Certified in Risk and Information Systems Control CRISC Questions + Answers Part 6


Post by answerhappygod »

QUESTION 198
You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?
A. The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget.
B. The project's cost management plan can help you to determine what the total cost of the project is allowed to be.
C. The project's cost management plan provides direction on how costs may be changed due to identified risks.
D. The project's cost management plan is not an input to the quantitative risk analysis process.
Correct Answer: A
Section: Volume D
Explanation/Reference:
Explanation:
The cost management plan is an input to the quantitative risk analysis process because of the cost management control it provides.
The cost management plan sets how the costs on a project are managed during the project's life cycle. It defines the format and principles by which the project costs are measured, reported, and controlled. The cost management plan identifies the person responsible for managing costs, those who have the authority to approve changes to the project or its budget, and how cost performance is quantitatively calculated and reported upon.
Incorrect Answers:
B: The cost management plan defines the estimating, budgeting, and control of the project's cost.
C: While the cost management plan does define the cost change control system, this is not the best answer for this
D: This is not a valid statement. The cost management plan is an input to the quantitative risk analysis process.
QUESTION 199
You are the project manager in your enterprise. You have identified the occurrence of a risk event in your enterprise. You have pre-planned risk responses. You have monitored the risks that have occurred. What is the immediate step after this monitoring process that has to be followed in response to risk events?
A. Initiate incident response
B. Update the risk register
C. Eliminate the risk completely
D. Communicate lessons learned from risk events
Correct Answer: A
Section: Volume D
Explanation/Reference:
Explanation:
When risk events occur, the following tasks have to be done to react to them:
Maintain incident response plans
Monitor risk
Initiate incident response
Communicate lessons learned from risk events
QUESTION 200
You are the project manager of GHT project. A stakeholder of this project requested a change request in this project. What are your responsibilities as the project manager that you should do in order to approve this change request?
Each correct answer represents a complete solution. Choose two.
A. Archive copies of all change requests in the project file.
B. Evaluate the change request on behalf of the sponsor
C. Judge the impact of each change request on project activities, schedule and budget.
D. Formally accept the updated project plan
Correct Answer: AC
Section: Volume D
Explanation/Reference:
Explanation:
The project manager's responsibilities related to the change request approval process are judging the impact of each change request on project activities, schedule and budget, and also archiving copies of all change requests in the project file.
Incorrect Answers:
B: This is the responsibility of the Change Advisory Board.
D: The PM does not have the authority to formally accept the updated project plan. This is done by the project sponsors so as to approve the change request.
QUESTION 201
You are the project manager of HJT project. You want to measure the operational effectiveness of risk management capabilities. Which of the following is the BEST option to measure the operational effectiveness?
A. Key risk indicators
B. Capability maturity models
C. Key performance indicators
D. Metric thresholds
Correct Answer: C
Section: Volume D
Explanation/Reference:
Explanation:
Key performance indicators are a set of quantifiable measures that a company or industry uses to gauge or compare performance in terms of meeting their strategic and operational goals. Key performance indicators (KPIs) provide insights into the operational effectiveness of the concept or capability that they monitor.
Incorrect Answers:
A: Key risk indicators (KRIs) only provide insights into potential risks that may exist or be realized within a concept or capability that they monitor.
B: Capability maturity models (CMMs) assess the maturity of a concept or capability and do not provide insights into operational effectiveness.
D: Metric thresholds are decision or action points that are enacted when a KPI or KRI reports a specific value or set of values.
QUESTION 202
What are the functions of the auditor while analyzing risk?
Each correct answer represents a complete solution. Choose three.
A. Aids in determining audit objectives
B. Identify threats and vulnerabilities to the information system
C. Provide information for evaluation of controls in audit planning
D. Supporting decision based on risks
Correct Answer: ACD
Section: Volume D
Explanation/Reference:
Explanation:
A risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats. A risk from an organizational perspective consists of:
Threats to various processes of the organization.
Threats to physical and information assets.
Likelihood and frequency of occurrence from threat.
Impact on assets from threat and vulnerability.
Risk analysis allows the auditor to do the following tasks:
Identify threats and vulnerabilities to the enterprise and its information system.
Provide information for evaluation of controls in audit planning.
