Exam CRISC topic 1 question 613 discussion

Should determine if its worth mitigate?

B. Relevance to the business process. The most important factor when deciding on a control to mitigate risk exposure is "B. Relevance to the business process." Controls should be selected based on their alignment with the specific risks and requirements of the business process in question. Controls that are directly applicable and tailored to the process have a higher likelihood of effectively mitigating the associated risk. While the other factors (comparison against best practice, regulatory compliance requirements, cost-benefit analysis) are also important considerations, they should be evaluated in the context of how well they align with the business process's unique characteristics and risk profile. Relevance to the business process ensures that the control is practical, applicable, and capable of effectively addressing the identified risk exposure.

B, if it's not relevant it wont help

I'd go with B, because assuming relevance for the CBA means B is a pre requisite and most important. But CRISC have a way of being silly so wouldn't shock me if D is right

Would have to go with D. The review manual seemed to place a lot of emphasis on the cost of the control in respect to the cost of the impact it was mitigating. A control that is relevant but costs too much is also not acceptable.

New round and correct: The reason for this is that the control should be directly related to the specific risks that are associated with the business process in question. The control should be designed to address those risks and be tailored to the unique requirements and characteristics of that process. Therefore, the control's relevance to the business process is crucial in ensuring that the control effectively mitigates the risks it is intended to address. While cost-benefit analysis is also an important consideration, it should not be the only factor considered when selecting a control. A control that is cost-effective but not relevant to the business process may not adequately mitigate the risks, and could ultimately end up costing the organization more in terms of losses or damages resulting from the unmitigated risks.

The selection of a control is based on the cost benefit for the organization, if the control has no relevance, it will not provide any benefit either and will not pass the balance.

The "benefit" part in "cost-benefit analysis" addresses the relevance to business processes, tight? So D should be a better answer?

The "benefit" part in "cost-benefit analysis" addresses the relevance to business processes, tight? So D should be a better answer?

B Relevance is right when mitigating. The cost is when creating the control.

I thing relevance to the business process is primary factor, then come regulatory requirement and then CBA. Support answer B

it's D,

I would go with CBA. It already assumed the relevance of the process. Otherwise, why trying to mitigate a risk of a process that is irrelevant.

Cost benefit analysis would happen before attempting to mitigate the risk, that's by B is more important

R2-78 would say it's CBA.

how come it's not D?