Download Certified in Risk and Information Systems Control.CRISC.Test4Prep.2019-12-04.389q.vcex

Vendor: ISACA
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Date: Dec 04, 2019
File Size: 525 KB

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Demo Questions

Question 1
You are the project manager of a HGT project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do few administrative closure activities. In the project, there were several large risks that could have wrecked the project but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you have identified during the project's monitoring and controlling process?
  1. Include the responses in the project management plan.
  2. Include the risk responses in the risk management plan.
  3. Include the risk responses in the organization's lessons learned database.
  4. Nothing. The risk responses are included in the project's risk register already.
Correct answer: C
Explanation:
The risk responses that do not exist up till then, should be included in the organization's lessons learned database so other project managers can use these responses in their project if relevant. Incorrect Answers:A: The responses are not in the project management plan, but in the risk response plan during the project and they'll be entered into the organization's lessons learned database.B: The risk responses are included in the risk response plan, but after completing the project, they should be entered into the organization's lessons learned database.D: If the new responses that were identified is only included in the project's risk register then it may not be shared with project managers working on some other project.
The risk responses that do not exist up till then, should be included in the organization's lessons learned database so other project managers can use these responses in their project if relevant. 
Incorrect Answers:
A: The responses are not in the project management plan, but in the risk response plan during the project and they'll be entered into the organization's lessons learned database.
B: The risk responses are included in the risk response plan, but after completing the project, they should be entered into the organization's lessons learned database.
D: If the new responses that were identified is only included in the project's risk register then it may not be shared with project managers working on some other project.
Question 2
You are the project manager of GHT project. You have identified a risk event on your project that could save $100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event?
  1. This risk event should be mitigated to take advantage of the savings.
  2. This is a risk event that should be accepted because the rewards outweigh the threat to the project.
  3. This risk event should be avoided to take full advantage of the potential savings.
  4. This risk event is an opportunity to the project and should be exploited.
Correct answer: D
Explanation:
This risk event has the potential to save money on project costs, so it is an opportunity, and the appropriate strategy to use in this case is the exploit strategy. The exploit response is one of the strategies to negate risks or threats appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of exploit response. Incorrect Answers:A, C: Mitigation and avoidance risk response is used in case of negative risk events, and not in positive risk events. Here in this scenario, as it is stated that the event could save $100,000, hence it is a positive risk event. Therefore should not be mitigated or avoided.B: To accept risk means that no action is taken relative to a particular risk; loss is accepted if it occurs. But as this risk event bring an opportunity, it should me exploited and not accepted.
This risk event has the potential to save money on project costs, so it is an opportunity, and the appropriate strategy to use in this case is the exploit strategy. The exploit response is one of the strategies to negate risks or threats appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of exploit response. 
Incorrect Answers:
A, C: Mitigation and avoidance risk response is used in case of negative risk events, and not in positive risk events. Here in this scenario, as it is stated that the event could save $100,000, hence it is a positive risk event. Therefore should not be mitigated or avoided.
B: To accept risk means that no action is taken relative to a particular risk; loss is accepted if it occurs. But as this risk event bring an opportunity, it should me exploited and not accepted.
Question 3
Which of the following role carriers will decide the Key Risk Indicator of the enterprise? 
Each correct answer represents a part of the solution. Choose two.
  1. Business leaders
  2. Senior management
  3. Human resource
  4. Chief financial officer
Correct answer: AB
Explanation:
An enterprise may have hundreds of risk indicators such as logs, alarms and reports. The CRISC will usually need to work with senior management and business leaders to determine which risk indicators will be monitored on a regular basis and be recognized as KRIs. Incorrect Answers:C, D: Chief financial officer and human resource only overview common risk view, but are not involved in risk based decisions.
An enterprise may have hundreds of risk indicators such as logs, alarms and reports. The CRISC will usually need to work with senior management and business leaders to determine which risk indicators will be monitored on a regular basis and be recognized as KRIs. 
Incorrect Answers:
C, D: Chief financial officer and human resource only overview common risk view, but are not involved in risk based decisions.
Question 4
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
  1. Resource Management Plan
  2. Risk Management Plan
  3. Stakeholder management strategy
  4. Communications Management Plan
Correct answer: D
Explanation:
