CRISC Risk Response and Mitigation Strategies 2

Question 1

Which element MUST be included in a risk response plan to ensure accountability?

Accepted Answer

Named owner responsible for implementing the response

Answer

A risk response plan must identify a specific owner who is responsible and accountable for executing the response within the agreed timeframe.

Question 2

Which statement BEST describes the difference between a preventive and a detective control?

Accepted Answer

Preventive controls stop incidents before they occur; detective controls identify incidents after they begin

Answer

Preventive controls block threats before they cause harm, while detective controls identify when a threat event is occurring or has occurred.

Question 3

When a risk cannot be fully mitigated, the BEST course of action is to:

Accepted Answer

Formally accept the residual risk with senior management approval

Answer

Formal acceptance of residual risk by senior management ensures that the decision is deliberate, documented, and appropriately authorized.

Question 4

A corrective control is MOST effective for:

Accepted Answer

Minimizing damage and restoring normal operations after a risk event

Answer

Corrective controls reduce the impact of a risk that has already materialized by enabling recovery and restoration of normal business operations.

Question 5

Which approach to risk mitigation involves redesigning a business process to eliminate a risk entirely?

Accepted Answer

Risk avoidance through process redesign

Answer

Redesigning a process to remove the conditions that create the risk is a form of risk avoidance that eliminates the root cause.

CRISC - Certified in Risk and Information Systems Control Practice Test