All About CRISC exam question Jan 2017

For anyone looking for a new and demanding position, an Isaca certification gives an edge over job seekers who are not certified. Many employers require the Isaca CRISC for a job: run a job search and you will see a number of positions that you may be unable to apply for now, solely because they demand that level of official certification, which should be no problem for you to achieve!

2017 Jan CRISC practice test

Q1.  - (Topic 2)

Which of the following processes is described in the statement below?

"It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."

A. Risk governance

B. IRGC

C. Risk response planning

D. Risk communication

Answer: D

Explanation:

Risk communication is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions. Risk communication is mostly concerned with the nature of risk or expressing concerns, views, or reactions to risk managers or institutional bodies for risk management. The key plan to consider and communicate risk is to categorize and impose priorities, and acquire suitable measures to reduce risks. It is important throughout any crisis to put across multifaceted information in a simple and clear manner. Risk communication helps in switching or allocating the information concerning risk between the decision-maker and the stakeholders. Risk communication can be explained more clearly with the help of the following definitions:

It defines the issue of what a group does, not just what it says.

It must take into account the valuable element in user's perceptions of risk.

It will be more valuable if it is thought of as conversation, not instruction.

Risk communication is a fundamental and continuing element of the risk analysis exercise, and the involvement of the stakeholder group is from the beginning. It makes the stakeholders conscious of the process at each phase of the risk assessment. It helps to guarantee that the restrictions, outcomes, consequence, logic, and risk assessment are undoubtedly understood by all the stakeholders.

Answer: C is incorrect. Risk response is a process of deciding what measures should be taken to reduce threats and take advantage of the opportunities discovered during the risk analysis processes. This process also includes assigning departments or individual staff members the responsibility of carrying out the risk response plans, and these folks are known as risk owners.

The prioritization of the risk responses and development of the risk response plan is based on the following parameters:

Cost of the response to reduce risk within tolerance levels

Importance of the risk

Capability to implement the response

Effectiveness and efficiency of the response

Risk prioritization strategy is used to create a risk response plan and implementation schedule because all risk cannot be addressed at the same time. It may take considerable investment of time and resources to address all the risk identified in the risk analysis process. Risk with a greater likelihood and impact on the enterprise will be prioritized above other risk that is considered less likely or to have less impact.

Answer: A is incorrect. Risk governance is a systemic approach to decision-making processes associated with natural and technological risks. It is based on the principles of cooperation, participation, mitigation and sustainability, and is adopted to achieve more effective risk management. It seeks to reduce risk exposure and vulnerability by filling gaps in risk policy, in order to avoid or reduce human and economic costs caused by disasters. Risk governance is a continuous life cycle that requires regular reporting and ongoing review. The risk governance function must oversee the operations of the risk management team.

Answer: B is incorrect. The International Risk Governance Council (IRGC) is a self-governing organization whose principle is to facilitate the understanding and management of the rising overall risks that have impacts on the economy and society, human health and safety, and the environment at large. IRGC's effort is to build and develop concepts of risk governance, predict main risk issues and present risk governance policy recommendations for the chief decision makers. IRGC mainly emphasizes rising, universal risks for which governance deficits exist.

Its goal is to present recommendations for how policy makers can correct them. IRGC aims at constructing strong, integrative inter-disciplinary governance models for upcoming and existing risks.


Q2.  - (Topic 3)

Tom works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks, and provides a quantitative assessment of the likely cost to complete the scheduled activities?

A. Activity duration estimates

B. Risk management plan

C. Cost management plan

D. Activity cost estimates

Answer: D

Explanation:

The activity cost estimates review is valuable in identifying risks as it provides a quantitative assessment of the expected cost to complete the scheduled activities and is expressed as a range, with a width of the range indicating the degrees of risk.

Answer: B is incorrect. This is the output of the plan risk management process. A risk management plan is a document arranged by a project manager to estimate the effectiveness, predict risks, and build response plans to mitigate them. It also consists of the risk assessment matrix.

