A risk practitioner notices a risk scenario associated with data loss at the organization’s cloud provider is assigned to the provider. Who should the risk scenario be reassigned to?

A. Chief risk officer
B. Vendor manager
C. Data owner
D. Senior management

Which of the following would MOST likely result in updates to an IT risk profile?

A. Changes in senior management.
B. Establishment of a risk committee.
C. External audit findings.
D. Feedback from focus groups.

Which of the following should be the MAIN consideration when validating an organization’s risk appetite?

A. Cost of risk mitigation options.
B. Maturity of the risk culture.
C. Capacity to withstand loss.
D. Comparison against regulations.

A new international data privacy regulation requires personal data to be disposed after the specified retention period, which is different from the local regulatory requirement. Which of the following is the risk practitioner's BEST recommendation to resolve the disparity?

A. Adopt the international standard.
B. Adopt the standard determined by legal counsel.
C. Adopt the local standard.
D. Adopt the least stringent standard determined by the risk committee.

Which of the following is the MOST important reason to test new controls?

A. To verify controls work as intended.
B. To justify the cost of control investment.
C. To identify exceptions that elevate risk.
D. To ensure an accurate and up-to-date controls register.

Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?

A. Preventive control
B. Deterrent control
C. Corrective control
D. Detective control

Which of the following BEST contributes to the implementation of an effective risk response action plan?

A. A business impact analysis.
B. An IT tactical plan.
C. Disaster recovery and continuity testing.
D. Assigned roles and responsibilities.

Which of the following provides the MOST important information to facilitate a risk response decision?

A. Risk appetite.
B. Industry best practices.
C. Key risk indicators.
D. Audit findings.

A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

A. The alternative site does not reside on the same fault no matter how far the distance apart.
B. The contingency plan provides for backup media to be taken to the alternative site.
C. The contingency plan for high priority applications does not involve a shared cold site.
D. The alternative site is a hot site with equipment ready to resume processing immediately.

Which of the following is the GREATEST benefit of updating the risk register to include outcomes from a risk assessment?

A. It facilitates timely risk-based decisions.
B. It helps to mitigate internal and external risk factors.
C. It validates the organization’s risk appetite.
D. It maintains evidence of compliance with risk policy.