The Communications Management Plan defines, in regard to risk management, who will be available to share information on risks and responses throughout the project. The Communications Management Plan aims to define the communication necessities for the project and how the information will be circulated. The Communications Management Plan sets the communication structure for the project. This structure provides guidance for communication throughout the project's life and is updated as communication needs change. The Communication Managements Plan identifies and defines the roles of persons concerned with the project. It includes a matrix known as the communication matrix to map the communication requirements of the project. Incorrect Answers:A: The Resource Management Plan does not define risk communications.B: The Risk Management Plan defines risk identification, analysis, response, and monitoring.C: The stakeholder management strategy does not address risk communications.
The Communications Management Plan defines, in regard to risk management, who will be available to share information on risks and responses throughout the project. 
The Communications Management Plan aims to define the communication necessities for the project and how the information will be circulated. The Communications Management Plan sets the communication structure for the project. This structure provides guidance for communication throughout the project's life and is updated as communication needs change. The Communication Managements Plan identifies and defines the roles of persons concerned with the project. It includes a matrix known as the communication matrix to map the communication requirements of the project. 
Incorrect Answers:
A: The Resource Management Plan does not define risk communications.
B: The Risk Management Plan defines risk identification, analysis, response, and monitoring.
C: The stakeholder management strategy does not address risk communications.
Question 5
Which of the following controls is an example of non-technical controls?
  1. Access control
  2. Physical security
  3. Intrusion detection system
  4. Encryption
Correct answer: B
Explanation:
Physical security is an example of non-technical control. It comes under the family of operational controls. Incorrect Answers:A, C, D: Intrusion detection system, access control, and encryption are the safeguards that are incorporated into computer hardware, software or firmware, hence they refer to as technical controls.
Physical security is an example of non-technical control. It comes under the family of operational controls. 
Incorrect Answers:
A, C, D: Intrusion detection system, access control, and encryption are the safeguards that are incorporated into computer hardware, software or firmware, hence they refer to as technical controls.
Question 6
You are the project manager of GHT project. Your project team is in the process of identifying project risks on your current project. The team has the option to use all of the following tools and techniques to diagram some of these potential risks EXCEPT for which one?
  1. Process flowchart
  2. Ishikawa diagram
  3. Influence diagram
  4. Decision tree diagram
Correct answer: D
Explanation:
Decision tree diagrams are used during the Quantitative risk analysis process and not in risk identification. Incorrect Answers:A, B, C: All these options are diagrammatical techniques used in the Identify risks process.
Decision tree diagrams are used during the Quantitative risk analysis process and not in risk identification. 
Incorrect Answers:
A, B, C: All these options are diagrammatical techniques used in the Identify risks process.
Question 7
Which of the following BEST describes the utility of a risk?
  1. The finance incentive behind the risk
  2. The potential opportunity of the risk
  3. The mechanics of how a risk works
  4. The usefulness of the risk to individuals or groups
Correct answer: D
Explanation:
The utility of the risk describes the usefulness of a particular risk to an individual. Moreover, the same risk can be utilized by two individuals in different ways. Financial outcomes are one of the methods for measuring potential value for taking a risk. For example, if the individual's economic wealth increases, the potential utility of the risk will decrease. Incorrect Answers:A: Determining financial incentive is one of the method to measure the potential value for taking a risk, but it is not the valid definition for utility of risk.B: It is not the valid definition.C: It is not the valid definition.
The utility of the risk describes the usefulness of a particular risk to an individual. Moreover, the same risk can be utilized by two individuals in different ways. Financial outcomes are one of the methods for measuring potential value for taking a risk. For example, if the individual's economic wealth increases, the potential utility of the risk will decrease. 
Incorrect Answers:
A: Determining financial incentive is one of the method to measure the potential value for taking a risk, but it is not the valid definition for utility of risk.
B: It is not the valid definition.
C: It is not the valid definition.
Question 8
You are the project manager in your enterprise. You have identified risk that is noticeable failure threatening the success of certain goals of your enterprise. In which of the following levels do this identified risk exists?
  1. Moderate risk
  2. High risk
  3. Extremely high risk
  4. Low risk
Correct answer: A
Explanation:
Moderate risks are noticeable failure threatening the success of certain goals. Incorrect Answers:B: High risk is the significant failure impacting in certain goals not being met.C: Extremely high risk are the risks that has large impact on enterprise and are most likely results in failure with severe consequences.D: Low risks are the risk that results in certain unsuccessful goals.
Moderate risks are noticeable failure threatening the success of certain goals. 
Incorrect Answers:
B: High risk is the significant failure impacting in certain goals not being met.
