk likelihood of unauthorized access, disclosure, or breach of the customer data, as encryption protects the data from being read or modified by anyone who does not have the decryption key. Therefore, the risk likelihood should be updated to reflect the lower probability of the risk event after applying the encryption control. The other options are not the elements that should be updated, as they are either not affected by or not related to the change of implementing encryption. The inherent risk is the level of risk before applying any controls or mitigation measures, and it does not change after implementing encryption. The risk appetite is the amount of risk that the organization is willing to accept in pursuit of its objectives, and it is not influenced by the change ofimplementing encryption. The risk tolerance is the acceptable variation between the risk thresholds and thebusiness objectives, and it is not determined by the change of implementing encryption. References = Risk Register: A Project Manager’s Guide with Examples [2023] • Asana; Risk Assessment in Project Management | PMI; Risk Assessment Process: Definition, Steps, and Examples; Risk Assessment - an overview | ScienceDirect Topics

Noncompliance cost reflects the impact or penalties from deviating from policies. Per ISACA governance best practices, exceptions should only be granted when this cost is understood and deemed acceptable relative to business needs.

The most important element of an organization’s risk register to update following the commissioning of a new financial reporting system is the risk rating of affected financial processes. A risk rating is a measure of the level and nature of the risk exposure, based on the impact and likelihood of the risk events. A risk rating can help to prioritize and respond to the risks, and to monitor and report the risk status. A new financial reporting system may introduce new or different risks, or change the existing risks, that could affect the financial processes of the organization, such as data quality, accuracy, timeliness, compliance, or security. Therefore, the risk rating of affected financial processes should be updated to reflect the current risk situation and to ensure that the risk register is accurate and complete. Key risk indicators (KRIs), the owner of the financial reporting process, and the list of relevant financial controls are not asimportant as the risk rating of affected financial processes, as they are not directly affected by the commissioning of a new financial reporting system, and they do not measure the risk exposure and impact of the financial processes. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 48.

IT control self-assessments are techniques that involve identifying and evaluating the effectiveness and efficiency of the IT controls that are designed and implemented to mitigate the IT risks, by the managers and staff within the organization12.

An ineffective control is a control that does not achieve its intended objective or purpose, or does not operate as designed or expected34.

A low residual risk scenario is a situation or occurrence that has a low likelihood and impact of affecting the organization’s objectives, performance, or value creation, after considering the existing controls and their effectiveness56.

The next course of action when reviewing management’s IT control self-assessments and noting an ineffective control that links to several low residual risk scenarios is to recommend management accept the low-risk scenarios, which is a risk response strategy that involves acknowledging and tolerating the level of risk exposure, and not taking any further action to reduce or eliminate it78.

Recommending management accept the low-risk scenarios is the next course of action because it is the most cost-effective and reasonable option, given that the level of risk exposure is low andacceptable, and the cost and effort of implementing or improving the control may outweigh the potential benefits or value78.

Recommending management accept the low-risk scenarios is also the next course of action because it is consistent with the risk management process and objectives, which are to identifyand address the risks that may affect the achievement of the organization’s goals and the delivery of value to the stakeholders, and to optimize the balance between risk and reward78.

The other options are not the next course of action, but rather possible alternatives or steps that may be considered or followed in different circumstances or scenarios. For example:

Assessing management’s risk tolerance is a step that involves determining and communicating the acceptable or tolerable level of risk exposure for the organization or its business units, based on the organization’s risk appetite, criteria, and objectives78. However, this stepis not the next course of action because it is usually done before or during the risk assessment process, and not after noting an ineffective control that links to several low residual risk scenarios78.

Proposing mitigating controls is a course of action that involves suggesting or recommending additional or alternative controls that can reduce or eliminate the level of risk exposure, and improve the effectiveness and efficiency of the risk management process78. However, this course of action is not the next course of action because it is not necessary or appropriate for low residual risk scenarios, as the cost and effort of implementing or improving the controls may outweigh the potential benefits or value78.

Re-evaluating the risk scenarios associated with the control is a course of action that involves revising and updating the likelihood and impact of the risk scenarios, and the level of risk exposure or tolerance for the organization, based on the current or changed conditions or factors that influence the risk landscape78. However, this course of action is not the next course of action because it is not required or relevant for low residual risk scenarios, as the level of risk exposure is already low and acceptable, and the ineffective control does not significantly affect the risk assessment78. References =

1: Control Self Assessments - PwC1

2: Control self-assessment - Wikipedia2

3: Ineffective Controls: What They Are and How to Identify Them3

4: Ineffective Controls: What They Are and How to Identify Them4

5: Residual Risk - Definition and Examples5

6: Residual Risk: Definition, Formula & Management6

7: Risk IT Framework, ISACA, 2009

8: IT Risk Management Framework, University of Toronto, 2017