Risk Response and Reporting for CRISC

This page covers the Risk Response and Reporting domain of the CRISC certification. Master Cybersecurity offers 881 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  Question 1

    Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?
    A. In order to avoid risk
    B. Complex metrics require fine-tuning
    C. Risk reports need to be timely
    D. Threats and vulnerabilities change over time
    Explanation

    The correct answer is: D. Threats and vulnerabilities change over time.

    Threats and vulnerabilities changing over time is the most important reason to maintain KRIs because the indicators chosen at one point in time may track signals that no longer reflect current exposure, and continuous maintenance keeps the KRI set aligned with the moving landscape of risks the organization actually faces. ISACA Risk IT treats KRI maintenance as an ongoing design discipline driven by environmental change. Avoiding risk is one possible treatment outcome but KRIs do not by themselves avoid risk; they monitor it, and maintenance keeps the monitoring aligned. Complex metrics requiring fine-tuning is a practical maintenance reason but is operationally narrower than the strategic driver of changing threats and vulnerabilities. Risk reports needing to be timely is a reporting-cadence requirement that depends on the data feed; timeliness is necessary but does not capture why the underlying KRIs must be maintained, which is to ensure they continue tracking what matters as the environment evolves.

  Question 2

    You are the project manager of GHT project. You have identified a risk event on your project that could save $100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event?
    A. This risk event should be mitigated to take advantage of the savings.
    B. This is a risk event that should be accepted because the rewards outweigh the threat to the project.
    C. This risk event should be avoided to take full advantage of the potential savings.
    D. This risk event is an opportunity to the project and should be exploited.
    Explanation

    The correct answer is: D. This risk event is an opportunity to the project and should be exploited.

    A risk event that could save the project $100,000 if it occurs is a positive risk — an opportunity — and should be exploited, the response option chosen when the project wants to maximize the chance the opportunity materializes. Exploit is one of the four canonical responses to positive risk alongside enhance, share, and accept. Mitigating to take advantage of the savings is wrong terminology; mitigation reduces likelihood or impact of negative risk, while opportunities call for exploit or enhance. Accepting because rewards outweigh threat misclassifies the situation as a negative risk being weighed against gains; the framing of the event as a possible $100,000 saving is positive risk specifically. Avoiding to take advantage of savings is contradictory; avoiding the risk would prevent the opportunity from being realized, which is the opposite of taking advantage of the savings the question describes.

  Question 3

    You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has a rating for occurrence, severity, and detection of 4, 5, and 6, respectively. What Risk Priority Number (RPN) would you give to it?
    A. 120
    B. 100
    C. 15
    D. 30
    Explanation

    The correct answer is: A. 120.

    The Risk Priority Number is calculated by multiplying occurrence, severity, and detection ratings, yielding 4 times 5 times 6 equals 120. The FMEA methodology defined in IEC 60812 and used in CRISC risk-prioritization material treats RPN as a product of these three factors so that risks with high occurrence, high severity, or low detectability accumulate a larger number and rise in priority. A value of 100 would be the product of 4 by 5 by 5 or 5 by 4 by 5, which does not match the inputs in the question. A value of 15 would be the sum of 4 plus 5 plus 6, which is the wrong arithmetic operation for RPN. A value of 30 would be 5 multiplied by 6, ignoring the occurrence factor of 4, which is also incorrect. The product-based formula is the canonical RPN computation and yields 120 for the given inputs.

  Question 4

    Which of the following is the MOST important use of KRIs?
    A. Providing a backward-looking view on risk events that have occurred
    B. Providing an early warning signal
    C. Providing an indication of the enterprise's risk appetite and tolerance
    D. Enabling the documentation and analysis of trends
    Explanation

    The correct answer is: B. Providing an early warning signal.

    The most important use of key risk indicators is providing an early warning signal because KRIs are designed as forward-looking metrics that move ahead of the underlying risk event and give the risk owner time to act before exposure materialises. ISACA Risk IT defines KRI value primarily by this lead-time characteristic, since after-the-fact data cannot prevent the loss. Providing a backward-looking view on risk events that have occurred is the function of incident and loss reporting rather than of KRIs. Providing an indication of risk appetite and tolerance is a governance artefact: appetite and tolerance are set as separate statements and inform where KRI thresholds are calibrated. Enabling the documentation and analysis of trends is a useful capability that KRIs support, but trend analysis is the analytical use of the indicator data; the early-warning purpose is what makes KRIs worth running in the first place.

  Question 5

    Which of the following role holders will decide the key risk indicators of the enterprise? Each correct answer represents a part of the solution. Choose two.
    A. Business leaders
    B. Senior management
    C. Human resources
    D. Chief financial officer
    Explanation

    The correct answers are: A. Business leaders, B. Senior management.

    Business leaders and senior management decide the key risk indicators of the enterprise because they are the parties with authority over the strategic objectives the KRIs must support and the appetite and tolerance the indicators must be calibrated to. ISACA Risk IT places KRI selection authority with these roles, since the indicators are governance instruments that translate strategic posture into ongoing monitoring. Human resources has expertise relevant to specific people-risk indicators but is not the decision-maker for the enterprise-wide KRI set. The chief financial officer is a member of senior management and would contribute as such, but a CFO acting alone does not have the breadth to choose enterprise KRIs; the broader senior management and business leadership group is the appropriate decision body.
