Certified in Risk and Information Systems Control (CRISC) — Question 1390

Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?

Answer options

• A. To ensure IT risk scenarios are consistently assessed within the organization
• B. To ensure IT risk ownership is assigned at the appropriate organizational level
• C. To ensure IT risk impact can be compared to the IT risk appetite
• D. To ensure IT risk appetite is communicated across the organization

Correct answer: C

Explanation

The correct answer, C, highlights the importance of comparing IT risk impact to the organization's risk appetite, which helps in understanding whether the risks are acceptable. Options A and B focus on assessment and ownership, which are important but secondary to measuring impact against appetite. Option D addresses communication but does not relate to the aggregation of risk impact.