Aid in determining audit objectives.
Support decisions based on risks.
Incorrect Answers:
B: Auditors identify threats and vulnerabilities not only in IT but in the whole enterprise as well.
QUESTION 203
Henry is the project manager of the QBG Project for his company. This project has a budget of $4,576,900 and is expected to last 18 months to complete. The CIO, a stakeholder in the project, has introduced a scope change request for additional deliverables as part of the project work. What component of the change control system would review the proposed changes' impact on the features and functions of the project's product?
A. Cost change control system
B. Configuration management system
C. Scope change control system
D. Integrated change control
Correct Answer: B
Section: Volume D
Explanation/Reference:
Explanation:
The configuration management system ensures that proposed changes to the project's scope are reviewed and evaluated for their effect on the project's product.
The configuration management process is important in achieving business objectives. Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability, minimizes production issues and resolves issues more quickly.
Incorrect Answers:
A: The cost change control system is responsible for reviewing and controlling changes to the project costs.
C: The scope change control system focuses on reviewing the actual changes to the project scope. When a change to the project's scope is proposed, the configuration management system is also invoked.
D: Integrated change control examines the effect of a proposed change on the project as a whole.
QUESTION 204
What are the key control activities to be done to ensure business alignment?
Each correct answer represents a part of the solution. Choose two.
A. Define the business requirements for the management of data by IT
B. Conduct IT continuity tests on a regular basis or when there are major changes in the IT infrastructure
C. Periodically identify critical data that affect business operations
D. Establish an independent test task force that keeps track of all events
Correct Answer: AC
Section: Volume D
Explanation/Reference:
Explanation:
Business alignment requires the following control activities:
Defining the business requirements for the management of data by IT.
Periodically identifying critical data that affect business operations, in alignment with the risk management model and IT service as well as the business continuity plan.
Incorrect Answers:
B: Conducting IT continuity tests on a regular basis or when there are major changes in the IT infrastructure is done for testing the IT continuity plan. It does not ensure alignment with the business.
D: This is not a valid answer.
QUESTION 205
Which of the following statements is true for risk analysis?
A. Risk analysis should assume an equal degree of protection for all assets.
B. Risk analysis should give more weight to the likelihood than the size of loss.
C. Risk analysis should limit the scope to a benchmark of similar companies
D. Risk analysis should address the potential size and likelihood of loss.
Correct Answer: D
Section: Volume D
Explanation/Reference:
Explanation:
A risk analysis deals with the potential size and likelihood of loss. A risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats. A risk from an organizational perspective consists of:
Threats to various processes of the organization.
Threats to physical and information assets.
Likelihood and frequency of occurrence from threat.
Impact on assets from threat and vulnerability.
Risk analysis allows the auditor to do the following tasks:
Identify threats and vulnerabilities to the enterprise and its information system.
Provide information for evaluation of controls in audit planning.
Aid in determining audit objectives.
Support decisions based on risks.
Incorrect Answers:
A: Assuming an equal degree of protection would only be rational in the rare event that all the assets are similar in sensitivity and criticality. Hence this is not practiced in risk analysis.
B: Since the likelihood determines the size of the loss, both elements must be considered in the calculation.
C: A risk analysis would not normally consider the benchmark of similar companies as providing relevant information other than for comparison purposes.
QUESTION 206
You are working at Bluewell Inc., which makes advertising websites. Someone has made unauthorized changes to your website. Which of the following terms refers to this type of loss?
A. Loss of confidentiality
B. Loss of integrity
C. Loss of availability
D. Loss of revenue
Correct Answer: B
Section: Volume D
Explanation/Reference:
Explanation:
Loss of integrity refers to the following types of losses:
An e-mail message is modified in transit
A virus infects a file
Someone makes unauthorized changes to a website
Incorrect Answers:
A: Someone seeing a password or a company's secret formula is referred to as loss of confidentiality.
C: An e-mail server being down so that no one has e-mail access, or a file server being down so that data files aren't available, comes under loss of availability.
D: This refers to the events which would eventually cause loss of revenue.
QUESTION 207
Which of the following is NOT true for Key Risk Indicators?
