CRISC Certified in Risk and Information Systems Control – Question 289

You are the project manager of the GHT project. You have analyzed the risk and applied appropriate controls. As a result, you are left with residual risk. Residual risk can be used to determine which of the following?

A. Status of enterprise's risk
B. Appropriate controls to be applied next
C. The area that requires more control
D. Whether the benefits of such controls outweigh the costs

Correct Answer: CD

Explanation:
Residual risk can be used by management to determine:

  • Which areas require more control
  • Whether the benefits of such controls outweigh the costs

Because residual risk is the output that remains after appropriate controls have been applied, it can also be used to estimate which areas need more sophisticated controls. If the cost of a control is larger than its benefits, no control is applied; hence residual risk can be used to determine the benefits of these controls over their cost.

Incorrect Answers:
A: The status of the enterprise's risk can be determined only after risk monitoring.
B: Appropriate controls can only be determined as the result of risk assessment, not through residual risk.