# Isaca CRISC practice questions 111 to 120: an overview

When you visit Ucertify.org, start at our home page and search carefully. You will find all of the crucial content that may appear in the genuine Isaca CRISC exam. If you do not know how to prepare for the CRISC exam, our specialists will help you, or you can find out from our own Isaca CRISC study manual. Ucertify is the only web site that provides all of the Isaca CRISC preparation materials. If you are a busy worker, you would do better to take part in our Isaca CRISC training course. It is the quickest and soundest way for you to obtain the Isaca CRISC certification.

## 2021 Nov CRISC real exam

Q111.  - (Topic 1)

You are the risk officer in Bluewell Inc. You are expected to prioritize several risks. One risk has ratings for occurrence, severity, and detection of 4, 5, and 6, respectively. What Risk Priority Number (RPN) would you give it?

A. 120

B. 100

C. 15

D. 30

Explanation:

The steps involved in calculating a risk priority number are as follows:

Identify potential failure modes

Identify potential failure effects

Identify potential causes

Establish links between each identified potential cause and its failure mode

Assess severity, occurrence and detection

Score each assessment on a scale of 1 to 10 (low to high rating)

Compute the RPN for a particular failure mode as severity multiplied by occurrence and detection:

RPN = Severity * Occurrence * Detection

Hence, RPN = 5 * 4 * 6 = 120

Answer: A. Options C, D, and B are incorrect: these are not the RPN for the given values of severity, occurrence, and detection.
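A single RPN is one multiplication, but the question is about prioritizing several risks. The Python below is an added example (not from the original page or from ISACA) that scores a constructed list of failure modes, ranks them by RPN, and applies a severity floor on top of the RPN threshold, because a catastrophic but rare and easily detected failure mode can hide behind a low RPN. The failure modes, their scores, and both thresholds are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEA worksheet, scored on the 1-10 scales used in the question."""
    name: str
    severity: int    # 1 = negligible effect, 10 = catastrophic
    occurrence: int  # 1 = very unlikely, 10 = almost certain
    detection: int   # 1 = certain to be detected before harm, 10 = effectively undetectable


def check_score(value: int, label: str) -> int:
    """Reject anything outside the 1-10 scale so a typo cannot silently skew the ranking."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{label} must be an integer from 1 to 10, got {value!r}")
    return value


def rpn(severity: int, occurrence: int, detection: int) -> int:
    """Risk Priority Number = Severity * Occurrence * Detection (range 1..1000)."""
    return (check_score(severity, "severity")
            * check_score(occurrence, "occurrence")
            * check_score(detection, "detection"))


def prioritize(modes: list[FailureMode]) -> list[tuple[FailureMode, int]]:
    """Rank failure modes by RPN, highest first; ties go to the more severe mode."""
    scored = [(m, rpn(m.severity, m.occurrence, m.detection)) for m in modes]
    return sorted(scored, key=lambda pair: (pair[1], pair[0].severity), reverse=True)


def needs_action(mode: FailureMode, rpn_threshold: int = 100, severity_floor: int = 9) -> bool:
    """Flag a mode when its RPN meets the threshold OR its severity reaches the floor.

    Both thresholds are assumed values. The severity floor catches rare, well-detected
    but catastrophic modes whose RPN alone would rank them near the bottom.
    """
    return (rpn(mode.severity, mode.occurrence, mode.detection) >= rpn_threshold
            or mode.severity >= severity_floor)


# Constructed register: names and scores are illustrative, not real findings.
REGISTER = [
    FailureMode("Risk from question Q111", severity=5, occurrence=4, detection=6),
    FailureMode("Unpatched VPN appliance", severity=8, occurrence=6, detection=4),
    FailureMode("Credential stuffing on customer portal", severity=6, occurrence=8, detection=3),
    FailureMode("Loss of backup encryption key", severity=10, occurrence=2, detection=2),
]

if __name__ == "__main__":
    for mode, score in prioritize(REGISTER):
        flag = "ACT" if needs_action(mode) else "watch"
        print(f"{score:4d}  {flag:5s}  {mode.name}")
```

Run as a script it prints the register highest RPN first; note that the key-loss entry ranks last by RPN (40) yet is still flagged for action because of its severity of 10, which is the reason to never prioritize on RPN alone.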

Q112.  - (Topic 3)

You have identified several risks in your project and have chosen risk mitigation as the response to them. Which of the following demonstrates that the risk mitigation method you have chosen is effective?

A. Reduction in the frequency of a threat

B. Minimization of inherent risk

C. Reduction in the impact of a threat

D. Minimization of residual risk

Explanation:

Answer: D. Residual risk is the risk that remains after controls and other mitigation measures have been applied. The objective of risk reduction is to bring residual risk down to a level below the enterprise's risk tolerance, so minimization of residual risk is what shows that the chosen mitigation method is effective.

Answer: B is incorrect. The inherent risk of a process is a given and cannot be affected by risk reduction or risk mitigation efforts.

Answer: A and C are incorrect. Risk reduction efforts can focus on either reducing the frequency of a threat or reducing its impact. These are the means of mitigation; on their own, neither shows that the remaining risk is within tolerance.

Q113.  - (Topic 4)

You are the project manager of the GHY project for your company. This project has a budget of \$543,000 and is expected to last 18 months. In this project, you have identified several risk events and created risk response plans. In what project management process group will you implement risk response plans?

A. Monitoring and Controlling

B. In any process group where the risk event resides

C. Planning

D. Executing

Explanation:

The Monitor and Control Project Risks process resides in the Monitoring and Controlling project management process group. This process is responsible for implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project. Note that the PMBOK Guide, Sixth Edition, later introduced a separate Implement Risk Responses process in the Executing group; this question follows the earlier edition's model.

Answer: C is incorrect. Risk response plans are not implemented as part of project planning.

Answer: D is incorrect. Risk response plans are not implemented as part of project execution.

Answer: B is incorrect. Risk response plans are implemented as part of the Monitoring and Controlling process group.

Q114.  - (Topic 2)

You are the project manager of the GHT project. During the data extraction process you estimated the total number of transactions per year by multiplying the monthly average by twelve. What is this way of evaluating the total number of transactions known as?

A. Duplicates test

B. Controls total

C. Simplistic and ineffective

D. Reasonableness test

Explanation:

Answer: D. A reasonableness test makes certain assumptions about the data (here, that a year's total should be roughly twelve times the monthly average) and uses them as the basis for more elaborate data validation tests.

Answer: A is incorrect. A duplicate test identifies records that occur more than once and confirms whether those duplicates are valid; it does not estimate a total.

Answer: C is incorrect. Far from being simplistic and ineffective, the reasonableness test is a valid foundation for more elaborate data validation tests.

Answer: B is incorrect. A control total confirms that the extracted data are complete by comparing totals with the source; it does not test whether the figures are plausible.
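The three tests named in the options are easier to tell apart when they are run against data. The Python below is an added example, not from the original page or from ISACA, that applies a reasonableness test, a control total, and a duplicate test to a small constructed extract of transactions. The record layout, the source system's control total, the yearly counts, and the 10% tolerance are all assumptions made for illustration.

```python
from __future__ import annotations
from collections import Counter
from typing import Iterable


def reasonableness_test(extracted_count: int, monthly_average: float,
                        tolerance: float = 0.10) -> bool:
    """The check from the question: a year of data should hold about 12 x the monthly average.

    Passes when the extracted count lies within `tolerance` of that estimate
    (the 10% tolerance is an assumed value).
    """
    expected = monthly_average * 12
    return abs(extracted_count - expected) <= tolerance * expected


def control_total(records: Iterable[dict], field: str) -> float:
    """Sum of one field over the extract, for comparison with the same total from the source."""
    return round(sum(float(r[field]) for r in records), 2)


def control_total_matches(records: Iterable[dict], field: str, source_total: float) -> bool:
    """Completeness check: the extract's total must equal the source system's total to the cent."""
    return abs(control_total(records, field) - source_total) < 0.005


def duplicate_test(records: Iterable[dict], key_fields: tuple[str, ...]) -> list[tuple]:
    """Return key values that occur more than once.

    The reviewer then decides whether each one is a genuine repeated transaction
    or an extraction error; the test itself only surfaces them.
    """
    counts = Counter(tuple(r[f] for f in key_fields) for r in records)
    return sorted(key for key, n in counts.items() if n > 1)


def dedupe(records: list[dict], key_fields: tuple[str, ...]) -> list[dict]:
    """Keep the first occurrence of each key; use only after duplicates are confirmed spurious."""
    seen: set[tuple] = set()
    kept: list[dict] = []
    for r in records:
        key = tuple(r[f] for f in key_fields)
        if key not in seen:
            seen.add(key)
            kept.append(r)
    return kept


# Constructed extract: the extraction job pulled transaction T1004 twice.
EXTRACT = [
    {"txn_id": "T1001", "amount": 120.00},
    {"txn_id": "T1002", "amount": 75.50},
    {"txn_id": "T1003", "amount": 300.00},
    {"txn_id": "T1004", "amount": 49.99},
    {"txn_id": "T1004", "amount": 49.99},
    {"txn_id": "T1005", "amount": 210.00},
    {"txn_id": "T1006", "amount": 18.25},
]
SOURCE_TOTAL = 773.74   # assumed control total reported by the source system
YEARLY_COUNT = 118_400  # assumed number of transactions in the full yearly extract
MONTHLY_AVERAGE = 10_000  # assumed monthly average from prior periods

if __name__ == "__main__":
    print("reasonableness:", reasonableness_test(YEARLY_COUNT, MONTHLY_AVERAGE))
    print("control total matches:", control_total_matches(EXTRACT, "amount", SOURCE_TOTAL))
    print("duplicates:", duplicate_test(EXTRACT, ("txn_id",)))
    clean = dedupe(EXTRACT, ("txn_id",))
    print("after dedupe, control total matches:",
          control_total_matches(clean, "amount", SOURCE_TOTAL))
```

The three checks catch different things: the reasonableness test only tells you the yearly count is in the expected ballpark, the control total tells you the extract is out by exactly one record's amount, and the duplicate test tells you which record that is.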

Q115.  - (Topic 2)

Which of the following is an acceptable method for handling positive project risk?

A. Exploit

B. Avoid

C. Mitigate

D. Transfer

Explanation:

Answer: A. Exploit is a method for handling positive project risk (an opportunity).

Answer: D, B, and C are incorrect. These are all responses used for negative risks, not for positive risks.

### Up to the minute CRISC exam topics:

Q116.  - (Topic 2)

Which of the following is the process of numerically analyzing the effects of identified risks on the overall objectives of the enterprise?

A. Identifying Risks

B. Quantitative Risk Assessment

C. Qualitative Risk Assessment

D. Monitoring and Controlling Risks

Explanation:

Answer: B. A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results help in identifying the priority of risks and are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are:

Single loss expectancy (SLE): the total loss expected from a single incident, which occurs when a threat exploits a vulnerability. The loss is expressed as a dollar value, such as \$1,000, and includes the value of data, software, and hardware.

SLE = Asset value * Exposure factor

Annual rate of occurrence (ARO): the number of times an incident is expected to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24; assuming nothing changes, it is likely to occur 24 times next year.

Annual loss expectancy (ALE): the expected loss for a year, calculated by multiplying SLE by ARO. Because SLE is given as a dollar value, ALE is also a dollar value. For example, if the SLE is \$1,000 and the ARO is 24, the ALE is \$24,000.

ALE = SLE * ARO

Safeguard value: the cost of a control. Controls are used to mitigate risk. For example, if antivirus software costs an average of \$50 per computer and there are 50 computers, the safeguard value is \$2,500.

Answer: C is incorrect. Unlike a quantitative risk assessment, a qualitative risk assessment does not assign dollar values. Rather, it determines a risk's level from the probability and impact of the risk, values that are obtained by gathering the opinions of experts.

Probability: the likelihood of occurrence and recurrence of specific risks, independently and combined. The risk occurs when a threat exploits a vulnerability. A scale is used to express the probability that a risk will occur; it can be based on word values such as Low, Medium, or High, and percentages can be assigned to those words, such as 10% to Low and 90% to High.

Impact: the magnitude of an identified risk. The risk leads to some type of loss, but instead of quantifying the loss as a dollar value, an impact assessment may use words such as Low, Medium, or High. Impact is expressed as a relative value; for example, Low could be 10, Medium 50, and High 100.

Risk level = Probability * Impact

Answer: A is incorrect. The first thing to do in risk management is to identify the areas of the project where risks can occur; this is termed risk identification. Listing all possible risks is productive for the enterprise because they can be addressed before they occur. Both threats and opportunities are considered in risk identification, as both carry some level of risk.

Answer: D is incorrect. Monitoring and controlling risks is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.
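To make the formulas in the explanation concrete, the Python below is an added example (not from the original page or from ISACA) that computes SLE, ARO, ALE and safeguard value for the page's own figures, uses the ALE reduction to judge whether a control pays for itself, and scores a qualitative register on the Low/Medium/High scales. The asset value of \$10,000, the reduced ARO of 4 after the antivirus control, the 50% probability assigned to Medium, and the register entries are assumptions made for illustration.

```python
from __future__ import annotations


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset value * Exposure factor. EF is the fraction (0..1) of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_rate_of_occurrence(incidents: int, observed_years: float = 1.0) -> float:
    """ARO = incidents per year, projected from the observed period (2 per month -> 24)."""
    if observed_years <= 0:
        raise ValueError("observed period must be positive")
    return incidents / observed_years


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, in the same currency as SLE."""
    return sle * aro


def safeguard_value(unit_cost: float, units: int) -> float:
    """Cost of a control, e.g. $50 antivirus on 50 computers -> $2,500."""
    return unit_cost * units


def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual ALE reduction minus annual safeguard cost; positive means the control pays for itself."""
    return (ale_before - ale_after) - annual_cost


# Qualitative scales from the explanation; the Medium probability is an assumed midpoint.
PROBABILITY = {"Low": 0.10, "Medium": 0.50, "High": 0.90}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def qualitative_risk_level(probability: str, impact: str) -> float:
    """Risk level = Probability * Impact on the word scales (1.0 .. 90.0)."""
    return PROBABILITY[probability] * IMPACT[impact]


def rank_register(register: dict[str, tuple[str, str]]) -> list[tuple[str, float]]:
    """Order a qualitative register by risk level, highest first."""
    scored = [(name, qualitative_risk_level(p, i)) for name, (p, i) in register.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Page figures: SLE $1,000, ARO 24, ALE $24,000; antivirus $50 x 50 PCs = $2,500.
    sle = single_loss_expectancy(asset_value=10_000, exposure_factor=0.10)  # asset value assumed
    aro = annual_rate_of_occurrence(incidents=24)
    ale = annual_loss_expectancy(sle, aro)
    cost = safeguard_value(50, 50)
    # Assumption: the control cuts incidents from 24 to 4 per year.
    ale_after = annual_loss_expectancy(sle, annual_rate_of_occurrence(4))
    print(f"SLE={sle:,.0f} ARO={aro:.0f} ALE={ale:,.0f} safeguard={cost:,.0f} "
          f"net benefit={control_net_benefit(ale, ale_after, cost):,.0f}")

    # Constructed qualitative register.
    register = {
        "Ransomware": ("Medium", "High"),
        "Lost laptop": ("High", "Low"),
        "Data centre fire": ("Low", "High"),
    }
    for name, level in rank_register(register):
        print(f"{level:5.1f}  {name}")
```

With the page's figures the control costs \$2,500 a year against an assumed ALE reduction of \$20,000, so it is clearly worth buying; the same comparison with a control whose cost exceeds the ALE reduction would come out negative, which is the signal to look for a cheaper control or accept the risk.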

Q117.  - (Topic 3)

Mike is the project manager of the NNP Project for his organization. He is working with his project team to plan the risk responses for the NNP Project. Mike would like the project team to work together on establishing risk thresholds in the project. What is the purpose of establishing risk threshold?

A. It is a study of the organization's risk tolerance.

B. It is a warning sign that a risk event is going to happen.

C. It is a limit of the funds that can be assigned to risk events.

D. It helps to identify those risks for which specific responses are needed.

Explanation:

Answer: D. A risk threshold helps to identify those risks for which specific responses are needed; risks that fall below it can be accepted or simply monitored.

Q118.  - (Topic 2)

Which of the following is the FOREMOST root cause of project risk? Each correct answer represents a complete solution. Choose two.

A. New system is not meeting the user business needs

B. Delay in arrival of resources

C. Lack of discipline in managing the software development process

D. Selection of unsuitable project methodology

Explanation:

Answer: C and D. The foremost root causes of project risk are:

A lack of discipline in managing the software development process

Selection of a project methodology that is unsuitable for the system being developed

Answer: A is incorrect. The risk that a new system does not meet the user's business needs is a business risk, not a project risk.

Answer: B is incorrect. A delay in the arrival of resources is not a direct root cause of project risk.

Q119.  - (Topic 1)

You are the project manager of the NHH Project. You are working with the project team to create a plan that documents the procedures for managing risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario?

A. Project plan

B. Resource management plan

C. Project management plan

D. Risk management plan

Explanation:

Answer: D. The risk management plan, part of the comprehensive project management plan, defines how risks will be identified, analyzed, monitored and controlled, and responded to.

A risk management plan is a document prepared by a project manager to predict risks, estimate their effects, and build response plans to mitigate them. It also contains the risk assessment matrix.

Risks are inherent in any project, so project managers evaluate risks repeatedly and build plans to address them. The risk management plan consists of an analysis of possible risks with both high and low impacts, together with the mitigation strategies that keep the project on track when the common problems arise. Risk management plans should be reviewed regularly by the project team so that the analysis does not become stale and unreflective of the actual potential project risks. Most critically, risk management plans include a risk strategy for project execution.

Answer: C is incorrect. The project management plan is a comprehensive plan that communicates the intent of the project across all project management knowledge areas.

Answer: A is incorrect. The project plan is not an official PMBOK project management plan.

Answer: B is incorrect. The resource management plan defines the management of project resources, such as project team members, facilities, equipment, and contractors.

Q120.  - (Topic 1)

Which of the following roles is accountable for analyzing risks, maintaining the risk profile, and making risk-aware decisions?

C. Chief information officer (CIO)

D. Chief risk officer (CRO)

Explanation:

Business management comprises the business individuals with roles relating to managing a program. They are typically accountable for analyzing risks, maintaining the risk profile, and making risk-aware decisions. In addition, they are responsible for managing risks, reacting to events, and so on.

Answer: C is incorrect. The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of the associated human resources. The CIO has some responsibility for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.

Answer: B is incorrect. The business process owner is the individual responsible for identifying process requirements, approving process design and managing process performance. He or she is responsible for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.

Answer: D is incorrect. The CRO is the individual who oversees all aspects of risk management across the enterprise. He or she is responsible for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.
