ISC2 Governance, Risk and Compliance (CGRC) Practice Question
During control evaluation, you calculate an inherent likelihood of 0.30 and a potential impact of $1,000,000 for a data-breach threat. After the new access-control safeguards are validated, likelihood drops to 0.08 while impact remains unchanged. The organization's risk-tolerance threshold is an annualized loss expectancy (ALE) of $50,000. Which statement best reflects the residual risk status?
The residual ALE is approximately $80,000, so risk exceeds the tolerance and must be addressed.
The residual ALE is approximately $24,000, indicating controls reduced risk below tolerance.
The residual ALE is approximately $300,000, showing controls are ineffective and risk is outside tolerance.
The residual ALE is approximately $30,000, so risk is acceptable without further action.
Residual risk is the level of risk that remains after security controls are implemented and their effectiveness has been assessed. ALE is commonly estimated as Likelihood × Impact. With the new controls in place, residual ALE = 0.08 × $1,000,000 = $80,000. Because $80,000 is higher than the organization's stated tolerance of $50,000, the residual risk is above the acceptable threshold and further risk-treatment action (such as additional mitigation, transfer, or formal acceptance by an authorized official) is required. The other options use incorrect calculations or interpret the residual risk status inaccurately: $30,000 results from multiplying the pre-control likelihood (0.30) by a reduced impact, which is not the scenario; $24,000 is based on misapplying both likelihood and impact reductions; and $300,000 represents the original inherent risk, not the residual level after controls.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is residual risk?
Open an interactive chat with Bash
How is annualized loss expectancy (ALE) calculated?
Open an interactive chat with Bash
What can an organization do if residual risk exceeds its risk tolerance?
Open an interactive chat with Bash
What is residual risk in risk management?
Open an interactive chat with Bash
How is Annualized Loss Expectancy (ALE) calculated?
Open an interactive chat with Bash
What is the difference between inherent and residual risk?
Open an interactive chat with Bash
ISC2 Governance, Risk and Compliance (CGRC)
System Compliance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .