Certified in Risk and Information Systems Control (CRISC) — Question 1240

Which of the following would be MOST effective in promoting a risk-aware culture within an organization?

Answer options

• A. Allocating budget for IT initiatives based on IT risk assessment results
• B. Appointing a risk committee to prioritize identified and assessed risk
• C. Issuing penalties to those who do not attend the risk awareness program
• D. Using risk scenarios to inform organizational strategy

Correct answer: D

Explanation

Using risk scenarios to inform organizational strategy is effective because it integrates risk considerations into decision-making processes, making everyone more aware of potential threats. In contrast, merely allocating budget or appointing a committee may not actively engage employees in understanding risks, and issuing penalties could foster resentment rather than awareness.