CRISC Certified in Risk and Information Systems Control - Practice Questions

Question 1 (Volume B)

What are the various outputs of risk response?

Select all that apply, then click Submit answer.

○
Risk Priority Number
○
Residual risk
○
Risk register updates
○
Project management plan and Project document updates
○
Risk-related contract decisions

Reference / correct answer:

Risk register updates

Project management plan and Project document updates

Risk-related contract decisions

The outputs of the risk response planning process are:

Risk Register Updates: The risk register is written in detail so that it can be related to the priority ranking and the planned response.

Risk Related Contract Decisions: Risk related contract decisions are the decisions to transmit risk, such as services, agreements for insurance, and other items as required. It provides a means for sharing risks.

Project Management Plan Updates: Some of the elements of the project management plan updates are:

- Schedule management plan

- Cost management plan

- Quality management plan

- Procurement management plan

- Human resource management plan

- Work breakdown structure

- Schedule baseline

- Cost performance baseline

Project Document Updates: Some of the project documents that can be updated includes:

- Assumption log updates

- Technical documentation updates

Incorrect Answers:

A: Risk priority number is not an output for risk response but instead it is done before applying response. Hence it acts as one of the inputs of risk response and is not the output of it.

B: Residual risk is not an output of risk response. Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk. As,

Risk = Threat Vulnerability and

Total risk = Threat Vulnerability Asset Value

Residual risk can be calculated with the following formula:

Residual Risk = Total Risk - Controls

Senior management is responsible for any losses due to residual risk. They decide whether a risk should be avoided, transferred, mitigated or accepted. They also decide what controls to implement. Any loss due to their decisions falls on their sides.

Residual risk assessments are conducted after mitigation to determine the impact of the risk on the enterprise. For risk assessment, the effect and frequency is reassessed and the impact is recalculated.

Question 2 (Volume D)

Which of the following come under the phases of risk identification and evaluation?

Each correct answer represents a complete solution. (Choose three.)

Select all that apply, then click Submit answer.

○
Maintain a risk profile
○
Collecting data
○
Analyzing risk
○
Applying controls

Reference / correct answer:

Maintain a risk profile

Collecting data

Analyzing risk

Risk identification is the process of determining which risks may affect the project. It also documents risks' characteristics.

Following are high-level phases that are involved in risk identification and evaluation:

Collecting data- Involves collecting data on the business environment, types of events, risk categories, risk scenarios, etc., to identify relevant data to enable effective risk identification, analysis and reporting.

Analyzing risk- Involves analyzing risk to develop useful information which is used while taking risk-decisions. Risk-decisions take into account the business relevance of risk factors.

Maintain a risk profile- Requires maintaining an up-to-date and complete inventory of known threats and their attributes (e.g., expected likelihood, potential impact, and disposition), IT resources, capabilities, and controls as understood in the context of business products, services and processes to effectively monitor risk over time.

Incorrect Answers:

D: It comes under risk management process, and not in risk identification and evaluation process.

Question 3 (Volume B)

Which of the following are true for quantitative analysis?

Each correct answer represents a complete solution. (Choose three.)

Select all that apply, then click Submit answer.

○
Determines risk factors in terms of high/medium/low.
○
Produces statistically reliable results
○
Allows discovery of which phenomena are likely to be genuine and which are merely chance occurrences
○
Allows data to be classified and counted

CRISC – Certified in Risk and Information Systems Control