It is faster and easier to pass the Isaca CRISC exam by using free Isaca Certified in Risk and Information Systems Control questions and answers. Get immediate access to the most up-to-date CRISC exam and find the same core area CRISC questions with professionally verified answers, then pass your exam with a high score now.
2021 Jan CRISC study guide
Q21. - (Topic 3)
Which of the following statements is NOT true regarding the risk management plan?
A. The risk management plan is an output of the Plan Risk Management process.
B. The risk management plan is an input to all the remaining risk-planning processes.
C. The risk management plan includes a description of the risk responses and triggers.
D. The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets.
The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. The risk management plan does not include responses to risks or triggers. Responses to risks are documented in the risk register as part of the Plan Risk Responses process.
Answer: A, D, and B are incorrect. All of these statements are true of the risk management plan. The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. It includes thresholds, scoring and interpretation methods, responsible parties, and budgets. It also acts as an input to all the remaining risk-planning processes.
Q22. - (Topic 1)
John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the Identify Risks process is useful in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk?
A. Activity duration estimates
B. Activity cost estimates
C. Risk management plan
D. Schedule management plan
The activity duration estimates review is valuable in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk.
Answer: B is incorrect. The activity cost estimates review is valuable in identifying risks, as it provides a quantitative assessment of the expected cost to complete scheduled activities and is expressed as a range, with the width of the range indicating the degree of risk.
Answer: D is incorrect. It describes how the schedule contingencies will be reported and assessed.
Answer: C is incorrect. A risk management plan is a document arranged by a project manager to estimate the effectiveness, predict risks, and build response plans to mitigate them. It also consists of the risk assessment matrix.
Q23. - (Topic 2)
Which of the following controls detects a problem before it can occur?
A. Deterrent control
B. Detective control
C. Compensation control
D. Preventative control
Preventative controls are the controls that detect the problem before it occurs. They attempt to predict potential problems and make adjustments to prevent those problems from occurring in the near future. This prediction is made by monitoring both the system's operations and its inputs.
Answer: A is incorrect. Deterrent controls are similar to the preventative controls, but they diminish or reverse the attraction of the environment to prevent risk from occurring instead of making adjustments to the environment.
Answer: C is incorrect. Compensation controls ensure that normal business operations continue by applying appropriate resources.
Answer: B is incorrect. Detective controls simply detect and report on the occurrence of problems. They identify specific symptoms of potential problems.
Q24. - (Topic 2)
Which of the following is an output of the risk assessment process?
A. Identification of risk
B. Identification of appropriate controls
C. Mitigated risk
D. Enterprise left with residual risk
The output of the risk assessment process is identification of appropriate controls for reducing or eliminating risk during the risk mitigation process. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.
Once risk factors have been identified, existing or new controls are designed and measured for their strength and likelihood of effectiveness. Controls are preventive, detective or corrective; manual or programmed; and formal or ad hoc.
Answer: A is incorrect. Risk identification acts as an input to the risk assessment process.
Answer: D is incorrect. Residual risk is a later output, after appropriate controls.
Answer: C is incorrect. This is an output of the risk mitigation process, that is, after applying several risk responses.
Q25. - (Topic 4)
In which of the following risk management capability maturity levels does the enterprise take major business decisions considering the probability of loss and the probability of reward? Each correct answer represents a complete solution. Choose two.
A. Level 0
B. Level 2
C. Level 5
D. Level 4
Enterprises at risk management capability maturity levels 4 and 5 take business decisions considering the probability of loss and the probability of reward, i.e., considering all the aspects of risk.
Answer: A is incorrect. An enterprise at risk management capability maturity level 0 takes business decisions without considering risk credential information.
Answer: B is incorrect. At this low level of risk management capability, the enterprise takes decisions considering specific risk issues within functional and business silos (e.g., security, business continuity, operations).
Q26. - (Topic 2)
Jane is the project manager of the NHJ Project for her company. She has identified several positive risk events within her project and she thinks these events can save the project time and money. Positive risk events, such as these within the NHJ Project, are referred to as?
A. Contingency risks
C. Residual risk
A positive risk event is also known as an opportunity. Opportunities within the project to save time and money must be evaluated, analyzed, and responded to.
Answer: A is incorrect. A contingency risk is not a valid risk management term.
