Isaca Certified in Risk and Information Systems Control CRISC Question # 238 Topic 24 Discussion

CRISC Exam Topic 24 Question 238 Discussion:

Question #: 238

Topic #: 24

A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management the risk practitioner should explain:

mitigation plans for threat events should be prepared in the current planning period.

this risk scenario is equivalent to more frequent but lower impact risk scenarios.

the current level of risk is within tolerance.

an increase in threat events could cause a loss sooner than anticipated.

Get Premium CRISC Questions

Explanation

The risk practitioner should explain to senior management that mitigation plans for threat events should be prepared in the current planning period, as this would demonstrate a proactive and responsible approach to risk management. Mitigation plans are documents that outline the actions and resources needed to reduce the likelihood and/or impact of a specific risk scenario. Mitigation plans should include the following elements:

Risk scenario description and risk ID

Risk owner and other stakeholders

Risk response strategy and objectives

Risk response actions and tasks

Resources, costs, and benefits

Roles and responsibilities

Timeline and milestones

Performance indicators and monitoring mechanisms

Contingency plans and triggers

Mitigation plans help to address the gap between the current and desired risk levels and align the risk response with the organizational risk appetite and objectives. Mitigation plans also facilitate the communication, coordination, and collaboration among the risk owners and other stakeholders involved in the risk response process. Mitigation plans should be prepared in the current planning period, as this would allow the organization to act timely and effectively in the event of a low frequency threat event. Preparing mitigation plans in advance would also help to avoid or minimize the potential harm to the organization and its reputation.

The other options are not the best ways to communicate the associated risk to senior management. Explaining that this risk scenario is equivalent to more frequent but lower impact risk scenarios may not accurately reflect the true nature and severity of the risk. Explaining that the current level of risk is within tolerance may not convey the urgency and importance of addressing the risk. Explaining that an increase in threat events could cause a loss sooner than anticipated may not provide a clear and actionable solution for the risk. References = Four steps for managing risk at the CEO level, IT Risk Resources | ISACA, How to Communicate Risk to Stakeholders | Anitian

Actual exam question for Isaca CRISC exam by Dune38004 at Oct 14, 2025, 9:21:39 PM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Isaca Certified in Risk and Information Systems Control CRISC Question # 238 Topic 24 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 238 Topic 24 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Isaca Certified in Risk and Information Systems Control CRISC Question # 238 Topic 24 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 238 Topic 24 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval