During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

• A.Recommend the formation of an executive risk council to oversee IT risk
• B.Provide an estimate of IT system downtime if IT risk materializes
• C.Describe IT risk scenarios in terms of business risk
• D.Educate business executives on IT risk concepts

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the PRIMARY objective for automating controls?

• A.Improving control process efficiency
• B.Facilitating continuous control monitoring
• C.Complying with functional requirements
• D.Reducing the need for audit reviews

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?

• A.To have a standard risk management process for complying with regulations
• B.To ensure risk profiles are presented in a consistent format within the organization
• C.To have a unified approach to risk management across the organization
• D.To optimize risk management resources across the organization

Comment: *

Name: *

Email: *

Verification: *

In which of the following system development life cycle (SDLC) phases should controls be incorporated into system specifications?

• A.Development
• B.Feasibility
• C.Design
• D.Implementation

Comment: *

Name: *

Email: *

Verification: *

Which among the following acts as a trigger for risk response process?

• A.Risk level increases above risk appetite
• B.Risk level increase above risk tolerance
• C.Risk level equates risk appetite
• D.Risk level equates the risk tolerance

Correct Answer: B

Explanation/Reference:
Explanation:
The risk response process is triggered when a risk exceeds the enterprise's risk tolerance level. The acceptable variation relative to the achievement of an objective is termed as risk tolerance. In other words, risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives.
Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders.
A process should be in place to review and approve any exceptions to such standards.
Incorrect Answers:
A, C: Risk appetite level is not relevant in triggering of risk response process. Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. This is the responsibility of the board to decide risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:
The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.

The culture towards risk taking-cautious or aggressive. In other words, the amount of loss the

enterprise wants to accept in pursue of its objective fulfillment.
D: Risk response process is triggered when the risk level increases the risk tolerance level of the enterprise, and not when it just equates the risk tolerance level.

Comment: *

Name: *

Email: *

Verification: *