CRISC Risk and Control Monitoring and Reporting

Question 1

What is the primary purpose of continuous risk monitoring in CRISC?

Accepted Answer

To detect changes in the risk environment and verify that controls remain effective over time

Answer

To replace periodic risk assessments entirely

Answer

To document incidents for regulatory reporting purposes only

Answer

To monitor employee compliance with acceptable use policies

Question 2

What is a Key Risk Indicator (KRI)?

Accepted Answer

A metric that provides early warning signals of increasing risk exposure

Answer

A measure of how effective a specific control is operating

Answer

A financial report summarizing IT costs

Answer

A checklist used during security audits

Question 3

How does a KRI differ from a Key Performance Indicator (KPI)?

Accepted Answer

KRIs indicate potential future risk exposure; KPIs measure current control and process performance

Answer

KPIs are used only in financial reporting; KRIs apply only to IT systems

Answer

Both measure the same thing but use different scales

Answer

KRIs measure past incidents; KPIs predict future risk

Question 4

What information should a risk report to senior management typically include?

Accepted Answer

Current risk status, changes since last reporting period, KRI trends, and recommendations for action

Answer

Only a list of all identified risks without prioritization

Answer

Technical details of every vulnerability found during the period

Answer

Detailed firewall configuration settings

Question 5

What is the purpose of a control self-assessment (CSA)?

Accepted Answer

To allow process owners to evaluate the effectiveness of controls over their own activities

Answer

To replace external audits entirely

Answer

To automatically remediate control deficiencies using AI tools

Answer

To assign blame for security incidents to specific teams

Question 6

Which of the following indicates a control deficiency that requires immediate escalation?

Accepted Answer

A critical control has failed and the resulting risk now exceeds the organization's risk tolerance

Answer

A low-priority system does not have a documented backup procedure

Answer

A non-critical application lacks multi-factor authentication

Answer

An internal policy has not been reviewed within the past 24 months