CRISC Certified in Risk and Information Systems Control – Question 144

What are the various outputs of risk response?

A. Risk Priority Number
B. Residual risk
C. Risk register updates
D. Project management plan and Project document updates
E. Risk-related contract decisions

Correct Answer: CDE

Explanation:
The outputs of the risk response planning process are:

  • Risk Register Updates: The risk register is written in detail so that it can be related to the priority ranking and the planned response.
  • Risk-Related Contract Decisions: Risk-related contract decisions are the decisions to transfer risk, such as services, agreements for insurance, and other items as required. They provide a means for sharing risks.
  • Project Management Plan Updates: Some of the elements of the project management plan updates are:
    -Schedule management plan
    -Cost management plan
    -Quality management plan
    -Procurement management plan
    -Human resource management plan
    -Work breakdown structure
    -Schedule baseline
    -Cost performance baseline
  • Project Document Updates: Some of the project documents that can be updated include:
    -Assumption log updates
    -Technical documentation updates

Incorrect Answers:
A: The risk priority number is not an output of risk response; it is determined before a response is applied. Hence it acts as one of the inputs to risk response, not an output of it.
B: Residual risk is not an output of risk response. Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk. Since Risk = Threat × Vulnerability and Total Risk = Threat × Vulnerability × Asset Value, residual risk can be calculated with the following formula: Residual Risk = Total Risk – Controls
Senior management is responsible for any losses due to residual risk. They decide whether a risk should be avoided, transferred, mitigated or accepted. They also decide what controls to implement. Any loss resulting from their decisions is their responsibility.
Residual risk assessments are conducted after mitigation to determine the impact of the risk on the enterprise. For the risk assessment, the effect and frequency are reassessed and the impact is recalculated.