Certified in Risk and Information Systems Control (CRISC) — Question 1175

Which of the following should be the PRIMARY consideration when quantifying the risk associated with regulatory noncompliance?

Answer options

• A. Time requirements and cost of remediation
• B. Cost of continuous compliance activities
• C. Historical noncompliance events
• D. Value of punitive penalties and fines

Correct answer: D

Explanation

The primary consideration should be the value of punitive penalties and fines, as these can have significant financial implications for an organization. While the other options are important, they focus on remediation costs or past events rather than the direct financial consequences of noncompliance.