Exam CRISC topic 1 question 403 discussion

Why A and not D?

Risk assessment not BIA In short, risk assessment will show you which kinds of incidents you might face, while business impact analysis will show you how quickly you need to recover your activities from incidents to avoid larger damage.

The answer is D. Conducting periodic risk assessments. Conducting periodic risk assessments is the most effective way to facilitate effective risk management throughout an organization. Risk assessments help to identify potential risks, assess the likelihood and impact of those risks, and develop plans to mitigate those risks.

ChatGPT said answer is D :D

Agree with D.

Conducting periodic risk assessments would BEST facilitate effective risk management throughout the organization. While performing a business impact analysis (BIA) can be a critical step in understanding the potential impacts of various risks on the organization, it is only one aspect of effective risk management. A BIA typically focuses on the potential impacts to specific business functions or processes, and may not identify all of the risks facing the organization.

A risk assessment analyzes potential threats and the likelihood of them happening. A business impact analysis measures the severity of those threats and how they would affect business operations and finances. In other words, a business impact analysis is essentially an extension of a risk assessment report—a BIA identifies potential risks, then also measures their impact.

Also see R2-66. BIA is correct.

Agree with A. The best way to facilitate risk management in an organization is through BIA. Imagine yourself in an organization with a low level of maturity in risk management. How do you start the conversation? The answer is the same when you are talking to an organization with high maturity.

Should be D. Audits verify control effectiveness

Should be B