CRISC Domain II

Question 1

What’s the purpose of defining a risk response?

Answer 1

To ensure the residual risk is within the limits of the risk appetite and tolerance of the enterprise

Question 2

What is Risk Response based on?

Answer 2

-Selecting the correct, prioritized response to risk, based on the level of risk, the enterprise’s risk tolerance and the cost-benefit advantages of the selected risk response option

Question 3

What are the risk management processes? Where does Risk Response fit?

Answer 3

• Identification
• Assessment
• Evaluation
• Monitoring
• Risk Response integrates with risk management processes

Question 4

Risk Reponse ensure that management is provided what?

Answer 4

Accurate reports on:

• Level of risk faced by the enterprise
• Types of incidents that have occurred
• Any change to the enterprise’s risk profile based on changes in the (internal and external) risk environment

Question 5

Risk should always be reported based on?

Answer 5

• The risk to the business,
• The ability of the business to meet its objectives and
• Risk to IT systems

Question 6

When is the Risk Response triggered

Answer 6

When a risk exceeds the enterprise’s risk tolerance level

Question 7

The prioritzation of the risk response and development of risk response plan is influenced by what several parameters?

Answer 7

• Cost of the response to reduce risk to within tolerence levels
• Importance of the risk
• Capability to implement the response
• Effectiveness of the response
• Efficiency of the response

Question 8

What are the high-level risk response process phases?

Answer 8

• Phase 1: Review results of the risk analysis
• Phase 2:Select risk response options
• Phase 3:Prioritize the risk response options
• Phase 4:Implement the risk action plan

Question 9

What should be done where the risk analysis shows risk is not within the defined risk tolerance levels?

Answer 9

Weigh projected risk versus the potential cost of implementing and maintaining controls and select the most appropriate response

Question 10

What are the four key risk response options?

Answer 10

• Risk avoidance (avoid)
• Risk mitigation (reduce/mitigate)
• Risk sharing (share/transfer)
• Risk acceptance (accept)

Question 11

Define Risk Avoidance?

Answer 11

Activities or conditions that give rise to risk are discontinued

Question 12

Risk avoidance applies when?

Answer 12

The level or risk, even after the slection of controls, would be greater than the risk tolerance level of the enterprise

Question 13

Provide Risk Avoidance examples?

Answer 13

• Not engaging in electronic commerce (e-commerce) to avoid the risk associated with the line of business
• Not engating in a very large project when the business case shows a significant risk of failure
• Not operating in some countries or regions due to safety concerns

Question 14

What are some cases of Risk Avoidance?

Answer 14

• There is no other cost-effective response in reducing the liklihood and magnitude below the defined thresholds for risk appetite
• The risk cannot be shared or transferred
• The risk is deemed unacceptable by management

Question 15

What is Risk Mitigation?

Answer 15

Actions are taken to reduce the likelihood and/or the impact of risk

Question 16

What are the main control types in Risk Mitigation?

Answer 16

• Managerial (policies)
• Technical (tools like FW’s and IDS’s)
• Operational (procedures, SOD)
• Preparedness activities

Question 17

Give Risk Mitigation examples?

Answer 17

• Strengthening overall risk management practices, such as implementing sufficiently mature risk mgmt processes
• Deploying new technical, management or operational controls that reduce either the likelihood or impact of an adverse event
• Installing a new access control system
• Implementing policies or operational procedures
• Developing an effective incident response and business continuity plan

Question 18

What is Risk Sharing?

Answer 18

Risk impact is reduced by transferring or otherwise sharing a portion of the risk with an external enterprise or another internal entity

Question 19

Give examples of Risk Sharing?

Answer 19

• Taking out insurance coverage for disasters or incidents
• Outsourcing unique business processes
• Sharing project risk with other organizations through fixed prices arrangements or shared investment arrangements

Question 20

What is an important note regarding Risk Sharing?

Answer 20

In both physical and legal sense this technique does not releive an enterprise of a risk

Question 21

What is Risk Acceptance?

Answer 21

No action is taken relative to a particular risk; loss is accepted when/if it occurs

Question 22

If an enterprise adopts a risk accpetance stance it should consider?

Answer 22

Who can accept the risk. It should only be accepted by senior business management in collaboration with senior management and the board

Question 23

What is an important note regarding Risk Acceptance?

Answer 23

• Risk Acceptance is different from being ignorant of risk

- Accepting risk assumes risk is know and that an informal decision has been made by management to accept it

Question 24

What must be considered when selecting any of the risk mitigation options?

Answer 24

• Goals and objectives of an enterprise

Question 25

What is the “best in class” approach to risk response consideration?

Answer 25

Use appropriate technology along with appropriate risk mitigation options and nontechnical, administrative measures

Question 26

What are the risk response selction parameters?

Answer 26

• Cost of response
• Importance of risk
• Capability to implement response
• Effectiveness of response
• Efficiency of response

Question 27

What are the Risk Response Prioritzation Options?

Answer 27

• Quick win
• Business case to be made
• Deferral

Question 28

What is a Quick Win prioritization option?

Answer 28

Very effective and efficient response that addresses medium to high risk

Question 29

What is a Business case to be made option?

Answer 29

Requires careful analysis and management decisions on investments:

• More expensive or difficult risk responses to medium to high risk
• Efficient, effective responses to low to medium risk

Question 30

What is a Deferal option?

Answer 30

Costly risk reponse to a low risk

Question 31

A risk has been identified the enterprise’s IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become expensive. What is the response and the risk prioritization option?

Answer 31

Response:
- Major rearchitecuture and redesign of the existing system
- Purhase of a new, integrated system
Risk Option:
- Categorized as Business case to be made because of project cost

Question 32

A risk of noncompliance with regulations is identified because a number of relatively simple procedures are missing. What is the response and the risk prioritization option?

Answer 32

Reponse:
- Creating the missing procedures and implementing them
Risk Option:
- Categorized as Quick Win because the allocation of existing resources or a minor resource investment provides measurable benefits

Question 33

What is contained in a risk response plan?

Answer 33

• Steps, timelines, budgets, people and tools needed to implemente risk response strategy

Question 34

Whare are risk response factors should be taken into account?

Answer 34

• Stakeholder interests
• Acceptance of change
• Balance of technical and nontechnical solutions
• Cost
• Impact on productivity
• Ownership of controls
• Ability to audit and monitor risk
• Regulations
• Changing market conditions

Question 35

As part of a risk response, ongoing status of risk mitigation process must be tracked. How is this done?

Answer 35

• Tracking is often done using a risk register

Question 36

Why is it important to use a risk register?

Answer 36

To ensure the risk response strategy remains active and proposed controls are implemented according to schedule

Question 37

What happens when an enterprise is aware of a risk but does not have a justifiable risk response strategy or not following its strategy?

Answer 37

The liablity of the tnerprise to adverse publicity or even civil or criminal penalties increases

Question 38

What should a risk practitioner always look to achieve?

Answer 38

Greater efficiency by integrating risk response options to address more than one risk

Question 39

What iks the result of the use of techniques that are versatile and enterprisewide rather than individual solutions? Give an example?

Answer 39

• It provides better justification for risk response strategies and related costs
• Example: Deploying an access control system that supports more than one system

Question 40

The implementation of IS controls should consider?

Answer 40

• Controls are tested prior to implementation whenever possible
• People are trained in the use of the tools
• A control owner is clearly identified and responsible for the control
• The control is measurable
• The control is monitored to ensure that it remains effective over time

Question 41

What are the Phases of Risk Reponse Process?

Answer 41

• Phase 1: Articulate risk
• Phase 2: Manage risk
• Phase 3: React to risk events

Question 42

Explain the Phase 1 of the risk response process and what it requires?

Answer 42

Phase 1 is Articulate Risk. Requires articulating (documenting and reporting) risk to ensure information on the true state of exposures and opportunities is made available in a timely manner and to the right people to enable the appropriate response

Question 43

What are the tasks associated with Phase 1-Risk Articulation

Answer 43

Task 1: Communicate risk analysis results
Task 2: Report risk management activities and the state of compliance
Task 3: Interpret independent risk assessment findings
Task 4: Identify business oportunities

Question 44

What are the steps to communicate risk analysis results? What Task is this associated with?

Answer 44

Step 1: Report the results of risk analysis in terms and formats useful to support business and risk mgmt decisions
Step 2: Coordinate additonal risk analysis as required by decision makers (report rejection and scope adjustments)
Step 3: Clearly communicate the risk-return context, including, wherever possible, probabilities of loss and/or gain, ranges, and confidence levels that enable managmenet to balance risk-return ratios
Step 4: Identify the negative impacts of events/scnarios that drive response decisions and possitive impacts that represent oportunities that mgmt should channel back into the strategy and objective setting process
Step 5: Provide decision makers with an understinding of:
- Worst case and most probable scenarios
- Due dilligence exposures
- Significant reputation, legal or regulatory considrations

• Associate with Task 1: Communicate Risk Analysis Results

Question 45

What are the steps to Report Risk Management Acitivities and State of Compliance? What Task is this associated with?

Answer 45

Step 1: Meet the risk reporting needs of variouis stakeholders
Step 2: Apply the principles of relevance, efficiency, timeliness and accuracy to ensure strategic and efficient reporting on risk issues and status
Step 3: When reporting, include the following:
- Control effectiveness and performance
- Issues and gaps
- Remediation status
- Events and incidents
- Impacts of events and incidents on the risk profile
- Performance of risk management process
Step 4: Provide inputs to integrated enterprise reporting

• Associate with Task 1: Communicate Risk Analysis Results