Isaca CRISC Based on Real Exam Environment

The most important thing for mitigating ethical risk when establishing accountability for control ownership is to ensure that the performance metrics balance business goals with risk appetite. Performance metrics are the measures that evaluate the achievement of the objectives or the performance of the processes or controls. Business goals are the desired or expected outcomes or results of the business activities or processes. Risk appetite is the amount and type of risk that the organization is willing and able to take. Ethical risk is the risk that arises from the violation or breach of the ethical principles or standards of the organization or the profession. To mitigate ethical risk, the performance metrics should balance business goals with risk appetite, meaning that they should not encourage or reward excessive or inappropriate risk-taking or unethical behavior, but rather promote and support responsible and ethical risk management and decision making. The other options are not as important as ensuring performance metrics balance business goals with risk appetite, as they are related to the documentation, communication, or monitoring of the processes or controls, not the evaluation or alignment of the performance metrics. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Key Performance Indicators, page 183.

The first thing that should be done from a governance perspective to secure the information assets of a newly incorporated enterprise is to establish an inventory of information assets. An inventory of information assets is a document that lists and categorizes all the information assets that the organization owns, uses, or manages, such as data, documents, systems, applications, and devices. An inventory of information assets helps to identify and classify the information assets based on their value, sensitivity, and criticality, and to determine the appropriate level of protection and control for each asset. An inventory of information assets also helps to support the development and implementation of other information security activities, such as risk assessment, policy formulation, awareness training, and incident response. The other options are not the first thing that should be done, although they may be important steps or components of the information security governance. Defining information retention requirements and policies, providing information security awareness training, and establishing security management processes and procedures are all activities that can help to secure the information assets, but theyrequire the prior knowledge and understanding of the information assets. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.1.1, page 3-3.

The next thing that the risk practitioner should do from a risk management perspective when the organization is considering the adoption of an aggressive business strategy to achieve desired growth is to identify new threats resulting from the new business strategy. A threat is a potentialcause of an unwanted incident that may affect the achievement of the objectives. An aggressive business strategy is a strategy that involves pursuing high-risk, high-reward opportunities or initiatives to gain a competitive advantage or a significant market share. An aggressive business strategy may introduce new threats or increase thelikelihood or impact of existing threats, such as market volatility, regulatory changes, customer dissatisfaction, or competitor retaliation. Therefore, the risk practitioner should identify the new threats resulting from the new business strategy, and assess their potential consequences and implications for the organization. The other options are not as immediate as identifying new threats resulting from the new business strategy, as they are related to the update, information, or measurement of the risk management process, not the identification or analysis of the risk. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.3: IT Risk Scenarios, page 23.

 The most important step when developing risk scenarios using a list of generic scenarios based on industry best practices is to validate the generic risk scenarios for relevance. The generic risk scenarios may not be applicable or suitable for the specific context, objectives, and environment of the organization. Therefore, the risk practitioner should validate the relevance of the generic risk scenarios by comparing them with the organization’s risk profile, risk appetite, and risk criteria. Assessing generic risk scenarios with business users, selecting the maximum possible risk scenarios from the list, and identifying common threats causing generic risk scenarios are other steps that may be useful, but they are not as important as validating the relevance of the generic risk scenarios. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.