The PRIMARY objective for selecting risk response options is to:
reduce risk 10 an acceptable level.
identify compensating controls.
minimize residual risk.
reduce risk factors.
The primary objective for selecting risk response options is to reduce risk to an acceptable level. Risk response options are the possible actions that can be taken to address the risks that have been identified and analyzed in the risk management process. Risk response options can be classified into four categories: avoid, transfer, mitigate, and accept for negative risks (or threats), and exploit, share, enhance, and accept for positive risks (or opportunities). The selection of the risk response options depends on various factors, such as the risk level, the risk appetite and tolerance, the cost and benefit, and the feasibility and availability of the options. The main goal of selecting the risk response options is to reduce the risk to a level that is acceptable to the organization, which means that the risk exposure is within the boundaries of the risk criteria and the risk appetite. The other options are not the primary objective for selecting risk response options, although they may be related or beneficial. Identifying compensating controls is a technique to implement additional or alternative controls when the existing controls are not effective or sufficient to reduce the risk to an acceptable level. Minimizing residual risk is a result of selecting and implementing the risk response options, but it is not the main purpose. Residual risk is the risk that remains after the risk response, and it may or may not be acceptable depending on the risk appetite and tolerance. Reducing risk factors is a method to decrease the likelihood or impact of the risk by addressing the root causes or sources of the risk. However, reducing risk factors does not necessarily mean that the risk is reduced to an acceptable level, as there may be other factors or uncertainties that affect the risk. References = CRISC Review Manual, pages 32-331; CRISC Review Questions, Answers & Explanations Manual, page 862
Which of the following is the BEST method to identify unnecessary controls?
Evaluating the impact of removing existing controls
Evaluating existing controls against audit requirements
Reviewing system functionalities associated with business processes
Monitoring existing key risk indicators (KRIs)
The best method to identify unnecessary controls is reviewing system functionalities associated with business processes, because this can help to determine whether the controls are relevant, effective, and efficient for the current business needs and objectives. System functionalities are the capabilities and features of IT systems that support the execution and performance of business processes. Business processes are the set of interrelated activities that transform inputs into outputs to deliver value to customers or stakeholders. By reviewing system functionalities associated with business processes, an organization can assess whether the controls are aligned with the process requirements, expectations, and outcomes, and whether they add value or create waste. The review can also identify any gaps, overlaps, redundancies, or conflicts among the controls, and any changes or improvements that are needed to optimize the controls. The other options are less effective methods to identify unnecessary controls. Evaluating the impact of removing existing controls can help to measure the benefits and costs of the controls, but it does not address the root causes or sources of the unnecessary controls. Evaluating existing controls against audit requirements can help to ensure compliance and assurance, but it does not consider the business context or purpose of the controls. Monitoring existing key risk indicators (KRIs) can help to measure the level and impact of risks, but it does not evaluate the suitability or adequacy of the controls. References = Surveying Staff to Identify Unnecessary Internal Controls - Methodology and Results
The MOST effective way to increase the likelihood that risk responses will be implemented is to:
create an action plan
assign ownership
review progress reports
perform regular audits.
Risk responses are the actions or strategies that are taken to address the risks that may affect the organization’s objectives, performance, or value creation12.
The most effective way to increase the likelihood that risk responses will be implemented is to assign ownership, which is the process of identifying and appointing the individuals or groups who are responsible and accountable for the execution and monitoring of the risk responses34.
Assigning ownership is the most effective way because it ensures the clarity and commitment of the roles and responsibilities for the risk responses, and avoids the confusion or ambiguity that may arise from the lack of ownership34.
Assigning ownership is also the most effective way because it enhances the communication and collaboration among the stakeholders involved in the risk responses, and provides the feedback and input that are necessary for the improvement and optimization of the risk responses34.
The other options are not the most effective way, but rather possible steps or tools that may support or complement the assignment of ownership. For example:
Creating an action plan is a step that involves defining and documenting the specific tasks, resources, timelines, and deliverables for the risk responses34. However, this step is not the most effective way because it does not guarantee the implementation of the risk responses, especially if there is no clear or agreed ownership for the action plan34.
Reviewing progress reports is a tool that involves collecting and analyzing the information and data on the status and performance of the risk responses, and identifying the issues or gaps that need to be addressed34. However, this tool is not the most effective way because it does not ensure the implementation of the risk responses, especially if there is no ownership for the progress reports or the corrective actions34.
Performing regular audits is a tool that involves conducting an independent and objective assessment of the adequacy and effectiveness of the risk responses, and providing the findings and recommendations for improvement56. However, this tool is not the most effective way because it does not ensure the implementation of the risk responses, especially if there is no ownership for the audit results or the follow-up actions56. References =
1: Risk IT Framework, ISACA, 2009
2: IT Risk Management Framework, University of Toronto, 2017
3: Risk Response Plan in Project Management: Key Strategies & Tips1
4: ProjectManagement.com - How to Implement Risk Responses2
5: IT Audit and Assurance Standards, ISACA, 2014
6: IT Audit and Assurance Guidelines, ISACA, 2014
Establishing and organizational code of conduct is an example of which type of control?
Preventive
Directive
Detective
Compensating
According to the CRISC Review Manual (Digital Version), establishing an organizational code of conduct is an example of a directive control, which is a type of control that guides or steers the behavior of individuals or processes to achieve desired outcomes. A directive control aims to influence or encourage compliance with the organization’s policies, standards, procedures, and guidelines. A directive control can also communicate the organization’s values, ethics, and expectations to its stakeholders. A directive control can take various forms, such as:
Codes of conduct or ethics
Policies or manuals
Training or awareness programs
Job descriptions or roles and responsibilities
Performance appraisals or incentives
Supervision or oversight
References = CRISC Review Manual (Digital Version), Chapter 2: IT Risk Assessment, Section 2.4: IT Risk Scenarios, pp. 105-1061
Copyright © 2021-2025 CertsTopics. All Rights Reserved