A. They are selected as the prime monitoring indicators for the enterprise
B. They help avoid having to manage and report on an excessively large number of risk indicators
C. The complete set of KRIs should also balance indicators for risk, root causes and business impact.
D. They are monitored annually
Correct Answer: D
Section: Volume D
Explanation/Reference:
Explanation:
They are monitored on a regular basis as they indicate high-probability and high-impact risks. As risks change over time, KRIs should also be monitored regularly for their effectiveness against these changing risks.
Incorrect Answers:
A, B, C: These are all true for KRIs. Key risk indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess a high probability of predicting or indicating important risk. KRIs help in avoiding the excessively large number of risk indicators that a large enterprise may otherwise have to manage and report on.
The complete set of KRIs should also balance indicators for risk, root causes and business impact, so as to indicate the risk and its impact completely.
QUESTION 208
You are the risk official at Bluewell Inc. There are some risks that are posing a threat to your enterprise. You are measuring the exposure of those risk factors which have the highest potential, by examining the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values. Which type of analysis are you performing?
A. Sensitivity analysis
B. Fault tree analysis
C. Cause-and-effect analysis
D. Scenario analysis
Correct Answer: A
Section: Volume D
Explanation/Reference:
Explanation:
Sensitivity analysis is the quantitative risk analysis technique that:
Assists in determining the risk factors that have the most potential impact
Examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values
Incorrect Answers:
B: Fault tree analysis provides a systematic description of the combination of possible undesirable occurrences in a system. It does not measure the extent of uncertainty.
C: Cause-and-effect analysis involves the use of predictive or diagnostic analytical tools for exploring the root causes or factors that contribute to positive or negative effects or outcomes, and not the extent of uncertainty.
D: Scenario analysis provides the ability to see a range of values across several scenarios to identify risk in a specific situation. It provides the ability to identify those inputs which will provide the greatest level of uncertainty. But it plays no role in determining the extent of uncertainty.
QUESTION 209
Which of the following risk responses includes feedback and guidance from well-qualified risk officials and those internal to the project?
A. Contingent response strategy
B. Risk Acceptance
C. Expert judgment
D. Risk transfer
Correct Answer: C
Section: Volume D
Explanation/Reference:
Explanation:
Expert judgment is utilized in developing risk responses, including feedback and guidance from risk management experts and those internal to the project qualified to provide assistance in this process. Expert judgment is a technique based on a set of criteria that has been acquired in a specific knowledge area or product area. It is obtained when the project manager or project team requires specialized knowledge that they do not possess. Expert judgment involves people most familiar with the work of creating estimates. Preferably, the project team member who will be doing the task should complete the estimates. Expert judgment is applied when performing administrative closure activities, and experts should ensure the project or phase closure is performed to the appropriate standards.
Incorrect Answers:
A: Contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case of their occurrence. Unlike the mitigation planning in which mitigation looks to reduce the probability of the risk and its impact, contingency planning doesn't necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs.
B: Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts a risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active.
Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept the consequences of the risk. Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.
D: Risk transfer means that impact of risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer.
QUESTION 210
You are the risk professional of your enterprise. Your enterprise has introduced new systems in many departments. The business requirements that were to be addressed by the new system are still unfulfilled, and the process has been a waste of resources. Even if the system is implemented, it will most likely be underutilized and not maintained, making it obsolete in a short period of time. What kind of risk is it?
A. Inherent risk
B. Business risk
C. Project risk
D. Residual risk
Correct Answer: B
Section: Volume D
Explanation/Reference:
Explanation:
Business risk relates to the likelihood that the new system may not meet the user business needs, requirements and expectations. Here in this stem it is said that the business requirements that were to be addressed by the new system are still unfulfilled, therefore it is a business risk.
Incorrect Answers:
A: This is one of the components of risk. Inherent risk is the risk level or exposure without taking controls or other management actions into account. But here in this stem no description of controls is given, hence it cannot be concluded whether it is an inherent risk or not.
C: Project risks are related to delays in project deliverables. The project activities to design and develop the system exceed the limits of the financial resources set aside for the project. As a result, the project completion will be delayed. They are not related to the fulfillment of business requirements.
D: This is one of the components of risk. Residual risk is the risk that remains after applying controls.
But here in this stem no description of control is given, hence it cannot be concluded whether it is a residual risk or not.
