Certified in Risk and Information Systems Control (CRISC) — Question 111

An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

Answer options

• A. Plans for mitigating the associated risk
• B. Suggestions for improving risk awareness training
• C. A recommendation for internal audit validation
• D. The impact to the organization's risk profile

Correct answer: D

Explanation

The most crucial information for senior management is the impact on the organization's risk profile, as it directly affects decision-making and resource allocation. While mitigating plans, training suggestions, and audit recommendations are important, they are secondary to understanding how these findings alter the organization's overall risk posture.