C: Extremely high risk are the risks that has large impact on enterprise and are most likely results in failure with severe consequences.
D: Low risks are the risk that results in certain unsuccessful goals.
Question 9
Which of the following processes is described in the statement below? 
"It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
  1. Risk governance
  2. Risk identification
  3. Risk response planning
  4. Risk communication
Correct answer: D
Explanation:
Risk communication is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions. Risk communication is mostly concerned with the nature of risk or expressing concerns, views, or reactions to risk managers or institutional bodies for risk management. The key plan to consider and communicate risk is to categorize and impose priorities, and acquire suitable measures to reduce risks. It is important throughout any crisis to put across multifaceted information in a simple and clear manner. Risk communication helps in switching or allocating the information concerning risk among the decision-maker and the stakeholders. Risk communication can be explained more clearly with the help of the following definitions:It defines the issue of what a group does, not just what it says. It must take into account the valuable element in user's perceptions of risk. It will be more valuable if it is thought of as conversation, not instruction. Risk communication is a fundamental and continuing element of the risk analysis exercise, and the involvement of the stakeholder group is from the beginning. It makes the stakeholders conscious of the process at each phase of the risk assessment. It helps to guarantee that the restrictions, outcomes, consequence, logic, and risk assessment are undoubtedly understood by all the stakeholders. Incorrect Answers:C: A risk response ensures that the residual risk is within the limits of the risk appetite and tolerance of the enterprise. Risk response is process of selecting the correct, prioritized response to risk, based on the level of risk, the enterprise's risk tolerance and the cost and benefit of the particular risk response option.Risk response ensures that management is providing accurate reports on:The level of risk faced by the enterprise The incidents' type that have occurred Any alteration in the enterprise's risk profile based on changes in the risk environment
Risk communication is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions. Risk communication is mostly concerned with the nature of risk or expressing concerns, views, or reactions to risk managers or institutional bodies for risk management. The key plan to consider and communicate risk is to categorize and impose priorities, and acquire suitable measures to reduce risks. It is important throughout any crisis to put across multifaceted information in a simple and clear manner. 
Risk communication helps in switching or allocating the information concerning risk among the decision-maker and the stakeholders. Risk communication can be explained more clearly with the help of the following definitions:
  • It defines the issue of what a group does, not just what it says. 
  • It must take into account the valuable element in user's perceptions of risk. 
  • It will be more valuable if it is thought of as conversation, not instruction. 
Risk communication is a fundamental and continuing element of the risk analysis exercise, and the involvement of the stakeholder group is from the beginning. It makes the stakeholders conscious of the process at each phase of the risk assessment. It helps to guarantee that the restrictions, outcomes, consequence, logic, and risk assessment are undoubtedly understood by all the stakeholders. 
Incorrect Answers:
C: A risk response ensures that the residual risk is within the limits of the risk appetite and tolerance of the enterprise. Risk response is process of selecting the correct, prioritized response to risk, based on the level of risk, the enterprise's risk tolerance and the cost and benefit of the particular risk response option.
Risk response ensures that management is providing accurate reports on:
  • The level of risk faced by the enterprise 
  • The incidents' type that have occurred 
  • Any alteration in the enterprise's risk profile based on changes in the risk environment
Question 10
You are an experienced Project Manager that has been entrusted with a project to develop a machine which produces auto components. You have scheduled meetings with the project team and the key stakeholders to identify the risks for your project. Which of the following is a key output of this process?
  1. Risk Register
  2. Risk Management Plan
  3. Risk Breakdown Structure
  4. Risk Categories
Correct answer: A
Explanation:
The primary outputs from Identify Risks are the initial entries into the risk register. The risk register ultimately contains the outcomes of other risk management processes as they are conducted, resulting in an increase in the level and type of information contained in the risk register over time. Incorrect Answers:B, C, D: All these are outputs from the "Plan Risk Management" process, which happens prior to the starting of risk identification.
The primary outputs from Identify Risks are the initial entries into the risk register. The risk register ultimately contains the outcomes of other risk management processes as they are conducted, resulting in an increase in the level and type of information contained in the risk register over time. 
Incorrect Answers:
B, C, D: All these are outputs from the "Plan Risk Management" process, which happens prior to the starting of risk identification.
HOW TO OPEN VCE FILES

Use VCE Exam Simulator to open VCE files
Avanaset

HOW TO OPEN VCEX AND EXAM FILES

Use ProfExam Simulator to open VCEX and EXAM files
ProfExam Screen

ProfExam
ProfExam at a 20% markdown

You have the opportunity to purchase ProfExam at a 20% reduced price

Get Now!