Certified Information Security Manager (CISM) — Question 918
Which of the following MOST effectively communicates the current risk profile to senior management after controls are applied?
Answer options
- A. Residual risk
- B. Impact of loss events
- C. Inherent risk
- D. Number of risks avoided
Correct answer: A
Explanation
Residual risk is the level of risk that remains after controls have been implemented, so it is the measure that best shows senior management the current risk profile and how effective the risk management process has been. The impact of loss events and inherent risk describe the situation before controls are applied, not the current post-control state, while the number of risks avoided does not give a comprehensive view of the risk that remains.