Governance for CRISC
This page covers the Governance domain of the CRISC certification. Master Cybersecurity offers 319 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
What are the requirements for creating risk scenarios? Each correct answer represents a part of the solution. (Choose three.)
- A. Determination of cause and effect
- B. Determination of the value of business process at risk
- C. Potential threats and vulnerabilities that could cause loss
- D. Determination of the value of an asset
Explanation
The correct answers are: B. Determination of the value of business process at risk, C. Potential threats and vulnerabilities that could cause loss, D. Determination of the value of an asset.
The three requirements for creating risk scenarios are determining the value of the business process at risk, identifying the potential threats and vulnerabilities that could cause loss, and determining the value of the asset involved, because together these elements describe what is at stake, what could go wrong, and how much the loss would matter. The value of the business process establishes why the scenario matters in business terms. Potential threats and vulnerabilities define the causative mechanism that turns the scenario from hypothesis to plausible event. The value of the asset provides the magnitude reference that makes impact calculable. Determination of cause and effect alone is too narrow because it lacks the value reference required to evaluate scenario significance. ISACA Risk IT specifically lists value-of-process, threat-vulnerability pairs, and asset value as the trio that makes a scenario useful for analysis.
Question 2
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
- A. Resource Management Plan
- B. Risk Management Plan
- C. Stakeholder management strategy
- D. Communications Management Plan
Explanation
The correct answer is: D. Communications Management Plan.
The Communications Management Plan is the project document that defines who will be available to share information on the project, including project risks, because it specifies the audiences, channels, frequency, and responsible parties for every information flow on the project. The Resource Management Plan defines what people and material resources the project needs but not how information is shared among them. The Risk Management Plan defines how risk will be identified, analysed, and responded to but typically points to the communications plan for the who-shares-with-whom detail. The Stakeholder Management Strategy describes how stakeholder engagement will be managed but again leaves the operational communication mechanics to the communications plan. PMBOK explicitly assigns this role to the Communications Management Plan.
Question 3
Which of the following is NOT true for risk management capability maturity level 1?
- A. There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk
- B. Decisions involving risk lack credible information
- C. Risk appetite and tolerance are applied only during episodic risk assessments
- D. Risk management skills exist on an ad hoc basis, but are not actively developed
Explanation
The correct answer is: B. Decisions involving risk lack credible information.
Risk-IT maturity level 1 — Initial or Ad Hoc — describes an organization that recognises risk needs to be managed but treats it as a technical concern handled in isolated pockets. At this level it is normal for risk appetite and tolerance to surface only during occasional risk assessments, for skills to exist in isolated individuals rather than as a developed competency, and for the business to focus primarily on the downside of IT risk. What does not specifically characterise level 1 is the absence of credible information for risk decisions — even higher-maturity organizations frequently report decision-grade information gaps, and conversely some level-1 organizations do have credible data within the narrow pockets where they operate. The other three statements are direct paraphrases of the level-1 description, so they are true and the credible-information statement is the false one in the set.
Question 4
What are the two MAJOR factors to be considered while deciding risk appetite level? Each correct answer represents a part of the solution. (Choose two.)
- A. The amount of loss the enterprise wants to accept
- B. Alignment with risk-culture
- C. Risk-aware decisions
- D. The capacity of the enterprise's objective to absorb loss.
Explanation
The correct answers are: A. The amount of loss the enterprise wants to accept, D. The capacity of the enterprise's objective to absorb loss.
The two major factors in deciding risk appetite are the amount of loss the enterprise is willing to accept and the capacity of the enterprise's objective to absorb that loss; together they define the boundary between losses that are tolerable and losses that would harm objectives. Willingness without capacity produces an unsustainable appetite that exceeds what the enterprise can survive, while capacity without a willingness statement leaves treatment decisions ungoverned. Alignment with risk culture is a downstream consideration that influences how appetite is communicated and applied, not how the level is set. Risk-aware decision making is the consequence of having appetite in place rather than a factor in choosing it. ISACA Risk IT and COSO ERM both frame appetite as a willingness-and-capacity statement issued by the board.
Question 5
Which of the following is the MOST effective inhibitor of relevant and efficient communication?
- A. A false sense of confidence at the top on the degree of actual exposure related to IT and lack of a well-understood direction for risk management from the top down
- B. The perception that the enterprise is trying to cover up known risk from stakeholders
- C. Existence of a blame culture
- D. Misalignment between real risk appetite and translation into policies
Explanation
The correct answer is: C. Existence of a blame culture.
The existence of a blame culture is the most effective inhibitor of relevant and efficient risk communication because in a blame culture people learn to withhold, downplay, or distort information to avoid consequences, which destroys the trustworthy data flow that risk management depends on. A false sense of confidence at the top with lack of direction is harmful but is often a symptom of a blame culture rather than the underlying inhibitor. The perception that the enterprise is covering up risk damages stakeholder communication but is again typically downstream of a blame culture inside the organisation. Misalignment between real appetite and policies creates inconsistency but does not by itself silence the people who would otherwise communicate. ISACA Risk IT explicitly identifies blame culture as the single most effective destroyer of risk communication.
Other CRISC domains
- Information Technology and Security (328 questions)
- IT Risk Assessment (368 questions)
- Risk Response and Reporting (881 questions)