CRISC Certified in Risk and Information Systems Control – Question734

Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

A. Key risk indicators (KRIs) are developed for key IT risk scenarios.
B. IT risk scenarios are developed in the context of organizational objectives.
C. IT risk scenarios are assessed by the enterprise risk management team.
D. Risk appetites for IT risk scenarios are approved by key business stakeholders.

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question731

Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

A. Assess risk against business objectives.
B. Implement an organization-specific risk taxonomy.
C. Align business objectives to the risk profile.
D. Explain risk details to management.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question730

Whether the results of risk analysis should be presented in quantitative or qualitative terms should be based PRIMARILY on the:

A. specific risk analysis framework being used.
B. results of the risk assessment.
C. requirements of management.
D. organizational risk tolerance.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question727

Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?

A. Bottom-up approach
B. Cause-and-effect diagram
C. Top-down approach
D. Delphi technique

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question725

A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

A. Action plans to address risk scenarios requiring treatment
B. The team that performed the risk assessment
C. An assigned risk manager to provide oversight
D. The methodology used to perform the risk assessment

Correct Answer: D