Answer: A is incorrect. The activity duration estimates review is valuable in identifying risks associated with the time allowances for the activities or projects as a whole, with a width of the range indicating the degrees of risk.

Answer: C is incorrect. The cost management plan sets how the costs on a project are managed during the project's lifecycle. It defines the format and principles by which the project costs are measured, reported, and controlled. The cost management plan identifies the person responsible for managing costs, those who have the authority to approve changes to the project or its budget, and how cost performance is quantitatively calculated and reported upon.


Q3.  - (Topic 3)

Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget?

A. Monitor and Control Risk

B. Plan risk response

C. Identify Risks

D. Qualitative Risk Analysis

Answer: B

Explanation:

The plan risk response project management process aims to reduce the threats to the project objectives and to increase opportunities. It follows the perform qualitative risk analysis process and the perform quantitative risk analysis process. The plan risk response process includes assigning a risk response owner to take responsibility for each agreed-to and funded risk response. This process addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget. The inputs to the plan risk response process are as follows:

Risk register

Risk management plan

Answer: C is incorrect. Identify Risks is the process of determining which risks may affect the project. It also documents risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. Risk Register is the only output of this process.

Answer: A is incorrect. Monitor and Control Risk is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project. It can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan.

Answer: D is incorrect. Qualitative analysis is the definition of risk factors in terms of high/medium/low or a numeric scale (1 to 10). Hence it determines the nature of risk on a relative scale.

Some of the qualitative methods of risk analysis are:

Scenario analysis - This is a forward-looking process that can reflect risk for a given point in time.

Risk Control Self-assessment (RCSA) - RCSA is used by enterprises (like banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process in compelling business owners to contemplate, and then explain, the issues at hand with the added benefit of increasing their accountability.


Q4.  - (Topic 1)

Harry is the project manager of HDW project. He has identified a risk that could injure project team members. He does not want to accept any risk where someone could become injured on this project so he hires a professional vendor to complete this portion of the project work. What type of risk response is Harry implementing?

A. Transference

B. Mitigation

C. Acceptance

D. Avoidance

Answer: A

Explanation:

Risk transfer means that impact of risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer. Hence when Harry hires a professional vendor to manage that risk, the risk event does not go away but the responsibility for the event is transferred to the vendor.

Answer: D is incorrect. Avoidance removes the risk event entirely, either by adding additional steps to avoid the event or by reducing the project scope.

Answer: C is incorrect. Mitigation consists of actions that Harry's project team could take to reduce the probability and/or impact of a risk event.

Answer: B is incorrect. Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. Here Harry is not accepting this risk event; he does not want anyone on his team to become injured, so he's transferring the event to a professional vendor.


Q5.  - (Topic 3)

You are the project manager of your enterprise. You have identified new threats, and then evaluated the ability of existing controls to mitigate risk associated with new threats. You noticed that the existing control is not efficient in mitigating these new risks. What are the various steps you could take in this case?

Each correct answer represents a complete solution. Choose all that apply.

A. Education of staff or business partners

B. Deployment of a threat-specific countermeasure

C. Modification of the technical architecture

D. Apply more controls

Answer: A,B,C

Explanation:

As new threats are identified and prioritized in terms of impact, the first step is to evaluate the ability of existing controls to mitigate risk associated with new threats, and if they do not work, then in that case facilitate the:

Modification of the technical architecture

Deployment of a threat-specific countermeasure

Implementation of a compensating mechanism or process until mitigating controls are developed

Education of staff or business partners

Answer: D is incorrect. Applying more controls is not a good solution. They usually complicate the condition.


Q6.  - (Topic 4)

Henry is the project sponsor of the JQ Project and Nancy is the project manager. Henry has asked Nancy to start the risk identification process for the project, but Nancy insists that the project team be involved in the process. Why should the project team be involved in the risk identification?

A. So that the project team can develop a sense of ownership for the risks and associated risk responsibilities.

B. So that the project manager can identify the risk owners for the risks within the project and the needed risk responses.

