Certified in Risk and Information Systems Control (CRISC) — Question 1311

Which of the following should be done FIRST when developing an initial set of risk scenarios for an organization?

Answer options

• A. Consider relevant business activities.
• B. Use a top-down approach.
• C. Use a bottom-up approach.
• D. Refer to industry standard scenarios.

Correct answer: A

Explanation

The correct answer is A because understanding relevant business activities is essential to identify specific risks that the organization faces. Options B and C suggest methodologies that can be utilized later in the process, while D focuses on existing scenarios rather than developing new ones based on the organization's unique context.