CRISC Certified in Risk and Information Systems Control – Question 348

Which of the following statements is true for risk analysis?

A. Risk analysis should assume an equal degree of protection for all assets.
B. Risk analysis should give more weight to the likelihood than the size of loss.
C. Risk analysis should limit the scope to a benchmark of similar companies.
D. Risk analysis should address the potential size and likelihood of loss.

Correct Answer: D

Explanation:

A risk analysis deals with both the potential size (impact) and the likelihood of loss. It involves identifying the most probable threats to an organization and analyzing the organization's vulnerabilities to those threats. From an organizational perspective, risk consists of:

  • Threats to the organization's processes.
  • Threats to physical and information assets.
  • The likelihood and frequency with which a threat occurs.
  • The impact on assets when a threat exploits a vulnerability.

Risk analysis allows the auditor to:

  • Identify threats and vulnerabilities to the enterprise and its information systems.
  • Provide information for the evaluation of controls during audit planning.
  • Determine audit objectives.
  • Support risk-based decisions.

Incorrect Answers:
A: Assuming an equal degree of protection would be rational only in the rare case where all assets are similar in sensitivity and criticality. It is therefore not a practice of risk analysis, which exists precisely to differentiate between assets.
B: Likelihood and size of loss are independent factors; neither determines the other, and a risk with low likelihood but very high impact can matter more than a frequent but minor one. Both elements must therefore be weighed in the analysis.
C: A risk analysis would not normally treat a benchmark of similar companies as a source of relevant information beyond comparison purposes; it must be based on the organization's own assets, threats and vulnerabilities.