Answer: B is incorrect. Benefits are the good outcomes of a project endeavor. Benefits usually have a cost factor associated with them.
Answer: C is incorrect. Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk.
Q27. - (Topic 3)
You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are using applications of the IRGC model to facilitate understanding and managing the rising overall risks that have impacts on the economy and society. One of your team members wants to know why the IRGC is needed. What will be your reply?
A. IRGC models aim at building robust, integrative inter-disciplinary governance models for emerging and existing risks.
B. IRGC is both a concept and a tool.
C. IRGC addresses the development of resilience and the capacity of organizations and people to face unavoidable risks.
D. IRGC addresses understanding of the secondary impacts of a risk.
IRGC is aimed at building robust, integrative inter-disciplinary governance models for emerging and existing risks.
The International Risk Governance Council (IRGC) is a self-governing organization whose principle is to facilitate understanding and managing the rising overall risks that have impacts on the economy and society, human health and safety, and the environment at large. IRGC's effort is to build and develop concepts of risk governance, predict main risk issues and present risk governance policy recommendations for the chief decision makers. IRGC mainly emphasizes rising, universal risks for which governance deficits exist. Its goal is to present recommendations for how policy makers can correct them. IRGC aims at constructing strong, integrative inter-disciplinary governance models for upcoming and existing risks.
Answer: B is incorrect. As IRGC is aimed at building robust, integrative inter-disciplinary governance models for emerging and existing risks, that is the best answer for this question. Options D and C are incorrect. Risk governance addresses understanding of the secondary impacts of a risk, the development of resilience and the capacity of organizations and people to face unavoidable risks.
Q28. - (Topic 3)
Shawn is the project manager of the HWT project. In this project, Shawn's team reports that they have found a way to complete the project work more cheaply than was originally estimated. The project team presents new software that will help to automate the project work. While the software and the associated training cost $25,000, it will save the project nearly $65,000 in total costs. Shawn agrees to the software and changes the project management plan accordingly. What type of risk response has been used by him?
A risk event is being exploited so as to identify the opportunities for positive impacts. Exploit response is one of the strategies to negate risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of exploit response.
Answer: B is incorrect. Accepting is a risk response that is appropriate for positive or negative risk events. It does not pursue the risk, but documents the event and allows the risk to happen. Often acceptance is used for low probability and low impact risk events.
Answer: A is incorrect. To avoid a risk means to evade it altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event.
Answer: D is incorrect. Enhancing is a positive risk response that aims to increase the probability and/or impact of the risk event.
Q29. - (Topic 2)
Which of the following role carriers are responsible for setting up the risk governance process, establishing and maintaining a common risk view, making risk-aware business decisions, and setting the enterprise's risk culture?
Each correct answer represents a complete solution. Choose two.
A. Senior management
B. Chief financial officer (CFO)
C. Human resources (HR)
D. Board of directors
The board of directors and senior management have the responsibility to set up the risk governance process, establish and maintain a common risk view, make risk-aware business decisions, and set the enterprise's risk culture.
Answer: B is incorrect. The CFO is the most senior official of the enterprise who is accountable for financial planning, record keeping, investor relations and financial risks. The CFO is not responsible for setting up the risk governance process, establishing and maintaining a common risk view, making risk-aware business decisions, and setting the enterprise's risk culture.
Answer: C is incorrect. Human resources is the most senior official of an enterprise who is accountable for planning and policies with respect to all human resources in that enterprise. HR is not responsible for risk-related activities.
Q30. - (Topic 4)
When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?
A. Updating the IT risk registry
B. Insuring against the risk
C. Outsourcing the related business process to a third party
D. Improving staff-training in the risk area
An insurance policy can compensate the enterprise up to 100% by transferring the risk to another company. Hence, in this stem, risk is being transferred.
Answer: A is incorrect. Updating the risk registry (with lower values for impact and probability) will not actually change the risk, only management's perception of it.
Answer: D is incorrect. Staff capacity to detect or mitigate the risk may potentially reduce the financial impact, but insurance allows for the risk to be mitigated up to 100%.
Answer: C is incorrect. Outsourcing the process containing the risk does not necessarily remove or change the risk. Insurance, on the other hand, will completely remove the risk.