Which TWO of the following are recognized techniques for identifying IT risks? (Select exactly 2.)
Brainstorming with stakeholders generates risk ideas.
Why this answer
Brainstorming sessions (B) are a recognized technique for IT risk identification because they leverage the collective expertise of stakeholders to surface potential threats, vulnerabilities, and risk scenarios in a structured or unstructured group setting. This method is specifically cited in ISACA's CRISC Review Manual as a qualitative risk identification approach, often used during the early stages of risk assessment to generate a comprehensive list of risks without requiring quantitative data.
Exam trap
Candidates often confuse strategic or financial analysis tools (like SWOT or ROI) with risk identification techniques. CRISC specifically requires methods that directly uncover threats and vulnerabilities, such as brainstorming and threat modeling, rather than high-level planning or performance metrics.