Isaca Certified in Risk and Information Systems Control CRISC Question # 28 Topic 3 Discussion

CRISC Exam Topic 3 Question 28 Discussion:

Question #: 28

Topic #: 3

A risk assessment has identified increased losses associated with an IT risk scenario. It is MOST important for the risk practitioner to:

update the risk rating.

reevaluate inherent risk.

develop new risk scenarios.

implement additional controls.

Get Premium CRISC Questions

Explanation

The most important action for the risk practitioner to take when a risk assessment has identified increased losses associated with an IT risk scenario is to update the risk rating. A risk rating is a measure of the overall level of risk, based on the combination of the probability and impact of the risk scenario. A risk rating helps to prioritize the risks, communicate the risk exposure, and monitor the risk response. Updating the risk rating is the most important action, because it reflects the current state and magnitude of the risk, and it triggers the review and revision of the risk response plan, if needed. Updating the risk rating also ensures that the risk register and the risk profile are accurate and complete, and that the risk management process is consistent and effective. The other options are not the most important action, although they may be related or subsequent steps in the risk management process. Reevaluating inherent risk is a part of the risk analysis process, which estimates the probability and impact of the risk scenario before considering the existing controls. Reevaluating inherent risk can help to identify the root causes and drivers of the risk, and to assess the effectiveness and efficiency of the controls, but it does not change the overall level of risk or the risk response plan. Developing new risk scenarios is a part of the risk identification process, which identifies and describes the potential events or situations that could affect the achievement of the objectives. Developing new risk scenarios can help to expand the scope and coverage of the risk management process, and to address the emerging or changing risks, but it does not update the existing risk scenarios or the risk response plan. Implementing additional controls is a part of the risk response process, which selects and executes the appropriate actions to reduce, avoid, share, or exploit the risk. Implementing additional controls can help to mitigate the risk and achieve the desired risk level, but it is not the first or the only option, as it depends on the risk appetite, tolerance, and capacity of the organization, and the cost-benefit analysis of the controls. References = Risk Register Template and Examples | Prioritize and Manage Risk, How to Write Strong Risk Scenarios and Statements - ISACA, IT Risk Resources | ISACA

Actual exam question for Isaca CRISC exam by Arlo17369 at Mar 30, 2026, 4:27:41 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Isaca Certified in Risk and Information Systems Control CRISC Question # 28 Topic 3 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 28 Topic 3 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Isaca Certified in Risk and Information Systems Control CRISC Question # 28 Topic 3 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 28 Topic 3 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval