
CRISC Question #256: Real Exam Question with Answer & Explanation

The correct answer is C: high cost effectiveness ratios and high risk levels.

Submitted by paula_co · Apr 18, 2026 · Risk Response and Reporting

Question

When classifying and prioritizing risk responses, the areas to address FIRST are those with:

Options

  • A. low cost effectiveness ratios and high risk levels
  • B. high cost effectiveness ratios and low risk levels
  • C. high cost effectiveness ratios and high risk levels
  • D. low cost effectiveness ratios and low risk levels

Explanation

When prioritizing risk responses, the most effective approach is to address risks that are both high in impact/likelihood (high risk levels) and where mitigation efforts offer the most return on investment (high cost-effectiveness ratios). This ensures resources are efficiently directed towards the most significant threats.

Common mistakes.

  • A. Addressing risks with low cost-effectiveness ratios means the mitigation efforts are expensive relative to the risk reduction, which is not an efficient use of resources, even for high risks.
  • B. Prioritizing low-risk levels, even with high cost-effectiveness, means resources are spent on less critical issues while significant risks might remain unaddressed.
  • D. Addressing risks with low cost-effectiveness and low risk levels would be a highly inefficient use of resources, as it targets minor issues with poor mitigation ROI.

Concept tested. Risk response prioritization, cost-effectiveness

Reference. https://learn.microsoft.com/en-us/compliance/regulatory/risk-management-framework#step-2-assess-risk

Topics

#Risk prioritization #Risk response #Cost-effectiveness #Risk level
