Which of the following would BEST provide early warning of a high-risk condition?
A. Risk assessment
B. Key risk indicator (KRI)
C. Risk register
D. Key performance indicator (KPI)

Which of the following BEST enables a risk practitioner to enhance understanding of risk among stakeholders?
A. Threat analysis
B. Key risk indicators
C. Risk scenarios
D. Business impact analysis

An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST?
A. The risk owner who also owns the business service enabled by this infrastructure
B. The site manager who is required to provide annual risk assessments under the contract
C. The data center manager who is also employed under the managed hosting services contract
D. The chief information officer (CIO) who is responsible for the hosted services

Which of the following is MOST critical when designing controls?
A. Involvement of process owner
B. Involvement of internal audit
C. Identification of key risk indicators
D. Quantitative impact of the risk

Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?
A. Leveraging existing metrics
B. Optimizing risk treatment decisions
C. Obtaining buy-in from risk owners
D. Improving risk awareness

A risk practitioner’s PRIMARY focus when validating a risk response action plan should be that risk response:
A. advances business objectives.
B. quantifies risk impact.
C. reduces risk to an acceptable level.
D. aligns with business strategy.

The MAIN reason for creating and maintaining a risk register is to:
A. account for identified key risk factors.
B. ensure assets have low residual risk.
C. define the risk assessment methodology.
D. assess effectiveness of different projects.

An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:
A. business process owner.
B. chief information officer.
C. project manager.
D. chief risk officer.

Which of the following should be the risk practitioner’s PRIMARY focus when determining whether controls are adequate to mitigate risk?
A. Cost-benefit analysis
B. Sensitivity analysis
C. Level of residual risk
D. Risk appetite

Which of the following would be a risk practitioner’s BEST recommendation for preventing cyber intrusion?
A. Implement data loss prevention (DLP) tools.
B. Implement network segregation.
C. Establish a cyber response plan.
D. Strengthen vulnerability remediation efforts.
Correct Answer: A