Effective CISSP Questions

You are the manger authorized to make decisions on the acceptance of risk. After risk treatment, you are considering a case that the cost of handling the residual risk is much higher than the risk acceptance criteria. Even though quantitative economic benefits cannot justify it, you deeply believe the risk with low likelihood is not urgent but brings a significant impact on the organization and should be handled. Which of the following decisions best meets the risk acceptance principles?
A. No further treatment because it doesn’t meet the risk acceptance criteria
B. No further treatment because subjective judgment is not reliable
C. Revise the risk acceptance criteria if possible, and implement risk treatment
D. Implement exception risk treatment but comment and justify your decision.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Revise the risk acceptance criteria if possible, and implement risk treatment.

If a risk is higher than the risk acceptance criteria, the risk treatment will be applied. The risk treatment can be justified because the cost of risk treatment is less than the risk and creating value. If it’s not possible to revise it in time, it’s appropriate to implement exception risk treatment and comment and justify it.

In this question, the odds are that the risk should be higher than the risk acceptance criteria and the cost of treatment. In other words, the risk acceptance criteria can be outdated and should be revised.

In regular cases, decisions can be made based on the risk acceptance criteria. However, as a manager, since you don’t think the risk acceptance criteria are appropriate, and the residual risk should be treated in further iteration, reviewing the risk acceptance criteria is needed.

Risk management is an ongoing process. It’s a good practice to improve continuously. Reviewing or revising the risk acceptance criteria is part of the improvement process.

If there is sufficient time to review or revise the risk acceptance criteria, this should be done first. However, in some urgent situations, managers are not allowed to finish the reviewing or revising process; In this situation, the decision can be made with explicit comment and justification without modifying the risk acceptance criteria.


Leave a Reply