Certified in Risk and Information Systems Control (CRISC) — Question 1215

While participating in a scenario analysis exercise, a risk practitioner was asked to determine the reputational impact of a system outage. Which of the following would be the BEST approach?

Answer options

• A. Determine the likelihood of negative media coverage and social media response.
• B. Calculate impact from third-party concerns about contractual obligations related to the outage.
• C. Report the value as high because cyber reputational impacts are significant.
• D. Work with the business to estimate the number and value of lost customers.

Correct answer: D

Explanation

The correct answer is D because estimating the number and value of lost customers provides a direct measure of the reputational impact on the business. While A, B, and C focus on indirect effects or assumptions, they do not quantify the actual loss of customer trust and revenue, which is crucial for understanding the reputational damage.