Certified in the Governance of Enterprise IT (CGEIT) — Question 363

Which of the following is the BEST outcome measure to determine the effectiveness of IT risk management processes?

Answer options

• A. Time lag between when IT risk is identified and the enterprise's response
• B. Percentage of business users satisfied with the quality of risk training
• C. Frequency of updates to the IT risk register
• D. Number of events impacting business processes due to delays in responding to risks

Correct answer: A

Explanation

The best measure of IT risk management effectiveness is the time lag between identifying a risk and the organization's response, as it directly reflects the responsiveness of the risk management process. The other options focus on user satisfaction, documentation frequency, or incidents, which do not provide a direct measure of the efficacy of the response to identified risks.