C. So that the project manager isn't the only person identifying the risk events within the project.

D. So that the project team and the project manager can work together to assign risk ownership.

Answer: A

Explanation:

The best answer to include the project team members is that they'll need to develop a sense of ownership for the risks and associated risk responsibilities.

Answer: C is incorrect. While the project manager shouldn't be the only person to identify the risk events, this isn't the best answer.

Answer: D is incorrect. The reason to include the project team is that the project team needs to develop a sense of ownership for the risks and associated risk responsibilities, not to assign risk ownership.

Answer: B is incorrect. The reason to include the project team is that the project team needs to develop a sense of ownership for the risks and associated risk responsibilities, not to assign risk ownership and risk responses at this point.


Q7.  - (Topic 4)

You are the risk professional of your enterprise. Your enterprise has introduced new systems in many departments. The business requirements that were to be addressed by the new system are still unfulfilled, and the process has been a waste of resources. Even if the system is implemented, it will most likely be underutilized and not maintained making it obsolete in a short period of time. What kind of risk is it?

A. Inherent risk

B. Business risk

C. Project risk

D. Residual risk

Answer: B

Explanation:

Business risk relates to the likelihood that the new system may not meet the user business needs, requirements and expectations. Here in this stem it is said that the business requirements that were to be addressed by the new system are still unfulfilled, therefore it is a business risk.

Answer: A is incorrect. This is one of the components of risk. Inherent risk is the risk level or exposure without taking controls or other management actions into account. But here in this stem no description of control is given, hence it cannot be concluded whether it is an inherent risk or not.

Answer: C is incorrect. Project risks are related to the delay in project deliverables. The project activities to design and develop the system exceed the limits of the financial resources set aside for the project. As a result, the project completion will be delayed. They are not related to fulfillment of business requirements.

Answer: D is incorrect. This is one of the components of risk. Residual risk is the risk that remains after applying controls. But here in this stem no description of control is given, hence it cannot be concluded whether it is a residual risk or not.


Q8.  - (Topic 4)

Natural disaster is BEST associated to which of the following types of risk?

A. Short-term

B. Long-term

C. Discontinuous

D. Large impact

Answer: C

Explanation:

A natural disaster can be long-term or short-term and can have a large or small impact on the company. However, as natural disasters are unpredictable and infrequent, they are best considered as discontinuous.

Answer: A is incorrect. A natural disaster can be short-term, but it is not the best answer.

Answer: B is incorrect. A natural disaster can be long-term, but it is not the best answer.

Answer: D is incorrect. A natural disaster can be of large impact depending upon its nature, but it is not the best answer.


Q9.  - (Topic 3)

You are the project manager of GHT project. You have analyzed the risk and applied appropriate controls. In turn, you got residual risk as a result of this. Residual risk can be used to determine which of the following?

A. Status of enterprise's risk

B. Appropriate controls to be applied next

C. The area that requires more control

D. Whether the benefits of such controls outweigh the costs

Answer: C,D

Explanation:

Residual risk can be used by management to determine:

Which areas require more control

Whether the benefits of such controls outweigh the costs

As residual risk is the output that comes after applying appropriate controls, it can also estimate the area which needs more sophisticated control. If the cost of a control is larger than its benefits, then no control is applied; hence residual risk can determine the benefits of these controls over cost.

Answer: B is incorrect. Appropriate control can only be determined as the result of risk assessment, not through residual risk.

Answer: A is incorrect. Status of enterprise's risk can be determined only after risk monitoring.


Q10.  - (Topic 4)

You are the project manager of GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks would you do in reaction to risk event occurrence? Each correct answer represents a part of the solution. Choose three.

A. Monitor risk

B. Maintain and initiate incident response plans

C. Update risk register

D. Communicate lessons learned from risk events

Answer: A,B,D

Explanation:

When risk events occur, the following tasks have to be done to react to them:

Maintain incident response plans

Monitor risk

Initiate incident response

Communicate lessons learned from risk events

Answer: C is incorrect. Risk register is updated after applying appropriate risk response and at the time of risk event occurrence.
