Free ISACA CRISC Exam Questions (page: 136)

You are the project manager for your organization's project to install new workstations, servers, and cabling throughout a new building that your company will be moving into. The vendor for the project informs you that the cost of the cabling has increased for some reason. This new cost will cause the cost of your project to increase by nearly eight percent. Into which change control system should the costs be entered for review?

  1. Cost change control system
  2. Contract change control system
  3. Scope change control system
  4. Only changes to the project scope should pass through a change control system.

Answer(s): A

Explanation:

Because this change deals with the change of the deliverable, it should pass through the cost change control system. The cost change control system reviews the reason why the change has happened, what the cost affects, and how the project should respond.

Incorrect Answers:
B: This is not a contract change. There is no evidence that a contract exists or that the cost of the materials is outside of the terms of a contract if one existed. Consider a time and materials contract, where a change of this nature could be acceptable according to the terms of the contract. If the vendor wanted to change the terms of the contract, then it would be appropriate to enter the change into the contract change control system.

C: The scope of the project will not change due to the cost of the materials.

D: There are four change control systems that should always be entertained for change: schedule, cost, scope, and contract.



When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?

  1. Updating the IT risk registry
  2. Insuring against the risk
  3. Outsourcing the related business process to a third party
  4. Improving staff-training in the risk area

Answer(s): B

Explanation:

An insurance policy can compensate the enterprise up to 100% by transferring the risk to another company. Hence, in this stem, the risk is being transferred.

Incorrect Answers:
A: Updating the risk registry (with lower values for impact and probability) will not actually change the risk, only management's perception of it.

C: Outsourcing the process containing the risk does not necessarily remove or change the risk. Insurance, on the other hand, will completely remove the risk.

D: Staff capacity to detect or mitigate the risk may potentially reduce the financial impact, but insurance allows for the risk to be mitigated up to 100%.



You are the risk official at Bluewell Inc. Some risks are posing a threat to your enterprise. You are measuring the exposure of those risk factors that have the highest potential by examining the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values. Which type of analysis are you performing?

  1. Sensitivity analysis
  2. Fault tree analysis
  3. Cause-and-effect analysis
  4. Scenario analysis

Answer(s): A

Explanation:

Sensitivity analysis is the quantitative risk analysis technique that assists in determining the risk factors that have the most potential impact, and that examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values.

Incorrect Answers:
B: Fault tree analysis provides a systematic description of the combination of possible undesirable occurrences in a system. It does not measure the extent of uncertainty.

C: Cause-and-effect analysis involves the use of a predictive or diagnostic analytical tool for exploring the root causes or factors that contribute to positive or negative effects or outcomes, and not the extent of uncertainty.

D: Scenario analysis provides the ability to see a range of values across several scenarios to identify risk in a specific situation. It provides the ability to identify those inputs which will provide the greatest level of uncertainty, but it plays no role in determining the extent of uncertainty.



Which of the following risk responses includes feedback and guidance from well-qualified risk officials and those internal to the project?

  1. Contingent response strategy
  2. Risk Acceptance
  3. Expert judgment
  4. Risk transfer

Answer(s): C

Explanation:

Expert judgment is utilized in developing risk responses, including feedback and guidance from risk management experts and those internal to the project qualified to provide assistance in this process. Expert judgment is a technique based on a set of criteria that has been acquired in a specific knowledge area or product area. It is obtained when the project manager or project team requires specialized knowledge that they do not possess. Expert judgment involves people most familiar with the work of creating estimates. Preferably, the project team member who will be doing the task should complete the estimates. Expert judgment is applied when performing administrative closure activities, and experts should ensure the project or phase closure is performed to the appropriate standards.

Incorrect Answers:
A: Contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case of their occurrence. Unlike mitigation planning, which looks to reduce the probability of the risk and its impact, contingency planning doesn't necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs.

B: Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active.
Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept the consequences of the risk.
Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.

D: Risk transfer means that the impact of the risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer.


