CRISC Certified in Risk and Information Systems Control Exam Set 3

Which of the following types of risk could result in bankruptcy?


Options are :

  • Catastrophic (Correct)
  • Negligible
  • Critical
  • Marginal

Answer : Catastrophic

You are completing the qualitative risk analysis process with your project team and are relying on the risk management plan to help you determine the budget, the schedule for risk management, and the risk categories. You discover that the risk categories have not been created. When should the risk categories have been created?


Options are :

  • Risk identification process
  • Plan risk management process (Correct)
  • Create work breakdown structure process
  • Define scope process

Answer : Plan risk management process

You are working as a project manager at Bluewell Inc. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control?


Options are :

  • Qualitative risk analysis
  • Risk audits
  • Requested changes (Correct)
  • Quantitative risk analysis

Answer : Requested changes

What is the IMMEDIATE step after defining a set of risk scenarios?


Options are :

  • Risk mitigation
  • Risk management
  • Risk monitoring
  • Risk analysis (Correct)

Answer : Risk analysis

Risks with low ratings of probability and impact are included for future monitoring in which of the following?


Options are :

  • Risk register
  • Risk alarm
  • Watch-list (Correct)
  • Observation list

Answer : Watch-list

You are working in an enterprise. Your project deals with important files that are stored on a computer. You have identified the risk of the failure of operations. To address this risk of failure, you have required the system administrator to sign off on the daily backup. This scenario is an example of which of the following?


Options are :

  • Risk acceptance
  • Risk avoidance
  • Risk transference
  • Risk mitigation (Correct)

Answer : Risk mitigation

You work as a Project Manager for www.company.com Inc. You have to measure the probability, impact, and risk exposure. Then, you have to measure how the selected risk response can affect the probability and impact of the selected risk event. Which of the following tools will help you to accomplish the task?


Options are :

  • Project network diagrams
  • Cause-and-effect diagrams
  • Delphi technique
  • Decision tree analysis (Correct)

Answer : Decision tree analysis
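Decision tree analysis compares risk responses by expected monetary value (EMV): each response is a decision branch with an up-front cost, leading to a chance node whose branches carry the probability and impact the response leaves behind. The following is an added example, not part of the original question set; all figures (the outage probabilities, the US $500,000 impact, the response costs and the insurance deductible) are constructed for illustration.

```python
"""Decision tree analysis of risk responses by expected monetary value (EMV).

Added example with constructed figures; impacts are in dollars, negative = loss.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One branch of a chance node: its probability and monetary impact."""
    label: str
    probability: float
    impact: float


@dataclass(frozen=True)
class Response:
    """One decision branch: a risk response, its cost, and the chance node it leads to."""
    name: str
    cost: float
    outcomes: tuple  # tuple of Outcome, probabilities must sum to 1.0


def risk_exposure(outcomes):
    """Probability-weighted impact of a chance node (EMV before the response cost)."""
    total = sum(o.probability for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"branch probabilities sum to {total}, expected 1.0")
    return sum(o.probability * o.impact for o in outcomes)


def emv(response):
    """EMV of choosing this response: its cost plus the exposure that remains after it."""
    return -response.cost + risk_exposure(response.outcomes)


def best_response(responses):
    """The response with the highest (least negative) EMV."""
    return max(responses, key=emv)


# Constructed scenario (hypothetical figures): a half-day outage of a revenue-producing site.
ACCEPT = Response("accept", cost=0.0, outcomes=(
    Outcome("outage", 0.30, -500_000.0),
    Outcome("no outage", 0.70, 0.0),
))
# Mitigation lowers the probability of the event but not its impact.
MITIGATE = Response("mitigate (traffic scrubbing)", cost=40_000.0, outcomes=(
    Outcome("outage", 0.05, -500_000.0),
    Outcome("no outage", 0.95, 0.0),
))
# Transference leaves the probability alone but caps the impact at the deductible.
TRANSFER = Response("transfer (insurance, deductible)", cost=30_000.0, outcomes=(
    Outcome("outage", 0.30, -100_000.0),
    Outcome("no outage", 0.70, 0.0),
))
RESPONSES = (ACCEPT, MITIGATE, TRANSFER)


def summary():
    """EMV of every response, keyed by response name."""
    return {r.name: emv(r) for r in RESPONSES}


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:36s} EMV = {value:>12,.0f}")
    print("best:", best_response(RESPONSES).name)
```

The point the tree makes visible is that the cheapest-looking response is not automatically the best one: acceptance costs nothing up front but carries the full exposure, while mitigation and transference each trade a known cost for a smaller residual exposure, and the EMV is what lets the two be compared on one scale.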

What is the PRIMARY objective difference between an internal and an external risk management assessment reviewer?


Options are :

  • In independence (Correct)
  • In ease of access
  • In profession
  • In quality of work

Answer : In independence

Which of the following can be used to produce a comprehensive result when performing qualitative risk analysis?


Options are :

  • Value of information assets.
  • Vulnerability assessment
  • Scenarios with threats and impacts (Correct)
  • Cost-benefit analysis

Answer : Scenarios with threats and impacts

You are the project manager of the HGT project. You have identified project risks and applied an appropriate response to mitigate them. You notice a new risk that arises as a result of applying the response. What is this resulting risk known as?


Options are :

  • Secondary risk (Correct)
  • High risk
  • Pure risk
  • Response risk

Answer : Secondary risk

Which of the following are outputs of the risk response process?


Options are :

  • Risk-related contract decisions (Correct)
  • Risk register updates (Correct)
  • Project management plan and Project document updates (Correct)
  • Residual risk
  • Risk Priority Number

Answer : Risk-related contract decisions; Risk register updates; Project management plan and Project document updates

You are the project manager of the GHT project. You have applied a control to prevent unauthorized changes in your project. Which of the following controls would you have applied for this purpose?


Options are :

  • Access control
  • Physical and environment protection control
  • Personnel security control
  • Configuration management control (Correct)

Answer : Configuration management control

Which of the following actions assures management that the organization's objectives are protected from the occurrence of risk events?


Options are :

  • Risk management
  • Internal control (Correct)
  • Risk assessment
  • Hedging

Answer : Internal control

You are the product manager in your enterprise. You have identified that new technologies, products and services are introduced into your enterprise from time to time. What should be done to prevent these changes from degrading the efficiency and effectiveness of controls?


Options are :

  • Receive timely feedback from risk assessments and through key risk indicators, and update controls (Correct)
  • Nothing, efficiency and effectiveness of controls are not affected by these changes
  • Add more controls
  • Perform Business Impact Analysis (BIA)

Answer : Receive timely feedback from risk assessments and through key risk indicators, and update controls

There are four inputs to the Monitoring and Controlling Project Risks process. Which one of the following will NOT help you, the project manager, to prepare for risk monitoring and controlling?


Options are :

  • Work Performance Information
  • Risk register
  • Project management plan
  • Change requests (Correct)

Answer : Change requests

You are the project manager of the HWD project. It requires the installation of some electrical machines. You and the project team decide to hire an electrician, as the electrical work would be too dangerous for the team to perform. What type of risk response are you following?


Options are :

  • Transference (Correct)
  • Acceptance
  • Mitigation
  • Avoidance

Answer : Transference

Suppose you are working at Techmart Inc., which sells various products through its website. Due to some recent losses, you are trying to identify the most important risks to the website. Based on feedback from several experts, you have come up with a list. You now want to prioritize these risks. In which category would you put the risk of modification of the website by unauthorized parties?


Options are :

  • Denial of service attack
  • Ping Flooding Attack
  • Web defacing (Correct)
  • FTP Bounce Attack

Answer : Web defacing

Which of the following is NOT true for risk governance?


Options are :

  • Risk governance seeks to reduce risk exposure and vulnerability by filling gaps in risk policy.
  • Risk governance is a systemic approach to decision-making processes associated with natural and technological risks.
  • Risk governance is based on the principles of cooperation, participation, mitigation and sustainability, and is adopted to achieve more effective risk management.
  • Risk governance requires reporting once a year. (Correct)

Answer : Risk governance requires reporting once a year.

Which of the following techniques examines the degree to which organizational strengths offset threats and opportunities that may serve to overcome weaknesses?


Options are :

  • Delphi
  • Expert Judgment
  • SWOT Analysis (Correct)
  • Brainstorming

Answer : SWOT Analysis

Which of the following are external risk factors? Each correct answer represents a complete solution. Choose three.


Options are :

  • Competition (Correct)
  • Geopolitical situation (Correct)
  • Market (Correct)
  • Complexity of the enterprise

Answer : Competition; Geopolitical situation; Market

Which of the following guidelines should be followed for effective risk management? Each correct answer represents a complete solution. Choose three.


Options are :

  • Promote and support consistent performance in risk management
  • Promote fair and open communication (Correct)
  • Focus on the enterprise's objectives (Correct)
  • Balance the costs and benefits of managing risk (Correct)

Answer : Promote fair and open communication; Focus on the enterprise's objectives; Balance the costs and benefits of managing risk

Which of the following steps ensure effective communication of the risk analysis results to relevant stakeholders? Each correct answer represents a complete solution. Choose three.


Options are :

  • Communicate the risk-return context clearly (Correct)
  • Communicate only the negative impacts of events, as they need more consideration
  • Provide decision makers with an understanding of worst-case and most probable scenarios, due diligence exposures and significant reputation, legal or regulatory considerations (Correct)
  • The results should be reported in terms and formats that are useful to support business decisions (Correct)

Answer : Communicate the risk-return context clearly; Provide decision makers with an understanding of worst-case and most probable scenarios, due diligence exposures and significant reputation, legal or regulatory considerations; The results should be reported in terms and formats that are useful to support business decisions

You are the risk professional of your enterprise. You need to calculate the potential revenue loss if a certain risk occurs. Your enterprise has an electronic commerce (e-commerce) website that produces US $1 million of revenue each day. If a denial of service (DoS) attack occurs that lasts half a day, how much revenue is lost?


Options are :

  • US $250,000 loss
  • US $500,000 loss (Correct)
  • US $100,000 loss
  • US $1 million loss

Answer : US $500,000 loss

According to Section 302 of the Sarbanes-Oxley Act of 2002, what does certification of reports imply? Each correct answer represents a complete solution. Choose three.


Options are :

  • The signing officer has presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date. (Correct)
  • The signing officer has reviewed the report. (Correct)
  • The financial statement does not contain any materially untrue or misleading information. (Correct)
  • The signing officer has evaluated the effectiveness of the issuer's internal controls as of a date at the time to report.

Answer : The signing officer has presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date; The signing officer has reviewed the report; The financial statement does not contain any materially untrue or misleading information.

You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?


Options are :

  • Risk register (Correct)
  • Risk management plan
  • Risk log
  • Project management plan

Answer : Risk register

Which of the following is the MOST appropriate method to evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives?


Options are :

  • Compliance-oriented business impact analysis (Correct)
  • Compliance-oriented gap analysis
  • Mapping of compliance requirements to policies and procedures
  • Communication with business process stakeholders

Answer : Compliance-oriented business impact analysis

You are the project manager for BlueWell Inc. You have noticed that the risk level in your project has risen above the risk tolerance level of your enterprise. You have applied several risk responses. Now you have to update the risk register in accordance with the risk response process. All of the following are included in the risk register except for which item?


Options are :

  • Risk triggers
  • Risk owners and their responsibility
  • Network diagram analysis of critical path activities (Correct)
  • Agreed-upon response strategies

Answer : Network diagram analysis of critical path activities

One of the risk events you've identified is classified as force majeure. What risk response is likely to be used?


Options are :

  • Acceptance (Correct)
  • Enhance
  • Transference
  • Mitigation

Answer : Acceptance

Which of the following is an output of the risk assessment process?


Options are :

  • Identification of appropriate controls (Correct)
  • Identification of risk
  • Enterprise left with residual risk
  • Mitigated risk

Answer : Identification of appropriate controls

Which of the following statements are true for risk communication? Each correct answer represents a complete solution. Choose three.


Options are :

  • It addresses the issue of what a stakeholder does, not just what it says. (Correct)
  • It requires a practical and deliberate scheduling approach to identify stakeholders, actions, and concerns. (Correct)
  • It requires investigation and interconnectivity of procedural, legal, social, political, and economic factors. (Correct)
  • It helps in allocating the information concerning risk among the decision-makers

Answer : It addresses the issue of what a stakeholder does, not just what it says; It requires a practical and deliberate scheduling approach to identify stakeholders, actions, and concerns; It requires investigation and interconnectivity of procedural, legal, social, political, and economic factors.