QUESTION 211
John is the project manager of the HGH Project for his company. He and his project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly higher than those of the current vendor. What type of response does John adopt here?
A. Contingent response strategy
B. Risk avoidance
C. Risk mitigation
D. Expert judgment
Correct Answer: A
Section: Volume D
Explanation/Reference:
Explanation:
As in this case John and his team mates have pre-planned the alternative if the vendor were late in placing the order. Therefore, it is a contingent response strategy.
Contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case of their occurrence. Unlike the mitigation planning in which mitigation looks to reduce the probability of the risk and its impact, contingency planning doesn't necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs.
Incorrect Answers:
B: Risk avoidance is the method which involves creating solutions that ensure a specific risk is not realized.
C: Risk mitigation attempts to eliminate or significantly decrease the level of risk present. Here no alternatives are pre-planned.
D: Expert judgment is utilized in developing risk responses, including feedback and guidance from risk management experts and those internal to the project qualified to provide assistance in this process.
QUESTION 212
You work as a project manager for TechSoft Inc. You are working with the project stakeholders on the qualitative risk analysis process in your project. You have used all the tools of the qualitative risk analysis process in your project. Which of the following techniques is NOT used as a tool in the qualitative risk analysis process?
A. Risk Urgency Assessment
B. Risk Reassessment
C. Risk Data Quality Assessment
D. Risk Categorization
Correct Answer: B
Section: Volume D
Explanation/Reference:
Explanation:
You will not need the Risk Reassessment technique to perform qualitative risk analysis. It is one of the techniques used to monitor and control risks.
Incorrect Answers:
A, C, D: The tools and techniques for the Qualitative Risk Analysis process are as follows:
Risk Probability and Impact Assessment: Risk probability assessment investigates the chances of a particular risk occurring.
Risk Impact Assessment investigates the possible effects on the project objectives such as cost, quality, schedule, or performance, including positive opportunities and negative threats.
Probability and Impact Matrix: Estimation of a risk's consequence and priority for awareness is conducted by using a look-up table or the probability and impact matrix. This matrix specifies the mixture of probability and impact that directs to rating the risks as low, moderate, or high priority.
Risk Data Quality Assessment: Investigation of the quality of risk data is a technique to calculate the degree to which the data about risks are useful for risk management.
Risk Categorization: Risks to the project can be categorized by sources of risk, the area of the project affected and other valuable types to decide the areas of the project most exposed to the effects of uncertainty.
Risk Urgency Assessment: Risks that require near-term responses are considered more urgent to address.
Expert Judgment: It is required to categorize the probability and impact of each risk to determine its location in the matrix.
QUESTION 213
Which of the following is the MOST important aspect to ensure that an accurate risk register is maintained?
A. Publish the risk register in a knowledge management platform with workflow features that periodically contacts and polls risk assessors to ensure accuracy of content
B. Perform regular audits by audit personnel and maintain risk register
C. Submit the risk register to business process owners for review and updating
D. Monitor key risk indicators, and record the findings in the risk register
Correct Answer: A
Section: Volume D
Explanation/Reference:
Explanation:
A knowledge management platform with workflow and polling features will automate the process of maintaining the risk register. Hence this ensures that an accurate and updated risk register is maintained.
Incorrect Answers:
B: Audit personnel may not have the appropriate business knowledge in risk assessment, hence cannot properly identify risk. Regular audits may also cause hindrance to the business activities.
C: Business process owners typically cannot effectively identify risk to their business processes. They may not have the ability to be unbiased and may not have the appropriate skills or tools for evaluating risks.
D: Monitoring key risk indicators and recording the findings in the risk register will only provide insights into known and identified risk and will not account for obscure risk, i.e., risk that has not been identified yet.
QUESTION 214
Which of the following tests is BEST to map for confirming the effectiveness of the system access management process?
A. user accounts to human resources (HR) records.
B. user accounts to access requests.
C. the vendor database to user accounts.
D. access requests to user accounts.
Correct Answer: B
Section: Volume D
Explanation/Reference:
Explanation:
Tying user accounts to access requests confirms that all existing accounts have been approved. Hence, the effectiveness of the system access management process can be accounted for.
Incorrect Answers:
A: Tying user accounts to human resources (HR) records confirms whether user accounts are uniquely tied to employees; it does not account for the effectiveness of the system access management process.
