Exam CRISC topic 1 question 724 discussion

B is wrong - Inherent is the initial risk, it doesnt change after implementing controls. Residual does - but there is no such choice. In this case D would be the best one - as encryption reduces the probability of risk materialization...

In this scenario, an organization has completed a project to implement encryption on all databases that host customer data. To reflect this change, the inherent risk element of the risk register should be updated

B. Inherent risk When an organization completes a project to implement encryption on all databases hosting customer data, it is effectively reducing the inherent risk associated with the exposure of customer data. Inherent risk refers to the level of risk that exists before any controls or mitigation measures are applied. By implementing encryption, the organization is reducing the inherent risk of unauthorized access or data breaches.

It is D. You only change inherent risk when you add or change activities / processes. And I am still stuck on the 723 before this one where the chart on pg 152 of the 7th review manual indicates that preventive controls reduce impact. Still picking D, and should probably change my answer on 723.

Question with a little trick. A preventive control (such as encryption) reduces the impact, not the probability. I would choose the inherent risk, even knowing that this is not the best option (it exists regardless of the application of controls).

Answer B appears best. Encryption project is completed so subsequent analysis should consider encryption as an existing control when assessing inherent risk. Furthermore, encryption is a preventive control and does not reduce the likelihood, hence D is not an option.

I pick D. Inherent risk is the total risk without any control. encryption is lower the risk of data explore to public. So it is risk likelihood.