The Secret of CRISC study guide

It is hard to pass the ISACA CRISC exam without help in a short time frame. Come to Ucertify and find the most advanced, correct and guaranteed ISACA CRISC practice questions. You will get a surprising result from our updated Certified in Risk and Information Systems Control practice guides.

2016 Nov CRISC free question

Q61.  - (Topic 3)

What are the requirements of effectively communicating risk analysis results to the relevant stakeholders? Each correct answer represents a part of the solution. Choose three.

A. The results should be reported in terms and formats that are useful to support business decisions

B. Communicate only the negative risk impacts of events in order to drive response decisions

C. Communicate the risk-return context clearly

D. Provide decision makers with an understanding of worst-case and most probable scenarios

Answer: A,C,D

Explanation:

The results of the risk analysis process are communicated to the relevant stakeholders. The steps involved in that communication are:

Report the results in terms and formats that are useful to support business decisions.

Coordinate additional risk analysis activity as required by decision makers, for example after a report is rejected or the scope is adjusted.

Communicate the risk-return context clearly, including probabilities of loss and/or gain, ranges, and confidence levels (where possible), so that management can balance risk against return.

Identify the negative impacts of events that drive response decisions, as well as the positive impacts of events that represent opportunities; the latter should feed back into the strategy and objective-setting process.

Provide decision makers with an understanding of worst-case and most probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations.

Answer: B is incorrect. Both negative and positive risk impacts are communicated to the relevant stakeholders: the negative impacts of events drive response decisions, while the positive impacts represent opportunities that should feed back into the strategy and objective-setting process.


Q62.  - (Topic 4)

You are the program manager for your organization and you are working with Alice, a project manager in your program. Alice calls you and insists that you add a change to the program scope. You agree to the change. What must Alice do to move forward with her change request?

A. Add the change to the program scope herself, as she is a project manager

B. Create a change request charter justifying the change request

C. Document the change request in a change request form.

D. Add the change request to the scope and complete integrated change control

Answer: C

Explanation:

Change requests must be documented to be considered. Alice should create a change request form and follow the procedures of the change control system.


Q63.  - (Topic 2)

Which of the following BEST measures the operational effectiveness of risk management capabilities?

A. Capability maturity models (CMMs)

B. Metric thresholds

C. Key risk indicators (KRIs)

D. Key performance indicators (KPIs)

Answer: D

Explanation:

Key performance indicators (KPIs) provide insight into the operational effectiveness of the concept or capability that they monitor. KPIs are a set of measures that a company or industry uses to measure and/or compare performance against its strategic and operational goals. KPIs vary from company to company, depending on priorities or performance criteria.

A company must establish its strategic and operational goals and then choose the KPIs that best reflect those goals. For example, if a software company's goal is to have the fastest growth in its industry, its main performance indicator may be its annual revenue growth.

Answer: C is incorrect. Key risk indicators (KRIs) only provide insight into potential risks that may exist or be realized within the concept or capability that they monitor. KRIs are the prime monitoring indicators of the enterprise: they are highly relevant and have a high probability of predicting or indicating important risk. KRIs also keep the number of risk indicators that a large enterprise has to manage and report from growing excessively.

Answer: A is incorrect. Capability maturity models (CMMs) assess the maturity of a concept or capability and do not provide insight into operational effectiveness.

Answer: B is incorrect. Metric thresholds are decision or action points that are triggered when a KPI or KRI reports a specific value or set of values. A threshold does not by itself provide any insight into operational effectiveness.


Q64.  - (Topic 3)

You work as a Project Manager for Company Inc. You have to conduct the risk management activities for a project. Which of the following inputs will you use in the plan risk management process?

Each correct answer represents a complete solution. Choose all that apply.

A. Quality management plan

B. Schedule management plan

C. Cost management plan

D. Project scope statement

Answer: B,C,D

Explanation:

The inputs to the plan risk management process are as follows:

Project scope statement: It provides a clear sense of the range of possibilities associated with the project and establishes the framework for how significant the risk management effort may become.

Cost management plan: It describes how risk budgets, contingencies, and management reserves will be reported and accessed.

Schedule management plan: It describes how schedule contingencies will be reported and assessed.

Communication management plan: It describes the interactions that occur on the project and determines who will be available to share information on various risks and responses at different times.

Enterprise environmental factors: These include, but are not limited to, the risk attitudes and tolerances that describe the degree of risk an organization can withstand.

Organizational process assets: These include, but are not limited to, risk categories, risk statement formats, standard templates, roles and responsibilities, authority levels for decision-making, lessons learned, and stakeholder registers.

Answer: A is incorrect. The quality management plan is not an input to the plan risk management process.


Q65.  - (Topic 4)

You are the risk official at Bluewell Inc. Several risks are posing a threat to your enterprise. To find the risk factors with the highest potential impact, you measure the exposure of each one by examining the extent to which the uncertainty of that element affects the object under consideration while all other uncertain elements are held at their baseline values. Which type of analysis are you performing?

A. Sensitivity analysis

B. Fault tree analysis

C. Cause-and-effect analysis

D. Scenario analysis

Answer: A

Explanation:

Sensitivity analysis is the quantitative risk analysis technique that:

Assists in determining the risk factors that have the greatest potential impact

Examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values

Answer: B is incorrect. Fault tree analysis provides a systematic description of the combinations of possible undesirable occurrences in a system. It does not measure the extent of uncertainty.

Answer: C is incorrect. Cause-and-effect analysis uses predictive or diagnostic analytical tools to explore the root causes or factors that contribute to positive or negative effects or outcomes, not the extent of uncertainty.

Answer: D is incorrect. Scenario analysis provides the ability to see a range of values across several scenarios in order to identify risk in a specific situation, and to identify which inputs carry the greatest uncertainty. It plays no role in determining the extent of that uncertainty one element at a time.
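The one-element-at-a-time procedure the explanation describes is easy to carry out in code. The block below is an added example, not part of the original question set or any ISACA material: it uses a hypothetical annual-loss model and constructed input ranges (the names `annual_loss`, `oat_sensitivity`, `INPUTS` and all the figures are assumptions chosen for illustration). For each uncertain input it moves only that input to the low and high end of its range while every other input stays at baseline, and then ranks the inputs by the swing they cause in the output.

```python
"""One-at-a-time (OAT) sensitivity analysis over a small risk exposure model.

Each uncertain input has a (low, baseline, high) range. For every input we
move only that input to its low and high ends while all other inputs stay at
baseline, record the model output at both ends, and rank inputs by the size
of the resulting swing. The largest swing marks the risk factor with the
greatest potential impact.
"""
from typing import Callable, Dict, List, Tuple

# (low, baseline, high). Constructed for illustration, not from any real assessment.
Range = Tuple[float, float, float]

INPUTS: Dict[str, Range] = {
    "incident_rate": (0.1, 0.3, 0.6),              # expected incidents per year
    "records_exposed": (10_000, 50_000, 200_000),  # records affected per incident
    "cost_per_record": (100.0, 150.0, 250.0),      # currency units per record
    "control_effectiveness": (0.9, 0.7, 0.4),      # fraction of loss the controls prevent
}

Model = Callable[[Dict[str, float]], float]


def annual_loss(params: Dict[str, float]) -> float:
    """Hypothetical annualised loss: frequency x magnitude x residual share."""
    return (
        params["incident_rate"]
        * params["records_exposed"]
        * params["cost_per_record"]
        * (1.0 - params["control_effectiveness"])
    )


def baseline_output(model: Model, inputs: Dict[str, Range]) -> float:
    """Model output with every input at its baseline value."""
    return model({name: rng[1] for name, rng in inputs.items()})


def oat_sensitivity(model: Model, inputs: Dict[str, Range]) -> List[Tuple[str, float, float, float]]:
    """Return (name, output_at_low, output_at_high, swing), largest swing first.

    Only one input is perturbed per evaluation; all others are held at baseline,
    which is what distinguishes this from scenario analysis (several inputs moved
    together) and from fault tree or cause-and-effect analysis.
    """
    baseline = {name: rng[1] for name, rng in inputs.items()}
    results = []
    for name, (low, _base, high) in inputs.items():
        low_params = dict(baseline)
        low_params[name] = low
        high_params = dict(baseline)
        high_params[name] = high
        out_low = model(low_params)
        out_high = model(high_params)
        results.append((name, out_low, out_high, abs(out_high - out_low)))
    # Round before ranking so float noise does not reorder genuine ties.
    results.sort(key=lambda r: (-round(r[3], 6), r[0]))
    return results


if __name__ == "__main__":
    print(f"baseline annual loss: {baseline_output(annual_loss, INPUTS):,.0f}")
    for name, lo, hi, swing in oat_sensitivity(annual_loss, INPUTS):
        print(f"{name:22s} low={lo:>12,.0f} high={hi:>12,.0f} swing={swing:>12,.0f}")
```

With these constructed ranges the number of records exposed dominates the swing, so it is the factor whose uncertainty most deserves further analysis or a response; the ranked swings are the data a tornado chart would plot.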



Q66.  - (Topic 4)

Adrian is a project manager for a new project using a technology that has recently been released and there's relatively little information about the technology. Initial testing of the technology makes the use of it look promising, but there's still uncertainty as to the longevity and reliability of the technology. Adrian wants to consider the technology factors a risk for her project. Where should she document the risks associated with this technology so she can track the risk status and responses?

A. Project scope statement

B. Project charter

C. Risk low-level watch list

D. Risk register

Answer: D

Explanation:

A risk register is an inventory of risks and of the exposure associated with each of them. Risk registers are common in project management practice and provide the information needed to identify, analyze, and manage risks. A risk register typically contains:

A description of the risk

The impact should the event actually occur

The probability of its occurrence

Risk score (probability multiplied by impact)

A summary of the planned response should the event occur

A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)

A ranking of risks by risk score, so that the highest-priority risks are highlighted to everyone involved

It records the initial risks and the potential responses, and tracks the status of each identified risk in the project.

Answer: B is incorrect. The project charter does not define risks.

Answer: A is incorrect. The project scope statement does document initially identified risks, but it is not the place where risk responses and risk status are recorded.

Answer: C is incorrect. The risk low-level watch list is for identified risks that have low impact and low probability in the project.


Q67.  - (Topic 3)

How can residual risk be determined?

A. By determining remaining vulnerabilities after countermeasures are in place.

B. By transferring all risks.

C. By threat analysis

D. By risk assessment

Answer: D

Explanation:

All risks are determined by risk assessment, whether they are residual or not.

Answer: A is incorrect. Determining the remaining vulnerabilities after countermeasures are in place says nothing about threats, so risk cannot be determined from that alone.

Answer: C is incorrect. Risk cannot be determined by threat analysis alone, whether it is residual or not.

Answer: B is incorrect. Transferring all risks is not relevant to determining residual risk; it is one of the methods of risk response.


Q68.  - (Topic 2)

You are working as the project manager of the ABS project. The project is for establishing a computer network on a school's premises. During project execution, the school management asks to make the campus Wi-Fi enabled. You know that this may impact the project adversely. You have discussed the change request with the other stakeholders. What will be your NEXT step?

A. Update project management plan.

B. Issue a change request.

C. Analyze the impact.

D. Update risk management plan.

Answer: C

Explanation:

The first step after receiving any change request in a project is to analyze its impact. Changes may be requested by any stakeholder involved with the project. Although they may be initiated verbally, they should always be recorded in written form and entered into the change management and/or configuration management system.

Answer: A, B, and D are incorrect. All of these may be required steps depending on the change request, but any change request must first be followed by an impact analysis of the change.


Q69.  - (Topic 4)

You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?

A. The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget.

B. The project's cost management plan can help you to determine what the total cost of the project is allowed to be.

C. The project's cost management plan provides direction on how costs may be changed due to identified risks.

D. The project's cost management plan is not an input to the quantitative risk analysis process.

Answer: A

Explanation:

The cost management plan is an input to the quantitative risk analysis process because of the cost management control it provides.

The cost management plan sets out how the costs of a project are managed during the project's lifecycle. It defines the format and principles by which project costs are measured, reported, and controlled. It identifies the person responsible for managing costs, those who have the authority to approve changes to the project or its budget, and how cost performance is quantitatively calculated and reported.

Answer: D is incorrect. This is not a valid statement; the cost management plan is an input to the quantitative risk analysis process.

Answer: B is incorrect. The cost management plan defines the estimating, budgeting, and control of the project's costs, not the total cost the project is allowed to reach.

Answer:C is incorrect. While the cost management plan does define the cost change control system, this is not the best answer for this


Q70.  - (Topic 2)

Which of the following IS processes provide indirect information? Each correct answer represents a complete solution. Choose three.

A. Post-implementation reviews of program changes

B. Security log monitoring

C. Problem management

D. Recovery testing

Answer: A,B,C

Explanation:

Security log monitoring, post-implementation reviews of program changes, and problem management all provide indirect information. Security log monitoring provides indirect information about certain controls in the security environment, particularly when it is used to analyze the source of failed access attempts.

Post-implementation reviews of program changes provide indirect information about the effectiveness of internal controls over the development process.

Problem management provides indirect information about the effectiveness of several different IS processes, any of which may ultimately be determined to be the source of incidents.

Answer: D is incorrect. Recovery testing provides direct evidence that the redundancy or backup controls work effectively. It does not provide any indirect information.