C: Tying vendor records to user accounts may confirm valid accounts on an e-commerce application, but it does not consider user accounts that have been established without the supporting access request.
D: Tying access requests to user accounts confirms that all access requests have been processed; however, the test does not consider user accounts that have been established without the supporting access request.
QUESTION 215
Which of the following is the way to verify control effectiveness?
A. The capability of providing notification of failure.
B. Whether it is preventive or detective.
C. Its reliability.
D. The test results of intended objectives.
Correct Answer: D
Section: Volume D
Explanation/Reference:
Explanation:
Control effectiveness requires a process to verify that the control process worked as intended and meets the intended control objectives. Hence the test result of the intended objective helps in verifying the effectiveness of the control.
Incorrect Answers:
A: Notification of failure does not determine control strength, hence this option is not correct.
B: The type of control, like preventive or detective, does not help determine control effectiveness.
C: Reliability is not an indication of control strength; weak controls can be highly reliable, even if they do not meet the control objective.
QUESTION 216
David is the project manager of the HRC project. He concluded while the HRC project was in progress that if he adopted e-commerce, his project could be more fruitful. But he did not engage in electronic commerce (e-commerce) so that he would escape the risk associated with that line of business. What type of risk response has he adopted?
A. Acceptance
B. Avoidance
C. Exploit
D. Enhance
Correct Answer: B
Section: Volume D
Explanation/Reference:
Explanation:
As David did not engage in e-commerce in order to avoid risk, he is following the risk avoidance strategy.
QUESTION 217
Which of the following is the final step in the policy development process?
A. Management approval
B. Continued awareness activities
C. Communication to employees
D. Maintenance and review
Correct Answer: D
Section: Volume D
Explanation/Reference:
Explanation:
Organizations should create a structured ISG document development process. A formal process gives many areas the opportunity to comment on a policy. This is very important for high-level policies that apply to the whole organization. A formal process also makes sure that final policies are communicated to employees. It also provides organizations with a way to make sure that policies are reviewed regularly.
In general, a policy development process should include the following steps:
1. Development
2. Stakeholder review
3. Management approval
4. Communication to employees
5. Documentation of compliance or exceptions
6. Continued awareness activities
7. Maintenance and review
Incorrect Answers:
A, B, C: These are the earlier phases in the policy development process.
QUESTION 218
When does the Identify Risks process take place in a project?
A. At the Planning stage.
B. At the Executing stage.
C. At the Initiating stage.
D. Throughout the project life-cycle.
Correct Answer: D
Section: Volume D
Explanation/Reference:
Explanation:
Identify Risks is the process of determining which risks may affect the project. It also documents risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. Risk Register is the only output of this process.
Incorrect Answers:
A, B, C: The Identify Risks process takes place at all the stages of a project, because risk changes over time.
QUESTION 219
In the project initiation phase of the System Development Life Cycle, there is information on projects initiated by which of the following role carriers?
A. CRO
B. Sponsor
C. Business management
D. CIO
Correct Answer: B
Section: Volume D
Explanation/Reference:
Explanation:
The project initiation section of the SDLC contains information on projects initiated by sponsors, who gather the information required to gain approval for the project to be created.
QUESTION 220
Which of the following are the responsibilities of the Enterprise risk committee?
Each correct answer represents a complete solution. Choose three.
A. React to risk events
B. Analyze risk
C. Risk aware decision
D. Articulate risk
Correct Answer: BCD
Section: Volume D
Explanation/Reference:
Explanation:
Risk-aware decisions, analyzing risk, and articulating risk are the responsibilities of the Enterprise risk committee. They are the executives who are accountable for the enterprise-level collaboration and consensus required to support enterprise risk management (ERM) activities and decisions. An IT risk council may be established to consider IT risk in more detail and advise the enterprise risk committee. The ERC ensures that these activities are completed successfully.
Incorrect Answers:
A: ERM is not responsible for reacting to risk events. Business process owners are accountable for this task.
QUESTION 221
You are the project manager of the NHQ project in Bluewell Inc. The project has an asset valued at $200,000 and is subjected to an exposure factor of 45 percent. If the annual rate of occurrence of loss in this project is once a month, then what will be the Annual Loss Expectancy (ALE) of the project?
A. $ 2,160,000
B. $ 95,000
C. $ 108,000
D. $ 90,000
Correct Answer: C
Section: Volume D
Explanation/Reference:
Explanation:
The ALE of this project will be $ 108,000.
Single Loss Expectancy is a term related to Quantitative Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as follows:
SLE = Asset value * Exposure factor
Therefore,
SLE = 200,000 * 0.45
= $ 90,000
As the loss occurs once every month, the ARO is 12. Now ALE can be calculated as follows:
ALE = SLE * ARO
= 90,000 * 12 = $ 108,000
QUESTION 222
You are the program manager for your organization and you are working with Alice, a project manager in your program. Alice calls you and insists that you add a change to the program scope. You agree to the change. What must Alice do to move forward with her change request?
A. Add the change to the program scope herself, as she is a project manager
B. Create a change request charter justifying the change request
C. Document the change request in a change request form.
D. Add the change request to the scope and complete integrated change control
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
Explanation:
Change requests must be documented to be considered. Alice should create a change request form and follow the procedures of the change control system.
QUESTION 223
In which of the following conditions do business units tend to point the finger at IT when projects are not delivered on time?
A. Threat identification in project
B. System failure
C. Misalignment between real risk appetite and translation into policies
D. Existence of a blame culture
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Explanation:
In a blame culture, business units tend to point the finger at IT when projects are not delivered on time or do not meet expectations. In doing so, they fail to realize how the business unit's involvement up front affects project success. In extreme cases, the business unit may assign blame for a failure to meet the expectations that the unit never clearly communicated.
Incorrect Answers:
A, B, C: These are not relevant to business units pointing the finger at IT when projects are not delivered on time.
QUESTION 224
Which of the following methods involves the use of predictive or diagnostic analytical tools for exposing risk factors?
A. Scenario analysis
B. Sensitivity analysis
C. Fault tree analysis
D. Cause and effect analysis
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Explanation:
Cause-and-effect analysis involves the use of predictive or diagnostic analytical tools for exploring the root causes or factors that contribute to positive or negative effects or outcomes. These tools also help in identifying potential risk.
Incorrect Answers:
A: Scenario analysis is not a method for exposing risk factors; it is used for analyzing scenarios.
B: Sensitivity analysis is the quantitative risk analysis technique that:
Assists in determining the risk factors that have the most potential impact
Examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values
C: Fault tree analysis (FTA) is a technique that provides a systematic description of the combinations of possible occurrences in a system that can result in an undesirable outcome. It combines hardware failures and human failures.
QUESTION 225
Sammy is the project manager for her organization. She would like to rate each risk based on its probability and its effect on time, cost, and scope. Harry, a project team member, has never done this before and thinks Sammy is wrong to attempt this approach. Harry says that a cumulative risk score should be created, not three separate risk scores. Who is correct in this scenario?
A. Sammy is correct, because she is the project manager.
B. Sammy is correct, because organizations can create risk scores for each objective of the project.
C. Harry is correct, the risk probability and impact matrix is the only approach to risk assessment.
D. Harry is correct, because the risk probability and impact considers all objectives of the project.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
Explanation:
Sammy certainly can create an assessment for a risk event for time, cost, and scope. A risk event may affect just one objective or several, so an assessment per objective is acceptable.
Incorrect Answers:
A: Just because Sammy is the project manager, it does not follow that she is right.
C: Harry is incorrect, as there are multiple approaches to risk assessment for a project.
D: Harry's reasoning is flawed, as each objective can be reviewed for the risk's impact rather than the total project.
QUESTION 226
Which of the following is MOST important when developing key performance indicators (KPIs)?
A. Alignment to management reports
B. Alignment to risk responses
C. Alerts when risk thresholds are reached
D. Identification of trends
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Explanation:
Monitor and analyze key performance indicators (KPIs) to identify changes or trends related to the control environment and determine the efficiency and effectiveness of controls.
Reference: https://m.isaca.org/Certification/Addit ... g_0117.pdf
QUESTION 227
Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?
A. Availability of in-house resources
B. Completeness of system documentation
C. Variances between planned and actual cost
D. Results of end user acceptance testing
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 228
An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?
A. The vendor will not achieve best practices
B. The vendor will not ensure against control failure
C. The controls may not be properly tested
D. Lack of a risk-based approach to access control
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 229
Which of the following activities would BEST facilitate effective risk management throughout the organization?
A. Performing a business impact analysis
B. Performing frequent audits
C. Reviewing risk-related process documentation
D. Conducting periodic risk assessments
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 230
When reviewing management’s IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
A. Propose mitigating controls
B. Assess management’s risk tolerance
C. Recommend management accept the low risk scenarios
D. Re-evaluate the risk scenarios associated with the control
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 231
When an organization’s disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied?
A. Transfer
B. Avoidance
C. Acceptance
D. Mitigation
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 232
The BEST reason to classify IT assets during a risk assessment is to determine the:
A. appropriate level of protection
B. enterprise risk profile
C. priority in the risk register
D. business process owner
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 233
A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
A. identifying risk mitigation controls
B. documenting the risk scenarios
C. validating the risk scenarios
D. updating the risk register
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 234
Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
A. Management approval
B. Automation
C. Annual review
D. Relevance
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 235
What should be PRIMARILY responsible for establishing an organization’s IT risk culture?
A. Risk management
B. IT management
C. Business process owner
D. Executive management
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Reference: https://www.casact.org/education/infocu ... 2190_0.pdf
QUESTION 236
Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?
A. Improved senior management communication
B. Enhanced awareness of risk management
C. Optimized risk treatment decisions
D. Improved collaboration among risk professionals
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 237
After a high-profile systems breach at an organization’s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor’s control environment?
A. External audit
B. Internal audit
C. Vendor performance scorecard
D. Regulatory examination
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 238
A change management process has recently been updated with new testing procedures. The NEXT course of action is to:
A. communicate to those who test and promote changes
B. assess the maturity of the change management process
C. conduct a cost-benefit analysis to justify the cost of the control
D. monitor processes to ensure recent updates are being followed
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 239
For a large software development project, risk assessments are MOST effective when performed:
A. during the development of the business case
B. at each stage of the SDLC
C. at system development
D. before system development begins
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 240
All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:
A. outsource disaster recovery to an external provider
B. select a provider to standardize the disaster recovery plans
C. evaluate opportunities to combine disaster recovery plans
D. centralize the risk response function at the enterprise level
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 241
Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?
A. An access control list
B. An acceptable usage policy
C. An intrusion detection system (IDS)
D. A data extraction tool
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 242
Which of the following would require updates to an organization’s IT risk register?
A. Discovery of an ineffectively designed key IT control
B. Management review of key risk indicators (KRIs)
C. Changes to the team responsible for maintaining the register
D. Completion of the latest internal audit
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 243
IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:
A. historical risk assessments
B. key risk indicators (KRIs)
C. the cost associated with each control
D. information from the risk register
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 244
When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
A. Exception handling policy
B. Benchmarking assessments
C. Vulnerability assessment results
D. Risk analysis results
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 245
A program manager has completed an unsuccessful disaster recovery test. Which of the following should the risk practitioner recommend as the NEXT course of action?
A. Identify what additional controls are needed
B. Update the business impact analysis (BIA)
C. Prioritize issues noted during the testing window
D. Communicate test results to management
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 246
Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?
A. The number of vulnerabilities to the system
B. The level of acceptable risk to the organization
C. The organization’s available budget
D. The number of threats to the system
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 247
When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:
A. key risk indicators (KRIs) with risk appetite of the business
B. the control key performance indicators (KPIs) with audit findings
C. control performance with risk tolerance of business owners
D. information risk assessments with enterprise risk assessments
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 248
The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner’s BEST recommendation?
A. Implement training on coding best practices
B. Perform a code review
C. Perform a root cause analysis
D. Implement version control software
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 249
Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?
A. Ability to predict trends
B. Ongoing availability of data
C. Availability of automated reporting systems
D. Ability to aggregate data
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 250
Which of the following provides an organization with the MOST insight with regard to operational readiness associated with risk?
A. Capability maturity assessment results
B. Minutes of the enterprise risk committee meetings
C. Benchmarking against industry standards
D. Self-assessment of capabilities
Correct Answer: D Section: Volume D Explanation
Explanation/Reference: